Compliance Framework Setup

Step-by-step guide to implementing ISO 27001 compliance from scratch using Flow's framework management tools
This walkthrough demonstrates how to set up a compliance framework in Flow from scratch, using ISO 27001:2022 as the example. The same process applies to any supported framework including NIST CSF, SOC 2, PCI DSS, and ISO 22301.

Prerequisites

Before starting, ensure you have:

  • An active Flow organization with Admin access
  • At least one team member assigned as compliance lead
  • An understanding of which framework domains apply to your organization

Step 1: Navigate to Compliance

  1. Open the Flow dashboard
  2. Click Compliance in the sidebar navigation
  3. Select the Frameworks tab to view framework management

Step 2: Add a Framework

  1. Click the Add Framework button
  2. Browse the available framework library
  3. Select ISO 27001:2022 (or your target framework)

Step 3: Configure Framework Settings

The framework selection dialog presents several configuration options:

Implementation Priority

Set the priority level for this framework implementation:

  • Critical - Regulatory requirement or contractual obligation with hard deadlines
  • High - Strategic priority for the current fiscal year
  • Medium - Planned implementation within the next 12–18 months
  • Low - Future consideration or nice-to-have

Target Completion Date

Set a realistic target date for achieving compliance. Consider:

  • Audit timelines and certification deadlines
  • Resource availability and competing priorities
  • Complexity of the selected domains

Domain Scoping

Select the specific domains relevant to your organization. For ISO 27001:2022, you might select:

  • A.5 Information Security Policies — if you need formal security policies
  • A.6 Organization of Information Security — for organizational security structure
  • A.8 Asset Management — if tracking information assets
  • A.9 Access Control — for user access management

You might exclude:

  • A.7 Human Resource Security — if handled by a separate HR system

Assessment Frequency

Choose how often compliance will be assessed:

  • Quarterly — for high-priority or rapidly changing environments
  • Semi-annually — balanced frequency for most organizations
  • Annually — for stable frameworks with mature implementations

Lead Assessor

Assign the primary person responsible for managing this framework's compliance activities.

Step 4: Auto-Create Compliance Items

Enable the Auto-create compliance items option to automatically populate your compliance register with:

  • One compliance item per requirement in each selected domain
  • Initial status set to "Not Started"
  • Default ownership assigned to the lead assessor
  • Linked to the source framework and domain

This eliminates manual data entry and ensures complete coverage of all selected requirements.

Step 5: Review Your Compliance Register

After framework setup, navigate to the Compliance Register tab:

  1. Filter by the newly added framework
  2. Review the auto-created compliance items
  3. Verify domain coverage matches your scope
  4. Note the total number of items to plan your assessment workload

Step 6: Begin Assessments

For each compliance item:

  1. Assess Current State - Evaluate your current compliance posture against the requirement
  2. Update Status - Set to In Progress, Compliant, or Non-Compliant
  3. Assign Owners - Delegate specific items to responsible team members
  4. Link Evidence - Attach policies, procedures, and evidence documents
  5. Link Controls - Map existing controls to the compliance requirements
  6. Create Actions - For non-compliant items, create remediation actions

Step 7: Track Progress

Monitor your compliance program through:

  • Compliance Dashboard - Overall compliance percentage and status breakdown
  • Framework View - Per-framework compliance progress
  • Gap Analysis - Identify remaining non-compliant areas
  • Reports - Generate compliance reports for management and auditors

Adding Additional Frameworks

Repeat steps 2–5 for each additional framework. When multiple frameworks are active:

  • Cross-framework mappings help identify overlapping requirements
  • Controls mapped to one framework can satisfy similar requirements in others
  • The compliance register provides a unified view across all frameworks

Timeline Estimate

Phase                 Activities                                              Typical Duration
Setup                 Framework selection, domain scoping, auto-creation      1–2 hours
Initial Assessment    Review all items, assess current state                  2–4 weeks
Gap Remediation       Implement controls, create policies, collect evidence   2–6 months
Internal Review       Self-assessment against all requirements                2–4 weeks
Certification Audit   External auditor assessment (if applicable)             1–2 weeks

Best Practices

  • Scope First - Be deliberate about domain selection; it's easier to add domains later than to remove them
  • Assign Early - Distribute compliance items to owners as soon as the register is populated
  • Evidence as You Go - Link documents and evidence continuously rather than collecting everything at audit time
  • Use Controls - Map controls to compliance items to demonstrate implementation
  • Regular Check-ins - Schedule recurring reviews to track progress against your target date