Compliance Frameworks

Pre-built compliance framework library with ISO 27001, NIST CSF 2.0, SOC 2, PCI DSS 4.0, and ISO 22301 — including domain scoping, auto-populated registers, and assessment scheduling.


Flow ships with a curated library of compliance frameworks, each pre-loaded with domains, control families, and requirements. Select the frameworks relevant to your organization, scope them to specific domains, and auto-populate your compliance register — no manual data entry required.

Supported Frameworks

ISO 27001:2022 — Information Security Management

  • Category: Information Security
  • Domains: 5 (Policies, Organization, HR Security, Asset Management, Access Control)
  • Control Families: 12 across all domains
  • Use Cases: ISMS implementation, certification readiness, customer trust

NIST Cybersecurity Framework 2.0

  • Category: Cybersecurity
  • Domains: 6 (Govern, Identify, Protect, Detect, Respond, Recover)
  • Control Families: 28 across all domains
  • Use Cases: Federal compliance, critical infrastructure, cybersecurity maturity

SOC 2 Type II

  • Category: Operational Security
  • Domains: 6 (Common Criteria, Security, Availability, Confidentiality, Processing Integrity, Privacy)
  • Control Families: 17 across all domains
  • Use Cases: SaaS vendor assurance, customer due diligence, Type II audits

PCI DSS 4.0

  • Category: Payment Security
  • Domains: 4 (Network Security, Secure Configurations, Stored Data Protection, Cryptography)
  • Control Families: 7 across all domains
  • Use Cases: Payment card processing, merchant compliance, acquiring bank requirements

ISO 22301:2019 — Business Continuity Management

  • Category: Business Continuity
  • Domains: 7 (Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement)
  • Control Families: 25 across all domains
  • Use Cases: BCP development, disaster recovery planning, organizational resilience

Framework Selection

Selecting Frameworks

From the Compliance > Frameworks tab, click Add Frameworks to open the selection dialog. Each available framework shows its name, code, category, version, and domain count.

Check the frameworks you want to track. When you select a framework, a configuration panel expands with the following options:

  • Implementation Priority — Critical, High, Medium, or Low
  • Target Completion Date — When you aim to achieve compliance
  • Assessment Frequency — Monthly, Quarterly, Semi-Annually, or Annually
  • Lead Assessor — The team member responsible for this framework
  • Implementation Notes — Free-text context for your team

Domain Scoping

Each framework can be scoped to specific domains. By default, all domains are selected. Deselect domains that aren't relevant to your organization to keep your compliance register focused.

Example: SOC 2 Scoping

Selected Domains:
✓ Common Criteria (CC) — 9 control families
✓ Security (S) — 1 control family
✓ Availability (A) — 1 control family
✗ Confidentiality (C) — excluded, not in scope
✗ Processing Integrity (PI) — excluded, not in scope
✓ Privacy (P) — 8 control families

Result: 4 of 6 domains selected
Requirements created only for selected domains

Auto-Populating the Compliance Register

When selecting frameworks, the Automatically populate compliance register option is enabled by default. This creates a compliance item for every requirement in the selected domains, pre-filled with:

  • Implementation status set to Not Implemented
  • Maturity level set to Initial
  • Risk level derived from the requirement's priority
  • Assessment frequency set to Annually
  • Next assessment due date calculated from today
  • Owner set to the lead assessor (or the current user)

A preview panel shows what will be created before you confirm:

Preview: What will be created

Total requirements:     42
Will create:            38
Already exist:           4
Critical/High priority: 22

You can also trigger this manually later by clicking Populate Register on any selected framework card.
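The scoping and auto-population rules above (one item per requirement in the selected domains, the default field values, the preview counts, and the "already exist" check that keeps a repeated Populate Register from duplicating items) are shown below as an added Python example. It is not Flow's code: the SOC 2 domain names and CC6.1 come from this page, while the other requirement IDs, the one-to-one priority-to-risk mapping, the 365-day "Annually" interval, and the decision to count Critical/High over the items about to be created are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    domain: str
    priority: str          # Critical, High, Medium or Low


@dataclass(frozen=True)
class ComplianceItem:
    framework: str
    req_id: str
    title: str
    status: str
    maturity: str
    risk_level: str
    assessment_frequency: str
    next_assessment_due: date
    owner: str


# Constructed SOC 2-style framework. Domain names match the page; CC6.1 is the
# only requirement ID taken from the page, the others are placeholders.
SOC2 = {
    "code": "SOC2",
    "domains": ["Common Criteria", "Security", "Availability",
                "Confidentiality", "Processing Integrity", "Privacy"],
    "requirements": [
        Requirement("CC6.1", "Logical Access Security Software", "Common Criteria", "Critical"),
        Requirement("CC7.X", "System monitoring (placeholder)", "Common Criteria", "High"),
        Requirement("S1.X", "Security placeholder", "Security", "High"),
        Requirement("A1.X", "Availability placeholder", "Availability", "Medium"),
        Requirement("C1.X", "Confidentiality placeholder", "Confidentiality", "High"),
        Requirement("PI1.X", "Processing integrity placeholder", "Processing Integrity", "Medium"),
        Requirement("P1.X", "Privacy placeholder", "Privacy", "Low"),
    ],
}

# Assumption: the page says risk is "derived from" priority without saying how;
# a one-to-one mapping is used here.
RISK_FROM_PRIORITY = {"Critical": "Critical", "High": "High",
                      "Medium": "Medium", "Low": "Low"}
ANNUAL = timedelta(days=365)          # assumption for the "Annually" interval
DEMO_TODAY = date(2026, 3, 1)         # fixed "today" so the demo is reproducible

# Constructed register containing one item that already exists for SOC 2.
SAMPLE_REGISTER = [
    ComplianceItem("SOC2", "CC6.1", "Logical Access Security Software",
                   "In Progress", "Managed", "Critical", "Annually",
                   date(2026, 1, 1), "Sarah Chen"),
]


def scoped_requirements(framework, selected_domains):
    """Requirements that survive domain scoping; rejects unknown domain names."""
    unknown = set(selected_domains) - set(framework["domains"])
    if unknown:
        raise ValueError(f"unknown domains: {sorted(unknown)}")
    return [r for r in framework["requirements"] if r.domain in selected_domains]


def existing_ids(framework, register):
    """Requirement IDs this framework already has in the register."""
    return {i.req_id for i in register if i.framework == framework["code"]}


def preview(framework, selected_domains, register):
    """The numbers shown in the 'What will be created' panel."""
    reqs = scoped_requirements(framework, selected_domains)
    have = existing_ids(framework, register)
    new = [r for r in reqs if r.req_id not in have]
    return {
        "total_requirements": len(reqs),
        "will_create": len(new),
        "already_exist": len(reqs) - len(new),
        "critical_high": sum(r.priority in ("Critical", "High") for r in new),
    }


def populate_register(framework, selected_domains, register,
                      lead_assessor=None, current_user="current-user", today=None):
    """One pre-filled item per in-scope requirement, skipping ones already present."""
    today = today or date.today()
    have = existing_ids(framework, register)
    created = []
    for r in scoped_requirements(framework, selected_domains):
        if r.req_id in have:
            continue   # re-running Populate Register must not duplicate items
        created.append(ComplianceItem(
            framework=framework["code"], req_id=r.req_id, title=r.title,
            status="Not Implemented", maturity="Initial",
            risk_level=RISK_FROM_PRIORITY[r.priority],
            assessment_frequency="Annually",
            next_assessment_due=today + ANNUAL,
            owner=lead_assessor or current_user,
        ))
    return created


if __name__ == "__main__":
    in_scope = ["Common Criteria", "Security", "Availability", "Privacy"]
    print(preview(SOC2, in_scope, SAMPLE_REGISTER))
    for item in populate_register(SOC2, in_scope, SAMPLE_REGISTER,
                                  lead_assessor="Sarah Chen", today=DEMO_TODAY):
        print(item.req_id, item.status, item.next_assessment_due, item.owner)
```

With Confidentiality and Processing Integrity deselected, the preview reports 5 requirements in scope, 4 to create and 1 already existing, and the populated items all start as Not Implemented / Initial with the lead assessor as owner.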

Framework Management

Summary Dashboard

The Frameworks tab shows three summary cards at the top:

  • Selected Frameworks — Count of frameworks currently being tracked
  • Available Frameworks — Count of frameworks ready to be added
  • Assessments Due — Count of frameworks with assessments due in the next 30 days

Framework Cards

Each selected framework appears as a card showing:

  • Framework name, code, and version (e.g. ISO 27001:2022, ISO27001, v2022)
  • Priority badge — Color-coded by implementation priority
  • Assessment status — Days until next assessment, or overdue indicator
  • Assessment frequency — How often assessments are scheduled
  • Target completion date — When compliance should be achieved
  • Lead assessor — Assigned team member
  • Domain count — Number of selected domains
  • Implementation notes — Any context added during selection

Example: Framework Card

┌──────────────────────────────────────────────────┐
│  NIST Cybersecurity Framework 2.0   NISTCSF v2.0 │
│  Framework for improving critical infrastructure  │
│  cybersecurity                                    │
│                                                   │
│  🔴 high priority    📅 Due in 47 days            │
│  annually assessments                             │
│                                                   │
│  🎯 Target: Mar 15, 2027                          │
│  👤 Lead: Sarah Chen                              │
│  ⚙ Domains: 6 selected                           │
│                                                   │
│  [Configure]  [Populate Register]  [Remove]       │
└──────────────────────────────────────────────────┘

Removing a Framework

Click Remove on a framework card. A confirmation dialog explains that removing a framework stops active tracking but does not delete existing compliance data. Previously created compliance items, evidence, and assessments remain in your register.

Requirements Library

Each framework includes pre-built requirements with structured metadata. When auto-populated into your compliance register, each requirement becomes a trackable compliance item.

Requirement Fields

  • Requirement ID — Framework-specific identifier (e.g. A.9.1.1, CC6.1, 8.2.1)
  • Title — Short description of the requirement
  • Description — Full requirement text
  • Domain — Parent domain within the framework
  • Control Family — Grouping within the domain
  • Priority — Critical, High, Medium, or Low
  • Type — Preventive, Detective, or Corrective
  • Implementation Guidance — How to implement the requirement
  • Testing Guidance — How to verify compliance
  • Evidence Requirements — What documentation is needed

Example: SOC 2 Requirement

Requirement: CC6.1 — Logical Access Security Software

Priority:    Critical
Type:        Preventive
Domain:      Common Criteria (CC)
Family:      CC6 — Logical and Physical Access Controls

Implementation Guidance:
  Implement comprehensive logical access controls including
  authentication, authorization, and monitoring.

Testing Guidance:
  Test access controls, review user access rights, and
  verify access monitoring mechanisms.

Evidence Required:
  - Access control systems
  - User access reviews
  - Authentication logs
  - Privilege management procedures

Example: ISO 22301 Requirement

Requirement: 8.2.1 — Business Impact Analysis

Priority:    Critical
Type:        Detective
Domain:      Operation (8)
Family:      8.2 — BIA and Risk Assessment

Implementation Guidance:
  Conduct BIA to identify critical activities, assess impacts
  of disruption over time, establish RTOs and RPOs.

Testing Guidance:
  Review BIA methodology, verify impact assessments, confirm
  RTO/RPO targets, and test BIA currency.

Evidence Required:
  - BIA methodology
  - BIA reports
  - RTO/RPO documentation
  - Critical activity register

Multi-Framework Workflows

Cross-Framework Coverage

When you select multiple frameworks, Flow tracks requirements independently per framework. This lets you:

  • See which controls satisfy requirements across multiple frameworks
  • Identify gaps that are specific to a single framework
  • Prioritize work that addresses the most frameworks at once
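The three cross-framework views listed above (shared controls, gaps specific to one framework, and work that covers the most frameworks at once) are worked through below as an added Python example. It is not Flow's code and it assumes something the page does not describe: a control inventory in which each control records the requirement IDs it satisfies per framework and whether it is implemented. CC6.1 is from this page; every other requirement ID and every control-to-requirement mapping is a constructed placeholder.

```python
from collections import defaultdict

# Constructed requirement inventory per framework. CC6.1 appears on the page;
# the other IDs are placeholders, not real clause numbers.
REQUIREMENTS = {
    "SOC2": {"CC6.1", "CC7.X", "A1.X"},
    "ISO27001": {"ISO-1", "ISO-2", "ISO-3"},
    "PCIDSS": {"PCI-1", "PCI-2"},
}

# Constructed control inventory (assumption: a control-to-requirement mapping).
# Each control lists what it satisfies per framework and its implementation state.
CONTROLS = {
    "access-control-policy": {
        "implemented": True,
        "satisfies": {"SOC2": {"CC6.1"}, "ISO27001": {"ISO-1"}, "PCIDSS": {"PCI-1"}},
    },
    "log-monitoring": {
        "implemented": False,
        "satisfies": {"SOC2": {"CC7.X"}, "ISO27001": {"ISO-2"}},
    },
    "dr-failover-test": {
        "implemented": False,
        "satisfies": {"SOC2": {"A1.X"}},
    },
}


def satisfied_requirements(controls, only_implemented=True):
    """Requirement IDs covered per framework; optionally count planned controls too."""
    covered = defaultdict(set)
    for ctl in controls.values():
        if only_implemented and not ctl["implemented"]:
            continue
        for fw, reqs in ctl["satisfies"].items():
            covered[fw] |= set(reqs)
    return covered


def shared_controls(controls):
    """Controls that satisfy requirements in more than one framework."""
    return sorted(name for name, ctl in controls.items() if len(ctl["satisfies"]) > 1)


def open_requirements(requirements, controls):
    """Requirements not yet satisfied by any implemented control, per framework."""
    covered = satisfied_requirements(controls)
    return {fw: sorted(reqs - covered[fw]) for fw, reqs in requirements.items()}


def framework_specific_gaps(requirements, controls):
    """Requirements no control maps to at all: closing them helps only that framework."""
    mapped = satisfied_requirements(controls, only_implemented=False)
    return {fw: sorted(reqs - mapped[fw]) for fw, reqs in requirements.items()}


def rank_pending_controls(controls):
    """Unimplemented controls ordered by frameworks touched, then requirements covered."""
    def score(entry):
        name, ctl = entry
        n_frameworks = len(ctl["satisfies"])
        n_requirements = sum(len(r) for r in ctl["satisfies"].values())
        return (-n_frameworks, -n_requirements, name)
    pending = [(n, c) for n, c in controls.items() if not c["implemented"]]
    return [name for name, _ in sorted(pending, key=score)]


if __name__ == "__main__":
    print("shared controls:", shared_controls(CONTROLS))
    print("open per framework:", open_requirements(REQUIREMENTS, CONTROLS))
    print("framework-specific gaps:", framework_specific_gaps(REQUIREMENTS, CONTROLS))
    print("do next:", rank_pending_controls(CONTROLS))
```

On the sample data, log-monitoring ranks ahead of dr-failover-test because it closes requirements in two frameworks, while ISO-3 and PCI-2 show up as gaps that no shared control will ever close and so need framework-specific work.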

Phased Rollout

A common approach is to start with one framework, build maturity, then expand:

Phase 1: SOC 2 Type II (Months 1–6)
  → Focus: Common Criteria + Security domains
  → Goal: Pass Type II audit

Phase 2: ISO 27001:2022 (Months 4–12)
  → Focus: All 5 domains
  → Goal: Certification readiness
  → Leverage: Existing SOC 2 controls map to many ISO requirements

Phase 3: PCI DSS 4.0 (Months 10–18)
  → Focus: All 4 domains
  → Goal: PCI compliance for payment processing
  → Leverage: Access controls and encryption from SOC 2 / ISO 27001

Getting Started

  1. Navigate to the Compliance > Frameworks tab
  2. Click Add Frameworks and select the ones relevant to your organization
  3. Configure each framework with priority, target date, and lead assessor
  4. Scope domains by deselecting any that aren't applicable
  5. Confirm selection — compliance items are auto-created in your register
  6. Assign ownership of individual compliance items to team members
  7. Begin assessments using the implementation and testing guidance on each item
