Chapter 5
Multi-Framework Mapping
How a single Blankitt control can satisfy requirements in ISO 27001, SOC 2, NIST CSF, and Cyber Essentials simultaneously — and why that makes a multi-framework programme cheaper than the sum of its parts.
The single most important fact about compliance frameworks: they overlap heavily, typically by 50–80% of their requirements. The same control, say "MFA on all admin accounts", satisfies a requirement in ISO 27001, in SOC 2, in NIST CSF, in Cyber Essentials, in PCI DSS, and in NIST 800-53. You implement and test the control once, and you point all six framework requirements at it.
This is why a mature GRC programme is not five times more expensive than a single-framework programme. It's typically 1.3–1.5×.
The mechanics in Blankitt
Blankitt models this with a join table: itsm_control_framework_mappings. Each row is a tuple of (control_id, framework_section_id). A single control row can have ten mappings. A single framework section can be satisfied by three different controls.
When you implement a new control:
- Add it to the Controls library with a description, type, and test frequency.
- From its detail page, click Map to frameworks and pick the relevant sections from each activated framework. Blankitt shows the active frameworks; checkboxes pick the leaf sections.
- Assign a test schedule and an owner.
- Future tests, evidence, and findings hang off the control — not the framework. The framework view projects compliance percentages from the underlying control health.
A worked example
You implement "Quarterly access review". It runs in the IT helpdesk system, the HR offboarding system, and the cloud IAM. You upload a sample of completed reviews each quarter as evidence.
That single control maps to:
- ISO 27001:2022 A.5.18 — Access rights (provisioning, review and removal of access rights).
- SOC 2 CC6.3 — Authorizing, modifying and removing logical access.
- NIST CSF 2.0 PR.AA-05 — Access permissions, entitlements and authorizations are managed, enforced and reviewed.
- NIST 800-53 AC-2(3) — Disable accounts (the base AC-2 control also requires periodic review of accounts).
- CIS Controls v8 6.1 / 6.2 — Establish an access granting process / an access revoking process.
- Cyber Essentials — User access control (one of its five controls).
Six frameworks, one control, one quarterly test, one piece of evidence per quarter. The compliance percentage on each of the six frameworks ticks up because of one piece of work. The same coupling runs the other way: if the quarterly test fails, all six framework views drop together, because they are projections of the one control's health rather than independent scores.
How to start a multi-framework programme
Don't activate every framework at once. The sequence:
- Pick your primary framework — the one driving certification (usually ISO 27001 or SOC 2). Activate it. Build out controls to cover the gaps.
- Activate your secondary framework — the one your customers will eventually ask about. Don't add new controls yet; just look at the overlap. Blankitt's framework view shows which sections are already covered by your existing controls via the mapping table. Surprisingly often, you're already 60–70% covered by accident.
- Address the genuine gaps — the remaining 30–40% of secondary-framework requirements that your primary framework didn't already force you to cover. These are usually narrow, specific things (e.g. the SOC 2 Trust Services Criteria include a Privacy category that ISO 27001 doesn't directly mirror).
- Repeat for the third framework, by which point the marginal cost is small.
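The join table from "The mechanics in Blankitt", the one-control-many-sections fan-out from the worked example, and the overlap and gap check in steps 2 and 3, carried through in SQLite as an added example. This is not Blankitt's code or schema: only the table name itsm_control_framework_mappings and its two columns come from the text. The other table and column names, the sample frameworks, sections and controls, and the rule that a section counts as passing only when every control mapped to it passed its last test are assumptions made for the illustration.

```python
"""Multi-framework mapping as a join table, worked through in SQLite. Added
example: only itsm_control_framework_mappings(control_id, framework_section_id)
comes from the text; other tables, columns and data are assumptions, not Blankitt's."""
import sqlite3

SCHEMA = """
CREATE TABLE frameworks (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE framework_sections (
    id INTEGER PRIMARY KEY,
    framework_id INTEGER NOT NULL REFERENCES frameworks(id),
    ref TEXT NOT NULL, title TEXT NOT NULL,   -- e.g. 'A.5.18', 'Access rights'
    UNIQUE (framework_id, ref));
CREATE TABLE controls (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
    last_test_result TEXT NOT NULL CHECK (last_test_result IN ('pass', 'fail', 'untested')));
-- The join table from the text; the composite key forbids duplicate mappings.
CREATE TABLE itsm_control_framework_mappings (
    control_id INTEGER NOT NULL REFERENCES controls(id),
    framework_section_id INTEGER NOT NULL REFERENCES framework_sections(id),
    PRIMARY KEY (control_id, framework_section_id));
"""

# Constructed sample programme: ISO 27001 primary, SOC 2 secondary, one failing control.
FRAMEWORKS = ["ISO 27001", "SOC 2"]
SECTIONS = [  # (framework, ref, title)
    ("ISO 27001", "A.5.18", "Access rights"),
    ("ISO 27001", "A.5.19", "Information security in supplier relationships"),
    ("ISO 27001", "A.8.5", "Secure authentication"),
    ("SOC 2", "CC6.1", "Logical access security"),
    ("SOC 2", "CC6.3", "Access authorization, modification and removal"),
    ("SOC 2", "CC7.2", "Monitoring for anomalies"),
    ("SOC 2", "CC9.2", "Vendor and business partner risk"),
]
CONTROLS = [("Quarterly access review", "pass"),       # (name, last test result)
            ("Supplier security assessment", "fail"),
            ("MFA on all admin accounts", "pass")]
MAPPINGS = [  # (control, framework, section ref): one control, many sections
    ("Quarterly access review", "ISO 27001", "A.5.18"),
    ("Quarterly access review", "SOC 2", "CC6.3"),
    ("Supplier security assessment", "ISO 27001", "A.5.19"),
    ("Supplier security assessment", "SOC 2", "CC9.2"),
    ("MFA on all admin accounts", "ISO 27001", "A.8.5"),
    ("MFA on all admin accounts", "SOC 2", "CC6.1"),
]

def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample programme."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO frameworks (name) VALUES (?)", [(f,) for f in FRAMEWORKS])
    conn.executemany("INSERT INTO framework_sections (framework_id, ref, title) VALUES "
                     "((SELECT id FROM frameworks WHERE name = ?), ?, ?)", SECTIONS)
    conn.executemany("INSERT INTO controls (name, last_test_result) VALUES (?, ?)", CONTROLS)
    conn.executemany("INSERT INTO itsm_control_framework_mappings VALUES "
                     "((SELECT id FROM controls WHERE name = ?), "
                     " (SELECT s.id FROM framework_sections s JOIN frameworks f "
                     "  ON f.id = s.framework_id WHERE f.name = ? AND s.ref = ?))", MAPPINGS)
    conn.commit()
    return conn

def sections_for_control(conn, control_name):
    """Every framework section one control satisfies: the fan-out."""
    rows = conn.execute(
        "SELECT f.name || ' ' || s.ref FROM itsm_control_framework_mappings m "
        "JOIN controls c ON c.id = m.control_id "
        "JOIN framework_sections s ON s.id = m.framework_section_id "
        "JOIN frameworks f ON f.id = s.framework_id "
        "WHERE c.name = ? ORDER BY f.name, s.ref", (control_name,))
    return [r[0] for r in rows]

def coverage(conn, framework_name):
    """Project a framework's figures from control health: a section is covered when
    a control maps to it, passing when every mapped control passed (assumed rule)."""
    rows = conn.execute(
        "SELECT COUNT(m.control_id), "
        "       SUM(CASE WHEN c.last_test_result = 'pass' THEN 1 ELSE 0 END) "
        "FROM framework_sections s JOIN frameworks f ON f.id = s.framework_id "
        "LEFT JOIN itsm_control_framework_mappings m ON m.framework_section_id = s.id "
        "LEFT JOIN controls c ON c.id = m.control_id "
        "WHERE f.name = ? GROUP BY s.id", (framework_name,)).fetchall()
    total = len(rows)
    covered = sum(1 for mapped, _ in rows if mapped > 0)
    passing = sum(1 for mapped, passed in rows if mapped > 0 and passed == mapped)
    return {"total": total, "covered": covered, "passing": passing,
            "coverage_pct": round(100 * covered / total, 1),
            "compliance_pct": round(100 * passing / total, 1)}

def uncovered_sections(conn, framework_name):
    """The genuine gaps: sections of a framework that no control maps to."""
    rows = conn.execute(
        "SELECT s.ref, s.title FROM framework_sections s "
        "JOIN frameworks f ON f.id = s.framework_id "
        "WHERE f.name = ? AND NOT EXISTS (SELECT 1 FROM itsm_control_framework_mappings m "
        "WHERE m.framework_section_id = s.id) ORDER BY s.ref", (framework_name,))
    return [(ref, title) for ref, title in rows]
```

With the sample data, the ISO 27001 view shows every section covered but only 66.7% passing, because the failing supplier assessment pulls down A.5.19; activating SOC 2 against the same three controls already shows 75% coverage, and uncovered_sections() lists exactly the one genuine gap (CC7.2) that needs a new control. Whether a section with one passing and one failing control counts as passing is a policy decision, not a data-model fact: the any-control-passes alternative is a one-token change to the comparison in coverage(), and it is worth knowing which rule your platform applies before you quote a percentage to an auditor.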
The gotcha — wording variation
Different frameworks describe the same thing differently. ISO 27001 says "supplier relationships" where SOC 2 says "third-party risk management" and NIST 800-53 says "supply chain risk". A naive mapping based on keywords misses overlap.
The Blankitt-supplied frameworks come with mapping suggestions baked in — when you create a control mapped to ISO 27001 A.5.19, the Suggested mappings widget proposes the equivalent SOC 2 / NIST CSF / NIST 800-53 sections. Accept what fits, reject what doesn't.
What you've learned
Across this series:
- Chapter 1 — what a framework actually is.
- Chapter 2 — how to choose your starting framework.
- Chapter 3 — what's inside ISO 27001.
- Chapter 4 — what's inside NIST CSF 2.0.
- Chapter 5 — how multi-framework mapping makes the programme economics work.
The next step is the practical one: activate a framework, walk its hierarchy in Blankitt, and start mapping your existing controls to the requirements. That's where the platform earns its keep.