Compyl
Frameworks

Every framework.
One control library.

Compyl cross-maps a single control library to 70+ compliance frameworks, regulations, and standards. Collect your evidence once, satisfy every framework it applies to, and keep them all continuously audit-ready, instead of running a separate project for each.

Collect once · satisfy many

One piece of evidence. Every framework it satisfies.

Compyl maps each control and its evidence across every framework that requires it. So a single artifact, pulled automatically from your stack, counts everywhere at once.

  • One control library mapped to all 70+ frameworks, no duplicate work per framework.
  • Add the next framework in a fraction of the time, because most of it is already covered by evidence you have.
  • Evidence Health scores every artifact on relevance, freshness, and completeness, so it stays audit-ready.
Example: MFA enforced on all users (pulled automatically from your identity provider). One evidence item satisfies 4 controls:

  • SOC 2 CC6.1
  • ISO 27001 A.8.5
  • PCI DSS 8.4
  • NIST 800-53 IA-2

The full library

70+ frameworks, regulations & standards, and growing

From SOC 2 to the EU AI Act, every framework runs on the same connected evidence. Filter the full library below, or request a demo to see yours mapped to your stack.

  • ACSC Essential Eight – Maturity Level 1 · Framework
  • ACSC Essential Eight – Maturity Level 2 · Framework
  • ACSC Essential Eight – Maturity Level 3 · Framework
  • APRA CPS 234 · Regulation
  • Assured AI Framework (AAIF) · Framework
  • AWS Foundational Technical Review (FTR) · Attestation
  • BSI Cloud Computing Compliance Criteria Catalogue (C5) · Attestation
  • CCPA · Regulation
  • CIS AWS Foundations Benchmark · Standard
  • CIS v8 · Framework
  • CJIS Security Policy · Regulation
  • Cloud Security Alliance Cloud Controls Matrix (CCM) 4.0.1 · Framework
  • CMMC 2.0 Level 1 · Attestation
  • CMMC 2.0 Level 2 · Attestation
  • CMS ARS 5.0 · Standard
  • CMS MARS-E v2.2 · Standard
  • COBIT 2019 · Framework
  • CPRA · Regulation
  • CSA Code of Conduct for GDPR · Framework
  • CSA STAR · Attestation
  • Cyber Risk Institute (CRI) Profile · Framework
  • Cybersecurity Capability Maturity Model (C2M2) · Guidance
  • Digital Services Act (DSA) · Regulation
  • DORA · Regulation
  • ETSI EN 319 401 · Standard
  • EU AI Act · Regulation
  • FedRAMP 20x · Framework
  • FedRAMP High Baseline · Framework
  • FedRAMP Low Baseline · Framework
  • FedRAMP Moderate Baseline · Framework
  • FFIEC Cybersecurity Assessment Tool · Framework
  • FIPA · Regulation
  • GDPR · Regulation
  • GLBA · Regulation
  • GLBA Safeguards Rule · Regulation
  • HIPAA · Regulation
  • ISO 9001 · Certification Standard
  • ISO/IEC 22301 · Certification Standard
  • ISO/IEC 27001:2013 · Certification Standard
  • ISO/IEC 27001:2022 · Certification Standard
  • ISO/IEC 27017:2015 · Standard
  • ISO/IEC 27018 · Standard
  • ISO/IEC 27031:2011 · Standard
  • ISO/IEC 27032 · Guidance
  • ISO/IEC 27701 · Certification Standard
  • ISO/IEC 42001:2023 · Certification Standard
  • LGPD · Regulation
  • Microsoft Supplier Privacy & Security Assurance (SSPA / DPR) · Standard
  • Minimum Viable Secure Product (MVSP) · Guidance
  • MITRE ATT&CK · Guidance
  • MITRE D3FEND · Guidance
  • NCSC Cyber Assessment Framework (CAF) · Framework
  • NERC · Regulation
  • NIS2 Directive · Regulation
  • NIST AI Risk Management Framework · Framework
  • NIST CSF 2.0 · Framework
  • NIST Privacy Framework · Framework
  • NIST Secure Software Development Framework (SSDF) · Guidance
  • NIST SP 800-171 · Standard
  • NIST SP 800-53 · Standard
  • NIST SP 800-66 Rev.2 · Guidance
  • NISTIR 8374 · Guidance
  • NYDFS Cybersecurity Regulation (23 NYCRR Part 500) · Regulation
  • OFDSS (Open Finance Data Security Standard) · Framework
  • OSFI B-13 · Regulation
  • PCI DSS 4.0 · Standard
  • PCI DSS SAQ A · Attestation
  • PCI DSS SAQ A-EP · Attestation
  • SEC Regulation S-P · Regulation
  • Secure Controls Framework (SCF) · Framework
  • SOC 2 · Attestation
  • SOX ITGC · Regulation
  • SWIFT Customer Security Controls Framework · Framework
  • TISAX · Attestation
  • UK Cyber Essentials · Attestation
  • USDP · Framework
  • WCAG 2.2 · Standard

Why Compyl

Built to make every framework take less time than the last

One source of truth

Controls, evidence, and mappings live in one place, connected across governance, risk, and compliance.

Continuous, not point-in-time

Evidence refreshes automatically and is scored for health, so frameworks stay audit-ready year-round.

Agentic AI does the busywork

AI drafts evidence blueprints and maps controls across frameworks; your experts approve what matters.

Frameworks FAQ

Questions about framework coverage

70+ frameworks out of the box, including SOC 2, ISO 27001, ISO 42001, HIPAA, GDPR, CCPA, PCI DSS, NIST CSF, NIST SP 800-53, MAS, and NIS2, plus custom frameworks you define. One control library is cross-mapped to all of them.

Yes. Compyl maps each control and its evidence across every framework it satisfies. Evidence of enforced MFA, for example, can satisfy SOC 2 CC6.1, ISO 27001 A.8.5, PCI DSS 8.4, and NIST 800-53 IA-2 at once, collected one time.

Because your evidence is mapped to a single control library, adding the next framework mostly reuses what you already have. Compyl shows coverage instantly, so only the net-new requirements need attention, making the second and third framework far faster and more efficient than the first.

Yes. Beyond the prebuilt catalog, you can define custom frameworks and internal control sets, then cross-map them to your existing controls and evidence so they stay continuously monitored alongside everything else.

Compyl collects evidence automatically and continuously scores every artifact on relevance, freshness, and completeness with Evidence Health. Gaps and drift surface weeks before an audit, so each framework stays in a live, audit-ready state.

GRC Your Way

See your frameworks, cross-mapped to your stack

One platform for the whole GRC lifecycle, with agentic AI that removes the busywork and leaves your experts in control.
