Cross-compliance mapping: how to unify ISO 27001, NIST CSF, SOC 2, and GDPR in one matrix
A practical look at multi-framework compliance mapping — the traditional spreadsheet approach versus structured, version-pinned skill workflows. Includes real output excerpts and conversation examples.
Organizations that maintain two or three certifications — ISO 27001 plus SOC 2, or NIST 800-53 plus CMMC — eventually face the same question: which controls overlap, and where are we doing duplicate work? The answer usually lives in a spreadsheet that someone built over several months, linked to a specific person’s institutional knowledge, and that nobody fully trusts after the first framework update.
This article looks at how the Cross-Compliance Matrix skill in Rakenne addresses that problem: what it produces, how the workflow compares to traditional approaches, and where human judgment remains essential.
The traditional approach — and where it breaks down
Multi-framework mapping typically follows one of three paths:
Path 1: The consultant’s spreadsheet. A senior GRC professional builds a mapping in Excel over weeks or months, drawing on experience and published crosswalks (NIST publishes CSF-to-800-53 informative references; ISO provides mapping guides). The result is valuable but fragile: tied to one person, hard to maintain when frameworks update, and difficult to validate for completeness.
Path 2: Custom RAG pipelines. Technical practitioners build retrieval-augmented generation systems to query across framework documents. One veteran consultant described building four separate RAGs — one for policies, one for a blueprint, one for cross-compliance mapping, and one for standards — a 4–5 month infrastructure effort just to get precise answers like “give me which controls are related to some NIST controls, and give me policy clauses where they are covered.”
Path 3: Generic AI prompting. Teams ask ChatGPT or similar tools to map controls. The results look plausible but suffer from a well-documented problem: version hallucination. Models routinely mix ISO 27001:2013 controls (114 controls across 14 domains, A.5–A.18) with the current 2022 version (93 controls across 4 themes, A.5–A.8). As one practitioner noted: “All models hallucinate annex A controls and often mistake :2013 controls instead of using :2022.”
Each path has the same underlying issue: the mapping logic lives in someone’s head or in a custom system, and there’s no programmatic way to validate that every control has been accounted for.
How the Cross-Compliance Matrix skill works
The skill takes a different approach: curated, version-pinned reference files contain the authoritative pairwise mappings, and the agent follows a structured workflow to produce three auditor-ready output documents. The reference files — not the model’s general knowledge — are the source of truth.
The six-phase workflow
| Phase | What happens | Who decides |
|---|---|---|
| 1. Framework selection | You choose 2–5 frameworks from the supported set | You pick what matters for your certifications |
| 2. Workspace scan | Agent checks for existing gap assessment outputs from per-framework skills | Automatic — enriches the matrix if prior work exists |
| 3. Matrix generation | Agent reads pairwise reference files and produces a unified mapping table | Agent follows references; you review the output |
| 4. Gap analysis | Agent identifies controls with no or partial mappings, prioritizes by cross-framework benefit | Agent computes; you validate the priorities |
| 5. Executive summary | Coverage scores, top 10 gaps, recommendations | Agent drafts; you adjust for your org’s context |
| 6. Validation | check_cross_compliance_coverage tool verifies matrix completeness | Programmatic — pass/fail, not opinion |
The key difference from generic prompting: the agent must read the reference files first and is instructed not to generate mappings from memory. Each reference file specifies the exact framework version (ISO 27001:2022, NIST CSF 2.0, GDPR EU 2016/679) and uses framework-native control IDs.
Side-by-side: traditional vs. skill workflow
| Dimension | Traditional (spreadsheet/RAG) | Cross-Compliance Matrix skill |
|---|---|---|
| Time to first matrix | Weeks to months (manual research) | Single session (~30–60 minutes) |
| Version accuracy | Depends on author's knowledge; no automated check | Version-pinned reference files (ISO 27001:2022, NIST CSF 2.0); mappings are read from the files rather than from model memory, so the 2013/2022 mix-up is not introduced during generation |
| Completeness validation | Manual review (“did I miss any controls?”) | check_cross_compliance_coverage tool counts IDs per framework and flags gaps |
| Maintenance | Manual update when frameworks change | Update reference files; re-run the skill |
| Output format | Typically Excel; varies by consultant | Clause-numbered markdown tables; exportable to Word/PDF |
| Gap prioritization | Consultant judgment (valuable but unstated) | Cross-framework benefit score + regulatory severity, then reviewed by consultant |
| Audit trail | The spreadsheet is the audit trail | Three separate documents (matrix, gap report, executive summary) + validation result |
What the skill does not replace: your understanding of the client’s business, your interpretation of “partial” vs. “full” coverage for their specific context, and your professional judgment about what matters for their next audit.
What the conversation looks like
Here’s a realistic exchange from a session mapping ISO 27001, SOC 2, and GDPR:
You: We’re ISO 27001 certified and starting SOC 2 Type II. Our EU customers also need GDPR evidence. Can you map all three?
Agent: I’ll build a unified matrix for ISO 27001:2022, SOC 2 TSC, and GDPR.
Loading reference files:
- references/framework-metadata.md — control counts and ID patterns
- references/iso27001-to-soc2-tsc.md — 93 Annex A controls mapped to TSC criteria
- references/iso27001-to-gdpr.md — 93 Annex A controls mapped to GDPR articles
Checking workspace for existing assessments… Found output/Gap-Assessment-Report.md from a prior ISO 27001 gap assessment. I'll use your implementation status to enrich the matrix.
You: Go ahead.
Agent: Matrix complete — 93 rows, each with SOC 2 and GDPR mappings plus your current implementation status.
Coverage:
- SOC 2 TSC: 78 Full, 12 Partial, 3 No Mapping (90.3%)
- GDPR: 58 Full, 30 Partial, 5 No Mapping (78.5%)
Now running gap analysis. Top finding: A.5.34 (Privacy and PII protection) maps to both SOC 2 Privacy criteria (P1.1, P2.1) and GDPR Art. 5, 6, 7, 9 — strengthening this single control closes gaps across both target frameworks simultaneously. That’s the highest cross-framework benefit score in your matrix.
The conversation continues through gap analysis and validation. The agent runs check_cross_compliance_coverage at the end to produce a programmatic pass/fail:
Cross-Compliance Matrix — Coverage Report
Frameworks detected: 3
--- Per-Framework Coverage ---
ISO 27001:2022   93 / 93 (100%)
SOC 2 TSC        47 / 50 (94%)
GDPR             19 / 21 (90.5%)
PASS — Matrix covers all detected frameworks.
What the output looks like
The skill produces three documents. Here are excerpts from each.
Cross-Compliance Matrix (excerpt)
| # | ISO 27001 ID | Title | SOC 2 TSC | GDPR | Notes |
|---|---|---|---|---|---|
| 1 | A.5.1 | Policies for information security | CC1.1, CC1.2, CC5.3 (Full) | Art. 24, Art. 32 (Full) | |
| 9 | A.5.9 | Inventory of assets | CC6.1 (Full) | Art. 30 (Full) | GDPR ROPA aligns directly |
| 14 | A.5.14 | Information transfer | CC6.7 (Full) | Art. 44, Art. 46 (Full) | GDPR Chapter V transfers |
| 19 | A.5.19 | Supplier relationships | CC9.2 (Full) | Art. 28 (Full) | GDPR processor agreements |
| 24 | A.5.24 | Incident management | CC7.3, CC7.4 (Full) | Art. 33 (Full) | GDPR 72-hour notification |
| 34 | A.5.34 | Privacy and PII | P1.1, P2.1, P3.1 (Full) | Art. 5, 6, 7, 9 (Full) | Core GDPR/SOC 2 Privacy alignment |
| 66 | A.8.10 | Information deletion | CC6.5, P4.2 (Full) | Art. 5, Art. 17 (Full) | Right to erasure |
Each row uses framework-native IDs (A.8.10, CC6.5, Art. 17) — not narrative descriptions. An auditor can trace any mapping back to the specific control or article. A consultant can edit a single row without rewriting the surrounding matrix.
Gap Report (excerpt)
| Rank | Gap ID | Description | Frameworks | Severity | Effort | Benefit |
|---|---|---|---|---|---|---|
| 1 | GAP-001 | Privacy/PII protection (A.5.34) partial | SOC 2, GDPR | Mandatory | Medium | 2 |
| 2 | GAP-002 | Data subject rights (GDPR Art. 15–22) | GDPR | Mandatory | Medium | 1 |
| 3 | GAP-003 | Information deletion (A.8.10) | SOC 2, GDPR | Mandatory | Low | 2 |
The gap report ranks by cross-framework benefit (how many frameworks does fixing this gap satisfy?) multiplied by regulatory severity (GDPR carries mandatory fines; SOC 2 is a voluntary attestation). This surfaces the highest-value remediations first: implementing A.8.10 (information deletion) is a low-effort fix that closes gaps across both SOC 2 and GDPR at once. Note that the excerpt's order is not the raw product alone: GAP-002 (benefit 1) sits above GAP-003 (benefit 2) although both are Mandatory, which is the kind of ordering the consultant review in phase 4 exists to confirm or correct.
Executive Summary (excerpt)
| Metric | Value |
|---|---|
| Frameworks mapped | 3 |
| Total unique controls | 164 |
| Full cross-framework mappings | 136 (82.9%) |
| Gaps (no mapping) | 8 (4.9%) |
| Overall coverage | 90.4% |
Top recommendation: Implement data subject rights procedures (GDPR Art. 15–22). No direct ISO 27001 control exists for this — it is a standalone GDPR obligation that requires a dedicated implementation regardless of other framework coverage.
What the validation tool actually checks
The check_cross_compliance_coverage tool is not an opinion — it’s a programmatic check that:
- Detects frameworks from the matrix table headers
- Extracts control IDs using framework-specific regex patterns anchored to table rows (e.g., A.N.N for ISO 27001, CCN.N for SOC 2)
- Counts found vs. expected per framework (93 for ISO 27001, 50 for SOC 2 TSC, 21 for GDPR key articles)
- Flags incomplete rows — any table row with an empty cell for a selected framework
The tool reports PASS when all frameworks are covered, or WARN with the specific missing control IDs and incomplete row numbers. Read the per-framework counts alongside the verdict: in the report above, SOC 2 TSC shows 47/50 and GDPR 19/21 next to a PASS, so the count lines, not the PASS line alone, tell you what still needs a mapping before sign-off. This is the kind of completeness check that would take hours to do manually on a 93-row matrix across three frameworks.
When this skill is most (and least) useful
Most useful when:
- Your organization holds or pursues 2+ certifications and needs to show unified compliance
- You’re a consultant running multi-framework engagements and want a repeatable, validated starting point
- You need to demonstrate to an auditor that controls satisfy requirements across frameworks simultaneously
- You’re prioritizing remediation and want to fix the fewest controls to close the most gaps
Less useful when:
- You only work with a single framework (use the dedicated per-framework skills instead)
- You need deeply customized mappings that diverge from published crosswalks (the reference files are the source of truth; custom mappings require editing them)
- You need real-time integration with GRC platforms like ServiceNow or OneTrust (this produces documents, not API integrations)
Try it
The Cross-Compliance Matrix skill is available in the skill library. Start by selecting ISO 27001 plus one target framework (the simplest pair) and review the output before scaling to 3–5 frameworks. If you've already run per-framework gap assessments in Rakenne (ISO 27001, SOC 2, NIST 800-53, or GDPR), the skill automatically reads those outputs to enrich the matrix with your current implementation status.
Start a free trial with the ISO 27001 workspace
Summary. Multi-framework compliance mapping is one of those tasks that practitioners know is valuable but rarely get right in a sustainable way — the spreadsheet drifts, the RAG pipeline breaks, the generic AI hallucinates control versions. The Cross-Compliance Matrix skill addresses this with version-pinned reference files, a structured six-phase workflow, and programmatic validation. Your role stays where it belongs: interpreting coverage for your specific context, validating priorities against business reality, and signing off on what goes to the auditor.