Overview
Organizations pursuing multiple certifications often implement overlapping controls without realizing a single implementation can satisfy requirements across ISO 27001, NIST CSF, SOC 2, GDPR, and NIS2/DORA simultaneously. This skill produces a unified cross-compliance matrix that maps controls across 2-5 frameworks, identifies coverage gaps, and prioritizes remediation by how many frameworks benefit from each fix.
All mappings come from version-pinned reference files (ISO 27001:2022, NIST CSF 2.0, GDPR EU 2016/679) — not from model memory — eliminating the version hallucination problem (e.g., mixing 2013 and 2022 ISO 27001 controls) that plagues generic AI prompting for GRC work.
What It Covers
- Unified compliance matrix — maps all 93 ISO 27001:2022 Annex A controls to their equivalents across selected target frameworks, using framework-native control IDs
- Coverage scoring — Full, Partial, or No Mapping per control, with per-framework and overall coverage percentages
- Gap analysis — identifies controls required by one framework but not covered by others, prioritized by cross-framework benefit and regulatory severity
- Remediation plan — ranks gaps so implementing one control closes the most certification gaps at once
- Upstream artifact consumption — optionally reads existing gap assessment outputs from per-framework skills to pre-populate implementation status
Supported Framework Pairs
| Hub Framework | Target Framework | Reference |
|---|---|---|
| ISO 27001:2022 | NIST CSF 2.0 | 93 controls mapped to ~106 subcategories |
| ISO 27001:2022 | SOC 2 TSC | 93 controls mapped to 50 criteria |
| ISO 27001:2022 | GDPR | 93 controls mapped to 21 key articles |
| ISO 27001:2022 | NIS2 / DORA | 93 controls mapped to Art. 21 measures + Art. 5-16 |
| NIST 800-53 Rev 5 | CMMC Level 2 | Control families mapped to 110 practices |
Example Conversation
You: We hold ISO 27001 certification and just started a SOC 2 Type II engagement. We also need to demonstrate GDPR compliance to our EU customers. Can you map our controls across all three frameworks?
Agent: I’ll produce a unified cross-compliance matrix for ISO 27001:2022, SOC 2 TSC, and GDPR. Let me load the reference files.
Reading references/framework-metadata.md… Reading references/iso27001-to-soc2-tsc.md… Reading references/iso27001-to-gdpr.md…
Before I build the matrix, let me check your workspace for existing gap assessments that can pre-populate coverage status.
Found: output/Gap-Assessment-Report.md from a prior ISO 27001 gap assessment. I’ll use this to mark which controls are already implemented.
You: Great, go ahead and build the matrix.
Agent: Building the matrix with all 93 Annex A controls. For each control I’m recording the SOC 2 TSC equivalent(s), the GDPR article mapping, and implementation status from your prior assessment.
Here’s a preview of the first few rows:
| ISO 27001 ID | Title | SOC 2 TSC | GDPR | Status |
|---|---|---|---|---|
| A.5.1 | Policies for information security | CC1.1, CC1.2, CC5.3 (Full) | Art. 24, Art. 32 (Full) | Implemented |
| A.5.2 | Roles and responsibilities | CC1.2, CC1.3 (Full) | Art. 24, Art. 37 (Full) | Implemented |
| A.5.3 | Segregation of duties | CC5.1 (Full) | Art. 32 (Partial) | Partial |
Matrix complete — 93 rows populated. Writing to output/Cross-Compliance-Matrix.md.
Coverage summary:
- SOC 2 TSC: 78 Full, 12 Partial, 3 No Mapping → 90.3% coverage
- GDPR: 58 Full, 30 Partial, 5 No Mapping → 78.5% coverage
Now analyzing gaps. I found 14 priority gaps. The top 3:
- GAP-001: Privacy and PII protection (A.5.34) — Maps to GDPR Art. 5, 6, 7, 9 and SOC 2 P1.1, P2.1. Your current implementation is partial. Closing this gap satisfies both frameworks. Severity: Mandatory (GDPR).
- GAP-002: Data subject rights procedures — Required by GDPR Art. 15-22, no direct ISO 27001 control. Needs standalone implementation. Severity: Mandatory (GDPR).
- GAP-003: Information deletion (A.8.10) — Maps to GDPR Art. 17 (right to erasure) and SOC 2 CC6.5, P4.2. Currently not implemented. Closing this satisfies 2 frameworks.
You: Run the validation tool on the matrix.
Agent: Running check_cross_compliance_coverage on output/Cross-Compliance-Matrix.md…
```
========================================================================
Cross-Compliance Matrix — Coverage Report
========================================================================
Frameworks detected: 3

--- Per-Framework Coverage ---
ISO 27001:2022    93 / 93   (100%)
SOC 2 TSC         47 / 50   (94%)
GDPR              19 / 21   (90.5%)

Overall: 159 / 164 control IDs found (97%)

PASS — Matrix covers all detected frameworks.
========================================================================
```
All three output files are ready: the matrix, gap report, and executive summary.
Sample Output Excerpt
Below is a representative excerpt from a generated cross-compliance matrix and gap report for an ISO 27001 + SOC 2 + GDPR mapping.
Cross-Compliance Matrix (excerpt)
| # | ISO 27001 ID | ISO 27001 Title | SOC 2 TSC | GDPR | Notes |
|---|---|---|---|---|---|
| 1 | A.5.1 | Policies for information security | CC1.1, CC1.2, CC5.3 (Full) | Art. 24, Art. 32 (Full) | |
| 2 | A.5.2 | Information security roles and responsibilities | CC1.2, CC1.3 (Full) | Art. 24, Art. 37, Art. 38 (Full) | GDPR DPO role maps to Art. 37-38 |
| 3 | A.5.3 | Segregation of duties | CC5.1 (Full) | Art. 32 (Partial) | GDPR addresses indirectly via security measures |
| 9 | A.5.9 | Inventory of information and other associated assets | CC6.1 (Full) | Art. 30 (Full) | GDPR ROPA requirement aligns directly |
| 14 | A.5.14 | Information transfer | CC6.7 (Full) | Art. 44, Art. 46 (Full) | GDPR international transfer rules (Ch. V) |
| 19 | A.5.19 | Information security in supplier relationships | CC9.2 (Full) | Art. 28 (Full) | GDPR processor agreements (Art. 28) |
| 24 | A.5.24 | Incident management planning | CC7.3, CC7.4 (Full) | Art. 33 (Full) | GDPR 72-hour notification requirement |
| 34 | A.5.34 | Privacy and protection of PII | P1.1, P2.1, P3.1 (Full) | Art. 5, 6, 7, 9 (Full) | Core GDPR alignment |
| 66 | A.8.10 | Information deletion | CC6.5, P4.2 (Full) | Art. 5, Art. 17 (Full) | GDPR right to erasure |
| 80 | A.8.24 | Use of cryptography | CC6.1, CC6.7 (Full) | Art. 32 (Full) | |
Coverage Summary
| Framework | Controls in Framework | ISO Controls: Full | ISO Controls: Partial | ISO Controls: No Mapping | Coverage % |
|---|---|---|---|---|---|
| ISO 27001:2022 | 93 | — | — | — | Hub |
| SOC 2 TSC | 50 | 78 mappings | 12 mappings | 3 controls | 90.3% |
| GDPR | 21 | 58 mappings | 30 mappings | 5 controls | 78.5% |
Gap Report (top 5 excerpt)
| Rank | Gap ID | Description | Frameworks | Severity | Effort | Benefit |
|---|---|---|---|---|---|---|
| 1 | GAP-001 | Privacy/PII protection gap (A.5.34 partial) | 2 — SOC 2, GDPR | Mandatory | Medium | 2 |
| 2 | GAP-002 | Data subject rights procedures (GDPR Art. 15-22) | 1 — GDPR | Mandatory | Medium | 1 |
| 3 | GAP-003 | Information deletion (A.8.10 not implemented) | 2 — SOC 2, GDPR | Mandatory | Low | 2 |
| 4 | GAP-004 | Confidentiality agreements (A.6.6) — SOC 2 only | 1 — SOC 2 | Voluntary | Low | 1 |
| 5 | GAP-005 | Return of assets (A.5.11) — SOC 2 only | 1 — SOC 2 | Voluntary | Low | 1 |
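The gap report above ranks each gap by regulatory severity and by how many frameworks one fix serves. The following Python sketch is an added example (not the skill's own code) of deriving that benefit count and ranking from matrix rows: a control that is not yet Implemented is a gap, its benefit is the number of target frameworks with a Full or Partial mapping to it, and a gap that touches GDPR, NIS2 or DORA is treated as Mandatory. The regulatory/voluntary split, the sort key (Mandatory first, then highest benefit, then lowest effort) and the sample rows are this example's assumptions; note that under this key the low-effort A.8.10 gap ranks ahead of A.5.34, whereas the page's own report puts GAP-001 first, so the skill evidently weighs factors beyond these three fields.

```python
from typing import Dict, List

# Frameworks the page treats as legal obligations; a gap touching any of them is
# "Mandatory", otherwise "Voluntary" (certification-only). This split and the
# ranking key below are assumptions of this example, chosen to match the
# Severity and Benefit columns of the gap report above.
REGULATORY = {"GDPR", "NIS2", "DORA"}
EFFORT_RANK = {"Low": 0, "Medium": 1, "High": 2}

# Constructed sample: hub controls with per-framework mapping strength and
# implementation status, plus one framework-only requirement with no hub control.
SAMPLE_ROWS = [
    {"control": "A.5.34", "title": "Privacy and protection of PII", "status": "Partial",
     "effort": "Medium", "mappings": {"SOC 2": "Full", "GDPR": "Full"}},
    {"control": "A.8.10", "title": "Information deletion", "status": "Not Implemented",
     "effort": "Low", "mappings": {"SOC 2": "Full", "GDPR": "Full"}},
    {"control": "A.6.6", "title": "Confidentiality agreements", "status": "Not Implemented",
     "effort": "Low", "mappings": {"SOC 2": "Full", "GDPR": "No Mapping"}},
    {"control": "A.5.1", "title": "Policies for information security", "status": "Implemented",
     "effort": "Low", "mappings": {"SOC 2": "Full", "GDPR": "Full"}},
    {"control": None, "title": "Data subject rights procedures (GDPR Art. 15-22)",
     "status": "Not Implemented", "effort": "Medium", "mappings": {"GDPR": "Full"}},
]

def find_gaps(rows: List[Dict]) -> List[Dict]:
    """A gap is any row not yet Implemented; its benefit is the number of target
    frameworks that map to it (Full or Partial), i.e. how many certifications one fix serves."""
    gaps = []
    for row in rows:
        if row["status"] == "Implemented":
            continue
        frameworks = sorted(fw for fw, s in row["mappings"].items() if s in ("Full", "Partial"))
        gaps.append({
            "control": row["control"], "title": row["title"], "status": row["status"],
            "frameworks": frameworks, "benefit": len(frameworks), "effort": row["effort"],
            "severity": "Mandatory" if REGULATORY & set(frameworks) else "Voluntary",
            "standalone": row["control"] is None,  # no hub control: needs its own implementation
        })
    return gaps

def rank_gaps(gaps: List[Dict]) -> List[Dict]:
    """Regulatory gaps first, then most frameworks served, then least effort; title breaks ties."""
    return sorted(gaps, key=lambda g: (g["severity"] != "Mandatory", -g["benefit"],
                                       EFFORT_RANK[g["effort"]], g["title"]))

def remediation_plan(rows: List[Dict]) -> List[Dict]:
    """Ranked gaps with a running total of framework gaps closed, so the reader can see
    how many certification gaps each successive fix closes."""
    plan, closed = [], 0
    for rank, gap in enumerate(rank_gaps(find_gaps(rows)), start=1):
        closed += gap["benefit"]
        plan.append(dict(gap, rank=rank, cumulative_closed=closed))
    return plan
```

Running `remediation_plan(SAMPLE_ROWS)` yields four gaps (the Implemented A.5.1 row is skipped): the two Mandatory gaps serving both SOC 2 and GDPR come first, the GDPR-only data subject rights requirement is flagged as standalone, and the SOC 2-only confidentiality agreements gap ranks last as Voluntary.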
Extension Tools
check_cross_compliance_coverage
Validates a generated cross-compliance matrix for completeness and coverage. The tool reads the matrix markdown file, detects which frameworks are present, and reports coverage statistics.
What it checks:
| Check | How |
|---|---|
| Framework detection | Scans table headers for framework names (ISO 27001, NIST CSF, SOC 2, GDPR, NIS2, DORA, NIST 800-53, CMMC) |
| Control ID extraction | Applies framework-specific regex patterns to table rows only (lines starting with a pipe character) |
| Coverage percentage | Computes found IDs vs expected count per framework |
| Incomplete rows | Flags table rows with empty cells for selected frameworks |
Supported framework ID patterns:
| Framework | Pattern | Example |
|---|---|---|
| ISO 27001:2022 | A.N.N | A.8.1 |
| NIST CSF 2.0 | FN.CC-NN | PR.DS-01 |
| SOC 2 TSC | CCN.N, AN.N, CN.N, PIN.N, PN.N | CC6.1 |
| GDPR | Art. N | Art. 32 |
| NIS2 | NIS2 Art. N | NIS2 Art. 21 |
| DORA | DORA Art. N | DORA Art. 5 |
| NIST 800-53 | FF-N or FF-N(N) | AC-2, AC-2(1) |
| CMMC | N.N.N | 3.1.1 |
Output: A structured report with per-framework counts, coverage percentages, warnings for missing IDs or empty cells, and an overall PASS/WARN result.
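To make the checks above concrete, here is an added Python example (not the skill's own check_cross_compliance_coverage tool) that performs the same four steps on a markdown matrix: it detects frameworks from table headers, applies one regex per framework from the pattern table to table rows only, computes found-versus-expected coverage, and flags rows with empty framework cells. It also reproduces the Coverage Summary scoring from the sample output (Full counts as 1, Partial as 0.5, divided by the number of hub controls, which gives the page's 90.3% and 78.5%). The expected counts come from the Supported Framework Pairs table; the 80% PASS threshold, the first-table-only parsing, the "(Full)"/"(Partial)" cell tags and the sample matrix (four rows from the excerpt above plus one constructed row with an empty GDPR cell) are this example's assumptions.

```python
import re
from typing import Dict, List, Set

# Expected ID counts from the "Supported Framework Pairs" table on this page (NIST CSF uses
# the page's "~106"); frameworks with no count there (NIS2, DORA, NIST 800-53) get presence only.
EXPECTED_COUNTS = {"ISO 27001": 93, "NIST CSF": 106, "SOC 2": 50, "GDPR": 21, "CMMC": 110}

# One regex per framework, following the ID pattern table above; the bare GDPR "Art. N"
# pattern must not claim "NIS2 Art. N" or "DORA Art. N".
ID_PATTERNS = {
    "ISO 27001": re.compile(r"\bA\.\d+\.\d+\b"),
    "NIST CSF": re.compile(r"\b[A-Z]{2}\.[A-Z]{2}-\d{2}\b"),
    "SOC 2": re.compile(r"\b(?:CC|PI|A|C|P)\d+\.\d+\b"),
    "GDPR": re.compile(r"(?<!NIS2 )(?<!DORA )\bArt\. \d+\b"),
    "NIS2": re.compile(r"\bNIS2 Art\. \d+\b"),
    "DORA": re.compile(r"\bDORA Art\. \d+\b"),
    "NIST 800-53": re.compile(r"\b[A-Z]{2}-\d+(?:\(\d+\))?(?!\d)"),
    "CMMC": re.compile(r"\b\d+\.\d+\.\d+\b"),
}

# Constructed input: four rows from the excerpt above plus one constructed row (A.8.11)
# whose GDPR cell is deliberately empty, to exercise the incomplete-row check.
SAMPLE_MATRIX = """\
| # | ISO 27001 ID | ISO 27001 Title | SOC 2 TSC | GDPR | Notes |
|---|---|---|---|---|---|
| 1 | A.5.1 | Policies for information security | CC1.1, CC1.2, CC5.3 (Full) | Art. 24, Art. 32 (Full) | |
| 3 | A.5.3 | Segregation of duties | CC5.1 (Full) | Art. 32 (Partial) | addressed indirectly |
| 24 | A.5.24 | Incident management planning | CC7.3, CC7.4 (Full) | Art. 33 (Full) | 72-hour notification |
| 66 | A.8.10 | Information deletion | CC6.5, P4.2 (Full) | Art. 5, Art. 17 (Full) | right to erasure |
| 67 | A.8.11 | Data masking | CC6.1 (Partial) | | constructed row, GDPR cell left empty |
"""

def cells(line: str) -> List[str]:
    """Stripped cells of a markdown table line, outer pipes removed."""
    return [c.strip() for c in line.strip().strip("|").split("|")]

def is_separator(line: str) -> bool:
    return line.startswith("|") and all(c and set(c) <= set("-: ") for c in cells(line))

def parse_matrix(text: str):
    """Header cells and data rows of the first table; only lines starting with '|' count."""
    lines = [ln.strip() for ln in text.splitlines()]
    header, rows = [], []
    for i, ln in enumerate(lines):
        if header and not ln.startswith("|"):
            break  # the matrix table ends at the first non-table line
        if ln.startswith("|") and not is_separator(ln):
            if header:
                rows.append(cells(ln))
            elif i + 1 < len(lines) and is_separator(lines[i + 1]):
                header = cells(ln)
    return header, rows

def detect_frameworks(header: List[str]) -> Dict[str, List[int]]:
    """Frameworks named in the header, with the column indexes that carry them."""
    return {name: [i for i, c in enumerate(header) if name in c]
            for name in ID_PATTERNS if any(name in c for c in header)}

def extract_ids(rows, frameworks) -> Dict[str, Set[str]]:
    """Run each detected framework's regex over whole data rows, as the checker does."""
    return {name: {m for row in rows for m in ID_PATTERNS[name].findall(" | ".join(row))}
            for name in frameworks}

def incomplete_rows(rows, frameworks) -> List[str]:
    """Rows with a missing or empty cell in a framework column (first cell labels the row)."""
    return [f"row {row[0]}: empty {name} cell" for row in rows
            for name, cols in frameworks.items()
            if any(col >= len(row) or row[col] == "" for col in cols)]

def weighted_coverage(full: int, partial: int, total: int) -> float:
    """Coverage % as in the summary above: Full counts 1, Partial 0.5, per hub control."""
    return round(100.0 * (full + 0.5 * partial) / total, 1)

def mapping_strength(rows, frameworks, hub: str = "ISO 27001") -> Dict[str, Dict[str, float]]:
    """Full / Partial / No Mapping tallies per target framework from the '(Full)' cell tags."""
    out = {}
    for name, cols in frameworks.items():
        if name == hub:
            continue  # every row is one of the hub's own controls
        tally = {"Full": 0, "Partial": 0, "No Mapping": 0}
        for row in rows:
            cell = row[cols[0]] if cols[0] < len(row) else ""
            tally["Full" if "(Full)" in cell else "Partial" if "(Partial)" in cell else "No Mapping"] += 1
        out[name] = dict(tally, pct=weighted_coverage(tally["Full"], tally["Partial"], len(rows)))
    return out

def check_matrix(text: str, threshold: float = 80.0) -> Dict:
    """Coverage report; WARN on incomplete rows or any framework under `threshold` percent
    (the threshold is this example's assumption, not the skill's documented rule)."""
    header, rows = parse_matrix(text)
    frameworks = detect_frameworks(header)
    per_fw = {}
    for name, found in extract_ids(rows, frameworks).items():
        expected = EXPECTED_COUNTS.get(name)
        pct = round(100.0 * len(found) / expected, 1) if expected else None
        per_fw[name] = {"found": len(found), "expected": expected, "pct": pct}
    exp_total = sum(v["expected"] for v in per_fw.values() if v["expected"])
    found_total = sum(v["found"] for v in per_fw.values() if v["expected"])
    warnings = incomplete_rows(rows, frameworks) + [
        f"{n}: {v['pct']}% under {threshold}%" for n, v in per_fw.items()
        if v["pct"] is not None and v["pct"] < threshold]
    return {"frameworks": sorted(frameworks), "per_framework": per_fw,
            "overall_pct": round(100.0 * found_total / exp_total, 1) if exp_total else None,
            "mapping_strength": mapping_strength(rows, frameworks),
            "warnings": warnings, "result": "WARN" if warnings else "PASS"}
```

On the five-row sample, `check_matrix(SAMPLE_MATRIX)` detects ISO 27001, SOC 2 and GDPR, finds 5, 9 and 5 unique IDs (19 of 164 overall), tallies 4 Full / 1 Partial for SOC 2 and 3 Full / 1 Partial / 1 No Mapping for GDPR, and returns WARN because row 67 has an empty GDPR cell and every framework is far below the threshold. Because the regexes run over whole rows rather than their own column, an "Art. N" citation in the Notes column also counts toward GDPR, which is worth knowing when reading the tool's coverage figures.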
Getting Started
Activate the Cross-Compliance Matrix skill and tell the agent which frameworks you want to map. Select 2-5 from the supported set: ISO 27001:2022 (always included as hub), NIST CSF 2.0, SOC 2 TSC, GDPR, NIS2/DORA, or NIST 800-53/CMMC.
For best results, have these ready:
- Your list of target certifications or regulatory obligations
- Any existing gap assessment outputs from per-framework skills (the agent auto-detects these in the workspace)
- Current implementation status for key control areas, if known
The agent guides you through a 6-phase workflow:
- Framework selection — choose which frameworks to map
- Workspace scan — auto-detect prior gap assessments to pre-populate coverage
- Matrix generation — build the unified mapping table from authoritative reference files
- Gap analysis — identify and prioritize cross-framework gaps
- Executive summary — coverage scores, top gaps, and recommendations
- Validation — run check_cross_compliance_coverage to verify completeness
If you’ve already run the ISO 27001 Gap Assessment, SOC 2 Readiness Gap Analysis, NIST 800-53 Gap Analysis, or GDPR Gap Assessment skills, the cross-compliance matrix will automatically consume their outputs to enrich coverage status.