Supported Frameworks

How Govula supports multiple compliance frameworks with unified control management.

This section is intended for: Technical Team, Auditor, Management, End User. Unauthorised access is restricted.

Multi-Framework Support

Most organizations must comply with multiple frameworks simultaneously. A healthcare organization might need DSPT, ISO 27001, and Cyber Essentials. A financial services firm might require SOC 2, PCI DSS, and ISO 27001.

Govula is designed for this reality. You can select multiple frameworks for your organization, and the platform manages them in a unified system rather than as separate, disconnected efforts.

Currently Supported Frameworks

ISO/IEC 27001:2022

The international standard for information security management systems (ISMS). Annex A of the 2022 edition contains 93 controls organized into 4 themes: Organizational (37), People (8), Physical (14), and Technological (34).

93 Controls | 4 Themes | Certification Standard

SOC 2 (Type I & II)

The AICPA framework for service organizations. Based on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type I report attests to the design of controls at a point in time; a Type II report also attests to their operating effectiveness over a review period.

5 Trust Criteria | Common Criteria | Attestation Report

NIST Cybersecurity Framework (CSF) 2.0

The US National Institute of Standards and Technology framework. Organized into 6 functions: Govern, Identify, Protect, Detect, Respond, and Recover.

6 Functions | Implementation Tiers | Risk-Based

PCI DSS 4.0

The Payment Card Industry Data Security Standard. Required for any organization that stores, processes, or transmits cardholder data.

12 Requirements | Payment Data | Mandatory Compliance

DSPT (Data Security and Protection Toolkit)

The UK NHS self-assessment tool for data security, structured around the National Data Guardian's 10 data security standards. Required for all organizations with access to NHS patient data and systems.

10 Standards | NHS Mandatory | Annual Assessment

Cyber Essentials / Cyber Essentials Plus

The UK government-backed scheme for basic cyber hygiene, covering five technical controls: firewalls, secure configuration, security update management, user access control, and malware protection. Cyber Essentials is self-assessed; Cyber Essentials Plus adds independent hands-on testing of the same controls. Required for many UK central government contracts that involve handling personal data or providing certain ICT services.

5 Technical Controls | UK Government | Annual Certification

Control Normalization

Different frameworks express similar requirements in different ways. ISO 27001 might require "access control," while SOC 2 addresses "logical and physical access controls," and PCI DSS specifies "restrict access to cardholder data."

Govula normalizes controls by identifying common themes and requirements across frameworks. This allows you to:

  • Implement a control once and satisfy multiple framework requirements
  • Collect evidence once and apply it across frameworks
  • See unified compliance status rather than managing separate assessments
  • Identify gaps where frameworks have unique requirements

Control Mapping

The platform maintains explicit mappings between controls in different frameworks. When controls overlap, these relationships are documented and used to avoid duplicated implementation and evidence collection.

Example Control Mapping

Control Theme        ISO 27001          SOC 2          NIST CSF 2.0
Access Control       A.5.15, A.8.2      CC6.1, CC6.2   PR.AA-01
Encryption           A.8.24             CC6.7          PR.DS-01
Incident Response    A.5.24-A.5.28      CC7.4, CC7.5   RS.MA-01

When you implement access controls and provide evidence, that evidence is automatically associated with all mapped controls across your selected frameworks.

Handling Overlapping Controls

When controls overlap, the platform takes the most stringent interpretation so that one implementation meets every framework's requirement. For example:

If ISO 27001 requires password complexity and PCI DSS requires passwords of at least 12 characters, implementing complex passwords of at least 12 characters satisfies both. The strictest value is chosen per parameter: the longest minimum length, the shortest review interval, and MFA wherever any framework demands it.

If SOC 2 requires access reviews and ISO 27001 requires periodic access review, the platform tracks both requirements against the same control implementation. Where two frameworks ask for genuinely different things rather than different thresholds of the same thing, both remain visible as separate requirements on that control, so a stricter threshold on one does not hide a gap on the other.
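The following is an added example illustrating the Control Normalization, Control Mapping and Handling Overlapping Controls sections together; it is not Govula's code or data model. It assumes the three-framework mapping shown in the table above, a constructed and deliberately partial control list per framework (NIST CSF GV.OC-01 is listed with no mapping purely to exercise the "unique requirement" gap path), and illustrative parameter thresholds that are not quotations of any standard. Evidence attached to a canonical control is credited to every framework control mapped to it, and overlapping numeric or boolean requirements are merged by taking the strictest value.

```python
"""Unified control model (illustrative): map canonical controls to framework
control IDs, propagate evidence, report per-framework status, and merge
overlapping parameter requirements by taking the strictest value."""
from collections import defaultdict

# Canonical controls -> framework control IDs. Taken from the example mapping
# table on this page; the three-framework scope is an assumption of the example.
CONTROL_MAP = {
    "access_control": {
        "ISO 27001": {"A.5.15", "A.8.2"},
        "SOC 2": {"CC6.1", "CC6.2"},
        "NIST CSF": {"PR.AA-01"},
    },
    "encryption": {
        "ISO 27001": {"A.8.24"},
        "SOC 2": {"CC6.7"},
        "NIST CSF": {"PR.DS-01"},
    },
    "incident_response": {
        "ISO 27001": {"A.5.24", "A.5.25", "A.5.26", "A.5.27", "A.5.28"},
        "SOC 2": {"CC7.4", "CC7.5"},
        "NIST CSF": {"RS.MA-01"},
    },
}

# Constructed, deliberately partial control lists per framework. GV.OC-01 is
# listed with no mapping so the "framework-unique requirement" gap path runs.
FRAMEWORK_CONTROLS = {
    "ISO 27001": {"A.5.15", "A.8.2", "A.8.24",
                  "A.5.24", "A.5.25", "A.5.26", "A.5.27", "A.5.28"},
    "SOC 2": {"CC6.1", "CC6.2", "CC6.7", "CC7.4", "CC7.5"},
    "NIST CSF": {"PR.AA-01", "PR.DS-01", "RS.MA-01", "GV.OC-01"},
}

# How overlapping numeric/boolean requirements combine: strictest value wins.
MERGE_RULES = {
    "min_password_length": max,   # longer minimum length is stricter
    "review_interval_days": min,  # more frequent review is stricter
    "mfa_required": any,          # required if any framework requires it
}


def mapped_controls(canonical, selected):
    """(framework, control_id) pairs one canonical control satisfies."""
    return {(fw, cid) for fw, ids in CONTROL_MAP[canonical].items()
            if fw in selected for cid in ids}


def compliance_status(evidence, selected):
    """evidence: {canonical_control: [evidence_ids]}.
    Evidence attached to a canonical control is credited to every mapped
    framework control. Returns, per selected framework, the controls that are
    satisfied, mapped but lacking evidence, and not mapped at all (gaps)."""
    satisfied, covered = defaultdict(set), defaultdict(set)
    for canonical in CONTROL_MAP:
        for fw, cid in mapped_controls(canonical, selected):
            covered[fw].add(cid)
            if evidence.get(canonical):
                satisfied[fw].add(cid)
    return {
        fw: {
            "satisfied": satisfied[fw] & ids,
            "unsatisfied": (covered[fw] - satisfied[fw]) & ids,
            "unmapped": ids - covered[fw],  # unique requirement: needs its own work
        }
        for fw, ids in FRAMEWORK_CONTROLS.items() if fw in selected
    }


def strictest(requirements):
    """requirements: {framework: {param: value}} -> one merged requirement set
    that satisfies every framework, per MERGE_RULES. Parameters without a
    merge rule are not comparable and are left out for separate tracking."""
    merged = {}
    for param, rule in MERGE_RULES.items():
        values = [r[param] for r in requirements.values() if param in r]
        if values:
            merged[param] = rule(values)
    return merged


if __name__ == "__main__":
    selected = {"ISO 27001", "SOC 2", "NIST CSF"}
    evidence = {"access_control": ["EV-001"], "encryption": ["EV-002"],
                "incident_response": []}
    for fw, status in compliance_status(evidence, selected).items():
        print(fw, {k: sorted(v) for k, v in status.items()})
    # Illustrative thresholds, not quotations of the standards' text.
    print(strictest({
        "ISO 27001": {"review_interval_days": 180, "mfa_required": False},
        "PCI DSS": {"min_password_length": 12, "review_interval_days": 180,
                    "mfa_required": True},
        "SOC 2": {"review_interval_days": 90},
    }))
```

With evidence attached only to access_control and encryption, the status report shows the five ISO incident-response controls and their SOC 2 and NIST counterparts as mapped but unsatisfied, and GV.OC-01 as a framework-unique gap that no shared implementation will close. The merged requirement set comes out as a 12-character minimum, a 90-day review interval and MFA required, which is the only combination that satisfies all three inputs.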

Adding New Frameworks

The framework library is maintained and updated by Govula. When you need a framework that is not currently available:

  1. Contact support with the framework name and version
  2. We assess the framework structure and mapping requirements
  3. The framework is added to the library with control mappings
  4. Your organization can select it and begin assessments

Framework Updates

Compliance frameworks are updated periodically. When a framework is updated (e.g., ISO 27001:2013 to ISO 27001:2022), the platform:

  • Notifies affected organizations of the change
  • Maps old controls to new controls where applicable
  • Identifies new controls that require assessment
  • Highlights removed controls that may affect your Statement of Applicability (SoA)
  • Provides a transition timeline and guidance
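As an added example of the transition logic described in this section, and not Govula's own implementation, the block below carries an old framework version's assessment state across an old-to-new control map and reports what needs a decision. The control identifiers ("1.x" old, "2.x" new), the mapping shapes (one-to-one, merge, split, dropped, brand new) and the evidence IDs are all constructed placeholders for the example, not a real standard's numbering. The rule it applies is that a merged successor inherits its weakest predecessor: if any applicable predecessor lacked evidence, the successor must be reassessed; a successor whose predecessors were all excluded in the SoA stays excluded; a dropped control that was applicable is flagged so the SoA entry can be retired; and a split control is flagged so the reused evidence can be checked against each successor's narrower scope.

```python
"""Framework version transition (illustrative): carry SoA applicability and
evidence from an old control set to its successor via an old->new map, and
report what needs a decision."""
from collections import defaultdict

# Constructed sample. Identifiers "1.x" (old version) and "2.x" (new version)
# are placeholders, not a real standard's numbering; the shapes (one-to-one,
# merge, split, dropped, brand new) are what the example exercises.
OLD_TO_NEW = {
    "1.1": ["2.1"],         # updated in place
    "1.2": ["2.2"],         # 1.2 and 1.3 merged into 2.2
    "1.3": ["2.2"],
    "1.4": ["2.3", "2.4"],  # split into two successors
    "1.5": [],              # dropped: no successor
    "1.6": ["2.6"],
}
NEW_CONTROLS = {"2.1", "2.2", "2.3", "2.4", "2.5", "2.6"}  # 2.5 is brand new

# Constructed old-version assessment state: SoA applicability plus evidence IDs.
OLD_STATE = {
    "1.1": {"applicable": True, "evidence": ["EV-11"]},
    "1.2": {"applicable": True, "evidence": ["EV-12"]},
    "1.3": {"applicable": True, "evidence": []},        # never evidenced
    "1.4": {"applicable": True, "evidence": ["EV-14"]},
    "1.5": {"applicable": True, "evidence": ["EV-15"]},
    "1.6": {"applicable": False, "evidence": []},       # excluded in the SoA
}


def transition(old_state, old_to_new, new_controls):
    """Classify every new-version control and every dropped old control."""
    predecessors = defaultdict(list)
    for old, successors in old_to_new.items():
        for new in successors:
            predecessors[new].append(old)

    report = {"new": [], "carried": {}, "reassess": {}, "not_applicable": [],
              "split": [], "removed_affecting_soa": []}
    for new in sorted(new_controls):
        preds = predecessors.get(new, [])
        if not preds:                       # nothing maps here: fresh assessment
            report["new"].append(new)
            continue
        applicable = [p for p in preds if old_state[p]["applicable"]]
        if not applicable:                  # every predecessor was excluded
            report["not_applicable"].append(new)
            continue
        evidence = sorted({e for p in applicable for e in old_state[p]["evidence"]})
        # A merge inherits the weakest predecessor: if any applicable
        # predecessor lacked evidence, the successor must be reassessed.
        if all(old_state[p]["evidence"] for p in applicable):
            report["carried"][new] = evidence
        else:
            report["reassess"][new] = evidence
    for old, successors in old_to_new.items():
        if len(successors) > 1:             # evidence scope must be re-checked
            report["split"].append(old)
        if not successors and old_state[old]["applicable"]:
            report["removed_affecting_soa"].append(old)  # SoA entry to retire
    return report


if __name__ == "__main__":
    for key, value in transition(OLD_STATE, OLD_TO_NEW, NEW_CONTROLS).items():
        print(f"{key}: {value}")
```

On the constructed data, 2.1, 2.3 and 2.4 carry forward with their evidence, 2.2 is queued for reassessment because predecessor 1.3 was never evidenced, 2.5 is new, 2.6 stays not applicable, 1.4 is flagged as split, and 1.5 is flagged as a removed control still present in the SoA.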