Nobody gets into security because they love filling out compliance spreadsheets. But here’s the thing: if you’ve already built your policies, implemented your controls, and documented everything, the compliance mapping step is what makes all that work visible to auditors. It’s the bridge between “we’re doing the right things” and “here’s proof we’re doing the right things.”
CISO Assistant makes this manageable by letting you link applied controls directly to framework requirements and document your compliance status for each one. This guide walks through the process for both ISO 27001 and TISAX.
How compliance mapping works
The process has three layers. First, you have the compliance framework itself, the standard you’re complying with, such as ISO 27001:2022 or the TISAX VDA ISA catalogue. CISO Assistant ships with built-in framework libraries for both.
Second, you create a compliance assessment, which is your specific evaluation against that framework. You might have an “ISO 27001:2022 Certification Assessment” and a separate “TISAX Assessment Level 2.”
Third, you have requirement assessments, which are individual evaluations for each requirement in the framework. When you create a compliance assessment, CISO Assistant generates one requirement assessment per assessable requirement. Your job is to work through each one and document how you meet it.
Setting up your assessment
Go to Compliance > Compliance Assessments and click Add Compliance Assessment. Give it a specific name like “ISO 27001:2022 Certification Audit 2026” rather than something vague. Select the framework from the library, and add a description covering scope, auditor information, and target completion date.
Once created, CISO Assistant generates all the requirement assessments. For ISO 27001:2022 that means the 93 Annex A controls plus the management system clauses (4 through 10). For TISAX, it’s organized across chapters covering information security policies and organization, HR, physical security, identity and access management, IT security, supplier relationships, compliance, and data protection (plus prototype protection, if prototypes are in scope).
For each requirement assessment, you’ll fill in the applied controls that satisfy it, the current status (To Do, In Progress, or Done), and your compliance verdict (Compliant, Partially Compliant, Non-Compliant, or Not Applicable). You also write an observation explaining how your organization meets the requirement. For TISAX, add a maturity score from 0 to 5.
That observation field is what auditors read most carefully, so don’t rush it.
Mapping to ISO 27001:2022
ISO 27001 has two parts you need to address: the management system requirements in Clauses 4 through 10, and the Annex A controls in sections A.5 through A.8.
ISMS management system (Clauses 4-10)
These requirements cover how your ISMS is governed, not specific technical controls. You’ll typically map your overarching policies here.
| Requirement | What it asks | Controls to map |
|---|---|---|
| 4.1 Context of the organization | Understanding internal/external issues | Information Security Policy |
| 4.2 Interested parties | Identifying stakeholders and requirements | Information Security Policy, Legal Compliance Management |
| 4.3 Scope | Defining ISMS boundaries | Information Security Policy |
| 4.4 ISMS | Establishing the management system | Information Security Policy, ISMS Roles and Responsibilities |
| 5.1 Leadership commitment | Management support | Information Security Policy, ISMS Roles and Responsibilities |
| 5.2 IS Policy | Having a policy | Information Security Policy |
| 5.3 Organizational roles | Assigning responsibilities | ISMS Roles and Responsibilities, Segregation of Duties |
| 6.1 Risk assessment | Risk methodology | Information Security Policy (risk management section) |
| 6.2 IS objectives | Setting security goals | Information Security Policy |
| 6.3 Planning of changes | Managing ISMS changes | Change Management Process |
| 7.2-7.3 Competence and awareness | Training | Security Awareness and Training |
| 8.1 Operational planning | Running the ISMS | Information Security Policy, Change Management |
| 9.1 Monitoring and measurement | Measuring effectiveness | Security Monitoring and Alerts, SIEM |
| 9.2 Internal audit | Auditing your ISMS | Audit Management Procedure |
| 9.3 Management review | Regular management review | Information Security Policy |
| 10.1-10.2 Improvement | Handling nonconformities | Information Security Policy, Incident Management |
In our experience, teams often breeze through these clauses because they feel abstract. Don’t. Auditors pay close attention to how well your governance structure actually works in practice. If you need help with the risk assessment clause (6.1), our risk assessment guide walks through the complete process.
Annex A - Organizational controls (A.5)
| Requirement | What it asks | Your controls |
|---|---|---|
| A.5.1 IS policies | Collection of IS policies | Information Security Policy |
| A.5.2 IS roles | Defined roles | ISMS Roles and Responsibilities |
| A.5.3 Segregation of duties | Separating conflicting duties | Segregation of Duties |
| A.5.4 Management responsibilities | Management enforcing security | ISMS Roles, IS Policy |
| A.5.5-A.5.6 Authority contacts | Contact with authorities | Contact with Authorities |
| A.5.7 Threat intelligence | Staying aware of threats | Threat Intelligence and Vulnerability Research |
| A.5.8 IS in project management | Security in projects | Security Recommendations for Projects |
| A.5.9 Asset inventory | Maintaining asset register | Asset Management Policy |
| A.5.10 Acceptable use | Rules for using assets | Acceptable Use of Information |
| A.5.11 Return of assets | Getting assets back when people leave | Offboarding Process |
| A.5.12-A.5.13 Classification | Classifying and labelling information | Information Classification and Labelling |
| A.5.14 Information transfer | Secure data transfer | Encryption Policy |
| A.5.15-A.5.16, A.5.18 Access control | Managing user access, identities, and access rights | User and Access Management, Access Reviews |
| A.5.17 Authentication information | Issuing and protecting credentials | Password Manager, MFA |
| A.5.19-A.5.22 Supplier security | Managing vendor risks | Supplier Management Policy and Process |
| A.5.23 Cloud security | Securing cloud usage | Cloud Security Guidelines |
| A.5.24-A.5.28 Incident management | Handling security incidents | Incident Management Policy, Evidence Collection |
| A.5.29-A.5.30 Business continuity | Maintaining operations | Business Continuity Policy, ICT Readiness |
| A.5.31-A.5.36 Compliance | Meeting legal requirements | Legal Compliance, Licensing, Audit, Privacy |
Annex A - People controls (A.6)
| Requirement | Your controls |
|---|---|
| A.6.1 Screening | Employee Screening Process |
| A.6.2 Employment terms | Employment Terms - Security Obligations |
| A.6.3 Awareness and training | Security Awareness Training |
| A.6.4 Disciplinary process | HR Management Policy |
| A.6.5 After termination | Offboarding Process |
| A.6.6 Confidentiality | NDA and Confidentiality Agreements |
| A.6.7 Remote working | Remote Work Security Policy |
| A.6.8 Event reporting | Incident Management Policy |
Annex A - Physical controls (A.7)
| Requirement | Your controls |
|---|---|
| A.7.1-A.7.3 Perimeters and entry | Office Security, Physical Security Policy |
| A.7.4-A.7.6 Securing areas | Secure Areas and Zones |
| A.7.7 Clear desk/screen | Clear Desk and Clear Screen Policy |
| A.7.9 Off-premises security | Remote Work Policy, Endpoint Security |
| A.7.10 Storage media | JumpCloud Storage Media Control |
| A.7.11 Utilities | UPS and Power Protection |
| A.7.12 Cabling security | Cabling Security |
| A.7.13 Equipment maintenance | IT Equipment Maintenance |
| A.7.14 Disposal | Data Retention and Deletion |
Annex A - Technology controls (A.8)
| Requirement | Your controls |
|---|---|
| A.8.1 User endpoints | Endpoint Security, JumpCloud MDM |
| A.8.2 Privileged access | Privileged Access Management |
| A.8.3 Access restriction | User and Access Management |
| A.8.4 Source code access | Source Code Access Control |
| A.8.5 Secure authentication | Password Manager (1Password), MFA |
| A.8.6 Capacity management | Capacity Management - Cloud Resources |
| A.8.7 Malware protection | ESET Antivirus, Gmail AV Protection |
| A.8.8 Vulnerability management | Vulnerability Management, System Updates |
| A.8.9-A.8.10 Configuration and deletion | Change Management, Information Deletion |
| A.8.11 Data masking | Data Masking - Production Data |
| A.8.12 Data leakage prevention | Google Workspace DLP |
| A.8.13 Backup | Information Backup |
| A.8.14 Redundancy | SaaS Redundancy, ICT Readiness |
| A.8.15-A.8.16 Logging and monitoring | Event Monitoring, SIEM, Security Alerts |
| A.8.17 Clock synchronization | NTP Clock Synchronization |
| A.8.18-A.8.19 Software control | Software Management Procedure |
| A.8.20-A.8.22 Network security | Network Policy, FortiGate UTM, VLANs, RADIUS |
| A.8.23 Web filtering | FortiGate Web Filtering, ESET Web Filtering |
| A.8.24 Cryptography | Encryption Policy, Encrypted Drives, Database Encryption |
| A.8.25-A.8.28 Secure development | Security Recommendations, ASVS, Secure Coding |
| A.8.29 Security testing | Security Testing Procedure |
| A.8.31 Environment separation | Dev/Test/Prod Separation |
| A.8.32 Change management | Change Management, IT Change Management |
| A.8.33-A.8.34 Test data and audit | Environment Separation, Security Testing |
Mapping to TISAX
TISAX uses a different structure from ISO 27001, organized into chapters with maturity scoring on a 0-to-5 scale. The main difference is that TISAX assigns a maturity level to each requirement rather than a simple compliant/non-compliant result.
The maturity levels range from 0 (Incomplete, the control doesn’t exist) through 1 (Performed, it exists but is ad-hoc), 2 (Managed, it’s planned and tracked), 3 (Established, it’s standardized and documented), 4 (Predictable, it’s measured and monitored), to 5 (Optimizing, it’s continuously improved).
For most controls, aim for level 3 as your baseline. That means the control is documented, standardized across the organization, and consistently applied. We’ve seen teams struggle with the jump from 2 to 3 because it requires moving from “we do this” to “we do this the same way every time and here’s proof.”
TISAX chapter mapping
Chapter 1 covers IS Policies and Organization. Map your Information Security Policy to requirements 1.1.1 and 1.2. Your Asset Management Policy covers 1.3. Supplier Management handles 1.3.3 (external IT services). Endpoint Security and JumpCloud MDM satisfy 1.3.4 (approved software). Your IS Policy risk section covers 1.4.1. Legal Compliance addresses 1.5. Incident Management and SIEM handle 1.6.1-1.6.2 (security events). Business Continuity and Incident Management cover 1.6.3 (crisis situations).
Chapter 2 handles Human Resources. HR Management Policy maps to 2.1.1 (qualification) and 2.1.2 (contractual binding). Security Awareness Training covers 2.1.3. Remote Work Policy, Endpoint Security, and MDM satisfy 2.1.4 (mobile work).
Chapter 3 is Physical Security. Physical Security Policy covers 3.1.1 (security zones). Business Continuity and Backup address 3.1.2 (disruption). Physical Security and Asset Management handle 3.1.3 (supporting assets). Endpoint Security, MDM, and Encrypted Drives cover 3.1.4 (mobile IT devices).
Chapter 4 deals with Identity and Access Management. Your Password Policy and 1Password cover 4.1.1 (identification means) and 4.1.2 (secured access). Add Access Reviews for 4.1.3 (managed accounts) and 4.2.1 (access rights).
Chapter 5 covers IT Security and Cyber Security. This is the biggest chapter. Encryption Policy and Encrypted Drives handle 5.1.1-5.1.2 (cryptography). Change Management covers 5.2.1 and 5.2.2 (including dev/test separation). ESET and Gmail AV cover 5.2.3 (malware protection). Event Monitoring and SIEM handle 5.2.4 (logging). Vulnerability Management covers 5.2.5 and 5.2.6. Network Policy, FortiGate, VLANs, and RADIUS satisfy 5.2.7. Business Continuity handles 5.2.8. Backup Policy covers 5.2.9. Change Management and IS Policy address 5.3.1 (new systems). Supplier Management and Data Deletion cover 5.3.3 and 5.3.4.
Chapter 6 is Supplier Relationships. Supplier Management Policy covers 6.1.1 (contractors) and 6.1.2 (NDAs).
Chapter 7 handles Compliance. Legal Compliance Policy maps to 7.1.1. Personal Data Protection Policy covers 7.1.2.
Chapter 8 (Prototype Protection) only applies if you handle prototypes in scope. Chapter 9 is Data Protection. If applicable, your Personal Data Protection Policy is the primary control here, supplemented by Incident Management, HR Policy, and Training.
Writing observations that auditors respect
The observation field is where you explain how you actually meet each requirement. This is what auditors read most carefully, so it’s worth doing well.
Structure your observations in three parts. State the control that’s in place, describe how it works in practice, and reference where the auditor can find evidence.
A weak observation looks like “We have access control.” That tells nobody anything. A good observation looks like “Onboarding/offboarding processes with rules for user registration, deregistration, and access assignment. Managed via JumpCloud. New employees receive access based on role templates. Departing employees have access revoked within 24 hours of last working day.”
For something like malware protection, a good observation would be “ESET Endpoint Antivirus deployed to all company workstations via JumpCloud MDM. Real-time protection enabled, daily signature updates. Gmail’s built-in security scans all incoming messages for malware, phishing, and spam.”
Be specific. Be concrete. Reference the actual tools and processes you use.
Working through the assessment efficiently
Let’s be honest: with 93+ ISO 27001 requirements or 50+ TISAX requirements, this is a multi-day effort. Here’s how to make it manageable.
Work section by section. Do all of A.5 first, then A.6, then A.7, then A.8. Jumping around is tempting but leads to inconsistencies and missed items. Mark each requirement “Done” once you’ve added controls and written the observation, so you can track progress. There’s a real psychological benefit to watching the “Done” count go up.
Flag gaps immediately. If you can’t map any control to a requirement, mark it “In Progress” and make a note. These gaps become your improvement plan. Use “Not Applicable” sparingly and always justify exclusions. “We don’t do mobile work” only works for A.6.7 if it’s genuinely true.
Many controls map to multiple requirements, and it’s perfectly fine to reuse descriptions across observation fields. Auditors expect consistency, not novelty.
Before the audit
In the weeks before an actual audit, review all your “Done” assessments to make sure they’re still accurate. Close any “In Progress” items, either by implementing the control or formally accepting the gap. Export the assessment to share with auditors in advance. And prepare evidence for each control, meaning screenshots, policy documents, or system configurations ready to demonstrate on request. Fumbling around looking for a screenshot while the auditor watches is not a good look.
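The pre-audit review above is easy to do by hand for a dozen requirements and easy to get wrong for a hundred. The script below is an added example, not CISO Assistant code and not its export format: it assumes you have exported your requirement assessments into a flat list of records with the fields the page describes (reference, status, verdict, linked controls, observation, and a TISAX maturity score), and it flags the things an auditor trips over first: “Done” with a one-line observation, “Compliant” with no control linked, “Not Applicable” with no justification, anything still “In Progress”, and TISAX items below the level-3 baseline that are nevertheless marked Compliant. The sample records and the 40-character observation threshold are constructed for the example.

```python
"""Pre-audit consistency check over an exported compliance assessment.

Added example (not CISO Assistant's own code or export schema). The record
layout below is an assumption; adapt the field names to your export.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The status and verdict vocabularies used on the page.
STATUSES = {"To Do", "In Progress", "Done"}
VERDICTS = {"Compliant", "Partially Compliant", "Non-Compliant", "Not Applicable"}


@dataclass
class RequirementAssessment:
    ref: str                                   # e.g. "A.8.7" or "5.2.3"
    status: str                                # To Do / In Progress / Done
    verdict: str                               # compliance result
    controls: List[str] = field(default_factory=list)  # applied controls linked
    observation: str = ""                      # what the auditor reads
    maturity: Optional[int] = None             # TISAX only, 0..5


def check(assessments, tisax=False, min_observation_chars=40) -> List[Tuple[str, str]]:
    """Return (requirement ref, finding) pairs that need attention before the audit."""
    findings = []
    seen = set()
    for a in assessments:
        if a.ref in seen:
            findings.append((a.ref, "duplicate requirement assessment"))
        seen.add(a.ref)
        if a.status not in STATUSES or a.verdict not in VERDICTS:
            findings.append((a.ref, f"unknown status/verdict {a.status!r}/{a.verdict!r}"))
            continue
        obs = a.observation.strip()
        if a.verdict == "Not Applicable":
            # Exclusions must be justified in writing; "N/A" alone does not survive an audit.
            if len(obs) < min_observation_chars:
                findings.append((a.ref, "Not Applicable without a written justification"))
            continue
        if a.verdict in ("Compliant", "Partially Compliant") and not a.controls:
            findings.append((a.ref, f"{a.verdict} but no applied control is linked"))
        if a.status == "Done":
            if len(obs) < min_observation_chars:
                findings.append((a.ref, "Done but the observation is missing or too thin"))
            if a.verdict == "Non-Compliant":
                findings.append((a.ref, "Done but Non-Compliant: implement or formally accept the gap"))
        elif a.status == "In Progress":
            findings.append((a.ref, "still In Progress: close it before the audit"))
        if tisax:
            if a.maturity is None or not 0 <= a.maturity <= 5:
                findings.append((a.ref, "TISAX maturity score missing or out of range"))
            elif a.maturity < 3 and a.verdict == "Compliant":
                findings.append((a.ref, f"maturity {a.maturity} is below the level-3 baseline yet marked Compliant"))
    return findings


# Constructed sample records for the example; not real assessment data.
SAMPLE = [
    RequirementAssessment(
        "A.8.7", "Done", "Compliant", ["ESET Endpoint Antivirus", "Gmail AV Protection"],
        "ESET Endpoint Antivirus deployed to all workstations via MDM; real-time protection "
        "enabled, daily signature updates. Gmail scans all inbound mail for malware and phishing."),
    RequirementAssessment("A.5.15", "Done", "Compliant", [], "We have access control."),
    RequirementAssessment("A.6.7", "Done", "Not Applicable", [], ""),
    RequirementAssessment(
        "A.8.11", "In Progress", "Partially Compliant", ["Data Masking - Production Data"],
        "Masking applied to the CRM replica; the analytics database is still pending."),
]


if __name__ == "__main__":
    for ref, finding in check(SAMPLE):
        print(f"{ref:<8} {finding}")
```

Run it against the real export and work the findings list down to zero; the A.8.7 record is the only one in the sample that passes, and it is also the only one written the way the observation guidance above recommends.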
Compliance mapping is tedious work. There’s no sugarcoating that. But the goal isn’t to impress auditors with quantity. It’s to demonstrate that you’ve thoughtfully considered each requirement and have real, specific measures in place. Quality over quantity, honesty over optimism. An auditor who sees that you’ve been straightforward about gaps will trust the rest of your assessment far more than one who sees everything marked “Compliant” with no substance behind it.
Before mapping, make sure your Statement of Applicability is complete - those are the controls you’ll be linking to requirements. If you’re working on ISO 27001 compliance specifically, our step-by-step ISO 27001 guide covers the broader implementation process. For organizations also tackling NIS2, see how NIS2 requirements overlap with ISO 27001 to map both frameworks efficiently.