Most organizations in 2026 don’t face a single compliance requirement. They face three, four, sometimes six overlapping frameworks - and someone on the team just got told to “handle compliance” without a six-figure software budget.

This guide is for that person. We’ll walk through how to build a compliance program that covers multiple frameworks simultaneously using open-source tools, where to start, what to skip, and how to avoid the most common mistakes that cause compliance efforts to stall.


The multi-framework problem

Here’s a scenario we see constantly: a European SaaS company needs ISO 27001 for customer contracts, NIS2 because they provide digital services in the EU, GDPR for data protection, and SOC 2 because their US customers demand it. That’s four frameworks and, combined, roughly 500 or more individual requirements.

The naive approach is to treat each framework separately - four projects, four sets of controls, four evidence libraries. This fails. Not because the team isn’t capable, but because the overlap between frameworks is massive and the duplication becomes unmanageable.

ISO 27001 A.8.5 requires secure authentication. NIS2 Article 21(2)(j) requires multi-factor authentication. SOC 2 CC6.1 requires logical access controls. GDPR Article 32 requires appropriate security measures for access. One MFA implementation satisfies all four - but only if your tracking system records that single control against all four requirements, so the evidence is collected once and reused.

Spreadsheets can’t do this at scale. Enterprise GRC platforms can, but they cost $10,000-50,000+ per year. Open-source platforms sit in the middle: they handle the cross-mapping automatically, and they cost the price of a small cloud server.


Step 1: Determine which frameworks actually apply to you

Before implementing anything, figure out exactly what you need. Over-scoping is the number one cause of compliance burnout.

Mandatory vs. aspirational

Separate frameworks into two categories:

Legally required - frameworks where non-compliance has legal consequences:

  • NIS2 - if you’re an essential or important entity in the EU (energy, health, transport, digital infrastructure, and more)
  • GDPR - if you process personal data of EU residents
  • DORA - if you’re in EU financial services
  • HIPAA - if you handle US healthcare data

Commercially required - frameworks customers demand:

  • ISO 27001 - the most commonly requested certification in B2B contracts
  • SOC 2 - primarily demanded by US enterprise customers
  • TISAX - required for automotive industry supply chains

Start with what’s legally mandatory, then add what’s commercially necessary. Don’t add aspirational frameworks until the mandatory ones are solid.

Use our free NIS2 Readiness Assessment to check whether the directive applies to your organization and where your gaps are. For ISO 27001 specifically, our ISO 27001 Gap Analysis tool walks through every clause and Annex A control to give you a baseline score.


Step 2: Map the overlaps before writing a single policy

This is where most compliance programs either save or waste months.

In practice, the bulk of what you implement - on the order of 80% - is shared across frameworks. As rough rules of thumb, ISO 27001 and NIS2 overlap by about 70%, and SOC 2 and ISO 27001 by about 60%; the exact figures depend on how you count requirements, but the pattern holds. Once you implement a solid security control, it satisfies requirements in several standards simultaneously - but only if you track the mappings.

The control-first approach

Instead of starting with Framework A and implementing all its requirements, then doing Framework B, work control-first:

  1. List every unique control you need across all frameworks
  2. Group controls that serve the same purpose across different standards
  3. Implement each control once
  4. Map it to every framework requirement it satisfies

For example, “implement multi-factor authentication for all administrative access” is one control. It satisfies:

Framework      Requirement
ISO 27001      A.8.5 - Secure authentication
NIS2           Art. 21(2)(j) - Multi-factor authentication
SOC 2          CC6.1 - Logical access controls
GDPR           Art. 32 - Appropriate technical measures
NIST CSF       PR.AC-7 - Authentication and identity proofing (CSF 1.1 numbering; CSF 2.0 moved this into the PR.AA category)

One implementation, five checkmarks. That’s what makes multi-framework compliance manageable.
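
To make the control-first approach concrete, here is an added Python example (not CISO Assistant code and not from the original article) that models controls mapped to framework requirements and computes per-framework coverage, the requirements no control maps to at all, and which controls give the most leverage. The MFA row reproduces the table above; the other two controls, the control names and the in-scope requirement lists are constructed samples, so verify any mapping you reuse against the standards’ own text:

```python
"""Control-first cross-mapping: implement a control once, count it
against every framework requirement it satisfies.

Added example, not CISO Assistant code. CTL-01 reproduces the article's
MFA mapping; CTL-02, CTL-03 and the SCOPE lists are constructed samples
and must be checked against the standards' text before real use.
"""

# Requirement references are written "<framework>:<requirement id>".
CONTROLS = {
    "CTL-01 MFA for all administrative access": [
        "ISO 27001:A.8.5", "NIS2:Art.21(2)(j)", "SOC 2:CC6.1",
        "GDPR:Art.32", "NIST CSF 1.1:PR.AC-7",
    ],
    "CTL-02 Vulnerability scanning and patch cadence": [  # sample mapping
        "ISO 27001:A.8.8", "NIS2:Art.21(2)(e)", "SOC 2:CC7.1",
    ],
    "CTL-03 Supplier security assessment": [  # sample mapping
        "ISO 27001:A.5.19", "NIS2:Art.21(2)(d)", "SOC 2:CC9.2",
    ],
}

# In-scope requirements per framework (constructed subset, not full lists).
SCOPE = {
    "ISO 27001": ["A.5.19", "A.8.5", "A.8.8", "A.8.15"],
    "NIS2": ["Art.21(2)(d)", "Art.21(2)(e)", "Art.21(2)(j)", "Art.23"],
    "SOC 2": ["CC6.1", "CC7.1", "CC9.2"],
    "GDPR": ["Art.32", "Art.33"],
    "NIST CSF 1.1": ["PR.AC-7"],
}


def _split(ref):
    """'SOC 2:CC6.1' -> ('SOC 2', 'CC6.1')."""
    framework, rid = ref.split(":", 1)
    return framework, rid


def satisfied_requirements(implemented):
    """Every 'framework:id' covered by at least one implemented control."""
    covered = set()
    for name in implemented:
        if name not in CONTROLS:
            raise KeyError(f"unknown control: {name}")
        covered.update(CONTROLS[name])
    return covered


def coverage(implemented):
    """Per framework: (satisfied count, total in scope, open requirement ids)."""
    covered = satisfied_requirements(implemented)
    report = {}
    for framework, ids in SCOPE.items():
        open_ids = [rid for rid in ids if f"{framework}:{rid}" not in covered]
        report[framework] = (len(ids) - len(open_ids), len(ids), open_ids)
    return report


def unmapped_requirements():
    """In-scope requirements that no control maps to at all. These are
    mapping gaps: implementing every listed control still leaves them open."""
    mapped = {ref for refs in CONTROLS.values() for ref in refs}
    return sorted(f"{fw}:{rid}" for fw, ids in SCOPE.items()
                  for rid in ids if f"{fw}:{rid}" not in mapped)


def dangling_mappings():
    """Mappings that point outside the declared scope: usually a typo in a
    requirement id, or a reference that needs to be added to SCOPE."""
    return sorted(ref for refs in CONTROLS.values() for ref in refs
                  if _split(ref)[1] not in SCOPE.get(_split(ref)[0], []))


def leverage():
    """Controls ranked by how many distinct frameworks they satisfy."""
    ranked = [(name, len({_split(r)[0] for r in refs}))
              for name, refs in CONTROLS.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Everything implemented: where do gaps remain, and why?
    for fw, (done, total, open_ids) in coverage(list(CONTROLS)).items():
        print(f"{fw:13} {done}/{total} open={open_ids}")
    print("no control maps to:", unmapped_requirements())
    print("dangling mappings:", dangling_mappings())
    print("highest leverage:", leverage()[0])
```

Run it with only CTL-01 implemented and every framework shows exactly one requirement ticked; run it with everything implemented and three requirements still stay open, which tells you that the control list, not the implementation, is what needs attention.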

Tools that handle cross-mapping

CISO Assistant ships with 100+ frameworks and performs this cross-mapping automatically. When you mark a control as implemented, the platform shows you every standard it satisfies. This is the feature that saves the most time in practice - and it’s free.

Our detailed compliance mapping guide walks through this process step by step in CISO Assistant. If you want to see how this looks before committing to a tool, the live demo has real frameworks loaded and cross-mapped.


Step 3: Prioritize your implementation order

You can’t implement everything at once. Here’s a sequence that works, with each layer building on the previous one.

Phase 1: Foundation (Weeks 1-4)

  1. Asset inventory - you can’t protect what you don’t know about. List all systems, data stores, applications, and third parties. Our asset management guide covers this for CISO Assistant.

  2. Risk assessment - identify what can go wrong and how badly. This is the foundation that every framework requires. Use the OWASP Risk Calculator for application-level risks, and CISO Assistant’s built-in risk module for organizational risks. Our risk assessment guide covers the methodology.

  3. Security policies - write the core policies: information security policy, acceptable use, access control, incident response. These don’t need to be 50-page documents. Two to five pages each, written in plain language, is better than comprehensive policies nobody reads.

Phase 2: Core controls (Weeks 5-12)

  1. Access control and authentication - implement MFA, enforce least privilege, document access review processes.

  2. Encryption and data protection - TLS everywhere, encrypted storage, documented key management.

  3. Incident response - document the process, assign roles, define notification timelines (especially the NIS2 24h/72h/1-month cascade).

  4. Vulnerability management - regular scanning, defined patching cadence, tracked remediation.

  5. Supplier security - assess your critical vendors, define security requirements in contracts. The Supplier Risk Assessment tool gives you a structured way to score vendors, and our vendor security guide covers the CISO Assistant workflow.

Phase 3: Maturity (Weeks 13-24)

  1. Business continuity - document recovery plans, define RTO/RPO objectives. Our BIA Calculator helps quantify business impact for each process.

  2. Training and awareness - security awareness program, role-based training, documented completion.

  3. Monitoring and audit - logging strategy, security monitoring, internal audit schedule.

  4. Statement of Applicability - for ISO 27001, this is the mandatory document listing all Annex A controls and your justification for including or excluding each. Our SoA guide covers this in detail.


Step 4: Choose your tools

You need three categories of tools for a compliance program. Here’s what works without spending on enterprise licensing.

GRC platform (central compliance management)

This is your single source of truth for frameworks, controls, risks, and evidence. We’re biased toward CISO Assistant - we deploy and manage it for clients - but we covered the alternatives honestly in our open-source GRC comparison.

What matters for multi-framework compliance:

  • Pre-loaded frameworks (avoid manual data entry)
  • Automatic cross-framework mapping
  • Risk management linked to controls
  • Evidence attachment capability
  • Self-hostable (for data sovereignty)

Deploy with a single docker compose up and you have a running instance. For production deployment with backups, monitoring, and hardening, see our deployment services.

Assessment tools (quantify your gaps)

Before and during implementation, you need to measure where you stand. We built free tools for this:

  • ISO 27001 Gap Analysis
  • NIS2 Readiness Assessment
  • OWASP Risk Calculator
  • Supplier Risk Assessment
  • BIA Calculator

Each generates a PDF report you can use internally or share with auditors.

Evidence and documentation

For evidence collection, you don’t need an automated platform on day one. Start with a structured folder system:

/evidence
  /access-control
    screenshot-mfa-config-2026-03.png
    access-review-log-Q1-2026.csv
  /incident-response
    ir-plan-v2.pdf
    tabletop-exercise-notes-2026-02.md
  /risk-management
    risk-register-export-2026-03.csv

Link evidence to controls in your GRC platform. When auditors ask for proof that MFA is implemented, you point to the evidence attached to that control in CISO Assistant - not to a random folder on SharePoint.


Step 5: Build for audit readiness, not audit day

A common mistake is treating compliance as a project with an end date. You pass the audit, celebrate, and then let everything decay until the next audit cycle.

The better approach: make compliance part of your operational rhythm.

Monthly: Review open risk items, update evidence for any controls that changed, check that policies are still accurate.

Quarterly: Conduct internal control testing (pick 5-10 controls and verify from evidence that they’re operating as designed, not just that they’re documented), review third-party risk assessments, update your asset inventory.

Annually: Full risk assessment cycle, management review, internal audit, update your Statement of Applicability.

If you do this consistently, audit preparation becomes a two-week effort instead of a three-month panic. The GRC platform maintains the continuous record that proves it.
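
The evidence folder layout from Step 4 and the monthly/quarterly/annual rhythm above combine naturally into a check you can run before each review. The following Python script is an added example, not code from the article or from CISO Assistant: it walks the evidence tree, reads the period stamped in each file name (YYYY-MM, YYYY-MM-DD or Q1-YYYY), and flags files that are older than the review cadence of their control area, undated, or filed outside a known area. The cadence thresholds, the folder-to-cadence mapping and the empty sample files it creates in a temporary directory are assumptions for illustration:

```python
"""Evidence freshness check over a structured /evidence tree.

Added example, not from the article or CISO Assistant. The folder layout
and file names reproduce the article's example; CADENCE_DAYS and
FOLDER_CADENCE are assumed values for illustration.
"""
import calendar
import re
import tempfile
from datetime import date
from pathlib import Path

# Maximum age in days before evidence counts as stale (assumed: monthly,
# quarterly and annual review cycles with a little slack for collection).
CADENCE_DAYS = {"monthly": 45, "quarterly": 120, "annual": 400}

# Review cadence assumed for each evidence folder.
FOLDER_CADENCE = {
    "access-control": "quarterly",
    "incident-response": "annual",
    "risk-management": "monthly",
}

_DAY = re.compile(r"(?<!\d)(\d{4})-(\d{2})-(\d{2})(?!\d)")      # 2026-03-15
_MONTH = re.compile(r"(?<!\d)(\d{4})-(\d{2})(?![\d-])")         # 2026-03
_QUARTER = re.compile(r"Q([1-4])-(\d{4})(?!\d)")                 # Q1-2026


def _month_end(year, month):
    return date(year, month, calendar.monthrange(year, month)[1])


def period_end(name):
    """Last day of the period a file name claims to cover; None if undated
    (e.g. version-only names like ir-plan-v2.pdf) or the date is invalid."""
    try:
        if m := _DAY.search(name):
            return date(*map(int, m.groups()))
        if m := _MONTH.search(name):
            return _month_end(int(m.group(1)), int(m.group(2)))
        if m := _QUARTER.search(name):
            return _month_end(int(m.group(2)), int(m.group(1)) * 3)
    except ValueError:
        return None
    return None


def audit(root, today):
    """Classify every file as ok, stale, future-dated, undated or uncategorised.
    Returns (relative path, status, age in days or None) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        area = rel.parts[0] if len(rel.parts) > 1 else None
        cadence = FOLDER_CADENCE.get(area)
        end = period_end(path.name)
        if cadence is None:
            status, age = "uncategorised", None   # filed outside a known area
        elif end is None:
            status, age = "undated", None         # needs an explicit review date
        else:
            age = (today - end).days
            if age < 0:
                status = "future-dated"
            elif age > CADENCE_DAYS[cadence]:
                status = "stale"
            else:
                status = "ok"
        findings.append((rel.as_posix(), status, age))
    return findings


def build_sample_tree(base):
    """Create the article's example layout as empty files (constructed)."""
    files = [
        "access-control/screenshot-mfa-config-2026-03.png",
        "access-control/access-review-log-Q1-2026.csv",
        "incident-response/ir-plan-v2.pdf",
        "incident-response/tabletop-exercise-notes-2026-02.md",
        "risk-management/risk-register-export-2026-03.csv",
    ]
    for name in files:
        target = Path(base) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return Path(base)


def run_sample(today=date(2026, 6, 1)):
    """Audit the constructed tree as of a fixed date so results are stable."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp), today)


if __name__ == "__main__":
    for rel, status, age in run_sample():
        print(f"{status:13} {'-' if age is None else age:>4} {rel}")
```

As of 1 June 2026 the constructed tree yields one stale file (the monthly risk register export from March), one undated file (the versioned IR plan), and three that are within cadence. Point `audit()` at your real tree with `date.today()` and feed the stale and undated lines into the monthly evidence-update task.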


Common mistakes that kill compliance programs

After dozens of implementations, these are the patterns that cause failure.

Starting with policy writing instead of risk assessment. Policies should reflect your actual risks. If you write policies first, they’ll be generic templates that don’t match your organization. Start with risk assessment, then write policies that address what you found.

Trying to be 100% compliant immediately. No organization goes from zero to fully compliant. Aim for 70-80% in the first cycle, with a documented plan for addressing the remaining gaps. Auditors respect honest gap tracking more than claimed perfection.

Not assigning control owners. Every control needs an owner - a specific person responsible for its implementation and ongoing maintenance. “The security team” is not an owner. “Jane from engineering” is.

Duplicating work across frameworks. This is the entire point of cross-mapping. If your ISO 27001 implementation already satisfies 60% of SOC 2 requirements, don’t start SOC 2 from scratch. Map what you’ve already done.

Choosing tools before understanding requirements. Don’t pick a GRC platform and then figure out what you need it to do. Run the gap analysis first, understand your scope, and then evaluate tools against your actual requirements.


What this costs in practice

Let’s be explicit about the real cost of a multi-framework compliance program using open-source tools.

Item                                           Cost
GRC platform (CISO Assistant, self-hosted)     €5-20/month (server)
Assessment tools (InfoSecFlow)                 Free
Your team’s time (first 6 months)              10-20 hours/week
External penetration test                      €3,000-8,000/year
ISO 27001 certification audit (if pursuing)    €5,000-15,000
Total first year (cash costs, excluding        €8,000-23,000
your team’s time)

Compare that to a commercial GRC platform alone (€10,000-50,000/year) plus the same audit and pentest costs. The open-source path saves €10,000-40,000 on software every year.

The trade-off is your team’s time for setup and maintenance. If you have one person with basic Docker knowledge and an interest in security, that trade-off strongly favors open source.


Getting started today

The best way to start is to measure where you are right now. Run through these assessments - they take 15-30 minutes each and produce a PDF you can share with your team:

  1. ISO 27001 Gap Analysis - evaluate your ISMS clause and Annex A control coverage
  2. NIS2 Readiness Assessment - check if NIS2 applies and where your gaps are
  3. OWASP Risk Calculator - score your top application security risks

Once you have baseline scores, deploy CISO Assistant to start mapping controls and tracking progress. If you want a hands-on walkthrough first, explore the live demo.

And if you’d rather have someone handle the deployment and initial configuration so your team can focus on the compliance work itself, that’s what we do.

Related reading: open-source GRC platform comparison, ISO 27001 compliance with CISO Assistant, NIS2 directive requirements and deadlines, NIS2 requirements checklist - article by article, implementing NIS2 using ISO 27001 controls.