Frameworks

This page covers how frameworks work in Matproof: how to add one, how cross-framework control mapping reduces duplicate work, and where to find the dedicated guide for each framework.

What’s supported

Matproof ships 16 frameworks ready to adopt:

| Framework | Region / Domain |
| --- | --- |
| DORA | EU financial services |
| NIS2 | EU cybersecurity |
| GDPR | EU data protection |
| BaFin MaRisk | German banking risk management |
| ISO 27001 | Information security management (ISMS) |
| ISO 42001 | AI management systems |
| ISO 9001 | Quality management |
| SOC 2 | Trust services criteria |
| HIPAA | US healthcare data |
| PCI DSS | Payment card security |
| NEN 7510 | Dutch healthcare |
| NIST CSF | NIST Cybersecurity Framework |
| NIST 800-53 | US federal control catalog |
| EU AI Act | EU AI governance |
| Cyber Resilience Act | EU product security |
| CSRD | EU sustainability reporting |

If you need a framework that isn’t on this list — TISAX, CIS Controls, BSI IT-Grundschutz, a national transposition layer, an internal control catalog — you build it yourself with Custom Frameworks. Custom frameworks behave identically to built-in ones (same control mapping, same evidence flow, same audit export).

Adding a framework

  1. Open Settings → Frameworks
     From the sidebar, go to Settings → Frameworks. You see all currently active frameworks plus an Add framework button.
  2. Pick from the catalog
     Browse the catalog of 16 built-in frameworks plus any custom frameworks your organization has built. Click Add on the one you want.
  3. Set the scope (some frameworks only)
     A few frameworks ask for additional scope before activation:
       • NIST 800-53 — pick the baseline (LOW / MODERATE / HIGH or full catalog)
       • PCI DSS — pick your merchant level
       • CSRD — pick the reporting year(s) you’re preparing for
       • Custom frameworks — pick which version of the framework to adopt
  4. Run gap assessment
     Matproof scans your existing evidence, policies, and risks against the new framework’s controls and produces a gap report. Controls already covered by overlapping frameworks are auto-marked compliant; the rest become open work.
  5. Assign control owners
     Open the framework’s controls list and assign each open control to a team member. Without owners, evidence doesn’t get collected and the score doesn’t move.

Cross-framework control mapping

The single biggest reason Matproof exists: a control implemented once should satisfy every framework that requires it. Concrete example:
"Multi-factor authentication enforced for all privileged accounts"
  → satisfies:
     - ISO 27001  A.5.17, A.8.2, A.8.5
     - SOC 2      CC6.1, CC6.2
     - DORA       Article 9(4)(c)
     - NIS2       Article 21(2)(d), 21(2)(j)
     - HIPAA      164.312(d)
     - PCI DSS    8.4
Collect the evidence once (e.g. an Okta admin export showing MFA enforcement). Matproof links it to all 6 frameworks. The control’s status flips to “Implemented” everywhere it’s referenced. This is why pursuing multiple certifications in parallel takes far less than 6× the effort of a single certification — the overlap typically lands at 50–70%.

Viewing framework status

Every active framework has its own dashboard at /[orgId]/frameworks/[frameworkInstanceId]:
  • Compliance score — percentage of controls with sufficient unexpired evidence
  • Controls by status — implemented / in-progress / not started / not applicable
  • Findings — open gaps and non-conformities (see Findings)
  • Upcoming evidence expirations — evidence falling out of date in the next 90 days
  • Recent activity — control updates, evidence uploads, policy changes
  • Versioning — when the framework’s underlying standard updates, you can migrate to the new version while keeping evidence history

Removing or deactivating a framework

You can deactivate a framework if your organization no longer needs it (e.g. you sunset a SOC 2 audit because you switched to ISO 27001). Deactivation:
  • Hides the framework from the dashboard and reports
  • Preserves all controls, evidence, and history (you can reactivate later)
  • Does not delete shared evidence — controls reused by other active frameworks keep their evidence
To deactivate: Settings → Frameworks → [framework] → Deactivate. To permanently remove (rare; usually only for custom frameworks you no longer maintain): contact support@matproof.com.

Audit export

Before an audit, export the framework’s complete evidence package:
  1. Open the framework dashboard
  2. Click Export → Evidence Package
  3. Choose format: ZIP (recommended for auditors), PDF (executive summary), CSV (control list only)
  4. The ZIP contains: control list with statuses, all linked evidence, policy versions, risk register entries, vendor entries, and findings — folder-organized to match the framework’s chapter structure
Most external auditors accept Matproof’s evidence package format directly, with no further reformatting needed.
