Framework Coverage

Framework-mapped controls, built for execution

FormaOS ships framework packs that map obligations into controls and evidence workflows. This is alignment and operational mapping, not a certification claim.

Frameworks become work

Controls map into tasks, owners, deadlines, and evidence requirements. Your compliance program executes continuously.

Evidence stays contextual

Evidence is linked to the control and the workflow that produced it, with verification status and audit history.

Audit-ready exports

Generate defensible bundles and posture snapshots without rebuilding spreadsheets every quarter.

One control surface, many frameworks

Most regulated organisations are accountable to more than one framework. A healthcare provider runs NSQHS plus AHPRA registration plus, in many cases, ISO 27001 for their tech stack. A fintech carries an AFS licence and an APRA prudential standard and a SOC 2 for their banking partners. Each framework asks for the same kinds of evidence (risk decisions, control execution, incident records, training attestations) described in different language.

FormaOS maps frameworks once. A single piece of evidence (a signed policy acknowledgement, an access review export, a vendor assessment) satisfies the relevant clauses across every framework your organisation is bound to. When a regulator updates a standard, the mapping updates centrally and the work items in flight inherit the change.

How the mapping is built

  • Obligation library. Each framework is decomposed into atomic obligations, not the top-level clause numbers but the specific operational requirements underneath them. ISO 27001 alone produces around 120 atomic obligations once Annex A is unpacked.
  • Control catalogue. Each obligation maps to one or more FormaOS controls. Controls are tangible: a workflow, an access review, a policy approval cycle, an evidence requirement.
  • Evidence inheritance. Evidence collected against a control automatically satisfies every framework obligation that maps to it. A single quarterly access review can land in your SOC 2, ISO 27001, and HIPAA evidence bundles without manual duplication.
  • Coverage telemetry. Each framework displays a live readiness score derived from evidence freshness, control owner activity, and outstanding findings. Buyers can see the gaps before the auditor does.
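
The obligation-to-control mapping, evidence inheritance and freshness-based readiness score described above, as an added illustrative model (not FormaOS code; the obligation ids, control names, 90-day freshness window and evidence records are all constructed for the example):

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample mapping (not FormaOS's real obligation library): each
# (framework, obligation id) maps to the one control that satisfies it.
# Three frameworks share "quarterly-access-review", so one piece of evidence
# collected against that control inherits into all three frameworks.
OBLIGATION_TO_CONTROL = {
    ("ISO 27001", "ISO-ACCESS-01"): "quarterly-access-review",
    ("SOC 2", "SOC2-ACCESS-01"): "quarterly-access-review",
    ("HIPAA", "HIPAA-ACCESS-01"): "quarterly-access-review",
    ("ISO 27001", "ISO-POLICY-01"): "policy-approval-cycle",
    ("SOC 2", "SOC2-TRAINING-01"): "training-attestation",
}

@dataclass
class Evidence:
    control: str
    collected: date
    verified: bool  # set by the verification workflow, not by the collector

def fresh_evidence(evidence, control, as_of, max_age_days=90):
    """True if the control has verified evidence no older than max_age_days."""
    return any(
        e.control == control and e.verified
        and (as_of - e.collected).days <= max_age_days
        for e in evidence
    )

def framework_readiness(framework, evidence, as_of, max_age_days=90):
    """Readiness = share of a framework's obligations whose mapped control has
    fresh, verified evidence; also returns the obligations still open (gaps)."""
    obligations = [(o, c) for (f, o), c in OBLIGATION_TO_CONTROL.items() if f == framework]
    gaps = [o for o, c in obligations if not fresh_evidence(evidence, c, as_of, max_age_days)]
    score = 1 - len(gaps) / len(obligations) if obligations else 0.0
    return round(score, 2), gaps

# Constructed evidence set: one recent access review covers three frameworks,
# the policy cycle evidence is stale, and training evidence is still unverified.
AS_OF = date(2025, 3, 31)
SAMPLE_EVIDENCE = [
    Evidence("quarterly-access-review", AS_OF - timedelta(days=20), verified=True),
    Evidence("policy-approval-cycle", AS_OF - timedelta(days=200), verified=True),
    Evidence("training-attestation", AS_OF - timedelta(days=5), verified=False),
]

if __name__ == "__main__":
    for fw in ("ISO 27001", "SOC 2", "HIPAA"):
        print(fw, framework_readiness(fw, SAMPLE_EVIDENCE, AS_OF))
```

Stale or unverified evidence shows up as a gap in every framework that maps to the control, which is the "see the gaps before the auditor does" behaviour in practice.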

What "mapped" means here

FormaOS does not certify your organisation. Certification is performed by accredited assessors against a documented control environment. What FormaOS does is make the control environment continuously defensible: every control has a named owner, every obligation has a path to evidence, and every audit window opens with a ready-to-export bundle rather than a six-week scramble. Most customers see audit prep collapse from weeks to days within the first cycle on the platform.

If you need a specific framework that is not listed in the pack set below (APRA CPS 234, the AESCSF, the Essential Eight at Maturity Level 2), the obligation library is extensible. Talk to our team about your framework set during the compliance plan walkthrough.

Included Framework Packs

Packs represent mapped control structures and workflow defaults. Actual applicability varies by organisation and scope.

  • ISO 27001. Annex A controls mapped to FormaOS work items, Statement of Applicability worksheet, and risk register linked back to evidence.
  • SOC 2. Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) mapped into executable, owner-assigned work.
  • GDPR. Privacy obligations including Article 28 processor terms, DPIA workflows, and data subject request handling mapped to controls and evidence.
  • HIPAA. Administrative, physical, and technical safeguards mapped into defensible operations with BAA-aware sub-processor tracking.
  • PCI DSS. Payment security requirements (v4.0) mapped to control tasks, network segmentation evidence, and quarterly attestation workflows.
  • NIST. CSF 2.0 functions mapped to control coverage; 800-53 baseline crosswalk for federal-adjacent buyers.
  • CIS. Implementation Group 1/2/3 baseline hardening mapped to operational control coverage and evidence cadence.
  • NDIS Practice Standards. All eight Practice Standards modules, SIRS notifications, and unannounced audit prep workflows for registered NDIS providers.

FormaOS can help accelerate audits by making control execution and evidence defensible. It does not imply certification status.