Canonical Controls
Canonical controls are a cross-framework mapping layer that unifies equivalent security requirements across multiple compliance frameworks — including SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, LGPD, and CCPA.
Rather than treating each framework's controls in isolation, canonical controls establish a shared identity for requirements that address the same underlying security objective. A single canonical control can map to several framework-specific controls simultaneously, enabling smarter overlap detection, unified evidence collection, and consistent status reporting across your compliance program.
How It Works
Each canonical control represents a universal security requirement — for example, Logical Access Control or Encryption at Rest. Framework-specific controls are then mapped to these canonical controls, reflecting the degree to which they address the same requirement.
Canonical Control: Logical Access Control (AC-001)
├── SOC 2 CC6.1
├── ISO 27001 A.5.15
└── HIPAA §164.312(a)(1)
This structure powers several capabilities across the platform:
- Overlap detection — When you activate a second framework, the platform identifies controls already addressed by your existing program.
- Evidence sharing — Evidence collected for one framework can be reused for equivalent controls in another, reducing duplication.
- Status propagation — Satisfying a control in one framework can automatically satisfy its equivalent in another, depending on mapping confidence.
- Coverage reporting — Understand how much of each framework is already covered through your canonical control mappings.
Security Domains
Canonical controls are organized into 17 security domains. The table below lists each domain, its control codes, and the area of security it covers.
| Domain | Controls | Description |
|---|---|---|
| Access Control | AC-001 – AC-005 | Logical access, physical access, identity management, privilege management, and provisioning |
| Cryptography | CR-001 – CR-003 | Encryption at rest, encryption in transit, and key management |
| Logging & Monitoring | LM-001 – LM-003 | Audit logging, security monitoring, and log integrity protection |
| Change Management | CM-001 – CM-002 | Change control processes and secure software development lifecycle (SDLC) |
| Backup & Recovery | BR-001 – BR-003 | Data backup, disaster recovery, and business continuity planning |
| Incident Response | IR-001 – IR-003 | Response program, detection and analysis, and breach notification |
| Vendor Management | VM-001 – VM-002 | Third-party risk assessment and supplier agreements |
| Data Protection | DP-001 – DP-004 | Data classification, minimization, data subject rights, and privacy by design |
| Security Policy | SP-001 – SP-003 | Information security policy, risk assessment, and compliance management |
| Security Awareness | SA-001 | Security training and awareness programs |
| Vulnerability Management | VU-001 – VU-002 | Vulnerability scanning and penetration testing |
| Network Security | NS-001 – NS-002 | Network controls and network segregation |
| Asset Management | AM-001 – AM-002 | Asset inventory and endpoint protection |
| Human Resources Security | HR-001 – HR-002 | Personnel screening and employment terms |
| Consent & Legal Basis | CL-001 – CL-002 | Lawful basis for processing and consent management |
| International Data Transfer | IT-001 | Cross-border data transfer mechanisms |
| Governance | GV-001 – GV-002 | Data Protection Officer (DPO) designation and records of processing activities |
The platform currently includes 42 canonical controls with 168 crosswalk mappings across all supported frameworks.
Mapping Confidence Levels
Each mapping between a canonical control and a framework-specific control is assigned a confidence level that reflects the degree of equivalence between them.
| Level | Meaning | Platform Behavior |
|---|---|---|
| Exact | The controls address the same requirement and require the same evidence. | Evidence and status are automatically shared across mapped frameworks. |
| Partial | The controls overlap in scope, but evidence may not be fully transferable. | The platform surfaces the relationship and notifies you, but does not auto-propagate status. |
| Related | The controls are thematically similar but address distinct requirements. | Displayed as a reference relationship only — no automation is applied. |
Mapping confidence directly influences how the platform handles evidence reuse and status propagation. For exact mappings, satisfying a control in one framework will satisfy its equivalent in all mapped frameworks. For partial and related mappings, review is required before any crosswalk credit is applied.
As new frameworks are added to the platform, their controls are mapped to the existing canonical control library wherever equivalences exist, maximizing reuse across your compliance program.