Run a separate control set for ISO 27001, another for SOC 2, and another for NIST CSF, and you pay for the same control three times, evidence it three ways, and reconcile three audits. The unified control framework is one control set, designed for your organisation and crosswalked to every standard you answer to, so a single piece of evidence satisfies all of them.
Scope agreed in writing before any work. No obligation.
What you are commissioning
One named engagement from the Architect track backs this page. Scope is sized to the standards you answer to and agreed in writing before any work begins.
Architect track · Typically 3–6 weeks
Design the control set once and evidence every standard at once.
Best for teams answering to more than one standard.
You hold, or are pursuing, ISO 27001 and SOC 2, perhaps with NIST CSF or a sector regime on top, and you are running them as parallel projects that duplicate most of the work.
Each audit asks for evidence in its own shape, your team reformats the same controls every cycle, and nobody can say cleanly how the standards relate. The crosswalk makes the relationship explicit.
Your control descriptions are too vague to implement consistently or to validate. You need control specifications precise enough that an engineer can build them and an assessor can test them.
The method
We design a single control set for your organisation, anchored on the NIST SP 800-53 control catalogue rather than invented from scratch, so it is comprehensive, recognised, and stable as standards revise.
Every control is mapped across ISO 27001, SOC 2, and NIST CSF, aligned to the current ISO 27001:2022 Annex A structure, so a single implemented and evidenced control satisfies each standard's corresponding requirement at the same time.
Controls are written to be implemented and validated, not just listed. Each carries enough specification that your engineers know what to build and your assessor knows what to test, which is where vague control libraries quietly fail.
When the next standard or regime arrives, you map it into the existing set rather than starting a new program. The unified set is what stops compliance growing linearly with every new obligation.
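The method above, reduced to a small working model so the mechanics are visible: one control library anchored on SP 800-53 numbering, each control carrying an implementation statement and a test procedure, a crosswalk to the requirement identifiers of each standard, and a coverage report that shows a single passed evidence artefact satisfying every mapped standard at once. This is an added illustration, not tooling from the engagement or the page. The ISO 27001:2022 Annex A, SOC 2 Trust Services Criteria and NIST CSF 1.1 identifiers are real, but the mappings between them are constructed for the example and are not an authoritative crosswalk; the sector regime at the end uses placeholder identifiers.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """One control in the unified set, anchored on SP 800-53 control numbering."""
    control_id: str          # e.g. "AC-2"
    title: str
    implementation: str      # what the engineer builds
    test_procedure: str      # what the assessor tests
    mappings: dict = field(default_factory=dict)   # standard -> set of requirement ids


@dataclass
class Evidence:
    """One artefact, collected once and presented to every standard the control maps to."""
    control_id: str
    artefact: str
    passed: bool


class ControlSet:
    def __init__(self):
        self.controls = {}    # control_id -> Control
        self.standards = {}   # standard -> requirement ids the organisation answers to

    def add_control(self, control):
        # A control with no buildable statement or no test procedure is the
        # "vague control library" failure; the set refuses it up front.
        if not control.implementation.strip() or not control.test_procedure.strip():
            raise ValueError(f"{control.control_id}: implementation and test procedure are required")
        self.controls[control.control_id] = control

    def declare_standard(self, name, requirement_ids):
        self.standards[name] = set(requirement_ids)

    def map_control(self, control_id, standard, requirement_ids):
        """Crosswalk an existing control into a standard, new or already declared."""
        self.controls[control_id].mappings.setdefault(standard, set()).update(requirement_ids)

    def coverage(self, standard, evidence):
        """Status of each requirement: satisfied, unevidenced, or unmapped (a real gap)."""
        passed = {e.control_id for e in evidence if e.passed}
        status = {}
        for req in sorted(self.standards[standard]):
            mapped = [c for c in self.controls.values() if req in c.mappings.get(standard, set())]
            if not mapped:
                status[req] = "unmapped"          # no control covers it: design work needed
            elif all(c.control_id in passed for c in mapped):
                status[req] = "satisfied"         # every mapped control has passing evidence
            else:
                status[req] = "unevidenced"       # mapped, but evidence still to collect
        return status

    def gaps(self, standard, evidence):
        return sorted(r for r, s in self.coverage(standard, evidence).items() if s != "satisfied")


def build_sample_set():
    """Two controls and a constructed (illustrative) crosswalk across three standards."""
    cs = ControlSet()
    cs.add_control(Control(
        "AC-2", "Account Management",
        implementation="Accounts are created, changed and disabled only via the ticketed "
                       "joiner/mover/leaver workflow; leaver accounts disabled within one business day.",
        test_procedure="Sample 25 leavers from HR records; confirm each account was disabled "
                       "within one business day of the leaving date.",
    ))
    cs.add_control(Control(
        "AU-2", "Event Logging",
        implementation="Authentication and privilege-change events from every in-scope system "
                       "are forwarded to the central log platform.",
        test_procedure="For each in-scope system, confirm a login and a privilege change "
                       "appear in the central platform within the retention window.",
    ))
    cs.declare_standard("ISO 27001:2022", ["A.5.16", "A.5.18", "A.8.15"])
    cs.declare_standard("SOC 2", ["CC6.2", "CC6.3", "CC7.2"])
    cs.declare_standard("NIST CSF", ["PR.AC-1", "PR.AC-4", "PR.PT-1"])
    # Constructed crosswalk for illustration; not an authoritative mapping.
    cs.map_control("AC-2", "ISO 27001:2022", ["A.5.16", "A.5.18"])
    cs.map_control("AC-2", "SOC 2", ["CC6.2", "CC6.3"])
    cs.map_control("AC-2", "NIST CSF", ["PR.AC-1", "PR.AC-4"])
    cs.map_control("AU-2", "ISO 27001:2022", ["A.8.15"])
    cs.map_control("AU-2", "SOC 2", ["CC7.2"])
    cs.map_control("AU-2", "NIST CSF", ["PR.PT-1"])
    return cs


def sample_evidence():
    # Constructed: one leaver-sample artefact collected once for AC-2; AU-2 not yet evidenced.
    return [Evidence("AC-2", "leaver-sample-Q1.xlsx", passed=True)]


def onboard_new_regime(cs):
    """A new obligation is mapped into the existing set; only SR-3 needs a new control."""
    regime = "SECTOR-REGIME-PLACEHOLDER"   # placeholder name and requirement ids
    cs.declare_standard(regime, ["SR-1", "SR-2", "SR-3"])
    cs.map_control("AC-2", regime, ["SR-1"])
    cs.map_control("AU-2", regime, ["SR-2"])
    return regime


def rejects_vague_control():
    """True if the set refuses a control that nobody could build or test."""
    try:
        ControlSet().add_control(Control("XX-1", "Be secure", "", ""))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cs, ev = build_sample_set(), sample_evidence()
    for std in cs.standards:
        print(std, cs.coverage(std, ev))
    regime = onboard_new_regime(cs)
    print(regime, "gaps:", cs.gaps(regime, ev))
```

Running the module shows the same AC-2 artefact marked `satisfied` under ISO 27001:2022, SOC 2 and NIST CSF simultaneously, AU-2's requirements as `unevidenced` until its artefact is collected, and, once the placeholder sector regime is mapped in, a single `unmapped` requirement as the only design work the new obligation actually creates.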
The economics
The unified control set is where the cost of a multi-framework program stops multiplying: each control is implemented, evidenced and tested once, however many standards it satisfies, instead of once per standard.
Questions
Because it is a mature, comprehensive control catalogue that the major frameworks already relate to, which makes it a stable spine to crosswalk from. Anchoring on a recognised catalogue rather than a bespoke list means the set is defensible and survives standard revisions without a rebuild.
No, it serves them. You still certify to ISO 27001 and attest to SOC 2; the unified set is the single internal control library that maps to both, so you implement and evidence once and present in each standard's shape. The certificate still comes from an independent body.
Often that is the better starting point. We assess what you have, anchor and de-duplicate it against the catalogue, fix the mappings, and tighten the specifications, rather than discarding work that is sound. The goal is one coherent set, not a greenfield for its own sake.
The architecture decides what good looks like; the control framework is how that design is expressed as testable, evidenced controls mapped to your standards. They pair naturally, and the control set is what carries the architecture into an audit.
A unified control set, the cross-framework mapping, and control specifications precise enough to build and test against. It is the internal source of truth your build, your audits, and your platform all run from.
One conversation, then the scope and the price in writing. Your enquiry arrives already marked for the unified control framework engagement.