Custom frameworks · OSCAL ready

Author your own controls. Map them once. Reuse forever.

Build internal policies, sector regulations, customer questionnaires, or hybrid frameworks. Use the same evidence engine, the same workflows, the same auditor exports as our catalog frameworks.

What custom is for

Six categories, one engine

Internal

Group security policy

Enterprise-wide controls codified once, mapped to every framework.

Customer

Strategic security review

Bank- or insurer-grade questionnaires answered from live evidence.

Industry

NIS2 / DORA

Sector regulations not yet in our catalog — author once, reuse.

Regional

PIPL / LGPD / POPIA

Country-specific privacy regimes alongside GDPR / DPDP.

Sectoral

FedRAMP, IRAP, CMMC

Government baselines mapped to your control library.

Prop.

Customer-defined

When a single customer's security review becomes a recurring program.

Import or author

Bring your library — or start fresh

OSCAL-native ingestion, plus structured editors and bulk import for everything else.

OSCAL JSON: Native NIST format
XLSX / CSV: Standard spreadsheet
Word + Excel: Document + matrix combos
API: Programmatic via REST

Many-to-many mapping

Author once, satisfy many frameworks

Custom controls map cleanly to catalog frameworks. Evidence collected once feeds every audit.

ACME-SEC-001: Privileged access management
CC6.1 (SOC 2), A.5.15 (ISO), Art 32 (GDPR)
ACME-SEC-014: Change management discipline
CC8.1 (SOC 2), A.8.32 (ISO)
ACME-SEC-027: Vulnerability management cadence
CC7.1 (SOC 2), A.8.8 (ISO), 164.308 (HIPAA)
ACME-SEC-042: Vendor security oversight
CC9.2 (SOC 2), A.5.19 (ISO)

Your controls. Our engine.

Bring your control library and let it inherit every workflow, evidence integration, and auditor export the catalog frameworks already use.