FOUNDED 2025 · INDEPENDENT UK PRACTICE
InfoSecAI
The Brief DISPATCH 001
FRAMEWORKS & STANDARDS · 13 MAY 2026 · 8 MIN READ

The Multi-Framework Crosswalk Every UK Security Leader Should Have on Their Wall

Most organisations are now reporting against three or four frameworks at once. The same controls show up in ISO 27001, NIST CSF, CIS Controls, DORA and NIS 2, but the language differs and the evidence requirements diverge in places that matter at audit time. This dispatch sets out the single matrix we put on the wall in any new engagement.

The problem with parallel frameworks

If you run security or compliance for a UK firm of any meaningful size, you are almost certainly being asked to demonstrate alignment to more than one framework. ISO 27001 sits at the core for most. A SaaS provider adds SOC 2 for North American customers. A financial firm overlays DORA. A manufacturer overlays NIS 2. An organisation building anything with a model in it now overlays ISO 42001 and the EU AI Act. Each adds language. Each adds documentation. None of them remove a single control.

The temptation is to run a parallel programme per framework. A separate workstream for ISO. A separate workstream for DORA. A separate evidence room for SOC 2. The cost goes up linearly, the cognitive load goes up exponentially, and the audit fatigue inside the security team becomes the dominant operational risk.

The fix is not a new framework. It is a single matrix that maps the controls you already operate to every framework that asks about them, and one row of evidence that satisfies all callers at once.

Build the control once. Map it many times. Evidence it once.

The 30-domain matrix in full

Thirty control domains cover the working surface of every framework we encounter in UK senior practice. Not thirty controls. Thirty domains, each containing the cluster of activities that organisations actually run.

The domains break down as follows: governance and accountability (3), risk management (2), policy and standards (1), human resources security (2), asset and information management (2), access management (3), cryptography and key management (1), physical and environmental security (1), operational security (3), network and communications security (2), application and software security (2), supplier and third-party risk (2), incident management (2), business continuity and operational resilience (2), and compliance and assurance (2).

Each domain has a clear owner inside the organisation, a clear set of artefacts it produces, and a clear set of frameworks it satisfies. The thirtieth row, governance, anchors all of them and is the row most often broken at audit.

Where ISO 27001 and NIST CSF 2.0 diverge in practice

Both frameworks describe the same security operation. The divergence is structural, not operational, and it matters at audit time in three places.

First, scope. ISO 27001 demands a tightly scoped ISMS with a documented boundary. NIST CSF 2.0 has no equivalent concept; the framework is profile-based and presumes you scope the profile yourself. The result is that an ISO-led organisation moving to NIST CSF needs to retain the scope statement as an internal artefact even though no NIST auditor will request it. Drop the scope statement and the next ISO surveillance audit produces a finding.

Second, risk treatment. ISO 27001 ties risk treatment decisions to the Statement of Applicability, with each Annex A control either selected, justified as excluded, or marked not applicable with rationale. NIST CSF has no SoA. The mapping requires the organisation to retain the SoA discipline regardless of which framework the board is asking about that quarter.

Third, the new Govern function. NIST CSF 2.0 introduced governance as a peer function alongside Identify, Protect, Detect, Respond and Recover. ISO 27001 places governance inside Clause 5 (Leadership) and the broader management system. Same content, different home. The implication: if you wrote your governance reporting against ISO Clause 5, you need a one-page crosswalk to NIST CSF Govern subcategories before any NIST-grounded customer assurance request will land cleanly.

The evidence artefacts auditors actually request

In practice, every framework asks for the same fourteen evidence artefacts. The labels change. The substance does not.

  • Information security policy, approved at executive level, dated within the last twelve months.
  • Risk register with treatment decisions recorded, owner, and review date.
  • Statement of Applicability or its equivalent control inventory.
  • Asset and information inventory, including data classification.
  • Access reviews, dated, signed, with exceptions logged.
  • Vulnerability management evidence covering scope and remediation SLA.
  • Change management records for the audit period.
  • Incident register with categorisation, timeline and lessons learned.
  • Business continuity and disaster recovery test evidence, including outcomes.
  • Supplier register with risk tier, contractual security clauses, and assurance status.
  • Awareness and training records, including completion and exception list.
  • Internal audit programme and reports.
  • Management review minutes covering performance, risks and resourcing.
  • Evidence of board or executive oversight of the security function.

If you can produce all fourteen on demand, you are audit-ready for ISO 27001, SOC 2, NIST CSF reporting, the security pillar of DORA, the cybersecurity risk-management measures of NIS 2, and the bulk of any customer assurance questionnaire that lands. The artefacts are the contract. The framework labels are commentary.

One question to ask before the matrix opens

Before any crosswalk exercise is useful, the security leader needs an answer to one prior question: who, on the executive team, owns the obligation each framework creates?

If the answer is the CISO for all of them, the programme is not yet operating at the level a UK regulator expects. DORA is owned by the COO or the Chief Operating Risk Officer. NIS 2 is owned, in supervisory practice, by the legal-entity director with responsibility for the regulated activity. ISO 27001 is owned operationally by the CISO but signed off by the management representative recorded on the certificate. SOC 2 is owned by the CFO or COO in most service organisations because the controls describe how the service is operated, not how IT secures the service.

Get the ownership map right before the crosswalk opens. The matrix is a tool for the people in the room. If the wrong people are in the room, the matrix will surface a list of orphaned controls and the programme will stall inside three quarters.
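As an added worked example (not code from the dispatch or from InfoSecAI), the following Python models the matrix as data: one row per control domain, mapped to every framework that asks about it, with the evidence artefacts the row produces recorded once. The domain and artefact names follow the dispatch; the framework mappings, owners and dates are constructed sample values, not a real crosswalk. The same block serves the ownership point above: a row with no accountable owner is reported as orphaned, and an artefact that a held certification requires you to retain (the ISO scope statement) is flagged when no row produces it, even when the report being run is against NIST CSF.

```python
"""Crosswalk matrix as data: one control-domain row, mapped to many frameworks,
evidenced once. Constructed sample data: domain and artefact names follow the
dispatch, the mappings, owners and dates are illustrative, not a real mapping."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Domain:
    name: str                  # one of the thirty control domains
    owner: Optional[str]       # accountable owner; None means the row is orphaned
    frameworks: frozenset      # every framework that asks about this domain
    evidence: dict             # artefact name -> date last approved / produced


# Evidence older than this is treated as stale at audit (the "dated within the
# last twelve months" rule from the artefact list).
MAX_EVIDENCE_AGE = timedelta(days=365)

# Artefacts a held framework requires you to retain even when a different
# framework is the one being reported against this quarter (scope statement / SoA).
RETAINED_ARTEFACTS = {
    "ISO 27001": frozenset({"ISMS scope statement", "Statement of Applicability"}),
}

AUDIT_DATE = date(2026, 5, 13)  # constructed "today" for the worked run

# Constructed sample matrix: four of the thirty rows, deliberately imperfect.
SAMPLE_MATRIX = [
    Domain("Governance and accountability", "Management representative",
           frozenset({"ISO 27001", "NIST CSF 2.0", "DORA", "NIS 2"}),
           {"Information security policy": date(2025, 3, 1),    # over twelve months old
            "Management review minutes": date(2026, 2, 10)}),
    Domain("Risk management", "CISO",
           frozenset({"ISO 27001", "NIST CSF 2.0", "DORA"}),
           {"Risk register": date(2026, 4, 20),
            "Statement of Applicability": date(2026, 1, 15)}),
    Domain("Supplier and third-party risk", None,                  # orphaned row
           frozenset({"ISO 27001", "DORA", "NIS 2", "SOC 2"}),
           {"Supplier register": date(2026, 3, 5)}),
    Domain("Incident management", "CISO",
           frozenset({"ISO 27001", "NIST CSF 2.0", "DORA", "NIS 2", "SOC 2"}),
           {}),                                                     # no evidence yet
]


def coverage(matrix, framework):
    """Rows of the matrix that a given framework will ask about."""
    return [d for d in matrix if framework in d.frameworks]


def orphaned_controls(matrix):
    """Rows with no accountable owner: the first thing a crosswalk surfaces."""
    return sorted(d.name for d in matrix if d.owner is None)


def stale_evidence(matrix, today):
    """(domain, artefact, age_in_days) for every artefact older than twelve months."""
    stale = []
    for d in matrix:
        for artefact, dated in d.evidence.items():
            age = today - dated
            if age > MAX_EVIDENCE_AGE:
                stale.append((d.name, artefact, age.days))
    return sorted(stale)


def evidence_pack(matrix, framework):
    """The single evidence set that satisfies one framework: 'evidence it once'."""
    names = set()
    for d in coverage(matrix, framework):
        names.update(d.evidence)
    return sorted(names)


def missing_retained_artefacts(matrix, held_frameworks):
    """Artefacts a held framework insists you keep, but which no row produces."""
    produced = set()
    for d in matrix:
        produced.update(d.evidence)
    required = set()
    for fw in held_frameworks:
        required |= RETAINED_ARTEFACTS.get(fw, frozenset())
    return sorted(required - produced)


def audit_readiness(matrix, framework, today, held_frameworks=("ISO 27001",)):
    """Everything an auditor for `framework` would find, in one report."""
    rows = coverage(matrix, framework)
    report = {
        "framework": framework,
        "orphaned": orphaned_controls(rows),
        "stale": stale_evidence(rows, today),
        "no_evidence": sorted(d.name for d in rows if not d.evidence),
        "retained_missing": missing_retained_artefacts(matrix, held_frameworks),
    }
    findings = ("orphaned", "stale", "no_evidence", "retained_missing")
    report["ready"] = not any(report[k] for k in findings)
    return report


if __name__ == "__main__":
    for fw in ("NIST CSF 2.0", "DORA"):
        r = audit_readiness(SAMPLE_MATRIX, fw, AUDIT_DATE)
        print(f"{fw}: ready={r['ready']}")
        for key in ("orphaned", "stale", "no_evidence", "retained_missing"):
            for item in r[key]:
                print(f"  {key}: {item}")
```

Running it against the sample matrix reports the governance policy as stale at 438 days, the supplier row as orphaned, the incident row as unevidenced, and the ISMS scope statement as missing even though the NIST CSF report never asks for it; each of those is a finding the next ISO surveillance audit would raise regardless of which framework the board asked about that quarter.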


Download the 30-domain crosswalk. The full one-page matrix, with ISO 27001, NIST CSF 2.0, CIS Controls v8, DORA pillars and NIS 2 measures mapped, is available as a four-page PDF in the InfoSecAI Insights library.

WRITTEN BY

Paul Jolliffe

FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner

Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Independent UK practice founded 2025.
