Frameworks built-in, mapped, and always in sync

episki ships with pre-mapped programs for every major framework so your team never rebuilds the same control twice. Launch fast, stay audit-ready, and prove trust to every buyer.
Explore the free trialBook a demo
Framework coverage

Choose the framework, episki handles the mapping

Every framework includes ready-to-use controls, mapped evidence, and audit-ready exports so your first audit feels like your tenth.
SOC 2 Type I/II
Pre-built Trust Service Criteria, AI-drafted narratives, and board-ready readiness reports.
  • Control owners & narratives documented once
  • Automated control testing reminders
  • Auditor portal with SOC 2 summaries
ISO 27001
Build and certify your ISMS with pre-mapped Annex A controls, risk treatment workflows, and auditor-ready SoA exports.
  • Statement of Applicability generator
  • Risk register tied to control treatments
  • Surveillance audit monitoring built in
HIPAA
Protect PHI with mapped administrative, physical, and technical safeguards tied to real-time monitoring.
  • BAA tracking & vendor assurances
  • Incident response runbooks baked in
  • Audit-friendly evidence locker
PCI DSS
Translate DSS requirements into actionable engineering tasks with network segmentation, logging, and access controls.
  • Scheduled log retention verification tasks
  • Quarterly vulnerability cadence templates
  • QSA portal with scoped access
NIST CSF
Align Identify, Protect, Detect, Respond, and Recover domains with dashboards execs can trust.
  • Maturity scoring & heat maps
  • Risk register synced to controls
  • Auto-generated board updates
CMMC
Meet DoD cybersecurity requirements with pre-mapped CMMC levels, NIST 800-171 controls, and assessment-ready evidence packages.
  • Level 1, 2, and 3 practices mapped to controls
  • C3PAO assessment preparation workspace
  • Cross-mapped to NIST CSF and ISO 27001
GDPR
Operationalize EU data-protection obligations with records of processing, DPIAs, data-subject request workflows, and breach timers.
  • Article 30 records of processing kept current
  • DPIA templates with risk acceptance flows
  • 72-hour breach notification timers
FedRAMP
Build toward FedRAMP Low, Moderate, or High with NIST 800-53 baselines, control inheritance, and continuous monitoring artifacts.
  • 800-53 baselines mapped to your control library
  • SSP / SAR / POA&M document workflows
  • Continuous monitoring evidence cadences
HITRUST CSF
Run HITRUST e1, i1, or r2 assessments with the HITRUST CSF mapped to your existing controls and evidence.
  • e1, i1, r2 scoping support
  • Assessment-handler-friendly evidence packets
  • Cross-mapped to HIPAA, SOC 2, ISO 27001
NIST 800-53
Manage federal control baselines (Low / Moderate / High) with mapped control families, overlays, and tailoring records.
  • All 20 control families pre-mapped
  • Overlays and tailoring captured in-platform
  • Crosswalk to NIST CSF, FedRAMP, CMMC
NIST 800-171
Protect CUI as a DoD contractor with the 110 controls of NIST 800-171 — the foundation underneath CMMC Level 2.
  • 14 control families covering CUI
  • SSP and POA&M workflows ready out of the box
  • Lift-and-shift path to CMMC Level 2
ISO 27701
Stand up a Privacy Information Management System (PIMS) as an extension of ISO 27001, mapped to GDPR and CCPA.
  • Privacy-specific Annex A and B controls
  • PII controller vs. processor workflows
  • GDPR Article-mapping crosswalk included
ISO 42001
Build the world's first certifiable AI Management System (AIMS) — agent registry, risk treatments, and operational controls.
  • Agent registry and AI use-case inventory
  • Risk treatment plans tuned for AI risks
  • Mapped to NIST AI RMF and the EU AI Act
SOX
Manage IT general controls and key reports for Sarbanes-Oxley with structured testing cycles and external-auditor portals.
  • ITGC catalog with quarterly test cadences
  • Segregation-of-duties tracking
  • Walkthrough scheduling with external auditor
SOC 1 Type I/II
Demonstrate effective internal control over financial reporting for customers who consume your service in their SOX programs.
  • Control objectives and subservice carve-out tracking
  • User Entity Control documentation
  • Cross-mapped to SOC 2 for shared scope
CCPA / CPRA
Operationalize California consumer-privacy obligations — DSAR fulfillment, opt-out signals, and sensitive-PI handling.
  • DSAR intake portal and fulfillment SLA timers
  • Global Privacy Control (GPC) signal handling
  • Sensitive PI inventory and use-limitation workflow
Automation accelerators

Launch once, reuse forever

episki keeps every framework synchronized so new certifications feel like a configuration change, not a reimplementation.
Unified control graph
Map one control to every framework so updates propagate instantly.
Evidence library
Centralized evidence locker keeps documents, configs, and screenshots organized per control.
AI-powered drafting
AI suggests narratives, testing procedures, and remediation steps so you move faster.

Ready to see your frameworks in episki?

Start the free trial to import your controls, organize evidence, and invite your auditor in under an hour.
Start free trialBook a walkthrough