Frameworks built-in, mapped, and always in sync
episki ships with pre-mapped programs for every major framework so your team never rebuilds the same control twice. Launch fast, stay audit-ready, and prove trust to every buyer.
Framework coverage
Choose the framework, episki handles the mapping
Every framework includes ready-to-use controls, mapped evidence, and audit-ready exports so your first audit feels like your tenth.
SOC 2 Type I/II
Pre-built Trust Service Criteria, AI-drafted narratives, and board-ready readiness reports.
- Control owners & narratives documented once
- Automated control testing reminders
- Auditor portal with SOC 2 summaries
ISO 27001
Build and certify your ISMS with pre-mapped Annex A controls, risk treatment workflows, and auditor-ready SoA exports.
- Statement of Applicability generator
- Risk register tied to control treatments
- Surveillance audit monitoring built in
HIPAA
Protect PHI with mapped administrative, physical, and technical safeguards tied to real-time monitoring.
- BAA tracking & vendor assurances
- Incident response runbooks baked in
- Audit-friendly evidence locker
PCI DSS
Translate DSS requirements into actionable engineering tasks with network segmentation, logging, and access controls.
- Scheduled log retention verification tasks
- Quarterly vulnerability cadence templates
- QSA portal with scoped access
NIST CSF
Align Identify, Protect, Detect, Respond, and Recover domains with dashboards execs can trust.
- Maturity scoring & heat maps
- Risk register synced to controls
- Auto-generated board updates
CMMC
Meet DoD cybersecurity requirements with pre-mapped CMMC levels, NIST 800-171 controls, and assessment-ready evidence packages.
- Level 1, 2, and 3 practices mapped to controls
- C3PAO assessment preparation workspace
- Cross-mapped to NIST CSF and ISO 27001
GDPR
Operationalize EU data-protection obligations with records of processing, DPIAs, data-subject request workflows, and breach timers.
- Article 30 records of processing kept current
- DPIA templates with risk acceptance flows
- 72-hour breach notification timers
FedRAMP
Build toward FedRAMP Low, Moderate, or High with NIST 800-53 baselines, control inheritance, and continuous monitoring artifacts.
- 800-53 baselines mapped to your control library
- SSP / SAR / POA&M document workflows
- Continuous monitoring evidence cadences
HITRUST CSF
Run HITRUST e1, i1, or r2 assessments with the HITRUST CSF mapped to your existing controls and evidence.
- e1, i1, r2 scoping support
- Evidence packets formatted for external assessors
- Cross-mapped to HIPAA, SOC 2, ISO 27001
NIST 800-53
Manage federal control baselines (Low / Moderate / High) with mapped control families, overlays, and tailoring records.
- All 20 control families pre-mapped
- Overlays and tailoring captured in-platform
- Crosswalk to NIST CSF, FedRAMP, CMMC
NIST 800-171
Protect CUI as a DoD contractor with the 110 controls of NIST 800-171 — the foundation underneath CMMC Level 2.
- 14 control families covering CUI
- SSP and POA&M workflows ready out of the box
- Lift-and-shift path to CMMC Level 2
ISO 27701
Stand up a standalone Privacy Information Management System (PIMS) under ISO/IEC 27701:2025, mapped to GDPR and CCPA.
- Controller and processor privacy controls
- Certify with or without ISO 27001
- GDPR Article-mapping crosswalk included
ISO 42001
Build the world's first certifiable AI Management System (AIMS) — agent registry, risk treatments, and operational controls.
- Agent registry and AI use-case inventory
- Risk treatment plans tuned for AI risks
- Mapped to NIST AI RMF and the EU AI Act
SOX
Manage IT general controls and key reports for Sarbanes-Oxley with structured testing cycles and external-auditor portals.
- ITGC catalog with quarterly test cadences
- Segregation-of-duties tracking
- Walkthrough scheduling with external auditors
SOC 1 Type I/II
Demonstrate effective internal control over financial reporting for customers who consume your service in their SOX programs.
- Control objectives and subservice carve-out tracking
- User Entity Control documentation
- Cross-mapped to SOC 2 for shared scope
CCPA / CPRA
Operationalize California consumer-privacy obligations — DSAR fulfillment, opt-out signals, and sensitive-PI handling.
- DSAR intake portal and fulfillment SLA timers
- Global Privacy Control (GPC) signal handling
- Sensitive PI inventory and use-limitation workflow
NY DFS Part 500
Meet the New York DFS Cybersecurity Regulation (23 NYCRR 500) — CISO program, MFA, asset inventory, and the annual certification.
- Second Amendment requirements (MFA, asset inventory)
- 72-hour and ransomware-payment reporting timers
- Section 500.17 annual certification builder
NIST AI RMF
Operationalize the NIST AI Risk Management Framework — Govern, Map, Measure, Manage — with an AI and agent registry.
- Govern / Map / Measure / Manage workflow
- AI, model, and agent inventory with risk tiers
- Cross-mapped to ISO 42001 and the EU AI Act
EU AI Act
Classify AI by risk tier and stand up the high-risk obligations under EU Regulation 2024/1689.
- Risk-tier classification per AI system
- High-risk obligations as tracked controls
- Cross-mapped to ISO 42001 and the NIST AI RMF
DORA
Meet the EU Digital Operational Resilience Act — ICT risk, incident reporting, resilience testing, and the Register of Information.
- ICT risk management and incident reporting
- Register of Information on ICT third parties
- Resilience testing, including TLPT where required
NIS2
Comply with the EU NIS2 Directive — Article 21 risk-management measures and Article 23 incident reporting.
- Article 21 measures as living controls
- 24h / 72h / 1-month incident reporting timers
- Cross-mapped to ISO 27001 and NIST CSF
CIS Controls
Implement the CIS Critical Security Controls v8.1 — 18 controls and 153 safeguards across Implementation Groups IG1-IG3.
- 18 controls, 153 safeguards as a control library
- IG1 / IG2 / IG3 scoping by size and risk
- Crosswalk to NIST CSF, ISO 27001, and SOC 2
ISO 27017
Add the ISO/IEC 27017:2015 cloud security code of practice to your ISO 27001 ISMS.
- Cloud-specific control guidance plus 7 cloud controls
- Shared-responsibility model documented
- Assessed alongside ISO 27001
ISO 27018
Protect PII in public clouds with ISO/IEC 27018:2019, added to your ISO 27001 ISMS and mapped to GDPR.
- Cloud PII processor controls
- Subprocessor and data-location transparency
- Crosswalk to ISO 27701 and GDPR
CSA STAR
Complete the CSA STAR program with Cloud Controls Matrix v4 and the CAIQ — Level 1 or Level 2.
- CCM v4 control library and CAIQ
- STAR Level 1 self-assessment or Level 2 certification
- Crosswalk to ISO 27001 and SOC 2
Cyber Essentials
Achieve UK Cyber Essentials and CE Plus — the five technical controls with mandatory cloud MFA.
- Firewalls, configuration, access, malware, updates
- Self-assessed CE and verified CE Plus
- Crosswalk to ISO 27001 and NIST CSF
TISAX
Prepare for a TISAX assessment based on the VDA ISA catalogue for the automotive supply chain.
- VDA ISA catalogue as living controls
- Assessment levels AL1 / AL2 / AL3 and labels
- Crosswalk to ISO 27001 Annex A
FFIEC
Stay FFIEC examination-ready after the CAT sunset by mapping to NIST CSF 2.0 or the CRI Profile.
- CAT-to-CSF / CRI Profile migration
- IT Examination Handbook readiness
- Crosswalk to GLBA and NY DFS
GLBA
Meet the GLBA Safeguards Rule — qualified individual, risk assessment, encryption, MFA, and FTC breach notice.
- The Safeguards Rule elements as controls
- 30-day FTC breach notification workflow
- Crosswalk to FFIEC, NY DFS, and SOC 2
StateRAMP
Reach StateRAMP Authorized status for state and local government with NIST 800-53 baselines and FedRAMP reciprocity.
- Low / Moderate / High 800-53 baselines
- Continuous monitoring and POA&M tracking
- FedRAMP reciprocity and shared evidence
ISO 22301
Build a certifiable Business Continuity Management System (BCMS) per ISO 22301:2019.
- Business impact analysis and recovery objectives
- Continuity plans, exercises, and reviews
- Shares the ISO structure with ISO 27001
SOC 3
Publish a public, general-use SOC 3 report from the same Trust Services Criteria as your SOC 2.
- General-use report, no NDA required
- Issued alongside your SOC 2 Type 2
- Reuses your SOC 2 controls and evidence
PIPEDA
Comply with Canada's PIPEDA — the 10 fair information principles, access requests, and breach reporting.
- Ten fair information principles as controls
- Privacy Commissioner breach reporting
- Crosswalk to GDPR and CCPA
Automation accelerators
Launch once, reuse forever
episki keeps every framework synchronized so new certifications feel like a configuration change, not a reimplementation.
Unified control graph
Map one control to every framework so updates propagate instantly.
Evidence library
Centralized evidence locker keeps documents, configs, and screenshots organized per control.
AI-powered drafting
AI suggests narratives, testing procedures, and remediation steps so you move faster.
Ready to see your frameworks in episki?
Start the free trial to import your controls, organize evidence, and invite your auditor in under an hour.