One Control, Many Frameworks - a Real GRC Control Graph
SentriProof reduces 76 frameworks and 275 framework-specific controls to roughly 90–100 canonical controls connected by 396 cross-framework mappings. Collect evidence for one control and it counts everywhere it maps - SOC 2, ISO 27001, HIPAA, PCI, GDPR, and 9 industry packs that reach well beyond tech.
Illustrative product view
One control, many frameworks
The tax on multi-framework compliance is duplication - maintaining a near-identical control once for SOC 2, again for ISO, again for HIPAA. SentriProof maintains the canonical control once and connects it, through 396 mappings, to each framework’s equivalent requirement. Evidence collected once satisfies many.
| Canonical control | Maps to |
|---|---|
| Access review / least privilege | SOC 2 CC6.x · ISO 27001 A.9 · HIPAA §164.308(a)(4) · PCI 7 |
| Encryption in transit & at rest | SOC 2 CC6.7 · ISO A.10 · HIPAA §164.312(a) · PCI 3/4 |
| Change management | SOC 2 CC8.1 · ISO A.12 · PCI 6 |
| Incident response | SOC 2 CC7.x · ISO A.16 · HIPAA §164.308(a)(6) · GDPR Art.33 |
Beyond tech: 9 industry packs
GRC tools usually stop at the SaaS security baseline. SentriProof ships that baseline and then keeps going into the regulated, physical-world verticals where compliance is not optional.
- SOC 2, ISO 27001, HIPAA, PCI DSS and GDPR for the tech and security baseline
- OSHA and construction-safety packs for the built environment
- EPA and PHMSA packs for oil, gas and pipeline operators
- Childcare licensing and food-safety packs for regulated consumer verticals
- 76 frameworks and 275 framework-specific controls in total, all reduced to a shared canonical set
Operational, not just a policy binder
How the control graph stays true
- 1
Daily checks
Operational checks run continuously - MFA coverage, access reviews, backup verification - not once a year before the audit.
- 2
Governance close
A periodic close reconciles control status, exceptions and owner sign-off, the way a finance close reconciles the books.
- 3
Evidence room
Control results, policies and artifacts are DB-persisted and linked to the frameworks they satisfy.
- 4
Insurance readiness
The same control state feeds a cyber-insurance readiness view, so the questionnaire answers itself from real status.
Frequently asked questions
How many frameworks does SentriProof cover?
76 frameworks and 275 framework-specific controls, reduced to roughly 90–100 canonical controls connected by 396 cross-framework mappings - so one canonical control can satisfy the equivalent requirement in SOC 2, ISO 27001, HIPAA, PCI and more at once.
What does “one control, many frameworks” mean?
Instead of a separate control for every framework, you maintain a canonical control once. Its 396 mappings connect it to each framework’s requirement, so evidence you collect for a SOC 2 access review also counts toward ISO A.9, HIPAA and PCI 7.
Does it cover non-tech, regulated industries?
Yes - beyond SOC 2, ISO, HIPAA, PCI and GDPR there are 9 industry packs, including OSHA and construction safety, EPA and PHMSA for oil, gas and pipelines, and childcare and food-safety packs for regulated consumer verticals.
Are the readiness scores an attestation?
No - the readiness and control scoring is a rule-based heuristic and is openly labeled that way. The controls, policies, mappings and evidence beneath the score are real and DB-persisted, so the number rolls up from inspectable data rather than a manual estimate.
What is the evidence room?
A persisted store of control results, policies and artifacts linked to the frameworks they satisfy, plus a governance-close and insurance-readiness view - so an audit or a cyber-insurance questionnaire draws on live control state instead of a last-minute scramble.
Keep going
Try the calculator
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
See the security depth, not the slideware
Walk the SOC engine, the governed MCP server, and the control graph live - with the honest caveats on the table, not hidden.
Talk to us