Workflow

Cross-framework mapping

How OneComply links controls across DORA, ISO 27001, NIS2, GDPR, CSSF 22/806, and CRA without over-claiming regulatory satisfaction.

Owner: Compliance Engineering
Last reviewed: 2026-05-11

  • Frameworks: 6 (DORA, ISO 27001, NIS2, GDPR, CSSF, CRA)
  • Controls: 378 (current built-in library)
  • Dashboard metric: Weighted (partial/related mappings are not full satisfaction)
  • Update guard: CI tests (broken refs and phantom codes fail validation)

Diagram: Mapping sources, validation, review, and product surfaces.

What a mapping means

A cross-framework mapping links one OneComply control to one or more controls in other frameworks. It means the same implementation work may support multiple obligations, but it does not automatically mean the target obligation is fully satisfied.

OneComply separates reuse potential from regulatory satisfaction. Dashboard coverage uses weighted mapping strength so related or partial links cannot be counted as complete compliance.

Relationship strength

Diagram: Relationship strength controls how mappings affect dashboard coverage.

  • Equivalent — the implementation is expected to satisfy the target control with the same evidence package.
  • Partial — the implementation supports the target control but needs reviewer confirmation or supplemental evidence.
  • Related — useful context for reviewers; not treated as direct satisfaction.

Where mappings are used

  • Framework dashboards show weighted reuse potential for active tenant controls only.
  • Control Mapping Concierge uses curated source-library crosswalks first, then exact references, normalized codes, and internal mapping references.
  • Evidence carry-forward links imported evidence to the accepted control and to non-related mapped controls in the same tenant, with inherited-link notes for audit traceability.
  • Exports preserve OneComply IDs, customer aliases, and mapped target references so reviewers can reconcile legacy control IDs.

How we keep mappings updated

  1. Update the canonical framework control library and bump the framework library version.
  2. Run mapping validation tests for duplicate codes, broken references, self-references, duplicate targets, retired phantom prefixes, source-library crosswalks, and CRA extended mappings.
  3. Use the framework sync workflow to propagate changed mappedTo arrays to existing tenant controls.
  4. Review dashboard overlap after sync. The dashboard uses tenant controls, so a framework that has not been initialized by a tenant is not counted as active coverage.
  5. Record regulator/legal interpretation changes separately from engineering reference fixes.

No silent compliance claims

Cross-framework mapping is a productivity and evidence-reuse feature. Final obligation satisfaction still depends on reviewer decisions, evidence completeness, applicability, and legal/compliance interpretation for the customer's entity type.

Current safeguards

  • Broken static mappedTo references fail automated tests.
  • External source-library crosswalk targets must resolve to real OneComply controls.
  • CRA extended cross-mapping targets must resolve to real OneComply controls.
  • Retired phantom prefixes such as DORA-RST, DORA-RCV, and DORA-BCK are blocked from returning.
  • Curated external crosswalk matches are labelled separately from weaker internal mapping-reference matches.
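
The checks named in step 2 of "How we keep mappings updated" and under "Current safeguards" can be run as one pass over a control library. The following is an added example, not OneComply's own code: the `code`/`mappedTo` dict shape, the function name `validate_library`, the finding labels, and every sample control code are assumptions constructed for illustration; only the three retired prefixes come from this page.

```python
from collections import Counter

# Retired prefixes named on the page; everything else below is constructed.
RETIRED_PREFIXES = ("DORA-RST", "DORA-RCV", "DORA-BCK")


def validate_library(controls):
    """Return a sorted list of (check, control_code, detail) findings.

    `controls` is a list of dicts with a `code` string and a `mappedTo`
    list of target codes (assumed shape, not OneComply's schema).
    """
    findings = []
    counts = Counter(c["code"] for c in controls)
    known = set(counts)

    for code, n in counts.items():
        if n > 1:
            findings.append(("duplicate-code", code, f"defined {n} times"))
        if code.startswith(RETIRED_PREFIXES):
            findings.append(("retired-prefix", code, "control uses a retired prefix"))

    for control in controls:
        code, targets = control["code"], control.get("mappedTo", [])
        for target, n in Counter(targets).items():
            if n > 1:
                findings.append(("duplicate-target", code, target))
            if target == code:
                findings.append(("self-reference", code, target))
            elif target.startswith(RETIRED_PREFIXES):
                findings.append(("retired-prefix", code, target))
            elif target not in known:
                findings.append(("broken-reference", code, target))
    return sorted(findings)


# Constructed sample library containing one defect per check.
SAMPLE = [
    {"code": "DORA-ICT-01", "mappedTo": ["ISO-A.5.1", "NIS2-21-A"]},
    {"code": "ISO-A.5.1", "mappedTo": ["DORA-ICT-01", "DORA-ICT-01"]},
    {"code": "NIS2-21-A", "mappedTo": ["NIS2-21-A", "GDPR-32-X"]},
    {"code": "CRA-AI-1", "mappedTo": ["DORA-BCK-03"]},
    {"code": "CRA-AI-1", "mappedTo": []},
]

if __name__ == "__main__":
    for finding in validate_library(SAMPLE):
        print(*finding, sep="\t")
```

Wired into CI, a non-empty findings list would fail the build, which is the behaviour the safeguards list describes for broken references and returning phantom prefixes.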