Frameworks & Controls
Claw GRC ships with 11 compliance frameworks and 1,026 pre-seeded controls. Activate the frameworks you need, manage control status, assign owners, and map evidence — all from one interface.
Available Frameworks
All 11 frameworks are pre-loaded with their official control sets at the time of platform release. Framework content is updated when new versions are published by the governing body.
| Framework | Description | Controls |
|---|---|---|
| SOC 2 Type II | AICPA Trust Service Criteria — 95 controls across CC, A, C, P, PI categories | 95 controls |
| ISO 27001:2022 | International information security management standard — 93 controls in 4 themes | 93 controls |
| ISO 42001 | AI Management System standard — controls for responsible AI development and deployment | 42 controls |
| EU AI Act | European Union AI Act requirements for high-risk AI systems | 85 controls |
| NIST AI RMF | NIST AI Risk Management Framework — GOVERN, MAP, MEASURE, MANAGE functions | 72 controls |
| NIST 800-53 Rev5 | Federal security and privacy controls — 20 control families | 165 controls |
| NIST CSF 2.0 | Cybersecurity Framework — IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, GOVERN | 108 controls |
| OWASP LLM Top 10 | Top 10 LLM security risks with detection and mitigation controls | 48 controls |
| CMMC 2.0 | Cybersecurity Maturity Model Certification for DoD contractors — Levels 1–3 | 110 controls |
| FedRAMP Moderate | Federal Risk and Authorization Management Program — cloud services for government | 325 controls |
| HIPAA | Health Insurance Portability and Accountability Act security and privacy rules | 75 controls |
Activating a Framework
Inactive frameworks exist in the platform but don't contribute to your compliance score. To activate a framework:
- Navigate to Dashboard → Frameworks
- Click the framework card you want to activate
- Click Activate Framework in the top-right
- Choose whether to apply the default control status assignments or start all controls as not_implemented
- Click Confirm Activation
Upon activation, the framework's controls are added to your organization's compliance posture and your overall score is immediately recalculated. A framework with all controls in not_implemented state will lower your overall score — plan activations accordingly, or use the score preview before confirming.
Score preview before activation
The activation confirmation modal shows a score projection — your current score vs. your projected score after activation with all controls starting at their default state. Use this to understand the impact before committing.
Control Status Lifecycle
Every control in every active framework has a status that represents its implementation maturity. The four valid states are:
| Status | Description | Score Contribution |
|---|---|---|
| not_applicable | This control does not apply to your organization. Excluded from score calculation. Requires justification note. | Excluded |
| not_implemented | The control has been acknowledged but not yet implemented. Actively reduces your score. | 0% |
| partial | The control is partially implemented. Some evidence exists but the full requirement is not met. | 50% |
| implemented | The control is fully implemented with sufficient fresh evidence. Contributes fully to your score. | 100% |
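The score contributions in the table above and the activation preview described earlier, as an added example that is not Claw GRC's own code: a minimal model of the status lifecycle, the audit trail on each status change, the not_applicable justification rule, and a current-vs-projected score preview. The class and function names are assumptions; the weights follow the table.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Score contribution per status, as in the lifecycle table; not_applicable is
# excluded from the denominator instead of being weighted.
WEIGHTS = {"not_implemented": 0.0, "partial": 0.5, "implemented": 1.0}

@dataclass
class Control:
    control_id: str
    status: str = "not_implemented"
    justification: str = ""
    history: list = field(default_factory=list)  # audit trail of status changes

@dataclass
class Framework:
    name: str
    controls: list
    active: bool = False

def set_status(control, new_status, actor, justification=""):
    """Change status, enforcing the not_applicable justification rule and recording who/when/previous."""
    if new_status != "not_applicable" and new_status not in WEIGHTS:
        raise ValueError(f"invalid status: {new_status}")
    if new_status == "not_applicable" and not justification.strip():
        raise ValueError("not_applicable requires a written justification")
    control.history.append({"actor": actor, "at": datetime.now(timezone.utc).isoformat(),
                            "previous": control.status, "new": new_status})
    control.status, control.justification = new_status, justification

def compliance_score(frameworks):
    """Overall score (percent) across active frameworks; not_applicable controls are excluded."""
    scored = [c for f in frameworks if f.active
              for c in f.controls if c.status != "not_applicable"]
    if not scored:
        return 0.0
    return round(100.0 * sum(WEIGHTS[c.status] for c in scored) / len(scored), 1)

def activation_preview(frameworks, candidate):
    """Current vs. projected score if `candidate` were activated with its controls as they stand."""
    projected = frameworks + [Framework(candidate.name, candidate.controls, active=True)]
    return compliance_score(frameworks), compliance_score(projected)

def demo():
    """Constructed sample: one active framework, plus an inactive one with every control not_implemented."""
    soc2 = Framework("SOC 2", [Control("CC6.1", "implemented"), Control("CC6.2", "partial"),
                               Control("CC6.3"), Control("A1.1")], active=True)
    set_status(soc2.controls[3], "not_applicable", "alice", "No availability commitments in scope")
    hipaa = Framework("HIPAA", [Control(f"164.308-{i}") for i in range(3)])  # constructed ids
    return compliance_score([soc2]), activation_preview([soc2], hipaa)
```

In the constructed sample the active framework scores 50% (1.5 of 3 scored controls, the not_applicable one excluded), and activating the three-control framework as-is would drop the projection to 25%.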
Changing control status
Control status changes are audited — every status change records who made it, when, and the previous value. To change a control's status:
- Navigate to Frameworks → [Framework] → Controls
- Find the control you want to update (use the search bar or filter by category)
- Click the status badge to open the status editor
- Select the new status and optionally add a justification note
- Click Save
not_applicable requires a justification
Marking a control as not_applicable requires entering a written justification explaining why the control doesn't apply to your environment. This justification is included in generated audit reports and will be reviewed by auditors.
Assigning Control Owners
Each control can be assigned to a team member who is responsible for its implementation and evidence collection. Ownership assignment enables:
- Email/Slack notifications when evidence becomes stale
- Ticket assignment when a control-related finding is created
- Accountability tracking in the activity feed
- Filtered views so team members see "their" controls
Assign owners individually from the control detail view, or use bulk assignment to assign an entire control category to a team member at once:
- Go to Frameworks → [Framework] → Controls
- Filter by category (e.g., "Access Control")
- Select all with the header checkbox
- Click Bulk Assign → select team member → Assign
Control Categories
Controls are organized into categories that map to the official framework structure. For SOC 2, the categories are the Trust Service Criteria:
| Category | Description |
|---|---|
| CC (Common Criteria) | Security, availability, processing integrity, confidentiality, and privacy controls that apply to all principles |
| A (Availability) | Controls ensuring systems are available for operation and use as committed |
| C (Confidentiality) | Controls protecting confidential information from unauthorized access |
| PI (Processing Integrity) | Controls ensuring system processing is complete, valid, accurate, timely, and authorized |
| P (Privacy) | Controls over collection, use, retention, disclosure, and disposal of personal information |
Cross-Framework Control Mapping
One of Claw GRC's most powerful features is cross-framework control mapping. When you implement evidence for a control in one framework, that evidence can automatically satisfy related controls in other active frameworks.
For example, implementing an access control policy (SOC 2 CC6.1) can partially satisfy:
- ISO 27001 A.5.15 — Access Control
- NIST 800-53 AC-2 — Account Management
- FedRAMP AC-2 — Account Management
The platform shows cross-framework mappings in the control detail view under "Satisfies in other frameworks". Evidence linked to the primary control will be suggested for mapping to the related controls.
Cross-mapping is suggestive, not automatic
Claw GRC will suggest evidence mappings across frameworks but won't apply them automatically. An authorized team member must confirm each cross-framework mapping. This prevents incorrect assumptions that could mislead auditors.
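The suggest-then-confirm behaviour described above, as an added example that is not Claw GRC's own code: evidence linked to a primary control produces suggestions only for related controls in active frameworks, suggestions never count toward a control until an authorized team member confirms them, and the confirmation records who approved it. The mapping table reuses the page's CC6.1 example; the class and function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed mapping table built from the page's example; the platform's real
# mapping data is not shown on the page, so this is an assumption.
CROSS_MAP = {
    ("SOC 2", "CC6.1"): [("ISO 27001", "A.5.15"), ("NIST 800-53", "AC-2"), ("FedRAMP", "AC-2")],
}

@dataclass
class EvidenceLink:
    evidence_id: str
    framework: str
    control_id: str
    confirmed_by: str = ""  # empty => still a suggestion, not applied

@dataclass
class Workspace:
    active_frameworks: set
    authorized_users: set
    links: list = field(default_factory=list)        # applied mappings only
    suggestions: list = field(default_factory=list)  # pending, never counted

def link_evidence(ws, evidence_id, framework, control_id):
    """Link evidence to its primary control; queue suggestions for related controls in active frameworks."""
    ws.links.append(EvidenceLink(evidence_id, framework, control_id, confirmed_by="primary"))
    for fw, cid in CROSS_MAP.get((framework, control_id), []):
        if fw in ws.active_frameworks:  # inactive frameworks get no suggestion
            ws.suggestions.append(EvidenceLink(evidence_id, fw, cid))
    return [(s.framework, s.control_id) for s in ws.suggestions]

def confirm_suggestion(ws, evidence_id, framework, control_id, actor):
    """Apply a suggested mapping only when an authorized team member confirms it."""
    if actor not in ws.authorized_users:
        raise PermissionError(f"{actor} is not authorized to confirm cross-framework mappings")
    for s in ws.suggestions:
        if (s.evidence_id, s.framework, s.control_id) == (evidence_id, framework, control_id):
            ws.suggestions.remove(s)
            s.confirmed_by = actor  # who approved the mapping, for the audit trail
            ws.links.append(s)
            return s
    raise LookupError("no pending suggestion for that control")

def evidence_for(ws, framework, control_id):
    """Evidence that actually counts for a control: applied links only, never pending suggestions."""
    return [l.evidence_id for l in ws.links if (l.framework, l.control_id) == (framework, control_id)]
```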