Compliance Frameworks
Overview
The Frameworks section lets you track your organization's compliance against industry-standard security frameworks. Each framework contains controls that must be implemented and verified.
Supported Frameworks
- SOC 2 — Service Organization Control 2, Type I and Type II
- ISO 27001 — Information Security Management System
- ISO 27701 — Privacy Information Management, an extension to ISO 27001
- ISO 42001 — AI Management System, responsible AI practices
- HIPAA — Health Insurance Portability and Accountability Act
- GDPR — General Data Protection Regulation
- CCPA — California Consumer Privacy Act
- DORA — Digital Operational Resilience Act for EU financial services
- NIS 2 — EU directive on network and information security
- AI Act — EU regulatory framework for artificial intelligence
- Cyber Essentials — UK government-backed cybersecurity certification
- Custom — Create custom frameworks for internal standards
Framework Structure
Every framework is organized into sections containing controls. The exact structure varies by framework:
SOC 2 — Trust Service Categories
SOC 2 organizes controls into Trust Service Categories (TSC):
| Category | Description |
|---|---|
| Security (CC) | Common Criteria — the foundation of every SOC 2 report |
| Availability (A) | System availability commitments |
| Processing Integrity (PI) | Accurate and complete processing |
| Confidentiality (C) | Protection of confidential information |
| Privacy (P) | Personal information handling |
You choose which categories are in scope when adding the framework.
ISO 27001 — Annex A Domains
ISO 27001 uses Annex A control domains such as Organizational Controls, People Controls, Physical Controls, and Technological Controls.
Other Frameworks
Each framework uses its own terminology (HIPAA has Administrative, Physical, and Technical Safeguards; GDPR has Articles; NIS 2 has risk management measures; etc.), but in Bastion they all follow the same workflow: sections contain controls, controls require evidence.
Controls
Controls are specific requirements within each section:
- Control ID — Unique identifier (e.g., CC6.1 for SOC 2, A.8.1 for ISO 27001)
- Description — What the control requires
- Test Procedure — How compliance is verified
- Evidence Required — Documentation needed
- Status — Passing, Failing, In Progress, Not Applicable, or Not Started (see Control Statuses below)
Managing Frameworks
Adding a Framework
- Navigate to Compliance → Frameworks
- Click Add Framework
- Select from available frameworks
- Configure scope (which sections and controls apply)
- Assign control owners
Framework Dashboard
Each framework shows:
- Overall Progress — Percentage of controls passing
- Section Breakdown — Progress per framework section
- Test Results — Recent test outcomes
- Open Issues — Controls requiring attention
Working with Controls
Control Statuses
| Status | Meaning |
|---|---|
| Passing | Control is implemented and verified |
| Failing | Control is not implemented or evidence missing |
| In Progress | Implementation underway |
| Not Applicable | Control does not apply to your scope |
| Not Started | Control has not been evaluated |
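As an added example (not Bastion's own code), the following models the dashboard rollup described above over these status values. It assumes that Not Applicable controls are excluded from the progress denominator and that the controls "requiring attention" are those Failing or Not Started; the sample controls are constructed.

```python
from dataclasses import dataclass
from collections import defaultdict

# Status values as defined in the Control Statuses table.
PASSING, FAILING, IN_PROGRESS, NOT_APPLICABLE, NOT_STARTED = (
    "Passing", "Failing", "In Progress", "Not Applicable", "Not Started")

@dataclass(frozen=True)
class Control:
    control_id: str   # e.g. "CC6.1" for SOC 2
    section: str      # e.g. "Security (CC)"
    status: str

def in_scope(controls):
    # Assumption: Not Applicable controls are out of scope, so they are
    # left out of the denominator and neither raise nor lower progress.
    return [c for c in controls if c.status != NOT_APPLICABLE]

def progress_pct(controls):
    scoped = in_scope(controls)
    if not scoped:            # section with no in-scope controls
        return None
    passing = sum(1 for c in scoped if c.status == PASSING)
    return round(100.0 * passing / len(scoped), 1)

def section_breakdown(controls):
    by_section = defaultdict(list)
    for c in controls:
        by_section[c.section].append(c)
    return {s: progress_pct(cs) for s, cs in by_section.items()}

def open_issues(controls):
    # Assumption: Failing and Not Started need attention; In Progress
    # already has an owner working on it.
    return sorted(c.control_id for c in controls
                  if c.status in (FAILING, NOT_STARTED))

def dashboard(controls):
    return {"overall": progress_pct(controls),
            "sections": section_breakdown(controls),
            "open_issues": open_issues(controls)}

# Constructed sample: SOC 2 with only Security and Availability in scope.
SAMPLE = [
    Control("CC6.1", "Security (CC)", PASSING),
    Control("CC6.2", "Security (CC)", PASSING),
    Control("CC6.3", "Security (CC)", FAILING),
    Control("CC6.4", "Security (CC)", PASSING),
    Control("CC7.1", "Security (CC)", IN_PROGRESS),
    Control("A1.1", "Availability (A)", PASSING),
    Control("A1.2", "Availability (A)", NOT_STARTED),
    Control("A1.3", "Availability (A)", NOT_APPLICABLE),
]

if __name__ == "__main__":
    print(dashboard(SAMPLE))
```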
Testing Controls
- Select Control — Click on a control to open its detail view.
- Review Requirements — Understand what the control requires and the test procedure.
- Collect Evidence — Upload evidence or verify automated collection.
- Run Test — Execute the test procedure (automated or manual).
- Document Results — Record the test outcome and any notes.
Automated Testing
Many controls can be automatically tested through integrations:
- Identity Controls - User access verified via identity provider
- Endpoint Controls - Device compliance via MDM
- Code Controls - Dependency scanning via VCS integration
- Access Controls - Permission audits via cloud integrations
Enable integrations to maximize automated testing. Manual testing should be the exception, not the rule.
Evidence Management
Evidence Types
- Screenshots - Visual proof of configurations
- Documents - Policies, procedures, diagrams
- Exports - System-generated reports
- Logs - Audit trails and activity logs
- Automated - Collected directly from integrations
Uploading Evidence
- Open the control requiring evidence
- Click Add Evidence
- Select evidence type and upload file
- Add description and date
- Save evidence
Evidence Best Practices
- Date Evidence Appropriately — Evidence should cover your audit period. Ensure screenshots and exports include visible dates.
- Be Specific — Label evidence clearly so auditors can understand what it demonstrates without explanation.
- Avoid Sensitive Data — Redact passwords, API keys, and PII from screenshots and exports.
Control Ownership
Assigning Owners
Each control can have an assigned owner responsible for:
- Implementing the control
- Collecting evidence
- Responding to auditor questions
Owner Responsibilities
- Monitor - Track control status regularly
- Maintain - Keep evidence current
- Respond - Address failures promptly
- Communicate - Update compliance team on changes
Reporting
Framework Reports
Generate reports showing:
- Control status summary
- Evidence inventory
- Gap analysis
- Remediation plans
Export Options
- PDF - Formatted report for stakeholders
- Excel - Data for analysis
- Auditor Package - Bundle for external auditors