Most compliance teams are running the same play four different ways. There is an ISO 27001 folder, a SOC 2 folder, a GDPR folder, and now a DORA folder. Each folder has its own evidence-collection checklist. Each checklist maps to roughly the same set of controls — access management, encryption, incident response, vendor oversight — written in four different dialects. When audit season arrives, practitioners race to reformat the same screenshots, re-explain the same processes, and re-label the same policies for each assessor.
The fix is not more tooling. It is a different architecture: a unified control library in which each control is written once, mapped to every relevant framework simultaneously, and generates evidence once per cycle. Done well, the illustrative reduction in audit-prep effort is well over half — not because you are cutting corners, but because you are eliminating redundancy that was never producing quality anyway.
What exactly is a unified control library?
A unified control library is a structured registry in which every security and compliance control is defined as a single authoritative record — a control statement, an owner, an evidence type, and a testing cadence — with a separate mapping layer that links that record to one or more framework obligations.
The key insight is that the control itself is framework-agnostic. "Multi-factor authentication is enforced for all privileged access" is a control. Whether it satisfies an ISO 27001 Annex A access-control objective, a SOC 2 Trust Services Criteria logical-access requirement, or a DORA ICT access-management obligation is a mapping concern, not a design concern. Separating the two layers is what makes scale possible.
Without this separation you end up with one record per framework reference — which is how you arrive at 400 "controls" that are really 60 controls expressed six ways each.
Why do most organisations get this wrong?
The anti-pattern is framework-first design. The team prepares for ISO 27001, receives a spreadsheet organised around Annex A clause numbers, and builds their control set around that structure. A year later they pursue SOC 2 and start a new spreadsheet organised around the Trust Services Criteria. Nothing in either spreadsheet was designed to be compared with the other.
The result is organisational — silos of evidence that are unmergeable in practice, even when most of the underlying controls are identical. Every audit becomes a ground-up rebuild of something you have already done.
A secondary failure mode is treating the mapping as optional metadata. Teams build a control library, then add a "frameworks" column as a tag. The tag is rarely updated, never validated, and ignored by auditors. Mapping has to be structural and tested, not decorative.
How do you build a library that holds up?
Start with the intersection, not the union. Pull the Annex A control families, the Trust Services Criteria categories, the GDPR technical and organisational measures, and the DORA ICT risk-management requirements. Before you write a single control, identify the common ground: every framework wants you to manage access, protect data in transit, test your incident response, and oversee your third parties. These intersection areas account for the majority of audit evidence in most programmes. Write controls here first, in plain language, without any framework vocabulary embedded in the control statement itself.
Use a three-field structure at minimum. Every control record needs: (1) a stable internal identifier — not a framework reference number; (2) a control statement in your organisation's operational language; (3) a mapping table listing framework, domain, and an alignment confidence level (full, partial, or out-of-scope). The alignment confidence level is the most overlooked field. "Partial" alignment means the control satisfies part of the requirement but something else is needed. Leaving it unlabelled creates audit surprises.
Write evidence requirements in the control, not in the audit checklist. This is the leverage point. If your access-management control specifies that evidence is a quarterly access-review export plus a configuration screenshot of MFA enforcement, that evidence requirement is the same for ISO 27001, SOC 2, and DORA. The auditor's checklist just points to the same artefact. When you store evidence requirements in the checklist rather than the control, you reassemble them from scratch every cycle.
Map at the obligation level, not the clause level. Framework clauses are structural containers. What matters is the obligation within the clause — the thing you are actually required to demonstrate. Two clauses across two frameworks may share an identical underlying obligation (for example, "confirm that access rights are revoked promptly on role change"). Mapping at the obligation level reveals more overlap than clause-to-clause mapping and produces fewer false-positive gaps.
Validate mappings with a test, not a self-assessment. For each control-to-obligation mapping, write a one-line test: "Given this evidence package, would an assessor accept this control as satisfying this obligation?" Work through it with someone who has actually sat across the table from external auditors for each framework. Self-assessed mappings are optimistic by a wide margin.
What are the genuine limits of cross-mapping?
Cross-mapping is not a licence to collapse everything into one control. Some frameworks impose obligations that are genuinely distinct in scope, timing, or depth. Regulatory notification timelines vary in ways that cannot be unified. Data-residency requirements under some national GDPR implementations impose obligations that ISO 27001 and SOC 2 simply do not touch. DORA's ICT third-party oversight requirements go further on contractual content than most general vendor-management controls will cover.
The correct response to genuine divergence is a supplementary control, not a forced mapping. A supplementary control exists solely to satisfy a specific framework obligation with no cross-mapping value. These should be the minority. If your library has more supplementary controls than cross-mapped ones, the foundation is wrong — go back and raise the altitude of your core controls.
Frequently Asked Questions
Does a unified library mean one evidence package across all audits? Not exactly. Auditors and assessors still work from their own frameworks. What changes is the production of evidence — it happens once, and each auditor draws from the same artefact store. Packaging may vary; production should not.
How do we handle controls that are mature for one framework but underdeveloped for another? This is normal. Model the mapping with an alignment confidence of "partial" and attach a gap-closure task to the control record. The library reflects your current state, not an aspiration.
At what team size does this start to pay off? The crossover point is lower than most teams expect. Illustratively, once you are managing three or more concurrent framework obligations, the overhead of maintaining separate control sets exceeds the overhead of building a unified library.
Can we use existing spreadsheets as the starting point? Yes, but treat them as raw material, not as the structure. Extract every distinct control statement, deduplicate, rewrite in framework-neutral language, and only then rebuild the mapping layer.
Where do you go from here?
The unified control library is the foundation that makes everything downstream faster — continuous monitoring, automated evidence collection, AI-assisted gap analysis, and multi-framework audit readiness in weeks rather than months. None of those capabilities deliver their full value on top of a fragmented control set.
If you want to see how Aigis GRC structures the mapping layer in practice — including how obligation-level cross-mapping surfaces genuine gaps rather than cosmetic ones — explore the platform at agrc.ai.


