Assessing one framework establishes posture across mapped controls in all the others. The framework intelligence layer is the single biggest differentiator vs. legacy TPRM tools — and the reason a single Controls Maturity assessment can establish HIPAA, NIST CSF 2.0, and ISO 27001 posture in one pass.
Verisq ships with the full text of the eight most-asked-for control frameworks already loaded — not as references, but as live control objectives that assessments can map against, score, and report on.
Cross-framework propagation is non-destructive: it surfaces candidates for reviewer acceptance and never auto-writes across frameworks. The reviewer accepts, modifies, or rejects each implied rating with a justification captured in the audit trail.
The result: the same control evidence set covers every framework you're mapped to. ISO 27001 evidence accepts into NIST CSF 2.0. SOC 2 evidence accepts into ISO 27001. NIST 800-53 evidence accepts into FedRAMP baseline coverage. One assessment, multi-framework coverage.
When a previously accepted implied rating diverges from a later direct assessment, the drift report surfaces the gap. A weekly drift digest emails the GRC lead with the top divergent rows. PDF export is available for working papers. The drift report is the single best signal for "we're erosion-aware and rebaselining proactively" that auditors look for.
The matrix view places two frameworks on the X and Y axes, with mapping density and tenant posture overlaid as a heatmap. Filter by FedRAMP baseline, CSF function, mapping confidence, or posture status. Print-ready PDF and CSV exports are available for board materials. The matrix view is the deliverable that tells a CEO "we cover these eight frameworks with this density and this posture" without a five-page memo behind it.
Tenant-private frameworks for internal standards, board-mandated control sets, or industry-specific overlays. The seeded eight stay authoritative; tenant frameworks layer on top without affecting other tenants. Cross-mapping a tenant framework against the seeded eight follows the same propagation rules — your internal framework inherits the multi-framework coverage on day one of authoring.
Framework intelligence is the difference between buying a TPRM tool and buying a posture engine. A TPRM tool collects answers. A posture engine derives coverage from those answers, surfaces drift before the auditor finds it, and supplies the working papers when the audit arrives. The seeded eight cover the regulatory landscape most organisations live in; tenant-private framework support covers the rest.
Cross-framework propagation is included from RR Core. FedRAMP baseline rollup and tenant-authored frameworks are Enterprise capabilities.