• Compliance
  • NIST CSF
  • ISO 27001
  • GDPR
  • NIS2

30 compliance documents from a single assessment: how it works

Security policy, ISO 27001 SoA, risk register, business continuity plan, DPIA, records of processing, NIS2 scope memo… How one assessment aligned on NIST CSF 2.0 generates 30+ deliverables ready for your customers and auditors.

Komplyo2 min read

A customer security questionnaire. An ISO 27001 audit. A data-protection authority inquiry. A NIS2 scope request. Four counterparts, four vocabularies — and, in many SMEs, the same work redone four times by a security lead who is short on one thing above all: time.

Our conviction: these documents all describe the same reality — your security practices. Capture that reality once, properly, and everything else can be generated, not written.

The principle: assess once, project everywhere

Komplyo uses NIST CSF 2.0 as its backbone: 106 subcategories, one maturity question each. Every answer is then projected through a mapping table onto ISO 27001, SOC 2 (TSC), GDPR Article 32, NIS2, the CRA and the ANSSI hygiene guide. We never ask the same question twice under two different labels.

Every generated document cites its sources: which answers, which requirements covered, on what date. That is what makes the deliverables defensible in front of an auditor, not merely presentable.

What comes out of the assessment

Governance and steering: global information security policy (ISP), acceptable-use charter, information classification policy, teleworking policy, team awareness deck, management review and internal audit programme.

Risk and continuity: risk register (pre-modelled scenarios, Excel export), business impact analysis (BIA), business continuity plan, incident response pack (procedures + log).

ISO 27001 and SOC 2: exportable Statement of Applicability (SoA), SOC 2 system description, prioritised certification roadmap (Risk × Urgency × Ease), exportable as a presentation.

GDPR: records of processing activities (RoPA), data protection impact assessment (DPIA), data processing agreement (DPA) template, data subject request (DSAR) handling procedure.

NIS2 and CRA: classification memo (essential or important entity — see our guide), Article 21 coverage table, 24h/72h notification procedures, CRA technical documentation and coordinated vulnerability disclosure (CVD) policy.

Over 30 deliverables in total, in French and English, as Word or Excel files — editable, because a compliance document has to live.

Why this beats a template library

A downloaded template describes a generic company. Our documents describe yours: the measures you declared in place appear as such, and the gaps show up in the roadmap instead of being papered over. An auditor spots a generic template in ten minutes; a document consistent with your assessment holds up.

And when your practices evolve, you update the relevant answer — the documents regenerate. The scored history traces your progression, which is precisely what NIS2 (management accountability) and ISO 27001 (continual improvement) require.

Where to start

The free diagnostic — 23 questions, about 5 minutes — gives you a first score per CSF function and a GDPR snapshot. Your answers carry over: if you move on to the full assessment, you don't start from scratch. Same principle, from the first click to the audit file.