Komplyo
Features

Everything you need to run security and compliance.

Komplyo turns a single NIST CSF 2.0 assessment into an executive dashboard, multi-framework projections, audit-ready documents and a prioritised action plan. Assess once, project everywhere.

Executive dashboard & CSF 2.0 maturity

A global score and a maturity level per NIST CSF 2.0 function (Govern, Identify, Protect, Detect, Respond, Recover) on the Tier 1–4 scale. Two assessment depths: essentials (an SMB quick-start subset) or the full certification path.

  • Global score and per-function maturity bands
  • Essentials depth (SMB subset) or full (106 subcategories)
  • Persisted score history for audit defensibility
  • Per-function pages with actions to take and resources
[Screenshot: Komplyo executive dashboard, global score and NIST CSF 2.0 maturity by function]

Assess once, project everywhere

Your CSF 2.0 answers automatically feed ISO 27001, SOC 2 (Trust Services Criteria) and GDPR Article 32 through a mappings table, so you never answer the same question twice.

  • One implemented control counts toward every framework it maps to (coverage badges)
  • Framework lenses are switched on by your objectives, never gated by your score
  • Readiness per framework is first derived from your CSF answers, then completed with framework-specific questions
  • Questions already answered through CSF are deduplicated rather than asked again
[Screenshot: ISO 27001 and SOC 2 readiness projected from the CSF 2.0 assessment]
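The "assess once, project everywhere" mechanism above is a crosswalk join: each CSF 2.0 answer is looked up in a mapping table and scored against every framework control it feeds. The following is an added example of that projection in Python; it is not Komplyo's code, and the crosswalk rows, lens control lists, status weights and sample answers are all constructed for illustration (the CSF subcategory and ISO 27001:2022 control identifiers are real, the pairings between them are assumptions). It also shows the two checks a practitioner wants: a framework control fed by several CSF answers takes the weakest of them, and controls with no CSF source are reported as the questions still to be asked directly.

```python
"""Added example (not Komplyo's code): projecting CSF 2.0 answers onto
other frameworks through a crosswalk table.

All mapping rows, control lists and sample answers below are constructed
for illustration and are not an authoritative mapping.
"""
from collections import defaultdict

# Constructed crosswalk: CSF 2.0 subcategory -> framework controls it feeds.
CROSSWALK = {
    "PR.AA-01": {"ISO27001": ["A.5.16"], "SOC2": ["CC6.1"]},
    "PR.AA-03": {"ISO27001": ["A.5.17"], "SOC2": ["CC6.1"]},
    "PR.DS-01": {"ISO27001": ["A.8.24"], "SOC2": ["CC6.1", "CC6.7"]},
    "DE.CM-01": {"ISO27001": ["A.8.16"], "SOC2": ["CC7.2"]},
    "RS.MA-01": {"ISO27001": ["A.5.26"], "SOC2": ["CC7.4"]},
}

# Controls each framework "lens" expects. A.7.10 and CC1.1 have no CSF
# source in the crosswalk above, so they must be asked directly (constructed).
LENS_CONTROLS = {
    "ISO27001": ["A.5.16", "A.5.17", "A.8.24", "A.8.16", "A.5.26", "A.7.10"],
    "SOC2": ["CC6.1", "CC6.7", "CC7.2", "CC7.4", "CC1.1"],
}

# Assumed scoring of an assessment answer.
STATUS_WEIGHT = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}


def project(answers, crosswalk=CROSSWALK, lens_controls=LENS_CONTROLS):
    """Return {framework: {control: score}} derived from CSF answers.

    Conservative merge: a framework control fed by several CSF
    subcategories takes the lowest score among them, so one weak upstream
    answer cannot be hidden by a strong one. Controls with no CSF source
    are simply absent from the result.
    """
    derived = defaultdict(dict)
    for sub, status in answers.items():
        if status not in STATUS_WEIGHT:
            raise ValueError(f"unknown status {status!r} for {sub}")
        weight = STATUS_WEIGHT[status]
        for fw, controls in crosswalk.get(sub, {}).items():
            for ctl in controls:
                derived[fw][ctl] = min(weight, derived[fw].get(ctl, 1.0))
    return {fw: dict(derived.get(fw, {})) for fw in lens_controls}


def readiness(projected, lens_controls=LENS_CONTROLS):
    """Derived readiness (%) per framework plus the controls still unanswered.

    Unanswered controls count as 0 in the percentage; they are the targeted
    follow-up questions a full framework assessment still has to ask.
    """
    report = {}
    for fw, controls in lens_controls.items():
        scored = projected.get(fw, {})
        total = sum(scored.get(c, 0.0) for c in controls)
        report[fw] = {
            "readiness_pct": round(100 * total / len(controls)),
            "unanswered": [c for c in controls if c not in scored],
        }
    return report


def badges(projected):
    """Coverage badge per derived control: covered / partial / gap."""
    label = {1.0: "covered", 0.5: "partial", 0.0: "gap"}
    return {fw: {c: label[s] for c, s in ctls.items()}
            for fw, ctls in projected.items()}


# Constructed sample answers from a CSF 2.0 assessment.
SAMPLE_ANSWERS = {
    "PR.AA-01": "implemented",
    "PR.AA-03": "partial",
    "PR.DS-01": "implemented",
    "DE.CM-01": "missing",
    "RS.MA-01": "implemented",
}

if __name__ == "__main__":
    proj = project(SAMPLE_ANSWERS)
    for fw, rep in readiness(proj).items():
        print(fw, rep)
    print(badges(proj))
```

With the sample answers, SOC 2 CC6.1 is fed by three CSF subcategories and ends up "partial" because PR.AA-03 is only partial; ISO 27001 comes out at 58% derived readiness with A.7.10 still to be asked, SOC 2 at 50% with CC1.1 still to be asked. The min-merge is the design choice worth keeping: averaging upstream answers would let a single strong control mask a weak one under the same badge.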

ISO 27001 Statement of Applicability & SOC 2 workspace

A dedicated certification workspace: per-control readiness, inline gap answering, and an editable, exportable ISO 27001 Statement of Applicability (SoA). The SOC 2 lens covers the Trust Services Criteria categories: Common Criteria (CC), Availability (A), Confidentiality (C), Processing Integrity (PI) and Privacy (P).

  • Editable, exportable ISO 27001 SoA
  • Coverage of all 93 ISO 27001:2022 Annex A controls plus the ISMS clauses (4–10)
  • SOC 2 (TSC) criteria derived from the CSF, with COSO-principle questions added where the CSF has no equivalent
  • Inline gap answering, persisted on every entry
[Screenshot: ISO 27001 Statement of Applicability (SoA) editor in Komplyo]

GDPR conformity by article & Art. 30 register

A parallel privacy axis (a compliance status, not a maturity score): compliance status per article, gaps to close, and a record of processing activities (Art. 30).

  • Compliant / partial / missing / not-applicable per article
  • Structured records of processing (Art. 30)
  • GDPR axis toggle per assessment
  • Security-of-processing (Art. 32) and operational-privacy articles covered
[Screenshot: GDPR conformity by article and Art. 30 records of processing]

NIS2 scope analysis

Determine whether NIS2 applies to your organisation and what it implies, from the same assessment answers.

  • NIS2 applicability analysis
  • Expected measures mapped against your CSF posture
  • A clear read on the gaps to address
[Screenshot: NIS2 scope and applicability analysis]

Prioritised roadmap & risk register

A roadmap ranked by a transparent priority score (Risk × 0.4 + Urgency × 0.3 + Ease × 0.3, with the weights summing to 1) and a risk register of 16 scored scenarios. xlsx and pptx exports for your committees.

  • Transparent prioritisation of the actions to take
  • 16-scenario scored risk register
  • xlsx and pptx exports ready for the steering committee
  • Persisted roadmap selections
[Screenshot: Komplyo prioritised action plan and risk register]

Generated policies & incident-response pack

Generate an information security policy and an incident-response pack as .docx documents, assembled by rules from your identified gaps, with per-control coverage badges.

  • Ready-to-customise .docx documents
  • CSF / ISO / SOC 2 / GDPR coverage badges per control
  • Files stored in the EU; downloads restricted to your own organisation
  • Incident-response pack included
[Screenshot: Generated security policies in .docx with coverage badges]

Vendor security questionnaires (TPRM)

Answer your customers' security questionnaires and assess your own vendors, reusing the evidence from your assessment.

  • Vendor / customer questionnaires
  • Reuse assessment answers as evidence
  • Centralised third-party tracking
[Screenshot: Vendor security questionnaires (TPRM) in Komplyo]

Ready to see where you stand?

Start the free diagnostic: 23 questions, ~5 minutes, no credit card. Your answers carry over into the full assessment.