Compliance journey
Turn your policies and controls into framework readiness and auditor-ready evidence
What is the compliance journey?
The compliance journey is a guided path that turns the work you already do in Anzen - policies, controls, control tests, issues and risks - into a clear answer to one question: are we audit-ready against a framework like ISO 27001? You pick a framework, Anzen lays out its requirements, you map your controls to them, and a live readiness picture shows how far you have got. It is not a separate silo: it is a lens over the controls and evidence you already manage. The journey, the readiness dashboard and your Statement of Applicability are free; only the auditor-ready PDF export is part of the paid Anzen Compliance add-on.
Frameworks
Open Compliance from the sidebar and you land on a framework overview, not a single hard-coded standard. Today you can choose:
- ISO/IEC 27001:2022 - the full set of 93 Annex A controls, each with a suggested test and a matching set of policy templates.
- NIS2 Directive - the cybersecurity risk-management measures from the EU NIS2 Directive, as a control set (policy templates are not bundled yet, so you bring your own policies).
The model is framework-agnostic, so more frameworks slot in over time without changing how anything works, and each framework tracks its own readiness independently.
How everything connects
Compliance ties the parts of Anzen together, with the control as the hub:
- Policies are what you say you do. A policy section carries a clause reference (for example A.5.15), and when you turn a section into a control Anzen remembers where it came from.
- Controls are what you actually do - the safeguards. Each control is mapped to one or more framework requirements, so the framework knows which controls cover it.
- Control tests are the proof. A test records a pass or fail with evidence, which is what turns "we have a control" into "we can show it works".
- Issues are where it broke. A failing control test raises an issue, with a severity, linked back to the control.
- Risks are the business exposure. Controls reduce risks, issues roll up to the risks they affect, and the Risk Report turns open issues into a euro exposure figure.
So a single control at once satisfies a framework requirement, implements a policy clause, is proven by tests, mitigates risks, and - when it fails - raises an issue that shows up on the risk report. Compliance readiness and risk exposure are simply two views over the same controls, tests and issues.
Readiness: adopted, tested, evidenced
For every requirement that applies to you, Anzen rolls up the controls mapped to it and their latest test into one of three nested states:
- Adopted - the requirement has at least one control in place against it.
- Tested - adopted, and at least one of those controls has actually been tested.
- Evidenced - tested, and the latest test is a pass with evidence attached, so it is ready to show an auditor.
The headline "X of N adopted / tested / evidenced" counts these across the requirements that apply to you. Requirements you exclude (with a justification) drop out of the total, and the same numbers appear on your dashboard so progress is visible at a glance.
Statement of Applicability
The Statement of Applicability (SoA) is the table at the heart of compliance: one row per framework requirement. For each one you record whether it is applicable, a justification (required whenever you mark a requirement not applicable, since auditors expect every exclusion to be explained), the controls mapped to it, and the status of their latest test. It is editable in place and always reflects your live control and test data, so it is never a stale spreadsheet. The SoA is free to view and maintain; exporting it as an auditor-ready PDF is part of the Anzen Compliance add-on.
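To make the readiness roll-up and the SoA rows above concrete, here is an added Python model of requirements, mapped controls and their latest tests, run over constructed sample data. This is example code, not Anzen's own; the control ids, dates and file names are invented, and one rule is an assumption where the page leaves it open: a requirement counts as evidenced when at least one of its mapped controls has a latest test that passed with evidence attached. It also shows two edge cases a practitioner will hit: an older pass superseded by a newer fail drops the requirement back to tested, and an excluded requirement without a justification is rejected.

```python
"""Readiness roll-up and SoA rows for one framework (added example, not Anzen's code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Nested states: each level implies the ones before it.
NOT_ADOPTED, ADOPTED, TESTED, EVIDENCED = "not adopted", "adopted", "tested", "evidenced"
RANK = {NOT_ADOPTED: 0, ADOPTED: 1, TESTED: 2, EVIDENCED: 3}


@dataclass
class ControlTest:
    run_on: date
    passed: bool
    evidence: tuple[str, ...] = ()  # attached files; empty means no evidence


@dataclass
class Control:
    id: str
    tests: list[ControlTest] = field(default_factory=list)

    def latest_test(self) -> Optional[ControlTest]:
        # Only the most recent run counts; an old pass does not survive a newer fail.
        return max(self.tests, key=lambda t: t.run_on) if self.tests else None


@dataclass
class Requirement:
    ref: str
    applicable: bool = True
    justification: str = ""  # must be given when applicable is False
    controls: list[Control] = field(default_factory=list)


def readiness(req: Requirement) -> str:
    """Roll a requirement's mapped controls and their latest tests into one state."""
    if not req.controls:
        return NOT_ADOPTED
    latest = [c.latest_test() for c in req.controls]
    if all(t is None for t in latest):
        return ADOPTED
    # Assumption: evidenced means at least one mapped control whose latest test
    # is a pass with evidence attached (the page does not say whether all must be).
    if any(t is not None and t.passed and t.evidence for t in latest):
        return EVIDENCED
    return TESTED


def soa_rows(reqs: list[Requirement]) -> list[dict]:
    """One SoA row per requirement; an excluded row must carry a justification."""
    rows = []
    for r in reqs:
        if not r.applicable and not r.justification.strip():
            raise ValueError(f"{r.ref}: excluding a requirement needs a justification")
        latest = [(c.id, c.latest_test()) for c in r.controls]
        rows.append({
            "ref": r.ref,
            "applicable": r.applicable,
            "justification": r.justification,
            "controls": [cid for cid, _ in latest],
            "latest_test": {cid: (("pass" if t.passed else "fail") if t else "not tested")
                            for cid, t in latest},
            "readiness": readiness(r) if r.applicable else "excluded",
        })
    return rows


def headline(reqs: list[Requirement]) -> dict:
    """'X of N adopted / tested / evidenced' over the requirements that apply."""
    states = [readiness(r) for r in reqs if r.applicable]  # excluded rows leave the total
    return {
        "total": len(states),
        "adopted": sum(RANK[s] >= RANK[ADOPTED] for s in states),
        "tested": sum(RANK[s] >= RANK[TESTED] for s in states),
        "evidenced": sum(RANK[s] >= RANK[EVIDENCED] for s in states),
    }


def sample_framework() -> list[Requirement]:
    """Constructed slice of ISO/IEC 27001:2022 Annex A; control ids and tests are made up."""
    return [
        Requirement("A.5.15", controls=[  # older pass, newer fail: tested, not evidenced
            Control("CTL-ACCESS-REVIEW", [
                ControlTest(date(2024, 1, 10), True, ("q4-access-review.pdf",)),
                ControlTest(date(2024, 4, 2), False),
            ]),
            Control("CTL-JOINER-LEAVER"),  # mapped but never tested
        ]),
        Requirement("A.5.16", controls=[  # latest test passed with evidence: evidenced
            Control("CTL-IDP-SSO", [ControlTest(date(2024, 3, 20), True, ("idp-config.png",))]),
        ]),
        Requirement("A.5.17", controls=[  # pass without an attachment: only tested
            Control("CTL-PASSWORD-POLICY", [ControlTest(date(2024, 2, 1), True)]),
        ]),
        Requirement("A.7.1", applicable=False, justification="Fully remote, no premises."),
        Requirement("A.8.1"),  # nothing mapped yet: not adopted
    ]


if __name__ == "__main__":
    reqs = sample_framework()
    for row in soa_rows(reqs):
        print(row["ref"], row["readiness"], row["latest_test"])
    print(headline(reqs))  # {'total': 4, 'adopted': 3, 'tested': 3, 'evidenced': 1}
```

Running it gives a headline of 3 of 4 adopted, 3 of 4 tested, 1 of 4 evidenced: A.7.1 is excluded and never enters the total, A.8.1 has no control and is counted nowhere, and A.5.15 shows why "latest test" matters, since its earlier evidenced pass no longer counts once a newer run failed.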
The guided journey
The journey walks you from nothing to audit-ready in a few steps. Each step does real work, and you can stop and come back at any time - nothing is lost, and re-running a step only adds what is missing:
- Pick a framework and adopt it. Anzen seeds every requirement as a Statement-of-Applicability row.
- Define the scope - the parts of your organisation the framework applies to.
- Adopt policies - bring the framework's policy templates into your workspace as drafts to review and publish (where templates exist).
- Generate and map controls - create the framework's controls and map them to their requirements in one click.
- Schedule evidence - set up control tests so passing results start building your evidence.
- Review and export - check your readiness and, with the add-on, export the SoA and an evidence pack.
Pricing and the auditor export
The compliance journey, the readiness dashboard and the Statement of Applicability are free on every plan - they are how Anzen helps you see where you stand. The paid part is the Anzen Compliance add-on (€79 / month), which unlocks the auditor-ready export: your Statement of Applicability as a PDF and a period-based evidence pack that bundles the actual evidence for the audit period you choose - completed control tests with sign-offs and attached files, the mandating policies, exception trails and even ITSM tickets as operating evidence - all on your own letterhead. Activate it from the Add-ons page. AI drafting of policies and controls is handled by the separate Anzen Extract add-on.