22 frameworks · 7 industries · senior practitioners · CCPs on staff · CMMC L1 / L2 / FedRAMP-experienced
The standards we run against

Every framework that actually shows up in the audit.

Twenty-two standards across security, federal, privacy, and AI governance. Find yours by industry (if you know what your firm does but not which standards apply) or by framework (if you know the standard and want to see how we run it).

Cyber & compliance · 13 frameworks · SOC 2 · ISO · CMMC · FedRAMP · PCI
Privacy · 4 regimes · GDPR · Mass 201 · U.S. state · IRS
AI governance · 5 frameworks · 42001 · AI RMF · EU Act · LLM · ATLAS
Industries served · 7 verticals · Healthcare → GovCon → SaaS
Audit in < 90 days? · Triage in 30 min · Senior call · scope, gaps, fit
Engaged by · GetAhead · Dedupely · Titan Intake · references on serious inquiry
Frameworks · Active portfolio · Practiced across security, federal, privacy, and AI governance.
§ I · Blended management system

One control set. Multiple audits.

A blended management system maps a single set of controls onto every framework that calls for them. Run the access review once: satisfy SOC 2, ISO 27001, HIPAA, PCI, and 800-171 in the same motion. Write evidence once. Cite it everywhere.

See how we sequence audits
Live · one control firing across frameworks
CTRL · 06.1 · Quarterly access review
Evidence · Q2 2026 · Okta export · 142 users
SOC 2 · CC6.2
ISO 27001 · A.5.18
HIPAA · §164.308(a)(4)
PCI DSS · 7.1.4
NIST 800-171 · 3.1.5
1 control · 5 audits satisfied
Common control · SOC 2 (TSC) · ISO 27001:2022 · HIPAA Security · NIST 800-171
Logical access provisioning & review
SOC 2 · CC6.1, CC6.2, CC6.3
ISO 27001 · A.5.15, A.5.16, A.5.18
HIPAA · §164.308(a)(3)(ii)(B–C); (a)(4)
NIST 800-171 · 3.1.1, 3.1.2, 3.1.5
What you produce
A quarterly user-access review exported from your IdP: a list of every user, their role, manager attestation that access is still appropriate, and a remediation log for accounts removed.
Okta export · Manager sign-off · Remediation log · Joiner/leaver tickets
Cited as
Same artifact, four citations. SOC 2 reads it as periodic access review (CC6.2). ISO as user-rights review (A.5.18). HIPAA as access authorization & modification (§164.308). NIST as account management (3.1.1, 3.1.5).
Encryption in transit & at rest
SOC 2 · CC6.1, CC6.7
ISO 27001 · A.8.24
HIPAA · §164.312(a)(2)(iv); (e)(2)(ii)
NIST 800-171 · 3.5.10, 3.13.8, 3.13.16
What you produce
A cryptographic inventory: every data store and every transport with the algorithm, key length, key custodian, and rotation schedule, plus a sampled config screenshot per system.
KMS config · TLS posture report · Algorithm inventory · Key rotation log
Cited as
SOC 2 cites it as logical & physical access (CC6.7). ISO as use of cryptography (A.8.24). HIPAA as the encryption addressable specifications. NIST as system & communications protection (3.13).
Vulnerability management & pentesting
SOC 2 · CC7.1, CC4.1
ISO 27001 · A.8.8, A.8.29
HIPAA · §164.308(a)(1)(ii)(A–B); (a)(8)
NIST 800-171 · 3.11.2, 3.11.3, 3.14.1
What you produce
A vulnerability scan cadence plus a remediation log with mean time to remediate by severity, and your most recent third-party pentest report with management response.
Qualys / Tenable scans · MTTR report · Pentest letter · Risk register
Cited as
SOC 2 reads it as monitoring (CC7.1) plus risk identification (CC4.1). ISO as technical vulnerability management (A.8.8). HIPAA as risk analysis & evaluation. NIST as flaw remediation (3.14.1).
Vendor / third-party risk management
SOC 2 · CC9.2
ISO 27001 · A.5.19, A.5.20, A.5.21
HIPAA · §164.308(b); §164.314(a)
NIST 800-171 · 3.1.20, 3.16.1, 3.16.3
What you produce
A vendor inventory with tiering, signed agreements (DPA / BAA / flow-down clauses), the most recent SOC 2 / ISO report on file for each tier-1 vendor, and an annual review log.
Vendor inventory · BAAs / DPAs · Sub-service reports · Annual review
Cited as
SOC 2 as vendor & business-partner management (CC9.2). ISO as supplier security (A.5.19–21). HIPAA as business-associate contracts. NIST as external-system relationships (3.1.20).
Incident response & breach disclosure
SOC 2 · CC7.3, CC7.4, CC7.5
ISO 27001 · A.5.24–A.5.28
HIPAA · §164.308(a)(6); §164.410
NIST 800-171 · 3.6.1, 3.6.2, 3.6.3
What you produce
An incident response plan, the most recent tabletop exercise report, your incident log for the audit period, and disclosure-template letters mapped to each regulator's clock (HIPAA 60 days, GDPR 72 hours, state breach laws).
IR plan + RACI · Tabletop after-action · Incident log · Disclosure templates
Cited as
SOC 2 as incident detection / response / communication (CC7.3–5). ISO as information-security incident management. HIPAA as security incident procedures plus breach notification. NIST as the 800-171 IR family (3.6).
Excerpt from our internal crosswalk · Request the full sheet →
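The crosswalk above is a data structure as much as a table: each common control carries its citations under every framework, and an evidence artifact counts toward all of them at once. The script below is an added example, not the firm's own tooling, that models three of the rows and answers the two questions an audit lead actually asks of such a sheet: which controls evidence a given clause, and which clauses stay open when some artifacts are still missing. Control id 06.1 and the clause citations come from the page; the other control ids, the artifact names and the rule that a control satisfies nothing until every required artifact is on file are assumptions made for the example.

```python
"""Crosswalk coverage for a blended management system.

Added example, not the firm's own tooling. Control id 06.1 and the clause
citations come from the crosswalk excerpt; the other control ids, the
artifact names and the "all required artifacts on file" rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CommonControl:
    control_id: str
    name: str
    citations: dict               # framework -> tuple of clause ids it satisfies
    required_artifacts: frozenset  # evidence an auditor expects for this control


# Constructed from the first three crosswalk rows (ids 08.1 and 11.1 are made up).
CROSSWALK = (
    CommonControl(
        "06.1", "Logical access provisioning & review",
        {"SOC 2": ("CC6.1", "CC6.2", "CC6.3"),
         "ISO 27001": ("A.5.15", "A.5.16", "A.5.18"),
         "HIPAA": ("164.308(a)(3)(ii)(B)", "164.308(a)(3)(ii)(C)", "164.308(a)(4)"),
         "NIST 800-171": ("3.1.1", "3.1.2", "3.1.5")},
        frozenset({"idp export", "manager sign-off", "remediation log"}),
    ),
    CommonControl(
        "08.1", "Encryption in transit & at rest",
        {"SOC 2": ("CC6.1", "CC6.7"),
         "ISO 27001": ("A.8.24",),
         "HIPAA": ("164.312(a)(2)(iv)", "164.312(e)(2)(ii)"),
         "NIST 800-171": ("3.5.10", "3.13.8", "3.13.16")},
        frozenset({"algorithm inventory", "kms config", "tls posture report"}),
    ),
    CommonControl(
        "11.1", "Vulnerability management & pentesting",
        {"SOC 2": ("CC7.1", "CC4.1"),
         "ISO 27001": ("A.8.8", "A.8.29"),
         "HIPAA": ("164.308(a)(1)(ii)(A)", "164.308(a)(1)(ii)(B)", "164.308(a)(8)"),
         "NIST 800-171": ("3.11.2", "3.11.3", "3.14.1")},
        frozenset({"scan cadence", "mttr report", "pentest report"}),
    ),
)


def clause_index(crosswalk=CROSSWALK):
    """Inverse index: (framework, clause) -> control ids that evidence it.
    A clause cited by two controls (CC6.1 here) is backed by both artifacts."""
    index = defaultdict(list)
    for ctrl in crosswalk:
        for framework, clauses in ctrl.citations.items():
            for clause in clauses:
                index[(framework, clause)].append(ctrl.control_id)
    return dict(index)


def coverage(evidence_on_file, crosswalk=CROSSWALK):
    """Given {control_id: set of artifacts collected}, report per framework the
    clauses satisfied and still open, plus the artifacts missing per control.
    A control counts only when every required artifact is on file."""
    satisfied = defaultdict(set)
    all_clauses = defaultdict(set)
    missing = {}
    for ctrl in crosswalk:
        have = set(evidence_on_file.get(ctrl.control_id, ()))
        gap = ctrl.required_artifacts - have
        if gap:
            missing[ctrl.control_id] = sorted(gap)
        for framework, clauses in ctrl.citations.items():
            all_clauses[framework].update(clauses)
            if not gap:
                satisfied[framework].update(clauses)
    report = {
        framework: {"satisfied": sorted(satisfied[framework]),
                    "open": sorted(clauses - satisfied[framework])}
        for framework, clauses in all_clauses.items()
    }
    return report, missing


def audits_fully_covered(evidence_on_file, crosswalk=CROSSWALK):
    """Number of frameworks with no open clause left in this crosswalk."""
    report, _ = coverage(evidence_on_file, crosswalk)
    return sum(1 for r in report.values() if not r["open"])


if __name__ == "__main__":
    # Constructed evidence set: access review complete, crypto inventory
    # missing its TLS report, nothing collected yet for vuln management.
    evidence = {
        "06.1": {"idp export", "manager sign-off", "remediation log"},
        "08.1": {"algorithm inventory", "kms config"},
    }
    report, missing = coverage(evidence)
    for framework, r in report.items():
        print(f"{framework}: satisfied {r['satisfied']} open {r['open']}")
    print("missing artifacts:", missing)
    print("audits fully covered:", audits_fully_covered(evidence))
```

The design choice worth noting is that partial evidence satisfies nothing: a missing TLS posture report leaves CC6.7, A.8.24 and the HIPAA encryption specs open under every framework at once, which is exactly the blast radius a blended system has when one artifact slips.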
Pick a path · Lead · Active · Cross-cutting · Not sure? Talk to a senior
§ II · Industries

Start here if you know what you do.

Each card is a vertical we serve. The framework chips below show what applies: bold chips lead the engagement, the rest are paired or follow.

§ 01 · Healthcare & life sciences
Lead practice

Hospitals, dental, medical practices & health-tech.

6 frameworks
§ 02 · Financial services & FinTech
Lead practice

Banks, lenders, payments, wealth, insurtech.

7 frameworks
§ 03 · Accounting & professional services
Active practice

CPA firms, tax, audit & advisory.

§ 04 · Insurance
Active practice

Carriers, brokers, MGAs & adjusters.

5 frameworks · Insurance playbook →
§ 05 · Government contractors (GovCon)
Lead practice · CCPs

DoD primes & subs, federal civilian, cleared work.

5 frameworks · L3 when DoD scopes
§ 06 · B2B SaaS & technology
Lead practice

Startups, scale-ups, enterprise software.

6 frameworks
§ Cross-cutting · Any firm building or using AI
Cross-cutting

AI governance applies on top of whatever you already run.

5 frameworks · sits alongside your industry stack · AI governance practice →
§ III · Frameworks

Start here if you know which standard.

Twenty-two frameworks grouped by family. Bold left-edge marker = a practice we lead with. Click any card for the deep page.

Trust & assurance · 6 frameworks

The attestations and certifications enterprise buyers ask for first: SOC 2, the ISO management-system family, and continuity. We lead with SOC 2 and ISO 27001.

Federal & defense · 5 frameworks

CMMC and FedRAMP are the two doors into federal work in 2026. NIST 800-171 sits underneath both. CCPs on staff; FedRAMP-experienced practitioners.

Healthcare · 2 frameworks

HIPAA is the law. HITRUST is the framework auditors and partners ask you to prove HIPAA against. We run them as a pair.

Financial · 3 frameworks

The three federal regimes financial firms run against, plus PCI for anyone touching card data. We lead the FTC Safeguards rewrite for non-bank lenders and FinTech.

Privacy · 5 frameworks

Privacy used to be one statute. Now it's a patchwork: federal sectoral laws, state omnibus laws, EU regulation, and tax-prep rules. We map your data flows once and walk you through every regime that applies.

AI governance · 5 frameworks

The AI-specific frameworks: certifiable management systems, voluntary risk frameworks, regulation, and the two practitioner threat models that map AI risk to actual attacks.

§ IV · Engage

Tell us which standard. Or which audit is on the calendar.

A 30-minute call with a senior practitioner: no junior account team, no marketing intake. We'll tell you what's in scope, what isn't, and whether we're the right firm for it.

or directly [email protected] · we reply within 24 hours