Compliance Frameworks
BleedWatch maps your security findings to major compliance frameworks, giving you a real-time compliance score and control-by-control breakdown. Instead of manual audits and spreadsheets, your compliance posture updates automatically as findings are created and resolved.
Supported Frameworks
| Framework | Scope | Typical Use Case |
|---|---|---|
| GDPR | EU data protection | Organizations processing EU personal data |
| NIS2 | EU cybersecurity directive | Essential and important entities in the EU |
| ISO 27001 | Information security management | Organizations seeking ISO certification |
| PCI DSS 4.0 | Payment card data security | Merchants and payment service providers |
| SOC 2 | Service organization controls | SaaS and cloud service providers |
| DORA | Digital operational resilience | Financial entities in the EU |
BleedWatch automatically suggests relevant frameworks based on your organization's jurisdiction. EU-based organizations will see NIS2 and GDPR highlighted as likely mandatory frameworks. Treat this as a starting point: whether NIS2 actually applies to you depends on whether your organization is an essential or important entity under the directive, and GDPR applies wherever EU personal data is processed, regardless of where the organization is based.
Compliance Score
Each framework shows an overall compliance score from 0% to 100%, calculated from the status of individual controls:
| Control Status | Meaning | Impact on Score |
|---|---|---|
| Pass | The control is observable and every finding mapped to it is resolved (or none have been raised) | Positive |
| Fail | Open findings exist that violate this control | Negative |
| Not Observable | BleedWatch doesn't have enough data to assess this control | Neutral (excluded from calculation) |
The score formula: Pass / (Pass + Fail) × 100. Controls marked "Not Observable" are excluded, so the score reflects only what BleedWatch can verify. If no control is observable at all, the denominator is zero and the score is shown as 0%. A high score on a framework with many Not Observable controls says less than the same score with full coverage, so check the control breakdown before quoting the number to an auditor.
Score Trend
The 90-day compliance score trend chart is available on Premium plans and above.
Track how your compliance posture evolves over time. The trend chart shows daily score snapshots for the past 90 days, helping you:
- Demonstrate improvement to auditors and leadership
- Detect regressions when new findings impact compliance
- Correlate changes with specific remediation efforts
Control Breakdown
Below the score card, a table lists every control in the selected framework:
| Column | Description |
|---|---|
| Control ID | The framework's control identifier (e.g., A.8.2 for ISO 27001) |
| Control Name | Human-readable control description |
| Category | Control category or domain |
| Status | Pass / Fail / Not Observable |
| Findings | Number of open findings mapped to this control |
Control Drilldown
Click any control row to open a detail panel showing:
- Control description — Full text of the compliance requirement
- Mapped findings — Every BleedWatch finding that affects this control, with severity and status
- Remediation guidance — Steps to bring this control into compliance
- Evidence — What BleedWatch observed to determine the control status
How Findings Map to Controls
BleedWatch uses a deterministic mapping engine that connects finding types to framework controls: each finding type maps to a fixed set of controls, so the same kind of finding always affects the same controls, and a control's status follows directly from the open findings of the types mapped to it:
| Finding Type | Example Framework Controls |
|---|---|
| Exposed secrets | ISO 27001 A.9.4, PCI DSS 8.3, SOC 2 CC6.1 |
| Vulnerable dependencies | ISO 27001 A.12.6, PCI DSS 6.3, NIS2 Art.21(2)(e) |
| SSL/TLS issues | PCI DSS 4.1, ISO 27001 A.10.1, DORA Art.9 |
| Missing security headers | PCI DSS 6.4, SOC 2 CC6.6 |
| Exposed credentials (dark web) | GDPR Art.33, NIS2 Art.23, ISO 27001 A.16.1 |
| WAF bypass / Origin exposure | PCI DSS 6.6, ISO 27001 A.13.1, NIS2 Art.21(2)(d) |
Mappings are updated as BleedWatch adds new finding types.
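To make the rules in the Compliance Score section and the mapping table above concrete, here is an added Python example (not BleedWatch code) that re-implements them: controls are derived from open findings, Not Observable controls are excluded from the score, a zero denominator yields the 0% described under Troubleshooting, and two snapshots are compared to find the controls behind a sudden drop. The control IDs are the ones listed in the table on this page; the finding-type names, the `FRAMEWORK:ID` key format, the repository/domain coverage rule, and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Status(str, Enum):
    PASS = "Pass"
    FAIL = "Fail"
    NOT_OBSERVABLE = "Not Observable"


# Finding type -> framework controls. Control IDs are those in the mapping table
# on this page; the finding-type names and "FRAMEWORK:ID" key format are
# assumptions for this example.
FINDING_TYPE_CONTROLS = {
    "exposed_secret": ["ISO27001:A.9.4", "PCIDSS:8.3", "SOC2:CC6.1"],
    "vulnerable_dependency": ["ISO27001:A.12.6", "PCIDSS:6.3", "NIS2:Art.21(2)(e)"],
    "tls_issue": ["PCIDSS:4.1", "ISO27001:A.10.1", "DORA:Art.9"],
    "missing_security_header": ["PCIDSS:6.4", "SOC2:CC6.6"],
    "darkweb_credential": ["GDPR:Art.33", "NIS2:Art.23", "ISO27001:A.16.1"],
    "origin_exposure": ["PCIDSS:6.6", "ISO27001:A.13.1", "NIS2:Art.21(2)(d)"],
}

# Assumed coverage rule: a finding type can only be observed once an asset of
# the right kind has been scanned (the page's example is TLS controls needing a
# domain scan). The repository/domain split is an assumption.
FINDING_TYPE_REQUIRES = {
    "exposed_secret": "repository",
    "vulnerable_dependency": "repository",
    "tls_issue": "domain",
    "missing_security_header": "domain",
    "darkweb_credential": "domain",
    "origin_exposure": "domain",
}


@dataclass(frozen=True)
class Finding:
    id: str
    type: str
    severity: str
    open: bool  # True while the finding is unresolved


def framework_controls(framework: str) -> list[str]:
    """All control IDs that any finding type maps to for one framework."""
    prefix = framework + ":"
    return sorted({c for cs in FINDING_TYPE_CONTROLS.values() for c in cs if c.startswith(prefix)})


def control_statuses(findings, scanned_asset_kinds, framework):
    """Evaluate every control of a framework.

    Not Observable: none of the finding types mapped to the control can be
                    observed with the assets scanned so far.
    Fail:           at least one open finding of an observable type maps to it.
    Pass:           observable, and every mapped finding is resolved (or none exist).
    """
    statuses = {}
    for control in framework_controls(framework):
        mapped_types = [t for t, cs in FINDING_TYPE_CONTROLS.items() if control in cs]
        observable = [t for t in mapped_types if FINDING_TYPE_REQUIRES[t] in scanned_asset_kinds]
        if not observable:
            statuses[control] = Status.NOT_OBSERVABLE
        elif any(f.open and f.type in observable for f in findings):
            statuses[control] = Status.FAIL
        else:
            statuses[control] = Status.PASS
    return statuses


def compliance_score(statuses) -> float:
    """Pass / (Pass + Fail) x 100 with Not Observable excluded. When nothing is
    observable the denominator is zero; 0.0 is returned, matching the 0% the
    page says is displayed in that case."""
    passed = sum(s is Status.PASS for s in statuses.values())
    failed = sum(s is Status.FAIL for s in statuses.values())
    return round(100.0 * passed / (passed + failed), 1) if passed + failed else 0.0


def regressions(before, after) -> list[str]:
    """Controls that were Pass in the earlier snapshot and are Fail now."""
    return sorted(c for c, s in after.items() if s is Status.FAIL and before.get(c) is Status.PASS)


# Constructed sample findings (not real data).
FINDINGS = [
    Finding("F-1", "exposed_secret", "critical", open=True),
    Finding("F-2", "tls_issue", "medium", open=False),
    Finding("F-3", "vulnerable_dependency", "high", open=True),
]

if __name__ == "__main__":
    scanned = {"repository", "domain"}
    before = control_statuses(FINDINGS, scanned, "PCIDSS")
    print(before, compliance_score(before))               # 60.0: 3 Pass, 2 Fail
    new_tls = Finding("F-4", "tls_issue", "high", open=True)
    after = control_statuses(FINDINGS + [new_tls], scanned, "PCIDSS")
    print(compliance_score(after), regressions(before, after))  # 40.0 ['PCIDSS:4.1']
    print(compliance_score(control_statuses(FINDINGS, set(), "PCIDSS")))  # 0.0, nothing observable
```

Note the two different ways to reach a low number: with no assets scanned every PCI DSS control is Not Observable and the score is 0% for lack of data, whereas with only domains scanned the two repository-backed controls drop out of the denominator and the score reads 100% even though an open exposed secret exists. That is why the control breakdown, not the headline score, is what belongs in an evidence pack.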
Using Compliance for Audits
Generating Compliance Evidence
- Select the framework your auditor requires
- Review each control's status and associated findings
- Export the compliance report from Reports → Builder with the "Compliance" section enabled
- The report includes: framework name, date, overall score, control-by-control status, and remediation history
Preparing for Certification
For ISO 27001 or SOC 2 certification:
- Start with the compliance view to identify all failing controls
- Prioritize remediation of failed controls by category
- Track score improvement over 90 days (Premium plan)
- Generate the compliance report monthly to show auditors your trajectory
- Use the control drilldown to document evidence for each requirement
NIS2 Incident Reporting
If you're subject to NIS2, BleedWatch's compliance view helps you meet the Article 23 reporting deadlines (an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours) by:
- Mapping critical findings to NIS2 Article 23 (incident reporting)
- Providing timestamps for when incidents were detected and resolved
- Generating evidence packs with finding details and remediation steps
BleedWatch supplies the detection timestamps and evidence; the early warning and notification themselves still have to be submitted to your national CSIRT or competent authority within those deadlines.
Troubleshooting
Score Shows 0%
A zero score almost always means that every control is Not Observable, so there is nothing to divide: no scan has completed and no findings exist for the mapping engine to evaluate. (A 0% score with observable controls would require every observable control to be failing.) Ensure that:
- You have active assets configured
- At least one scan cycle has completed
- The selected framework matches your organization's activity
Controls Stuck on "Not Observable"
Some controls require specific finding types that BleedWatch may not have detected yet. For example, SSL/TLS controls require a domain scan — if you haven't added domains to your assets, these controls won't be assessable.
Score Dropped Suddenly
A sudden score drop usually means new findings were created that map to previously passing controls. Check Findings for recent critical or high-severity findings, and review the compliance drilldown to see which controls were affected.
Related
- Attack Surface — Visualize how findings connect across your exposure
- Reports — Generate compliance evidence packs
- Alerts — Get notified when compliance score drops below a threshold