Implement is where mapped requirements become controls that are owned, evidenced, and current, so the audit is a state you are in, not a sprint you survive. No more reconstructing evidence the week before the auditor arrives.
Evidence lifecycle — one document, multiple controls
WHAT IMPLEMENT IS
Implement is the part of Acuna where mapped requirements become operational controls, typed, owned, health-scored, and backed by versioned evidence through Draft, Submitted, Approved, and Expired states, so audit readiness is a continuous record rather than a quarterly scramble. It is included in the core platform, not a paid add-on.
The week before an audit, a team without Implement is reconstructing evidence: who signed off on what, which policy version was current, whether the access review ran. Implement removes that job by making evidence a continuous record, not a pre-audit assembly.
Evidence
Control ownership
Framework expansion
WITHOUT IMPLEMENT
Evidence assembled from inboxes and shared drives the week before the audit.
WITHOUT IMPLEMENT
Controls assigned in a spreadsheet; owner list drifts after each reorganisation.
WITHOUT IMPLEMENT
Adding DORA or NIS2 means a second tracker, a second evidence folder, a second program.
WITH IMPLEMENT
Evidence collected continuously, versioned, and linked to the control it satisfies.
WITH IMPLEMENT
Each control has a named owner in the platform, updated when responsibility changes.
WITH IMPLEMENT
Adding a framework maps against controls you already have, not a fresh set of records.
Every piece of evidence in Implement has a status: Draft, Submitted, Approved, or Expired. Approved evidence feeds the control effectiveness score and the audit-readiness view. When evidence expires it is flagged and protected from deletion, so the record is never quietly lost. A piece of evidence can link to multiple controls at the same time, with per-link notes, so one policy document covers every control it satisfies without being duplicated.
Draft, Submitted, Approved, Expired. Every piece of evidence has a tracked state.
Versioned attachments: new versions do not overwrite history.
One document can link to multiple controls with per-link notes.
Expired evidence is flagged and protected from deletion.
Start from a template-based measures library aligned with ISO 27001, SOC 2, NIS2, and DORA. Each control is typed (preventive, detective, corrective), owned, statused, and linked to requirements, assets, processes, and risks. A measure is the template practice; a control is the operational record. One measure spawns as many controls as the organisation needs, and each carries its own health score.
Typed controls: preventive, detective, corrective. Searchable by ID, owner, status, and relationships.
Link each control to requirements, assets, processes, and risks in the same graph.
Measure vs control: template practice vs operational record. One measure, many controls.
Bulk operations: set status, maturity, owner, scopes, and links across many controls at once.
Control health is not a manual label. Recurring validation tasks drive the score: a task completed on time gives the control 100. Late or still in progress: 75. Overdue and not started: 0. The score cascades from control to measure to requirement, so a single overdue task surfaces at every level. Click the health badge to see the exact breakdown.
All recurring tasks completed within the scheduled window.
At least one task is running past its due date or still in flight.
A required validation has not been started and is past due.
Controls do not operate in isolation. Implement includes a process register with a full tree view and a third-party register with typed vendors, risk tiers, and contacts. Both registers link into the same GRC graph, so a control tied to a process is visible next to the third parties that touch it.
PROCESS REGISTER
Tree view with nested sub-processes.
Link to assets, controls, requirements, risks, and third parties.
BCI, RTO, and RPO when Business Continuity is enabled.
Attach SOPs and files as evidence on the process.
THIRD-PARTY REGISTER
Types: vendor, service provider, contractor, partner.
Risk tiers from critical to low; maintain contacts.
Links to assets, processes, controls, and requirements.
Complements Supplier Shield for deeper due diligence.
Comply defines the control library and the crosswalk. Implement builds it out: owners, evidence, health, registers. Operate keeps it current on a cadence. Assure turns it into an audit pack. All four are included in the core Acuna platform, priced by program scope, not per seat. Supplier Shield and Data Privacy are the separate paid extensions.
07 · WHO USES IT
Turn mapped requirements into named controls with the right type, owner, and evidence attached, so every assertion can be backed without a search.
Show which controls are live, who owns them, and what artefacts back each assertion, without assembling the picture from multiple systems.
Reassign work, normalise maturity, and keep registers aligned after reorganisations or tool consolidation, without touching every record individually.
FAQ
Related answers
Cross-framework control mapping identifies where requirements from different frameworks overlap — for example, ISO 27001 A.8.5 (access control) and NIS2 Article 21(2)(i) (access management) describe essentially the same practice. By mapping these overlaps, organisations implement and evidence a control once instead of duplicating effort per framework. In Acuna, mappings can be direct (manual), derived via 58 curated reference measures across 11 domains, or suggested by AI with confidence scores. Batch mapping lets you align entire domains in one operation.
In Acuna, a measure is a template-level practice drawn from curated libraries aligned with frameworks like ISO 27001 and NIST CSF. It describes what should be done. A control is the operational record you create from a measure — typed (preventive, detective, or corrective), owned, statused, and linked to specific requirements, assets, processes, and risks. You implement and attest at the control level; measures standardise the underlying practice across your programme. One measure can spawn multiple controls in different scopes.
Each control in Acuna displays a colour-coded health badge — green (healthy), orange (at risk), or red (unhealthy). Health is driven primarily by recurring task completion: a task completed on time scores as healthy (100), completed late scores as at risk (75), in progress but not past due as at risk (75), and not started past due as unhealthy (0). These scores cascade upward through measures and requirements so operational slippage surfaces in the control and programme views, not only in a task list. Click any health badge for a breakdown explaining which tasks contributed to the current score.
In Acuna, evidence records follow four states: Draft (being compiled), Submitted (sent for approval), Approved (locked and timestamped), and Expired (no longer current). Each record captures collection, review, and expiry dates, supports versioned file attachments, and can be linked to multiple controls with per-link notes. Approvers receive notifications and can request changes before accepting. Approved evidence contributes to control effectiveness and audit readiness metrics. Expired evidence is flagged visually and cannot be deleted without administrator approval, preserving the audit trail.
Implement is where you build the operational backbone of your compliance programme. You create measures from curated libraries or custom definitions, instantiate controls from those measures, assign owners, set statuses, and link controls to the requirements they satisfy. The pane also manages your asset inventory (IT systems, data stores, physical locations), process register, and risk catalogue. Everything connects: a control is linked to one or more requirements, one or more assets, and optionally to risks — so you can trace from a framework clause all the way down to the specific system and team responsible.
In Implement, each measure represents a security or compliance practice (e.g. 'Access reviews are performed quarterly'). Measures are linked upward to one or more requirements across frameworks — one measure can satisfy clauses in ISO 27001, NIS2, and SOC 2 simultaneously. Controls are the operational instances of measures: they carry an owner, implementation status, control type (preventive, detective, corrective), and linked evidence. This three-tier hierarchy (requirement → measure → control) is how Acuna avoids duplicate work across multi-framework programmes.
Each control can have one or more recurring tasks — for example, 'Review access rights quarterly' or 'Test backup restoration monthly.' Tasks are assigned an owner, frequency (daily, weekly, monthly, quarterly, annually, or custom), and a due date. When a task is completed on time, it scores 100 (healthy). Completed late scores 75 (at risk). In progress but not overdue scores 75. Not started past due scores 0 (unhealthy). These scores roll up to the parent control, then to the measure, then to the requirement — so a missed task surfaces as a visible gap at every level of the programme.
Vanta is purpose-built for companies getting their first SOC 2. For organizations running multiple frameworks simultaneously (ISO 27001, SOC 2, NIS2, DORA, GDPR), Vanta's single-framework origins show. The best Vanta alternatives for multi-framework programs include platforms built for continuous compliance across mature, overlapping obligations. Acuna is designed from the ground up for multi-framework control mapping, shared evidence, and audit defensibility at enterprise scale. Drata and OneTrust each address adjacent problems. Choose based on whether your program is scaling compliance depth or adding your first certification.
GET STARTED
Book a 30-minute demo scoped to the frameworks you carry and see the evidence lifecycle and control library built on them. You talk to the people who run the program. Priced by program scope, not per seat. Data in Switzerland and the EU.