Unified Control Framework (UCF)

Map once, comply many — a single assessment can satisfy controls across multiple compliance frameworks simultaneously.

Updated March 2026 | 7 min read

What Is the UCF?

The Unified Control Framework is ComplyWise's proprietary cross-mapping layer that links individual compliance controls across multiple frameworks to shared universal controls. Instead of assessing the same security practice separately for SOC 2, ISO 27001, and HIPAA, you assess it once against its UCF universal control, and the result automatically propagates to all mapped framework-specific controls.

  • 60 universal controls covering the full breadth of security and compliance domains
  • Cross-maps to 510+ controls across 7 supported frameworks
  • Assessment propagation — one assessment satisfies multiple frameworks
  • Reduces duplicate effort by 40–70% in multi-framework environments

Supported Frameworks

The UCF currently maps controls across seven industry-standard compliance frameworks. Each framework's controls are tagged to one or more universal controls based on their intent and requirements. New frameworks can be added by the ComplyWise team or configured as custom frameworks by Enterprise customers.

  • SOC 2 Type II — 49 controls (Trust Services Criteria)
  • CMMC 2.0 — 85 controls (Levels 1 and 2, with level selection)
  • ISO 27001:2022 — 93 controls (Annex A)
  • HIPAA — 61 controls (Security Rule + Privacy Rule)
  • HITRUST CSF — 66 controls
  • NIST CSF 2.0 — 77 controls (6 core functions)
  • PCI DSS 4.0 — 79 controls

UCF Domains

Universal controls are organized into domains that represent broad security areas. Each domain contains related universal controls that map to specific framework controls. Domains include Access Control, Asset Management, Awareness & Training, Business Continuity, Change Management, Communications Security, Compliance, Cryptography, Data Protection, Governance, Human Resources, Incident Management, Operations Security, Physical Security, Risk Management, Supplier Management, System Acquisition, and Vulnerability Management.

  • 18 security domains covering NIST, ISO, and industry best practices
  • Domain-level scorecard for quick compliance health assessment
  • Filter and browse controls by domain across all frameworks
  • Domain scores contribute to overall compliance posture rating

UCF Scorecard

The UCF Scorecard provides a single view of your compliance health across all frameworks. It shows the assessment status of each universal control — compliant, partially compliant, non-compliant, or not assessed — and calculates an aggregate score. The scorecard also highlights which framework controls are automatically satisfied by each universal control assessment.

  • Real-time scorecard accessible from the dashboard
  • Per-domain breakdown with visual progress indicators
  • Framework coverage view: see which framework controls each UCF control satisfies
  • Export scorecard as JSON for external analysis

Assessing Against the UCF

Assessments can be created manually or populated automatically from scan results. Manual assessments allow you to set a compliance status and add notes or evidence links for each universal control. Automated assessments are created when scan results evaluate the corresponding controls. Both types update the same UCF scorecard in real time.

  • Manual assessment via UCF dashboard with status selection
  • Automated assessment from compliance scan results
  • Evidence attachment supported for each assessment
  • Assessment history maintained for audit trail

Multi-Framework Efficiency

The primary benefit of the UCF is efficiency in multi-framework compliance programs. Organizations pursuing SOC 2 and HIPAA simultaneously, for example, can leverage the UCF to assess overlapping controls once. The platform automatically identifies which universal controls map to both frameworks and propagates results. This eliminates redundant assessments and provides a clear picture of cross-framework compliance coverage.

  • Cross-framework overlap visualization on the coverage page
  • Single assessment effort for shared security controls
  • Framework-specific gap analysis derived from UCF posture
  • Enterprise customers can extend the UCF with custom control mappings