Compliance is an operating system
Map obligations to controls and evidence across every framework. Collect evidence once, satisfy multiple audits. No more compliance theater.
One Evidence Artifact
vulnerability-scan-report.pdf
SOC 2
CC7.1
ISO 27001
A.12.6.1
GDPR
Art. 32
One artifact satisfies multiple frameworks
The Problem
Compliance is an operating system problem
Most compliance tools are document managers pretending to be platforms.
Evidence duplication: the same scan report is uploaded to three different frameworks manually, so every change requires three updates.
Framework silos: SOC 2, ISO 27001, and GDPR live in separate workflows even though they share roughly 70% of their controls.
Manual collection: evidence is gathered by hand through screenshots, exports, and emails, with no automation and no freshness guarantees.
Core Concept
Declared state vs observed reality
Most compliance failures happen because what is documented does not match what is enforced.
Declared: MFA required for all users (policy documented in SSO config)
Observed: 12 users without MFA enrolled (Postava detected the enforcement gap)
Impact: SOC 2 CC6.1 finding, control declared but not enforced
Action: Enforce MFA or update the policy (auto-remediation available)

Declared: Quarterly restore testing (DR plan requires quarterly tests)
Observed: Last test 8 months ago (evidence collection shows the gap)
Impact: ISO 27001 A.12.3.1 exception, backup policy not followed
Action: Schedule a restore test (task created with deadline)

Declared: Critical findings closed (ticketing system shows them resolved)
Observed: 3 findings still exploitable (Napad validation failed)
Impact: Vulnerability management audit failure, closure without validation
Action: Reopen and validate (evidence chain updated)
Regulativa continuously compares declared policies against observed enforcement state from Odbrana, Napad, and Postava.
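The three cards above are instances of one pattern: a declared policy, an observed snapshot from an enforcement system, and a diff between them that is mapped to a control and an action. The following is an added example of that pattern in Python; it is not Regulativa, Odbrana, Napad or Postava code. The IdP user export, restore-test dates, ticket list and scanner output are constructed sample data, the check functions and the `Finding` type are this example's own, and the control references are the ones the page uses.

```python
"""Declared-vs-observed control checks (added example, not product code).

Each check takes the declared policy and an observed snapshot and returns
zero or more Finding objects. The observed inputs are constructed samples
standing in for an IdP export, a DR test log, a ticketing export and a
scanner's list of still-open findings.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    control: str      # control the gap maps to (as named on the page)
    summary: str      # what differs between declared and observed
    subjects: tuple   # users / tests / finding ids involved
    action: str       # remediation the gap calls for


def check_mfa(policy, users):
    """Declared: MFA required for every user. Observed: IdP user export.
    If the policy does not require MFA there is nothing to enforce (the
    'update policy' branch); otherwise unenrolled users are a gap."""
    if not policy["mfa_required"]:
        return []
    gap = tuple(sorted(u["id"] for u in users if not u["mfa_enrolled"]))
    if not gap:
        return []
    return [Finding("SOC 2 CC6.1", f"{len(gap)} users without MFA enrolled",
                    gap, "Enforce MFA or update policy")]


def check_restore_tests(policy, completed_tests, today):
    """Declared: a restore test at least every N days. Observed: dates of
    completed restore tests. No test, or a test older than N days, is a gap."""
    last = max(completed_tests) if completed_tests else None
    if last is not None and (today - last).days <= policy["max_days_between_tests"]:
        return []
    age = "never" if last is None else f"{(today - last).days} days ago"
    return [Finding("ISO 27001 A.12.3.1", f"Last restore test: {age}",
                    (str(last),), "Schedule restore test")]


def check_closed_findings(tickets, scanner_still_open):
    """Declared: findings marked resolved in ticketing. Observed: the scanner
    or pentest still reports the same finding ids as open/exploitable."""
    resolved = {t["finding_id"] for t in tickets if t["status"] == "resolved"}
    still_open = tuple(sorted(resolved & set(scanner_still_open)))
    if not still_open:
        return []
    return [Finding("Vulnerability management",
                    f"{len(still_open)} resolved findings still exploitable",
                    still_open, "Reopen and validate")]


# Constructed sample inputs (not real exports).
MFA_POLICY = {"mfa_required": True}
USERS = [
    {"id": "alice", "mfa_enrolled": True},
    {"id": "bob", "mfa_enrolled": False},
    {"id": "carol", "mfa_enrolled": True},
    {"id": "dave", "mfa_enrolled": False},
]
DR_POLICY = {"max_days_between_tests": 90}          # "quarterly"
RESTORE_TESTS = [date(2024, 1, 15), date(2024, 4, 1)]
TICKETS = [
    {"finding_id": "VULN-101", "status": "resolved"},
    {"finding_id": "VULN-102", "status": "resolved"},
    {"finding_id": "VULN-103", "status": "open"},
]
SCANNER_STILL_OPEN = ["VULN-101", "VULN-102", "VULN-103", "VULN-104"]


def run_all(today):
    """Run every declared-vs-observed check and return the combined findings."""
    findings = []
    findings += check_mfa(MFA_POLICY, USERS)
    findings += check_restore_tests(DR_POLICY, RESTORE_TESTS, today)
    findings += check_closed_findings(TICKETS, SCANNER_STILL_OPEN)
    return findings


if __name__ == "__main__":
    for f in run_all(date(2024, 12, 1)):
        print(f"[{f.control}] {f.summary} -> {f.action}: {', '.join(f.subjects)}")
```

The third check is the one that matters most for audit defensibility: a ticket status is a declaration, and only a fresh scan or pentest result is an observation, so closure is accepted only when the observation no longer lists the finding.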
Architecture
Six core layers
Regulativa models compliance as a system, not a checklist.
Obligations: what you must do (laws, contracts, standards)
Controls: how you do it (policies, procedures, technical measures)
Evidence: proof you did it (logs, reports, attestations)
Mappings: which evidence satisfies which control
Gaps: what is missing or incomplete
Automation: evidence collection from the other products
How It Works
From obligation to evidence
See how Regulativa maps a single control to linked objects across the platform.
Compliance Mapping
ISO 27001 A.8.8 Management of technical vulnerabilities (ISO 27001:2022 numbering; the same control is A.12.6.1 in the 2013 edition, which is the reference used in the evidence example above)
Information about technical vulnerabilities shall be obtained, exposure evaluated, and appropriate measures taken.
Linked Objects (shown in the interactive view)
Control Readiness (shown in the interactive view)
Action Required: Review evidence package before audit deadline (Dec 15)
Coverage
Supported frameworks
Regulativa is a compliance operating system, not a document library. Pre-built control mappings for major frameworks.
Security Graph
How Regulativa feeds the platform
Regulativa writes evidence mappings to the shared security graph. Other modules consume them.
Regulativa writes: evidence mappings with status; control coverage, gaps, and audit readiness.

Other modules use it for:
Odbrana: control-aware scanning
Napad: compliance-focused testing
Postava: compliance hardening
Risk Engine: compliance risk score

Evidence flows in automatically:
Odbrana → Regulativa: scan reports become vulnerability evidence
Napad → Regulativa: pentest findings become validation evidence
Postava → Regulativa: hardening configs become control evidence
Continuous Updates
Evidence refreshes automatically