Ready when you are

Be audit-ready by default.

Start free with two frameworks, twenty policies, and one living picture of your security program.


Cyber Security Framework as a Service: governance, risk and compliance, run from one living platform.


© 2026 CSFaaS, All rights reserved.
Cyber Security Framework as a Service

Get audit-ready. Stay audit-ready.

CSFaaS runs your entire GRC program: 40+ frameworks, risks, policies, vendors and audits in one live platform. Every control mapped, every proof one click away.

Free forever Starter plan · No credit card required · Set up in minutes
[Product mockup: the workspace dashboard (app.csfaas.com/dashboard) for a sample tenant, Acme Industries. Panels: Frameworks (4 active: ISO/IEC 27001:2022 94%, SOC 2 Type II 81%, NIST CSF 2.0 72%, DORA 58%), Policies (18 / 20 approved), Audits (1 open ISO 27001 surveillance audit, 0 major and 2 minor NCs), a likelihood × impact risk heat map (18 risks, 3 above appetite) and a live activity feed of evidence, control, risk, policy, audit and third-party events.]
The framework library

40+ frameworks, ready out of the box.

ISO 27001:2022, SOC 2 (AICPA TSC), CCCS – Baseline Controls for SME, DORA, HIPAA, ISO 9001:2015, NCA CSCC, NCA ECC, NCA TCC, NIST AI 100-1, NIST SP 800-37, NCA OSMACC, PCI DSS, NIST CSF, CCB CyberFundamentals, CMMC, GDPR, IAPP CIPM, NCA CCC, NCA DCC, NCA OTCC, NIS2, NIST PF, NIST SP 800-53, NIST SP 1300, ISO 42001:2023
Browse the full framework library
40+ frameworks ready to deploy: ISO 27001, SOC 2, NIST, GDPR, DORA, NIS2 and more
0 spreadsheets. Your entire GRC program in one platform, not in Excel
All activity recorded by the database itself, an audit trail no one can skip
€0 to start. The Starter plan is free, forever, and your data exports anytime
The platform

Twelve modules. One operating picture.

Most tools store your compliance. CSFaaS runs it: every module reads and writes the same living model of your organization, so a change anywhere is truth everywhere. Browse the modules at your own pace.

01 Frameworks

Import a framework. Inherit the work.

Deploy ISO 27001, SOC 2 or NIST in minutes: controls, owners and maturity tracking included. Cross-mapping carries every implemented control into the next framework you adopt.

  • Controls cross-mapped between frameworks, so nothing is done twice
  • Version diffs imported automatically (2013 → 2022 remapped for you)
  • Implemented → partially → not applicable, tracked per element
See it in action
[Product mockup: app.csfaas.com/dashboard/frameworks/iso-27001. ISO/IEC 27001:2022 Annex A, 93 controls, 4 owners, evidence linked, 94% covered. Per-control status (Implemented, Partially implemented, Not implemented, Not applicable) with coverage percentages, coverage by domain (Organizational, People, Physical, Technological), and a Versions panel: v2022 active, v2013 archived, diff imported with 31 controls remapped automatically.]
02 Controls

One control library. Every framework satisfied.

A single library of controls shared by all your frameworks, each with an owner, a maturity level and a review cadence, so progress anywhere is progress everywhere.

  • Maturity tracked on the real scale, from Initial to Optimized
  • Implement once and satisfy ISO, SOC 2 and NIST simultaneously
  • Evidence and policies linked at the control level
See it in action
[Product mockup: app.csfaas.com/dashboard/controls. Controls library, 348 controls shared across every framework, 92% implemented, filterable by Organizational, Technical and People; each control shows its maturity level, owner and implementation percentage, with a maturity distribution from L2 Developing to L5 Optimized.]
03 Policies

Policies that stay alive after publication.

Author, version and approve policies with a real editorial workflow, then let periodic reviews keep them honest long after the PDF would have gone stale.

  • Version history with approval workflows on every document
  • Periodic reviews keep every policy owned and current
  • Policies linked to the frameworks and controls they satisfy
See it in action
[Product mockup: app.csfaas.com/dashboard/policies. Policies & periodic reviews, 18 / 20 current; each policy listed with version and status (Approved, Pending, Review due), 90% of reviews on time, 97% approved, and an approval flow (draft completed → review & approval → publication) for Access Control Policy v2.0. Every document is linked to frameworks and controls and has an owner and a reviewer.]
04 Risks

Risk the board understands, and engineers can act on.

Qualitative matrices for the management review, quantitative loss exposure for the decisions that need numbers; both read from the same risk register.

  • Configurable qualitative matrix with live heat mapping
  • Quantitative analysis with annualized loss exposure curves
  • Risk appetite thresholds with live breach alerts
See it in action
[Product mockup: app.csfaas.com/dashboard/risks. Risk operations: a likelihood × impact matrix with 3 risks above appetite, an annualized loss exposure curve (P95 €410K residual, −38% post-treatment), top risks with owner and status (Mitigating, Above appetite, Accepted), a treatment plan with 7 actions in flight, and the analyst → assurance demand workflow.]
05 Demands

Every risk request, through one front door.

Teams raise demands; analysts assess; assurance validates; requesters get a full report back. A real workflow with SLAs, not an inbox full of threads.

  • Analyst → assurance review flow with full traceability
  • Per-priority SLAs tracked live on every demand
  • Stakeholders invited per demand, scoped read-only
See it in action
[Product mockup: app.csfaas.com/dashboard/risks/demands. Risk demands, intake → analyst review → assurance → closure: 9 in flight across New, In Progress, Pending Closure and Completed, each with a priority and a live SLA countdown, plus a workflow activity feed (created, analyst review, pending information, risk response provided, requester notified). Per-priority SLAs tracked live, stakeholders invited per demand.]
06 Remediation

From finding to fixed. Visibly.

Every treatment action lives on a board with an owner, a deadline and a link back to the risk or finding it answers. Closure is verified, not declared.

  • Every action carded with owner, difficulty and deadline
  • Review health on each plan: on schedule, coming up or overdue
  • Closure verified against the originating risk
See it in action
[Product mockup: app.csfaas.com/dashboard/risks/remediation. Remediation plans, 7 in flight: a board of actions (Open, In progress, Pending validation, Completed), each carded with difficulty, owner and due date; review health 18 on schedule, 2 coming up, 1 overdue; closure verified against the originating risk.]
07 Systems

Know what you run, and what it would cost to lose.

A registry of every system with confidentiality, integrity and availability levels that propagate straight into risk scoring and vendor assessments.

  • C·I·A classification on every system
  • Classification drives risk scoring automatically
  • Linked to vendors, policies and evidence
See it in action
[Product mockup: app.csfaas.com/dashboard/systems. Systems registry, 112 systems, each with a type, C·I·A levels (1 to 3) and a risk score; classification summary: 12 critical (full triad at level 3), 28 high (mixed levels), 72 moderate & low. Classification drives risk scoring; systems are linked to vendors, policies and evidence.]
08 Third parties

Every vendor, classified, scored and reviewed.

A living vendor registry with tiering, risk scores and review SLAs, plus security questionnaires sent and tracked from the platform itself.

  • Tiering, risk scoring and review SLAs per third party
  • DORA & NIS2 ICT provider registers built in
  • Questionnaires sent from Forms, answers filed as evidence
See it in action
[Product mockup: app.csfaas.com/dashboard/third-parties. Third parties, 48 vendors tiered (1 to 3), scored and reviewed, with SLA status (met, review due, breach, offboarding); security questionnaires in progress (annual vendor review 2026, 9/12; DORA ICT provider assessment, 5/5); review SLAs 44 on schedule, 4 due this month. DORA & NIS2 ICT registers built in, questionnaires sent from Forms.]
09 Audit

Walk into audits with the answers already filed.

Run internal and external audits in the platform: document review, control sampling, findings and responses, against evidence that is already organized.

  • Audit campaigns with findings and response tracking
  • Auditor access scoped to exactly what they need
  • Exports that mirror exactly what the auditor will ask for
See it in action
[Product mockup: app.csfaas.com/dashboard/audit. Audit manager for an external ISO 27001 surveillance audit, fieldwork day 2: document review 100%, control sampling 76%, findings & responses 40%, closing report pending; an evidence vault feed (files accepted by the auditor, linked to controls, versioned, served by signed URL); findings: 2 minor NCs (supplier review cadence not documented, crypto inventory incomplete), 4 opportunities for improvement, 0 major NCs. Every file versioned and workspace-scoped.]
10 Forms

Ask anything. Track everything.

Build questionnaires once and send them to vendors, teams or auditees. Completion tracked live, answers filed where they belong.

  • Drag-and-drop builder with rich text answers
  • Response rates and completion tracked live
  • Answers attach to vendors and controls as evidence
See it in action
[Product mockup: app.csfaas.com/dashboard/forms. Forms & questionnaires, 2 campaigns live: vendor security review 2026 (24 questions, sent to 12 vendors, 75% response rate), employee security awareness quiz (10 questions, closed, 100%), DORA ICT register intake (16 questions, draft); per-recipient progress shown live. Rich text answers, evidence attachments.]
11 Evidences

Proof with provenance, not a shared drive.

Every file versioned, linked to its control, framework or vendor, and served only through time-limited signed URLs from workspace-scoped storage.

  • Versioned files linked at the control level
  • Time-limited signed URLs, nothing public, ever
  • Complete version history on every file
See it in action
[Product mockup: app.csfaas.com/dashboard/evidences. Evidence vault, 100% versioned, counts by module (Controls 148, Frameworks 96, Audits 54, Policies 41, Third parties 33) and latest files with their events (accepted by auditor, linked to a control, version archived, signed URL issued). Time-limited signed URLs only, workspace-scoped storage buckets.]
12 Reviews

Nothing expires quietly.

The periodicity hub watches every control, policy, vendor and system review, who owns it, when it is due, and what is overdue, across the entire program.

  • Every item has an owner and a review cadence
  • Overdue and upcoming reviews surfaced program-wide
  • Exemptions visible, never hidden
See it in action
[Product mockup: app.csfaas.com/dashboard/reviews. Reviews & ownership, periodicity across every module: 90% of reviews on time, 90% of versions approved, 86% coverage; upcoming reviews across controls, policies, third parties and systems (overdue, coming up, scheduled). Every item has an owner and a cadence; "Not required" exemptions are visible, never hidden.]
[Product mockup: CSFaaS Assistant, workspace-scoped, read-only. Sample prompt: "Which ISO 27001 controls are still missing evidence before the audit?" Sample answer: 3 controls need attention, A.8.16 Monitoring activities (no evidence since Q1), A.5.19 Supplier relationships (evidence outdated, v1 only), A.8.12 Data leakage prevention (owner unassigned); read from Frameworks, Evidences and Reviews. Follow-up suggestion: "Summarize the gaps for the audit kickoff meeting."]
AI assistant

Ask your compliance anything.

A built-in analyst that reads your live program, and only yours. Every answer is scoped by the same row-level security as your team, and it can never change a thing.

  • Sees exactly what you can see, workspace-scoped through your own session
  • Read-only by design: it informs, it never edits
  • Answers grounded in your real frameworks, risks and evidence
See it answer live
Why CSFaaS

Industry-leading features. Zero compromises.

Everything that makes teams pick CSFaaS over the incumbents, and stay.

Multi-Tenant Architecture

Manage multiple workspaces, clients, and business units with complete data isolation.

Multi-Framework Compliance

Streamline compliance across ISO 27001, NIST, GDPR, and 40+ frameworks automatically.

Real-Time Insights

Data-driven decisions with live dashboards, analytics, and audit-ready reports.

No Vendor Lock-In

Full data portability: export anytime, integrate seamlessly, scale without restrictions.

Scalable & Growth-Ready

Perfect for startups to enterprises, including managed service providers.

Role-Based Governance

Built-in collaboration tools with granular permissions and real-time workflows.

Full Customization

Tailor policies, workflows, and controls to meet your specific requirements.

Transparent Pricing

Start free, scale affordably, no hidden costs or surprise fees.

Always Up-to-Date

Continuous updates with new frameworks and evolving compliance features.

Collaboration

Compliance is a team sport.

Live presence shows who is editing what, with a polite hand-over instead of overwritten work. Mentions, comments and a real inbox keep everyone on the same page without leaving the platform.

  • Live editing lock with hand-over, so no more silent overwrites
  • An inbox of everything you follow: items, mentions, reviews
  • Comments with @mentions on policies, risks, controls and more
See it in action
[Product mockup: the inbox (everything you follow in one place, 3 unread: a mention on Access Control Policy v2, a hand-over request on the risk matrix settings, new evidence for A.8.24 Cryptography), a comment thread with @mentions on the Supplier Security Policy, and a live editing lock on the risk matrix settings with a "Request hand-over" action.]
[Product mockup: workspace framing toggles that switch capabilities on or off for everyone (quantitative risk analysis, risk demands workflow, forms & questionnaires, databases module, tickets); risk matrix size 3×3, 4×4 or 5×5 with editable qualitative levels; editable catalogs (statuses, types, labels) so the platform speaks your vocabulary. Hidden modules vanish for everyone, while roles & permissions stay granular.]
Customization

Switch off everything you don’t need.

Your program, your shape. Framing toggles turn whole capabilities on or off for the workspace, the risk matrix bends to your methodology, and the catalogs speak your vocabulary.

  • Per-workspace feature framing: hidden modules vanish for everyone
  • Configurable risk matrix and editable qualitative levels
  • Editable catalogs: statuses, types and labels speak your vocabulary
Shape it to your org
How it works

Scope. Operate. Prove.

From an empty workspace to a defensible program, without a single spreadsheet.

01

Scope

Choose your frameworks, import your catalogs, declare your systems and set your risk appetite. Your program scaffolds itself around them.

02

Operate

Assign owners, treat risks, review controls, collect evidence. Every change is logged at the database level and the right people are notified, automatically.

03

Prove

Auditors, clients and the board read from the same live posture you do. Export when asked. Be ready always.

Architecture

Secure by design. Down to the database.

A compliance platform should pass its own audit, so isolation, encryption and traceability are enforced where they cannot be bypassed: in the database itself.

Isolation in the database itself

Tenant separation is enforced by PostgreSQL row-level security on every table, not by application code that can forget to check.

Encrypted everywhere

TLS for every connection, encryption at rest for every byte. Your evidence never travels or sleeps in the clear.

2FA and granular roles

TOTP two-factor authentication and role-based permissions, scoped per workspace and per module.

Evidence with provenance

Files live in workspace-scoped storage, versioned, and are only ever served through time-limited signed URLs.

A native audit trail

Activity events are emitted by the database, not by scripts: a record of who changed what that cannot be skipped.
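The two database-level guarantees described above, tenant isolation enforced by row-level security and an activity record that application code cannot skip, can both be expressed in a handful of PostgreSQL statements. The block below is an added example written for this page, not the CSFaaS schema: the table names (evidences, activity_events), the app.workspace_id session setting, the assistant_ro role and the sample rows are assumptions chosen to illustrate the technique.

```sql
-- Added example (not the CSFaaS schema): tenant isolation with PostgreSQL
-- row-level security plus a trigger-written audit trail. Table, column,
-- role and setting names are assumptions for illustration. PostgreSQL 11+.

CREATE TABLE evidences (
    id           bigserial PRIMARY KEY,
    workspace_id uuid    NOT NULL,
    control_ref  text    NOT NULL,          -- e.g. 'A.8.24'
    file_name    text    NOT NULL,
    version      integer NOT NULL DEFAULT 1
);

CREATE TABLE activity_events (
    id           bigserial   PRIMARY KEY,
    workspace_id uuid        NOT NULL,
    table_name   text        NOT NULL,
    operation    text        NOT NULL,      -- INSERT / UPDATE / DELETE
    row_id       bigint      NOT NULL,
    actor        text        NOT NULL,
    old_row      jsonb,
    new_row      jsonb,
    occurred_at  timestamptz NOT NULL DEFAULT now()
);

-- The application connects as an ordinary (non-superuser, non-owner) role and
-- pins the tenant for the current transaction after authenticating the user:
--     SET LOCAL app.workspace_id = '<workspace uuid>';
-- Every policy reads that value back, so a query that forgets its WHERE clause
-- still cannot read or write another tenant's rows.
ALTER TABLE evidences ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidences FORCE  ROW LEVEL SECURITY;   -- applies to the table owner too

CREATE POLICY evidences_tenant_isolation ON evidences
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- A read-only role for the assistant: same tenant policy, no write privileges.
CREATE ROLE assistant_ro NOLOGIN;
GRANT SELECT ON evidences TO assistant_ro;

-- Audit trail: the trigger fires on every row change, whichever code path
-- issued the statement. SECURITY DEFINER lets it append to a table the
-- application role cannot write directly; session_user records the real caller
-- (current_user would report the function owner inside a definer function).
CREATE OR REPLACE FUNCTION log_activity() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO activity_events
        (workspace_id, table_name, operation, row_id, actor, old_row, new_row)
    VALUES (
        COALESCE(NEW.workspace_id, OLD.workspace_id),
        TG_TABLE_NAME, TG_OP,
        COALESCE(NEW.id, OLD.id),
        session_user,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN COALESCE(NEW, OLD);
END
$$;

CREATE TRIGGER evidences_audit
    AFTER INSERT OR UPDATE OR DELETE ON evidences
    FOR EACH ROW EXECUTE FUNCTION log_activity();

-- Append-only for everyone but the owning (migration) role: the application
-- role gets no UPDATE or DELETE on the event table, so history stays intact.
REVOKE UPDATE, DELETE ON activity_events FROM PUBLIC;

-- Constructed smoke test: one tenant inserts a row, cannot smuggle a row into
-- another workspace, and the insert is recorded without any application code.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO evidences (workspace_id, control_ref, file_name)
VALUES ('11111111-1111-1111-1111-111111111111', 'A.8.24', 'crypto-policy-v3.pdf');
-- The next statement fails the WITH CHECK clause ("new row violates
-- row-level security policy"), so it is left commented out:
-- INSERT INTO evidences (workspace_id, control_ref, file_name)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'A.8.24', 'smuggled.pdf');
SELECT count(*) FROM evidences;                          -- only this workspace's rows
SELECT operation, actor, new_row->>'file_name' FROM activity_events;
COMMIT;
```

Two caveats a reviewer will check. Superusers and roles carrying BYPASSRLS are never subject to these policies, so the application and the assistant must connect as ordinary roles, and FORCE ROW LEVEL SECURITY is what keeps the table owner honest. With a connection pooler in transaction mode, set the tenant with SET LOCAL inside each transaction rather than SET on the session, otherwise the workspace id can leak into the next transaction that reuses the pooled connection.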

European hosting

Data residency in the EU with GDPR-aligned processing. Your compliance platform is itself compliant.

The switch

Retire the spreadsheet.

Most compliance programs run on heroic Excel work. Here is what changes the day you stop.

The spreadsheet way
✕ Versions named final_v7_FINAL.xlsx
✕ Evidence buried in email threads
✕ The audit trail is someone’s memory
✕ Reviews happen when someone remembers
✕ Access control is "please don’t edit this"
The CSFaaS way
One living source of truth, always current
Evidence versioned and linked to its control
An audit trail written by the database itself
Reviews scheduled, owned and surfaced before they slip
Roles, 2FA and row-level security on every table
Pricing

Start free. Scale when it pays for itself.

No per-framework fees, no surprise tiers. One plan that is free forever, one that removes every limit.

Starter

Everything you need to start, free forever

Free
Get started free
  • Up to 2 team members
  • 2 compliance frameworks
  • Up to 20 policies
  • Up to 50 third parties & systems
  • 5 risk assessments / month
  • 7 days activity logs
  • 2 GB secure storage
Most chosen

Premium

Unlimited compliance for fast-growing organizations

€390/ month
Get started
  • Up to 10 team members
  • Unlimited frameworks
  • Unlimited policies
  • Unlimited third parties & systems
  • Unlimited risk assessments
  • 6 months activity logs
  • 10 GB secure storage
  • Priority support

Enterprise

Tailored to your organization

Custom
Contact us
  • Unlimited users, policies, frameworks, assets, and evidence storage
  • Enterprise SSO integration (Microsoft Entra ID, Google Workspace, Okta, and custom identity providers)
  • Advanced connectors and automated evidence collection (AWS, Azure, GitHub, Jira, and more)
  • Custom integrations and feature development tailored to your compliance requirements
  • Dedicated instance, flexible deployment options, and enhanced security controls
  • White-glove onboarding, priority support, and dedicated compliance guidance
Compare every feature in detail
DarkProtect

Prefer experts to run it for you?

Our operating partner DarkProtect deploys and runs CSFaaS end to end: the platform, the program and the people behind it.

Meet DarkProtect
Managed Compliance

CSFaaS deployed and operated for you: continuous evidence, live posture.

Risk & Compliance Advisory

ISO 27001, SOC 2, NIST CSF, GDPR, DORA & NIS2 programs that pass review.

Security Assessments

Penetration testing, cloud & config review, threat modeling.

Virtual CISO

Senior security leadership on demand: strategy, reporting, ownership.

From the library

Latest compliance insights.

Frameworks decoded, regulations translated, practice over theory, from the team behind the platform.

Browse all articles