Compliance tracking without a full GRC platform

Map findings and controls to ISO 27001, SOC 2, Cyber Essentials, and more. Track compliance status with pre-built control templates, generate audit evidence, and export to CSV for external auditors.

No credit card required. Free plan available forever.

Track compliance controls alongside your security findings

Compliance assessments generate enormous volumes of data: control requirements, evidence documents, finding-to-control mappings, and status updates that change throughout the audit lifecycle. Managing this in spreadsheets leads to version conflicts, missed controls, and audit-day panic. SecPortal's compliance tracking module provides a structured, centralised register for every control across ISO 27001, SOC 2, and Cyber Essentials, directly integrated with your findings and engagement data.

When a team member identifies a vulnerability during a compliance audit, they log the finding in SecPortal and map it to the relevant framework controls in a single action. The control status updates automatically based on linked findings, giving auditors and clients a real-time view of compliance posture without manual spreadsheet maintenance. This integration between findings and compliance data is what sets SecPortal apart from generic project management tools that treat security and compliance as separate concerns.

Pre-built frameworks ready to use

ISO 27001

Full Annex A control set with pre-built templates covering all 93 controls across organisational, people, physical, and technological domains

SOC 2

Trust Services Criteria templates for security, availability, processing integrity, confidentiality, and privacy

Cyber Essentials

UK NCSC framework controls covering firewalls, secure configuration, access control, malware protection, and patch management

Four-tier control status tracking

Compliant

Control fully implemented and evidenced with supporting documentation

Non-Compliant

Control not met; associated findings linked with remediation guidance

Partial

Control partially implemented with gaps requiring further action

Not Applicable

Control excluded from scope with documented justification

Comprehensive compliance toolkit

SecPortal combines manual control management with intelligent automation. Pre-built templates get you started instantly, finding-to-control mapping keeps data connected, and AI-generated summaries turn raw control data into the narrative reports that auditors and executives need. Every action is timestamped and attributed, building the evidence trail that compliance demands.

  • Map individual findings directly to one or more compliance framework controls
  • Pre-built control templates eliminate manual setup for ISO 27001, SOC 2, and Cyber Essentials
  • Dashboard view showing compliance posture at a glance with percentage breakdowns
  • Timestamped audit trail for every control status change and evidence update
  • CSV export of full control status for external auditors and regulatory submissions
  • AI-generated compliance summaries that translate control data into narrative reports
  • Cross-engagement compliance tracking to monitor improvements over time

Ready for external auditors

When the auditor arrives, you need structured evidence, not a folder of unsorted documents. SecPortal organises compliance data in the format auditors expect, with clear traceability from identified issues to affected controls and remediation outcomes.

  • Structured evidence repository linked directly to each compliance control
  • Exportable control matrices matching the format auditors expect
  • Clear traceability from finding to affected control to remediation action
  • Timestamped records proving when controls were assessed and by whom
  • AI-generated summaries providing auditor-ready narrative context

Keep compliance evidence current between audits

Compliance evidence ages on two axes: the framework cadence and the underlying state of the control. The audit evidence half-life research covers how SOC 2, ISO 27001, PCI DSS, NIST, and HIPAA evidence stays valid, the change triggers that invalidate evidence inside the calendar window, and the reproducibility properties that keep the audit trail durable between assessments. The companion security control drift research covers the upstream side: how controls erode between audits along the asset, scope, ownership, configuration, and compensating-control axes, and how the divergence ledger keeps the registered state honest against the live operating state.

The reproducibility property is delivered by the workspace activity log, which records every status change, evidence upload, and control update with the actor, the entity, and a timestamp, so the audit narrative regenerates from a query rather than from a static spreadsheet.

For the cross-control evidence ledger that pairs each artefact to its source system, retention class, currency state, and named owner, see the audit evidence tracker template. It works as a standalone artefact for teams running compliance evidence in spreadsheets and as a structural reference for teams running it inside SecPortal so the tracker entry points at the live system rather than at a static screenshot.

For the operating workflow that closes control gaps between assessments, with named owners, evidence requirements per control, and a verified-closure rule, see the control gap remediation workflow. It is the GRC discipline that turns a static control register into a live engagement record so audit lookback questions resolve from one record rather than from a multi-system reconciliation sprint.

For programmes operating against more than one framework, see the cross-framework control mapping crosswalk workflow. It defines a canonical internal control library, hangs ISO 27001, SOC 2, PCI DSS, NIST, and any sector overlay (HIPAA, FedRAMP, SWIFT CSP, FFIEC, MAS TRM, IEC 62443, NIS2, DORA) as cross-framework citations, and lets the same operating evidence produce every framework view rather than running parallel evidence-collection cycles per framework.

Simplify your compliance workflow

Pre-built control templates. Automated status tracking. Export-ready evidence.
