Run Your Own Control Framework Next to the Standards You Already Own
Your extra controls end up in a side spreadsheet that drifts
Published frameworks rarely match your environment one-to-one. Sector regulators, group security policies, and contractual obligations add controls that ISO 27001 or NIST CSF never anticipated — and those requirements still need owners, evidence, and audit scope.
The usual workaround is a parallel spreadsheet of "extra" controls that lives outside the system of record. It drifts, it duplicates evidence captured elsewhere, and it breaks when an auditor asks how a single control maps across two frameworks at once.
Managing several control hierarchies side by side then becomes the job itself — reconciling overlap, chasing the same evidence twice, and defending scope decisions you made months ago.
What you can do with Custom Control Sets
- Create custom control sets with full control definitions for any internal or regulatory requirement.
- Build a hierarchy of categories, subcategories, and controls that mirrors your real framework structure.
- Set control applicability and audit scope so each assessment covers only what genuinely applies.
- Enable average-maturity scoring per control set to report progress consistently.
- Import controls from external sources instead of re-keying each one by hand.
- Toggle built-in standards on or off per organization to match each entity's obligations.
- Link multiple standards to the same evidence so one artifact satisfies overlapping requirements.
What it delivers to your program
- Audit-ready across every framework — custom and built-in controls live in one register, ready to show on request.
- No duplicated evidence work — shared evidence across standards removes the second and third re-collection pass.
- Defensible scope decisions — applicability and audit-scope settings record why a control does or doesn't apply.
- Consistent maturity reporting — average-maturity scoring gives leadership a comparable view across control sets.
- Faster framework onboarding — import controls and extend existing standards instead of building from zero.
Built for compliance
DPMS helps you evidence the controls behind these frameworks. It supports your program — it does not certify you against any standard.
| What DPMS does | Maps to | How |
|---|---|---|
| Manages your information security control set | ISO 27001 (Annex A controls) | Custom and built-in controls in one hierarchy with average-maturity scoring |
| Documents control applicability and audit scope | ISO 27001 (Statement of Applicability) | Per-organization applicability toggles with recorded scope decisions |
| Evidences cybersecurity risk-management measures | NIS2 Art. 21 | Control sets mapped to required measures with linked, shareable evidence |
| Organizes controls by function and category | NIST CSF | Hierarchical categories and subcategories aligned to your chosen framework |
Why Priverion
Unlike general-purpose GRC tools that treat custom frameworks as a separate module, Priverion lets your own control sets coexist and cross-link with built-in standards in a single hierarchy. Because the platform unifies privacy and information security, one piece of evidence can satisfy a custom requirement, an ISO control, and a NIS2 measure at once — without re-keying or maintaining a parallel tracker. Shared evidence and a shared hierarchy are the moat: they are what remove the duplication.