LowerPlane takes a unified approach to compliance management. Instead of managing each framework in isolation, LowerPlane maps controls across all 50+ supported frameworks to eliminate redundant work and give you a single view of your compliance posture.

The Multi-Framework Advantage

Most compliance frameworks share significant overlap. An access control requirement in ISO 27001 maps closely to similar requirements in SOC 2, HIPAA, GDPR, and PCI-DSS. LowerPlane leverages this overlap so you implement each control once and satisfy multiple frameworks simultaneously.

  • 400+ Controls - A unified control library spanning all 50+ frameworks with cross-mapping relationships.
  • 80-90% Overlap - The majority of controls map across frameworks, dramatically reducing duplicated effort.
  • Single Evidence - One piece of evidence can satisfy requirements in multiple frameworks at the same time.

How Control Mapping Works

LowerPlane maintains a control mapping table that defines relationships between controls across frameworks. Each mapping includes a confidence score indicating how closely the controls align: a policy control maps almost one-to-one to another policy requirement, but only partially to a requirement that also demands a technical implementation. For example, implementing an access control policy might map to:
  • ISO 27001 A.9.1.1 - Access control policy (2013 Annex A numbering; the 2022 revision lists access control as A.5.15)
  • SOC 2 CC6.1 - Logical and physical access controls
  • HIPAA 164.312(a)(1) - Access control (a technical safeguard, so a policy document alone only partly satisfies it)
  • GDPR Article 32 - Security of processing
  • PCI-DSS Requirement 7 - Restrict access to cardholder data by business need to know
When you mark a control as implemented and attach evidence, LowerPlane automatically updates the compliance status across all mapped frameworks. Review the confidence score on each mapping before relying on the propagated status; a low-confidence mapping is a prompt to check the target requirement, not proof that it is met.

Supported Frameworks

Of the 50+ supported frameworks, the five described below are the most commonly enabled.

ISO 27001

The international standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive information through risk management processes.
Key areas: Information security policies, asset management, access control, cryptography, physical security, operations security, communications security, system development, supplier relationships, incident management, business continuity, and compliance.
Best for: Organizations operating internationally or serving enterprise customers who require ISO certification.

SOC 2

The System and Organization Controls (SOC) 2 framework, maintained by the AICPA, evaluates service organizations against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the Common Criteria) is always in scope; the other four are included as the organization chooses.
Key areas: Control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, and change management.
Best for: SaaS companies and service organizations that need to demonstrate security practices to enterprise customers.

HIPAA

The Health Insurance Portability and Accountability Act establishes standards for safeguarding protected health information (PHI).
Key areas: Administrative safeguards, physical safeguards, technical safeguards, and breach notification requirements. Includes Business Associate Agreement (BAA) management and security incident tracking.
Best for: Healthcare organizations, health tech companies, and any business that handles protected health information.

GDPR

The General Data Protection Regulation is the EU's comprehensive data protection law governing the collection, processing, and storage of personal data.
Key areas: Lawful processing, data subject rights, Records of Processing Activities (ROPA), Data Protection Impact Assessments (DPIA), Data Subject Requests (DSR), and cross-border data transfers.
Best for: Any organization that processes personal data of individuals in the EU, regardless of where the organization itself is located.

PCI-DSS

The Payment Card Industry Data Security Standard defines security requirements for organizations that handle payment card data.
Key areas: Network security, cardholder data protection, vulnerability management, access control, monitoring and testing, and information security policy. Includes Cardholder Data Environment (CDE) scoping and Approved Scanning Vendor (ASV) scan management.
Best for: Any organization that processes, stores, or transmits payment card data.

Compliance Scoring

LowerPlane calculates a readiness score for each enabled framework based on three dimensions:
  Dimension   Description                                                              Weight
  Controls    Percentage of controls marked as implemented or partially implemented    40%
  Evidence    Percentage of required evidence collected and current (not expired)      35%
  Policies    Percentage of required policies published and acknowledged               25%
The readiness score is the weighted sum of the three percentages (the weights add up to 100%). Your overall compliance score is displayed on the dashboard and refreshed as you make progress.
The readiness score is an internal metric to help you track progress. It does not guarantee audit success: an auditor tests whether controls operated effectively over the review period, not whether they are marked implemented. A score above 80% typically indicates strong audit preparedness.
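To make the two mechanics above concrete, here is an added illustration (not LowerPlane's code) that models both the control-mapping propagation and the 40/35/25 readiness score. It assumes a 0-1 confidence scale, a threshold (MIN_CONFIDENCE) below which a mapping is flagged for review rather than auto-updated, an expiry window on each evidence item, and partial implementation counting toward the controls percentage as the table states; the control IDs come from the page's example, while the confidence values, evidence and policies are constructed sample data.

```python
"""Control-mapping propagation and weighted readiness score.

Added illustration, not LowerPlane's implementation. Assumed: confidence is
0-1, mappings below MIN_CONFIDENCE are flagged instead of auto-propagated,
evidence expires after a fixed window, partial implementation counts as done.
"""
from dataclasses import dataclass
from datetime import date, timedelta

WEIGHTS = {"controls": 0.40, "evidence": 0.35, "policies": 0.25}  # from the page's table
MIN_CONFIDENCE = 0.7  # assumed threshold; below it a mapping needs human review


@dataclass(frozen=True)
class Mapping:
    framework: str
    control_id: str
    confidence: float  # 0.0-1.0, assumed scale


@dataclass(frozen=True)
class Evidence:
    name: str
    collected: date
    valid_for_days: int

    def is_current(self, today: date) -> bool:
        """Evidence counts only while it is inside its validity window."""
        return today <= self.collected + timedelta(days=self.valid_for_days)


# Constructed mapping table for one unified control. Control IDs follow the
# page's example; confidence values are made up for illustration.
CONTROL_MAP = {
    "AC-01 Access control policy": [
        Mapping("ISO 27001", "A.9.1.1", 1.0),
        Mapping("SOC 2", "CC6.1", 0.9),
        Mapping("PCI DSS", "Req 7", 0.8),
        Mapping("HIPAA", "164.312(a)(1)", 0.6),  # technical safeguard: policy alone is partial
        Mapping("GDPR", "Art. 32", 0.5),
    ],
}


def propagate(control: str, status: str, framework_status: dict) -> list:
    """Set `status` on `control` and push it to every mapped framework control.

    High-confidence mappings are updated automatically; low-confidence ones
    are marked 'needs_review'. Returns the (framework, control_id) pairs flagged.
    """
    flagged = []
    for m in CONTROL_MAP[control]:
        fw = framework_status.setdefault(m.framework, {})
        if m.confidence >= MIN_CONFIDENCE:
            fw[m.control_id] = status
        else:
            fw[m.control_id] = "needs_review"
            flagged.append((m.framework, m.control_id))
    return flagged


def readiness(controls: dict, evidence: list, policies: dict, today: date) -> float:
    """Weighted readiness score (0-100) using the 40/35/25 weights."""
    def pct(done: int, total: int) -> float:
        return 100.0 * done / total if total else 0.0

    c = pct(sum(s in ("implemented", "partial") for s in controls.values()), len(controls))
    e = pct(sum(ev.is_current(today) for ev in evidence), len(evidence))
    p = pct(sum(v == "acknowledged" for v in policies.values()), len(policies))
    return round(WEIGHTS["controls"] * c + WEIGHTS["evidence"] * e + WEIGHTS["policies"] * p, 1)


def demo(today: date = date(2025, 1, 15)):
    """Constructed SOC 2 program state; returns (score, flagged mappings)."""
    fw_status = {"SOC 2": {"CC6.1": "not_implemented", "CC6.2": "implemented",
                           "CC7.1": "partial", "CC8.1": "not_implemented"}}
    flagged = propagate("AC-01 Access control policy", "implemented", fw_status)
    evidence = [
        Evidence("IAM policy export", date(2024, 12, 1), 90),      # still current
        Evidence("Quarterly access review", date(2024, 9, 1), 90),  # expired
    ]
    policies = {"Access Control Policy": "acknowledged", "Incident Response Policy": "draft"}
    return readiness(fw_status["SOC 2"], evidence, policies, today), flagged


if __name__ == "__main__":
    print(demo())  # (60.0, [('HIPAA', '164.312(a)(1)'), ('GDPR', 'Art. 32')])
```

Marking the one unified control implemented lifts SOC 2 controls to 3 of 4 (75%), while one of two evidence items has expired (50%) and one of two policies is acknowledged (50%), giving 0.40*75 + 0.35*50 + 0.25*50 = 60.0. The HIPAA and GDPR mappings fall below the assumed threshold and are returned for review rather than silently marked implemented, which is the behaviour to want when a policy-level control is mapped onto a technical requirement.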

The Compliance Dashboard

Your compliance dashboard provides a centralized view of your compliance program:
  • Framework readiness scores - Visual progress indicators for each enabled framework
  • Gap analysis - Controls, evidence, and policies that still need attention, prioritized by severity
  • Recent activity - Latest evidence collections, policy updates, and control changes
  • Upcoming deadlines - Evidence renewals, policy reviews, and training due dates
  • Integration health - Status of connected tools and last sync times
Dashboard data is powered by materialized views that refresh periodically to keep load times fast even with large datasets. Scores therefore reflect near-real-time status: a change you just made can take up to one refresh cycle to appear on the dashboard.

Getting Started with Compliance

1. Enable Frameworks
   Select the frameworks your organization needs from Compliance > Frameworks. See Frameworks for details.

2. Run an Assessment
   Complete the security assessment to establish a baseline score. See Assessments.

3. Review Controls
   Browse your controls, assign owners, and begin implementation. See Controls.

4. Collect Evidence
   Connect integrations for automated collection and upload manual evidence. See Evidence.

5. Create Policies
   Generate required policies from templates and manage approvals. See Policy Management.