Connecting documents to controls and frameworks transforms scattered files into structured compliance evidence. Proper mapping makes audits efficient and demonstrates systematic compliance management.
Why Document Mapping Matters
Mapping provides:
Quick evidence retrieval during audits
Clear traceability from control to proof
Automated evidence organization by framework
Confidence that all controls have supporting documentation
Reduced audit preparation time
Without mapping, documents are just files in storage. With mapping, they become structured compliance evidence.
How Mapping Works
Each document can link to:
Controls: Specific security requirements the document supports
Frameworks: Compliance standards the document addresses
Policies: Related policy documents
When you link a document to a control, it automatically associates with all frameworks that control serves.
Linking Documents to Controls
From the Document
Open the document detail page
Navigate to the Mapped Elements or Controls tab
Click Link Control or Add Control
Search and select relevant controls
Save
From the Control
Open the control detail page
Go to the Documents tab
Click Add Document
Select from existing documents or upload a new one
Save
Either approach creates the same linkage.
Common Document-to-Control Mappings
Access Control Documents:
User directory exports → Access management controls
MFA enrollment reports → Authentication controls
Access review sign-offs → Periodic review controls
Security Assessment Documents:
Penetration test reports → Vulnerability management, secure development
Vendor security reviews → Vendor risk management
Risk assessments → Risk management controls
Operational Documents:
Incident response reports → Incident management controls
Change logs → Change management controls
Backup verification → Business continuity controls
Contractual Documents:
Business Associate Agreements → Vendor controls, privacy controls
Data Processing Agreements → Data protection controls
Customer security agreements → Multiple controls depending on requirements
One Document, Multiple Controls
Many documents support multiple controls:
Example: Penetration Test Report
Vulnerability management control
Secure development control
Network security control
Configuration management control
Link it once to all applicable controls. The document appears in each control's evidence.
Framework-Level Mapping
Some documents support entire frameworks rather than specific controls:
Organizational charts
Security program overviews
Executive security presentations
Compliance roadmaps
These can be associated directly with frameworks without control-level mapping.
Evidence Gaps and Coverage
DSALTA highlights controls lacking document evidence:
Controls with Evidence: Show linked documents count
Controls Needing Evidence: Flagged for attention
Framework Coverage: Percentage of controls with sufficient documentation
Use these indicators to prioritize document collection and mapping.
Automated vs. Manual Evidence
Distinguish between evidence types:
Automated Evidence: Collected from integrations
Continuously updated
Always current
Linked automatically to relevant controls
Manual Evidence: Uploaded documents
Requires periodic updates
Needs explicit mapping
Provides context automation can't capture
Both types appear together in control evidence views.
Document Mapping for Audits
During audits, auditors request evidence by control. Well-mapped documents enable:
Quick Response: "Show me evidence for CC6.7" → Instantly pull all linked documents
Complete Packages: Generate framework-specific evidence packages automatically
Audit Trail: Demonstrate systematic evidence management
Confidence: Know you have evidence before auditors ask
Organizing Multi-Framework Evidence
When managing multiple certifications:
Shared Evidence: A document linked to a control serving SOC 2, ISO 27001, and GDPR
Framework-Specific: Some documents are only relevant to one framework
Inheritance: Control mapping automatically creates framework associations
This efficient reuse means less total documentation for multiple certifications.
Best Practices
Map During Upload: Link documents to controls immediately, not later
Regular Reviews: Verify mappings remain accurate as controls evolve
Complete Coverage: Ensure every control has appropriate evidence
Quality Over Quantity: One excellent document beats multiple mediocre ones
Keep Current: Update or replace documents as they age
Using Document Maps for Planning
Document mapping reveals:
Which controls are well-documented
Which need more evidence
Where evidence is aging and needs refresh
What documentation to prioritize
Use these insights to plan evidence collection efforts efficiently.
Next Steps
To create effective document mappings:
Review controls for your active frameworks
Identify which controls lack sufficient documentation
Upload and map priority documents first
Set reminders to update mapped documents periodically
Verify mappings before audit preparations begin
Well-mapped documents transform compliance from reactive to proactive.
