This table shows the 27 compliance areas where SOC 2 and NIST CSF controls overlap. When you mark a control as implemented in either framework, Venvera automatically propagates the status to the equivalent control in the other.

| Compliance Area | SOC 2 | NIST CSF |
|---|---|---|
| Encryption | CC6.1, CC6.7 | PR.DS-01, PR.DS-02 |
| Access Control | CC6.1 | PR.AA-01 |
| Identity Management | CC6.2 | PR.AA-01, PR.AA-03 |
| Authentication & MFA | CC6.1, CC6.3 | PR.AA-03 |
| Access Rights Review | CC6.2, CC6.3 | PR.AA-05 |
| Privileged Access Management | CC6.3 | PR.AA-05 |
| Network Security | CC6.6 | PR.IR-01 |
| Vulnerability Management | CC7.1 | ID.RA-01, PR.PS-01 |
| Logging & Monitoring | CC7.1, CC7.2 | DE.CM-01, DE.AE-02 |
| Incident Management | CC7.3, CC7.4 | RS.MA-01, RS.AN-03 |
| Incident Classification | CC7.3 | DE.AE-04 |
| Incident Reporting | CC7.5 | RS.CO-02 |
| Incident Response Team | CC7.4 | RS.MA-02 |
| Business Continuity | A1.1, A1.2 | RC.RP-01, RC.RP-03 |
| Backup & Restoration | A1.2 | RC.RP-03 |
| Third-Party Risk Management | CC9.2 | GV.SC-03 |
| Supplier Due Diligence | CC9.2 | GV.SC-06 |
| Risk Assessment | CC3.2 | ID.RA-03, ID.RA-05 |
| Information Security Policy | CC1.1 | GV.PO-01 |
| Security Awareness & Training | CC1.4 | PR.AT-01 |
| Data Classification | CC6.5, C1.1 | PR.DS-10 |
| Change Management | CC8.1 | PR.PS-01 |
| Secure Development | CC8.1 | PR.PS-06 |
| Security Testing | CC4.1 | ID.IM-02 |
| Record Keeping | CC7.2 | DE.CM-01 |
| Configuration Management | CC6.1 | PR.PS-01 |
| Malware Protection | CC6.8 | DE.CM-09 |

For details on how propagation works, thresholds, and the auto-mapped badge, see the Cross-Framework Control Propagation overview article.