Compliance Crosswalks — Map ForgeAwareness content to your framework
Audience: CISOs, GRC leads, compliance officers, internal auditors
Use case: Mapping security awareness program controls to regulatory and certification frameworks
Frameworks covered: NIST CSF 2.0 · ISO/IEC 27001:2022 · CIS Controls v8.1 · SOC 2 (TSC 2017) · PCI DSS v4.0.1 · HIPAA Security Rule
What this crosswalk gives you
A defensible mapping between every ForgeAwareness product (courses, toolkits, bundles, games) and the specific control identifiers in six major frameworks. Each mapping tells you:
- Which control(s) the product helps satisfy
- What evidence an auditor would accept
- What other controls still need their own treatment (i.e. what training alone doesn't cover)
Designed for the question every auditor asks: "Show me how you satisfy [Control ID]."
The files
| File | Purpose |
|---|---|
| 01-Master-Mapping.md | The single-table view: every ForgeAwareness product × every framework. Print and pin. |
| 02-Frameworks-Reference.md | The actual control text for the awareness-relevant clauses in each of the six frameworks. So you can quote them to auditors. |
| 03-Product-Mappings.md | Per-product detail. For each product, every control it satisfies, every evidence artifact, and what's still out of scope. |
| 04-Audit-Evidence-Templates.md | Templates for the artifacts auditors actually ask for: training records, completion reports, attestations, retention statements. |
| 05-How-To-Use.md | Practical guide for compliance leads — when to use which framework, common audit gotchas, and how to present this evidence. |
Important caveats — read these before showing to leadership
- This is a mapping, not legal advice. Your specific audit scope, materiality, and regulator interpretations may differ. Run it past your QSA, lead auditor, or counsel before relying on it for a control attestation.
- Training is one control, not all of them. Every framework cited here has dozens of controls that awareness training does not satisfy (access management, encryption, physical security, etc.). This crosswalk covers only the controls where training is the primary or contributing evidence.
- Framework versions matter. The crosswalk targets:
  - NIST Cybersecurity Framework 2.0 (Feb 2024)
  - ISO/IEC 27001:2022 + Annex A
  - CIS Controls v8.1 (June 2024)
  - SOC 2 Trust Services Criteria 2017 (the 2022 points-of-focus update is incorporated)
  - PCI DSS v4.0.1 (June 2024)
  - HIPAA Security Rule 45 CFR Part 164, Subpart C (the proposed 2025 update is noted where applicable)
- Completion records are usually the unit of evidence. Auditors don't typically watch the course. They check that the right people completed it, by when, and that records are retained. ForgeAwareness courses produce completion records through SCORM/LMS export — confirm your LMS captures these and that retention matches your policy.
- Personalization matters for some controls. PCI 12.6, HIPAA 164.308(a)(5), and NIST CSF PR.AT-02 specifically call for training content that maps to your role-based responsibilities and environment. Use the customization wizard to tokenize your tools, team, and policy links so the content reflects what your auditors expect to see.
Quick start for compliance leads
- Identify your in-scope framework(s). Most organizations need 2–4 of the six.
- Open 01-Master-Mapping.md and filter columns to your framework. This is your initial scoping artifact.
- For each control where you currently rely on awareness training, open 03-Product-Mappings.md and find which ForgeAwareness product gives you the strongest evidence.
- For each product you license, generate the audit-binder artifact using the templates in 04-Audit-Evidence-Templates.md.
- For each control awareness training does NOT cover, this crosswalk tells you so explicitly. Pair with your IAM, encryption, logging, and IR programs.
Versioning
| Version | Date | Notes |
|---|---|---|
| 1.0 | 2026-06-03 | Initial release. NIST CSF 2.0, ISO 27001:2022, CIS v8.1, SOC 2 TSC 2017+2022 PoF, PCI DSS 4.0.1, HIPAA Security Rule. |
When frameworks update materially (annually for some), this crosswalk is refreshed. License includes lifetime updates.