PLATFORM CAPABILITY

One control. Many standards. No duplication.

Cybereen pre-maps the overlap between Essential Eight, ISO 27001, ISO 27002, APRA CPS 234, APRA CPS 230, ISO 42001, and NIST CSF — so the work you do for one audit counts toward the next.

7 standards mapped
work, many audits
Full · Partial · Implies
PRE-MAPPED · 7 STANDARDS
Essential Eight · 8
ISO 27001 · 93
ISO 27002 · 93
APRA CPS 234 · 36
APRA CPS 230 · 41
ISO 42001 · 38
NIST CSF 2.0 · 106
WHAT YOU GET

Work once. Audit many. Stop duplicating.

Mapping in Cybereen isn't a spreadsheet of cross-references. It's an engine that watches every control you implement and quietly counts it toward every standard it satisfies.

Pre-mapped overlaps for 8 standards (and counting).

Essential Eight, ISO 27001, ISO 27002, APRA CPS 234, APRA CPS 230, ISO 42001, NIST CSF 2.0 — already cross-walked by our team. You don't build the mapping; you use it.

E8 · ISO · APRA · NIST

Work-once dashboards across multiple audits.

One assessment progress bar updates many standards in real time. Hit 80% on E8 ML2 and watch ISO and NIST coverage move with it — no parallel spreadsheets.

One bar · Many standards

Gap analysis that respects what you've already covered.

Cybereen shows you only the unique controls each new standard adds — not the shared base you've already done. Adopt a second framework in days, not quarters.

Only what's new
HOW IT WORKS

Three steps. Years of leverage.

From "which controls overlap?" to a live, scored, multi-standard view of your program — without ever building a cross-walk yourself.

Step 01

Pick your active standards.

Tick the standards your auditors actually ask about. Add more later — the mapping engine recalculates overlap in seconds, not weeks.

Essential Eight ML2 · 8 ctrls
ISO 27001:2022 · 93 ctrls
APRA CPS 234 · 36 ¶
NIST CSF 2.0 · 106 ctrls
ISO 42001 (AI) · 38 ctrls
Step 02

See the overlap map.

Cybereen highlights which controls double-, triple-, or quadruple-count. Dark cells are the heaviest hitters — one control answering four standards at once.

CONTROL    E8   ISO  NIST
MFA        ×4   ×4   ×4
Patching   ×3   ×3   ×2
Backups    ×3   ×2   ×2
Logging    ×2   ×3   ×3
App ctrl   ×3   ×2   ×1
Step 03

Work the unique controls.

Focus effort on the controls each standard adds, not on re-doing the shared base. Adopt a new standard and you'll typically face a fraction of the work you feared.

+ APRA · Board notification ¶35 · NEW
+ APRA · Incident notify APRA ¶36 · NEW
+ APRA · Third-party assurance ¶24 · NEW
+ APRA · Audit by independent ¶33 · NEW
SHARED · 23 ¶ already met by ISO · REUSED
USE CASE

350-person AU healthcare provider. Three standards. One program.

Privacy-regulated, APRA-adjacent through their underwriting, and contractually obliged to Essential Eight ML2 by their largest payer. Three audits, three vocabularies — until the overlap engine consolidated them.

HEALTHCARE · AU-WIDE · 350 STAFF · TRIPLE AUDIT

From 387 controls across three standards down to 142 they actually manage.

Before Cybereen: a 600-row spreadsheet trying to track three frameworks side-by-side, with the security manager re-typing the same evidence into three different cells. After: one program. The mapping engine showed 63% of controls were shared across all three — leaving a much shorter list of genuinely unique work.

387 → 142 · Controls actually managed by the team
63% · Shared across all three standards
3 → 1 · Spreadsheets retired, one program live
~6 wks · Saved per audit cycle by the GRC lead

"I stopped maintaining a triple-column spreadsheet the week we turned this on. We work one program. Three audits read it differently — that's the mapping engine's problem, not mine anymore."

— HEAD OF RISK · AU HEALTHCARE PROVIDER, 350 STAFF
PART OF THE PLATFORM

Mapping is the multiplier for everything else.

One assessment progress bar updates many standards. One piece of evidence fulfils every mapped control. One heat map shows coverage across every framework you've turned on.

YOU ARE HERE

Multi-standard mapping

The overlap engine that watches every control you implement and counts it toward every standard it satisfies. Full / Partial / Implies scoring, transparent methodology, customisable.

7 STANDARDS PRE-MAPPED · CUSTOMISABLE · METHODOLOGY PUBLIC
ONE PROGRAM MODEL
Implement a control once. It scores in every standard that asks for it, lights up the heat map, and tells your gap planner what's actually left to do. No retyping. No reconciling. No parallel spreadsheets.
FAQ

The three we get asked first.

Whose mappings are these?
Cybereen's, maintained against the official standards. Our team cross-walks each standard control-by-control, then re-validates the mapping every time a standard revises (annual cycle for most, faster for ISO drafts). The methodology is public — we publish the rubric we use to decide what counts as Full, Partial, or Implies, so your auditor can scrutinise our reasoning, not just our output.
Can I add custom mappings?
Yes — overlay your own mappings on top of Cybereen's defaults. Tenant-level custom mappings sit alongside ours and are visually distinguished in the UI (your edits are marked with your tenant badge). You can add mappings for in-house frameworks, contractual control libraries, or industry codes we don't ship out of the box. Cybereen's defaults are never overwritten — your overlay can extend or override per-cell, and you can roll back at any time.
What about partial overlaps?
We score overlap as Full, Partial, or Implies. Full means the source control fully satisfies the target — same scope, same evidence works. Partial means you've covered the spirit but may need supplementary evidence (for example, MFA enforced for admins satisfies the principle of access control under APRA CPS 234, but APRA also expects board-level reporting which a screenshot alone won't cover). Implies means doing the source materially reduces the work for the target but doesn't on its own evidence it. Every cell tells you which scoring band it sits in, why, and what supplementary evidence (if any) the target standard would still ask for.

Stop maintaining the triple-column spreadsheet.

Turn on the standards your auditors ask about. We'll show you which controls already overlap, what's genuinely new, and how much work you don't actually need to do.