Compliance Crosswalks: One Control, Many Obligations

Purpose

This document explains how Thinkwerke reduces compliance overhead by mapping a single technical control to multiple regulatory and assurance frameworks.

Instead of implementing controls separately for each regulation, we build shared, evidence-producing controls that satisfy multiple obligations simultaneously.

Why Crosswalks Matter

Organisations operating in EU-regulated environments typically face:

  • ISO 27001

  • NIS2 Directive

  • Cyber Resilience Act (CRA)

  • GDPR

  • Customer security requirements

  • Industry questionnaires and tenders

Without crosswalks, teams duplicate work, create inconsistent controls, and struggle to explain coverage.

Crosswalks solve this structurally.

Thinkwerke Crosswalk Philosophy

Thinkwerke crosswalks are:

  • Control-centric, not document-centric

  • Grounded in real implementations

  • Evidence-first

  • Maintained alongside systems

Each control answers three questions:

  1. What requirement does this control satisfy?

  2. Where is it implemented technically?

  3. What evidence proves it continuously?

Core Crosswalk Dimensions

Each crosswalk maps across four dimensions:

  • Regulatory requirement

  • Technical control

  • Operational process

  • Evidence artefact

This ensures traceability from law to pipeline.

Example: Vulnerability Management Crosswalk

A single vulnerability management workflow can satisfy:

  • ISO 27001 A.12 / A.8

  • NIS2 Article 21 (risk management measures)

  • CRA vulnerability handling obligations

  • Customer assurance requirements

Mapped elements include:

  • Detection tooling

  • Severity classification

  • SLA enforcement

  • Workflow ownership

  • Exportable evidence

ISO 27001 ↔ NIS2 Crosswalk

Key alignment areas:

  • Risk management

  • Incident detection and response

  • Access control

  • Logging and monitoring

  • Supplier and service management

Thinkwerke ensures these are implemented once and mapped cleanly to both frameworks.

See also: ISO/IEC 27001: Compliance Mapping; NIS2 Directive: Operational Security & Resilience

NIS2 ↔ CRA Crosswalk

NIS2 and CRA overlap heavily in:

  • Secure software lifecycle (SSLM)

  • Vulnerability disclosure and remediation

  • Supply-chain security

  • Incident handling

Thinkwerke aligns these through:

  • CI/CD-integrated controls

  • SBOM and dependency governance

  • Evidence-producing workflows

See also: Cyber Resilience Act (CRA): Product & Software Engineering

GDPR ↔ Security Framework Crosswalk

GDPR privacy requirements intersect with:

  • Access control

  • Logging and traceability

  • Data minimisation

  • Incident detection

Privacy controls are mapped alongside security controls, ensuring GDPR is enforced technically — not just documented.

See also: GDPR: Privacy Engineering & Data Protection by Design

Customer & Tender Alignment

Crosswalks extend beyond regulation into:

  • Customer questionnaires

  • RFP and tender responses

  • Partner security assessments

Evidence generated for regulators is reused for customer assurance with minimal adaptation.

Evidence Reuse Model

Crosswalks enable:

  • One control → many requirements

  • One evidence artefact → many stakeholders

  • Reduced audit fatigue

  • Faster tender responses

This significantly reduces recurring compliance workload.
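To make the four crosswalk dimensions concrete, the following is an added example (not Thinkwerke's tooling, and not code from this page) that models the vulnerability management crosswalk above and the evidence reuse model as data, then derives from it what an auditor or tender reviewer would ask for: per-framework coverage, unmapped requirements, stale evidence, and the artefacts reusable for a given obligation. The requirement references follow the page's examples; the clause summaries, control identifier, artefact names and ages are constructed for illustration.

```python
"""Added example: a minimal one-control-many-obligations crosswalk model.
All identifiers, artefact names and freshness values below are illustrative."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    framework: str  # regulatory or assurance framework
    ref: str        # clause, article or questionnaire item
    summary: str


@dataclass(frozen=True)
class Evidence:
    name: str
    produced_by: str   # pipeline stage or system that emits the artefact
    max_age_days: int  # freshness bound for "proven continuously"
    age_days: int      # constructed: days since the artefact was last produced


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    implemented_in: str              # technical control location
    owner: str                       # operational process owner
    satisfies: tuple[Requirement, ...]
    evidence: tuple[Evidence, ...]


# Constructed obligation catalogue (refs follow the page; summaries are ours).
ISO_VULN = Requirement("ISO 27001", "A.8 / A.12", "technical vulnerability management")
NIS2_VULN = Requirement("NIS2", "Art. 21", "vulnerability handling and disclosure")
NIS2_SUPPLY = Requirement("NIS2", "Art. 21", "supply-chain security")
CRA_VULN = Requirement("CRA", "Annex I", "vulnerability handling obligations")
CUST_Q = Requirement("Customer questionnaire", "Q-17", "remediation SLAs for critical findings")
REQUIREMENTS = (ISO_VULN, NIS2_VULN, NIS2_SUPPLY, CRA_VULN, CUST_Q)

# One vulnerability management control mapped to several obligations.
VULN_MGMT = Control(
    control_id="VM-01",
    description="Dependency and image scanning with severity-based remediation SLAs",
    implemented_in="CI scan stage + ticketing SLA policy",
    owner="Platform security",
    satisfies=(ISO_VULN, NIS2_VULN, CRA_VULN, CUST_Q),
    evidence=(
        Evidence("scan-report.json", "CI scan job", max_age_days=7, age_days=2),
        Evidence("sla-breach-report.csv", "ticketing export", max_age_days=30, age_days=45),
    ),
)
CONTROLS = (VULN_MGMT,)


def _covered(controls: tuple[Control, ...]) -> set[Requirement]:
    return {r for c in controls for r in c.satisfies}


def coverage_by_framework(controls, requirements) -> dict[str, tuple[int, int]]:
    """Per framework: (requirements satisfied by at least one control, total)."""
    covered = _covered(controls)
    tally: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for r in requirements:
        tally[r.framework][1] += 1
        if r in covered:
            tally[r.framework][0] += 1
    return {fw: (hit, total) for fw, (hit, total) in tally.items()}


def uncovered(controls, requirements) -> list[Requirement]:
    """Requirements no control claims: the crosswalk's gaps, to be closed or justified."""
    covered = _covered(controls)
    return [r for r in requirements if r not in covered]


def stale_evidence(controls) -> list[tuple[str, str]]:
    """Artefacts past their freshness bound: the control is mapped but not currently proven."""
    return [(c.control_id, e.name) for c in controls
            for e in c.evidence if e.age_days > e.max_age_days]


def evidence_for(controls, requirement: Requirement) -> list[str]:
    """Artefacts that answer one obligation; the same list serves regulator, customer or tender."""
    return sorted({e.name for c in controls if requirement in c.satisfies for e in c.evidence})


def trace(control: Control) -> list[str]:
    """Law -> control -> process -> evidence, one line per mapped requirement."""
    artefacts = ", ".join(e.name for e in control.evidence)
    return [f"{r.framework} {r.ref} -> {control.control_id} ({control.implemented_in})"
            f" -> {control.owner} -> {artefacts}" for r in control.satisfies]


if __name__ == "__main__":
    print(coverage_by_framework(CONTROLS, REQUIREMENTS))
    print("gaps:", [(r.framework, r.ref, r.summary) for r in uncovered(CONTROLS, REQUIREMENTS)])
    print("stale:", stale_evidence(CONTROLS))
    print("\n".join(trace(VULN_MGMT)))
```

The two checks that matter for "proven continuously" are `uncovered` (an obligation with no control behind it) and `stale_evidence` (a control whose artefact has not been regenerated within its bound); in practice both would run in the same pipeline that produces the artefacts, so the crosswalk fails loudly when the evidence stops flowing rather than at the next audit.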

Maintaining Crosswalks Over Time

Crosswalks are kept current through:

  • Change management integration

  • Architecture updates

  • Pipeline evolution

  • Regulatory updates

They are living artefacts, not static spreadsheets.

Key Takeaway

Compliance scales when controls are engineered once, mapped correctly, and proven continuously.

Crosswalks turn regulatory complexity into a manageable, auditable operating model.