Built-in control library

Overview of Nuxari's built-in controls mapped to SOC 2 and ISO 27001, control categories, statuses, and how evidence drives control progress.

Last updated: June 2026

Control statuses reflect the evidence you have collected and accepted. Nuxari does not mark controls as compliant or audit-ready on your behalf — you drive this by collecting, reviewing, and accepting evidence.

What the control library is

The built-in control library is a set of pre-structured controls that map operational activities to SOC 2 Trust Services Criteria and ISO 27001 Annex A categories. Each control specifies what evidence is required, which policies must be approved, and what risks must be treated before it can reach a ready state.

Controls are not self-certifying. A control status of "ready for audit" reflects that all required evidence has been collected, reviewed, and accepted within Nuxari — not that an external auditor has validated it.

Control categories

Access Control

SOC 2 CC6, ISO 27001 A.8.2–A.8.5

Access reviews completed, RBAC enforced, privileged access managed with PIM, offboarding access revocation.

Audit and Accountability

SOC 2 CC7, ISO 27001 A.8.15

Audit log retained, log access monitored, evidence of all significant platform actions.

Incident Response

SOC 2 CC7.3–CC7.5, ISO 27001 A.5.24–A.5.28

Incident response policy approved, incident records documented, post-incident review completed.

Availability

SOC 2 A1, ISO 27001 A.8.6

System uptime monitoring active, connector health tracked, edge agent heartbeat current.

Vendor Management

SOC 2 CC9.2, ISO 27001 A.5.19–A.5.22

Vendor register maintained, DPA signed for data-handling vendors, vendor risk reviews completed on schedule.

AI Governance

Emerging frameworks

AI usage logged, AI recommendations reviewed before execution, AI bypass attempts audited.

Control statuses

Every control in the library has one of the following statuses, driven by evidence completeness:

Not started

The control has not been configured or assigned an owner.

Designed

The control has a defined approach, assigned owner, and linked policy — but no evidence has been collected yet.

Implemented

The control is actively operating. Initial evidence has been collected.

Operating

The control has been operating for a sustained period with consistent evidence.

Ready for audit

All required evidence is accepted, policies are approved, risks are treated, and the control is ready to present to an external auditor.

Blocked

One or more blockers prevent progress: missing owner, unaccepted evidence, unapproved policy, unresolved high risk, or overdue review.

How evidence drives control status

Each control has a defined list of required evidence items. As you collect and accept each item, the control moves forward:

  • Evidence that is collected and accepted advances the control toward Operating or Ready for audit.
  • Expired evidence (past its renewal date) reverts the control and triggers a blocked state.
  • An unapproved required policy blocks the control regardless of evidence status.
  • A high or critical unresolved risk mapped to a control blocks its readiness until treated.
