CIS, SOC 2 & ISO 27001 compliance mapping
Every Noxen finding maps to one or more controls in CIS Controls v8, the SOC 2 Trust Services Criteria, and ISO 27001:2022 Annex A. Use the export as an evidence supplement for an auditor, not as a certification claim.
Read this first
Noxen does not certify your fleet. The compliance mapping is a cross-reference: "this finding relates to these controls" — useful evidence that your vulnerability-management process is producing artefacts your auditor will recognise. Your auditor still drives the actual assessment, and many controls require evidence from sources Noxen doesn't see (HR processes, change management, encryption-at-rest configurations, etc.).
Enable the mapping
Settings → Compliance → Include mapping on exports. With the toggle on, every PDF / CSV / NDJSON export adds a compliance-references column or appendix; it's a no-op for formats that don't support extra columns (Slack/Discord webhooks).
What's mapped
CVE findings → CIS Controls v8
- 7.3 Perform Automated Operating System Patch Management — every CVE finding cites this. The finding's existence is evidence that the gap was detected; the remediation column shows what would close it.
- 7.4 Perform Automated Application Patch Management — additional cite for CVEs in non-OS packages (third-party software, container-bundled libraries).
- 7.7 Remediate Detected Vulnerabilities — cited together with the finding's lifecycle status (open / in-progress / resolved), so the same row also shows whether the gap has been closed.
Exposed admin surfaces → CIS, SOC 2, ISO
- CIS 4.4 Implement and Manage a Firewall on Servers — applies when the surface is reachable from outside the host's expected network boundary.
- CIS 12.6 Use of Secure Network Management and Communication Protocols — applies for plaintext admin protocols (HTTP-only Grafana, unencrypted Redis).
- SOC 2 CC6.1 Logical and Physical Access Controls — every unauthenticated admin surface is a CC6.1 deficiency.
- ISO 27001:2022 A.8.20 Network Security + A.8.21 Security of Network Services.
Weak TLS → CIS, SOC 2, ISO
- CIS 3.10 Encrypt Sensitive Data in Transit — TLS 1.0/1.1, weak ciphers, expiring certs all cite this.
- SOC 2 CC6.7 Restrict the Transmission of Data and CC7.1 Detect Configuration Changes.
- ISO 27001:2022 A.8.24 Use of Cryptography.
Missing security headers → mostly informational
These don't map cleanly to most compliance frameworks (CIS doesn't cover web-app headers; SOC 2 and ISO only reach them indirectly through "secure configuration" controls). Noxen adds the indirect cites where they apply, but treat header gaps as a hygiene finding rather than a compliance one: an auditor is unlikely to accept a missing header as evidence on its own.
CSV format
With compliance enabled, the CSV gains three columns:
cis_v8_controls,soc2_tsc_controls,iso_27001_2022_controls
"7.3, 7.4, 7.7","CC6.1, CC7.1","A.8.8, A.8.20"
"4.4, 12.6","CC6.1","A.8.20, A.8.21"
Controls are comma-separated within each cell, and the cell is RFC 4180 quoted because of the embedded commas, since one finding can map to multiple controls in the same framework. Pivot tables and SQL imports usually want one row per (finding, control) pair instead; split the cells into that long format downstream rather than parsing the quoted cell by hand.
PDF appendix
The PDF report adds a final appendix per host: a table of findings × controls. For an auditor this is the most useful view — it organises by control rather than by finding, so you can answer "what evidence do I have for ISO A.8.20?" with one lookup.
NDJSON enrichment
NDJSON exports add a compliance object to each finding event:
"compliance": {
"cis_v8": ["7.3", "7.4", "7.7"],
"soc2": ["CC6.1", "CC7.1"],
"iso_27001_2022": ["A.8.8", "A.8.20"]
}
Useful for SIEM dashboards that group by control rather than by severity (e.g. in Splunk: count CIS 7.3 findings by host over the last 30 days). The arrays are already split per framework, so no cell parsing is needed on the SIEM side.
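The long-format split the CSV section calls for, the "organised by control" lookup the PDF appendix provides, and the "count CIS 7.3 findings by host over the last 30 days" query above all reduce to the same operation: explode each finding into one row per (host, finding, framework, control) and then filter on the control. The script below is an added example, not Noxen's code. The three compliance column names, the NDJSON compliance object and the cell format are as documented; the host, finding and detected_at fields, the SAMPLE_NOW clock and all sample rows are constructed assumptions.

```python
"""Added example (not Noxen's code): normalise Noxen compliance exports into
long format and answer control-centric questions over the result.

Assumptions not taken from the page: CSV rows carry "host" and "finding"
columns ahead of the three documented compliance columns; NDJSON events carry
"host", "finding" and an ISO-8601 "detected_at" beside the documented
"compliance" object. All sample data below is constructed.
"""
import csv
import io
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# CSV column name (documented) -> key in the NDJSON compliance object (documented).
FRAMEWORK_COLUMNS = {
    "cis_v8_controls": "cis_v8",
    "soc2_tsc_controls": "soc2",
    "iso_27001_2022_controls": "iso_27001_2022",
}

# Constructed sample CSV export; only the compliance columns follow the page.
SAMPLE_CSV = """host,finding,cis_v8_controls,soc2_tsc_controls,iso_27001_2022_controls
web-01,f-101,"7.3, 7.4, 7.7","CC6.1, CC7.1","A.8.8, A.8.20"
web-01,f-102,"4.4, 12.6","CC6.1","A.8.20, A.8.21"
db-02,f-103,"7.3, 7.7","CC6.1, CC7.1","A.8.8"
"""

# Constructed sample NDJSON export; only the compliance object follows the page.
SAMPLE_NDJSON = """\
{"host": "web-01", "finding": "f-101", "detected_at": "2024-05-20T10:00:00Z", "compliance": {"cis_v8": ["7.3", "7.4", "7.7"], "soc2": ["CC6.1", "CC7.1"], "iso_27001_2022": ["A.8.8", "A.8.20"]}}
{"host": "web-01", "finding": "f-102", "detected_at": "2024-05-22T10:00:00Z", "compliance": {"cis_v8": ["4.4", "12.6"], "soc2": ["CC6.1"], "iso_27001_2022": ["A.8.20", "A.8.21"]}}
{"host": "db-02", "finding": "f-103", "detected_at": "2024-03-01T10:00:00Z", "compliance": {"cis_v8": ["7.3", "7.7"], "soc2": ["CC6.1", "CC7.1"], "iso_27001_2022": ["A.8.8"]}}
"""

# Fixed "now" so the 30-day window in the example is deterministic (assumption).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def split_cell(cell):
    """'7.3, 7.4, 7.7' -> ['7.3', '7.4', '7.7']; an empty or missing cell yields nothing."""
    return [c.strip() for c in (cell or "").split(",") if c.strip()]


def csv_to_long(text):
    """Explode the wide CSV into one row per (host, finding, framework, control).
    csv.DictReader undoes the RFC 4180 quoting, so the embedded commas are safe."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        for column, framework in FRAMEWORK_COLUMNS.items():
            for control in split_cell(rec.get(column)):
                rows.append({"host": rec["host"], "finding": rec["finding"],
                             "framework": framework, "control": control,
                             "detected_at": None})
    return rows


def ndjson_to_long(text):
    """Same long format from NDJSON events, keeping the detection timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["detected_at"].replace("Z", "+00:00"))
        for framework, controls in ev.get("compliance", {}).items():
            for control in controls:
                rows.append({"host": ev["host"], "finding": ev["finding"],
                             "framework": framework, "control": control,
                             "detected_at": ts})
    return rows


def to_long_csv(rows):
    """Serialise long-format rows for a pivot table or SQL import."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host", "finding", "framework", "control"])
    for r in rows:
        writer.writerow([r["host"], r["finding"], r["framework"], r["control"]])
    return out.getvalue()


def evidence_for(rows, framework, control):
    """The auditor's question ('what evidence do I have for ISO A.8.20?'):
    every (host, finding) pair whose mapping cites that control."""
    return sorted({(r["host"], r["finding"]) for r in rows
                   if r["framework"] == framework and r["control"] == control})


def count_by_host(rows, framework, control, now, days=30):
    """The SIEM question: findings per host citing a control, detected in the last `days` days."""
    since = now - timedelta(days=days)
    return Counter(r["host"] for r in rows
                   if r["framework"] == framework and r["control"] == control
                   and r["detected_at"] is not None and r["detected_at"] >= since)


if __name__ == "__main__":
    print(to_long_csv(csv_to_long(SAMPLE_CSV)))
    print("ISO A.8.20 evidence:", evidence_for(csv_to_long(SAMPLE_CSV), "iso_27001_2022", "A.8.20"))
    print("CIS 7.3 by host, last 30 days:", count_by_host(ndjson_to_long(SAMPLE_NDJSON), "cis_v8", "7.3", SAMPLE_NOW))
```

The one thing worth noting in the design: both loaders emit the same row shape, so the lookup and counting functions don't care which export they were fed. Feeding the CSV into count_by_host returns nothing, because the CSV carries no detection timestamp; use the NDJSON export for anything time-windowed.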
What's not covered
Control areas that deal with physical security (CIS 1.x asset inventory of physical hardware), HR controls (SOC 2 CC1.x), board/governance items (SOC 2 CC2.x), or encryption-at-rest configurations (Noxen doesn't probe block-device encryption) aren't in Noxen's mapping. Those need separate evidence sources.