Jason Reeder
ISO 27001 Just Got the Same Treatment as SOC2

March 29, 2026

Three months ago, I introduced “The Deterministic SOC2 API.” The response was silence, then traffic, then Google ranking, then the AI Overview citing my articles as the definitive source on deterministic decision logs.

But one question kept surfacing in the way people searched.

They searched for “ISO 27001 decision logs.” They searched for “multi‑framework audit trails.” They searched for “how to prove AI decisions comply with both SOC2 and ISO.”

They had the same problem in a different framework.

Today, that gap closes.

The Multi‑Framework Reality

Companies running parallel compliance programs know the pain. You have SOC2 for your US customers. You have ISO 27001 for your European contracts. You have overlapping controls, separate audits, duplicate evidence.

The same access control decision that satisfies SOC2 CC6.1 also satisfies ISO 27001 A.9.2.1. The same change management decision that satisfies SOC2 CC7.1 also satisfies ISO 27001 A.12.1.2.

But until now, no single system captured both.

One API call. One decision. Two framework citations.

What a Multi‑Framework Decision Looks Like

Here’s a real example from our API, updated today:

Input (a privileged access request):

```json
{
  "scenario_summary": "Emergency production access",
  "observed_signals": ["admin added to IAM role", "no change ticket found"],
  "known_context": ["incident response active", "on-call engineer approved"]
}
```

Output (simplified):

```json
{
  "decision_posture": "proceed",
  "confidence": 75,
  "compliance_references": [
    "SOC2 CC6.1 - Logical Access Security",
    "SOC2 CC7.2 - System Monitoring",
    "ISO27001 A.9.2.1 - User Access Provisioning",
    "ISO27001 A.12.4.1 - Event Logging"
  ],
  "decision_rationale": "Emergency access requested during active incident. On-call approval present. SOC2 CC6.1 requires access controls; exception granted due to incident. ISO 27001 A.9.2.1 requires documented access provisioning; emergency deviation logged. Monitoring will capture any anomalous activity post-access.",
  "clarifying_question": null
}
```

This is not evidence collection. This is decision‑level audit across multiple frameworks.

  • One decision
  • Two frameworks
  • Four control citations
  • Full rationale
  • Deterministic, replayable, verifiable

Why This Matters for ISO 27001

ISO 27001 requires an Information Security Management System (ISMS) that is risk‑based, documented, and continuously improved. The standard’s Annex A controls (A.5 through A.18) cover everything from access control to incident management.

What ISO 27001 auditors actually look for:

| Control | What They Want | Your API Provides |
| --- | --- | --- |
| A.9.2.1 (User access provisioning) | Proof that access decisions followed policy | Deterministic logs with access signal mapping |
| A.12.1.2 (Change management) | Evidence that changes were reviewed and approved | Decision rationale with change signal detection |
| A.12.4.1 (Event logging) | Tamper-proof record of security events | Deterministic, replayable decision logs |
| A.8.1.1 (Asset inventory) | Visibility into what systems are being protected | Asset-related signals mapped to control |
| A.5.1.1 (Information security policies) | Proof that controls align with documented policies | Decision rationale cites policy where applicable |

No compliance platform captures these at the decision level. No one.

The Overlap That Saves Months

The same input signals that map to SOC2 CC6.1 map directly to ISO 27001 A.9.2.1. The same change management signals map to SOC2 CC7.1 and ISO 27001 A.12.1.2.

This is not a coincidence. The frameworks were designed to be complementary. But the tools that implement them treat them as separate.

One API. One decision. Two frameworks. No duplication.
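To make "one decision, two framework citations" and "deterministic, replayable, verifiable" concrete, here is an added example that is not the Decision Security Layer API's code: a hypothetical signal-to-control table that emits both SOC2 and ISO 27001 citations for one decision, and an auditor-side replay check that re-derives the citations from the stored input and recomputes a canonical SHA-256 digest. The control pairings are the ones the post gives; the keyword lists, the `input` and `digest` fields, and the digest scheme are assumptions.

```python
import hashlib
import json
# Constructed mapping: each signal family cites both frameworks at once. The
# control pairings are the ones the post gives; the keyword lists are assumed.
CONTROL_MAP = {
    "access": ("SOC2 CC6.1 - Logical Access Security",
               "ISO27001 A.9.2.1 - User Access Provisioning"),
    "change": ("SOC2 CC7.1 - Change Management",
               "ISO27001 A.12.1.2 - Change Management"),
    "monitoring": ("SOC2 CC7.2 - System Monitoring",
                   "ISO27001 A.12.4.1 - Event Logging"),
}
KEYWORDS = {"access": ("iam", "role", "admin"), "change": ("change ticket", "deploy"),
            "monitoring": ("alert", "monitor")}
SAMPLE_REQUEST = {  # constructed sample: the post's privileged access request
    "scenario_summary": "Emergency production access",
    "observed_signals": ["admin added to IAM role", "no change ticket found"],
    "known_context": ["incident response active", "on-call engineer approved"],
}

def compliance_references(signals):
    """Cite both frameworks for every matched family; dedupe, keep table order."""
    refs = []
    for signal in signals:
        text = signal.lower()
        for fam, words in KEYWORDS.items():
            if any(w in text for w in words):
                for ref in CONTROL_MAP[fam]:
                    if ref not in refs:
                        refs.append(ref)
    return refs

def canonical_digest(record):
    """SHA-256 over canonical JSON (sorted keys, no whitespace), immune to serialisation quirks."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def build_record(request, posture, confidence, rationale):
    """One decision, one log entry, citations for both frameworks, sealed by a digest."""
    record = {"input": request, "decision_posture": posture, "confidence": confidence,
              "compliance_references": compliance_references(request["observed_signals"]),
              "decision_rationale": rationale}
    record["digest"] = canonical_digest(record)  # computed before the field exists
    return record

def verify(record):
    """Auditor replay: re-derive citations from the stored input, recompute the digest."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return (compliance_references(body["input"]["observed_signals"]) == body["compliance_references"]
            and canonical_digest(body) == record["digest"])
```

Because `verify` replays the mapping rather than trusting the stored list, a record whose posture, rationale or citations were edited after the fact fails the check, which is the property an auditor needs from a "tamper-proof" decision log.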

What This Means for Compliance Teams

If you’re running SOC2 and ISO 27001 in parallel:

  • You no longer need separate evidence collection
  • You no longer need separate audit trails
  • You no longer need to explain to auditors why the same decision appears in two different systems

Your auditors see one record: the decision, the rationale, the control mapping for both frameworks, all in one place.

What This Means for Engineering Teams

If you’re building systems that need to comply with both frameworks:

  • You call one API
  • You get back compliance references for both frameworks
  • You store one log entry
  • You satisfy two audit requirements

That’s not efficiency. That’s leverage.

What This Means for the Market

The shift from single‑framework to multi‑framework compliance is accelerating. Companies don’t just need SOC2. They need SOC2 + ISO 27001 + HIPAA + FedRAMP.

The platforms that treat each framework as a separate module are falling behind.

We treat frameworks as mappings. One API. Infinite frameworks. One price.

What’s Next

The API now returns both SOC2 and ISO 27001 references. HIPAA, FedRAMP, and cyber insurance controls are in development.

The lattice is growing.

If you’re running parallel compliance programs and wondering why your decision logs don’t cover both frameworks — now you know.

It’s not that it’s hard. It’s that no one built it. Until now.

Founder & CEO, Decision Security Layer
decseclayer@gmail.com
API Docs

#ISO27001 #SOC2 #compliance #multi-framework #deterministic #API
