---
title: Troubleshooting & FAQ
description: Frequently asked questions and troubleshooting for frameworks in Tidal Control
sidebar_position: 3
---

Troubleshooting & FAQ

Frequently Asked Questions

Which framework should I choose for my organization?

Choose based on your industry and goals:

For general information security maturity:

  • ISO 27001 - Broadly applicable, internationally recognized, certifiable
  • NIST Cybersecurity Framework - Flexible, practical, no certification required
  • CIS Controls - Concrete implementation guidance, priority-based

For specific compliance requirements:

  • GDPR - Recommended when processing EU personal data
  • SOC 2 - Essential for SaaS providers and cloud services with customers in the USA
  • NIS 2 - Mandatory for critical sectors (energy, transport, finance)
  • EU AI Act - Recommended when developing or using AI systems

For different organization sizes:

  • Startups/SMB - Start with ISO 27001, CIS Controls or NIST Framework
  • Expansion to the US - SOC 2, for reporting to customers on how controls have operated historically
  • Large organizations - Combination of ISO 27001 + sector-specific frameworks

Strategic considerations:

  • Customer requirements - Which certification do your customers ask for?
  • Industry standards - What is common in your industry?
  • Audit planning - When do you want to be certified?
  • Resource availability - How much time and expertise do you have?

Tip - Start strategy: Begin with the framework that has the highest business priority. Add overlapping frameworks later for maximum efficiency through control reuse.

How do I determine which controls to link to which requirements?

Systematic approach for control mapping:

First, conduct a requirements analysis:

  1. Read requirements completely - Understand what exactly is being asked
  2. Identify keywords - Which activities, processes or assets?
  3. Determine scope - What falls within/outside these requirements?
  4. Check dependencies - Which other requirements are related?

Control assessment:

  • Functionality match - Does the control do what the requirement asks?
  • Scope coverage - Does the control cover the complete requirement?
  • Evidence quality - Can the control provide adequate proof?
  • Operational maturity - Is the control actually implemented?

Check the mapping:

  • One-to-one mapping - Ideally one control covers one requirement completely
  • No gaps - All aspects of the requirement are covered
  • No overlap - Avoid duplicate controls for the same requirement
  • Evidence matches - The evidence shows that the requirement is met

Can I use the same control for multiple frameworks?

Yes, this is exactly the power of Tidal Control - maximum reuse efficiency.

Cross-framework mapping benefits:

  • Efficiency - Implement once, comply with multiple standards
  • Consistent quality - Same control standards across frameworks
  • Centralized governance - One control owner for multiple compliance requirements
  • Cost efficiency - Less duplication of effort and resources

How to identify reuse:

  1. Compare requirements - Look for similar requirements between frameworks
  2. Control inventory - Which controls are broadly applicable?
  3. Gap analysis - Where are universally applicable controls missing?
  4. Strategic mapping - Plan control architecture for multiple frameworks

Practical reuse examples:

Firewall Management Control can cover:

  • ISO 27001: A.13.1.1 (Network controls)
  • SOC 2: CC6.1 (Logical access)
  • NIST: AC-4 (Information flow enforcement)
  • CIS Control 12 (Network monitoring)

Backup & Recovery Control can cover:

  • ISO 27001: A.12.3.1 (Information backup)
  • SOC 2: CC6.2 (Availability)
  • NIST: CP-9 (Information system backup)
  • NIS 2: Backup requirements
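
The "Check the mapping" rules (no gaps, no overlap) and the reuse examples above can be verified mechanically once the control links are written down. The following is an added example, not Tidal Control code or its data model: the link table reuses the identifiers listed above, while the "Perimeter ACL Review" control, the in-scope requirement list and `PLACEHOLDER-REQ` are constructed for illustration.

```python
from collections import defaultdict

# Control -> (framework, requirement) links, from the reuse examples above.
LINKS = {
    "Firewall Management": [("ISO 27001", "A.13.1.1"), ("SOC 2", "CC6.1"),
                            ("NIST", "AC-4"), ("CIS", "Control 12")],
    "Backup & Recovery": [("ISO 27001", "A.12.3.1"), ("SOC 2", "CC6.2"),
                          ("NIST", "CP-9"), ("NIS 2", "Backup requirements")],
    # Constructed: a second control linked to an already covered requirement.
    "Perimeter ACL Review": [("ISO 27001", "A.13.1.1")],
}
# Constructed in-scope list; PLACEHOLDER-REQ stands for an unlinked requirement.
SCOPE = {"ISO 27001": ["A.12.3.1", "A.13.1.1", "PLACEHOLDER-REQ"],
         "SOC 2": ["CC6.1", "CC6.2"]}

def by_requirement(links):
    """Invert control -> requirements into requirement -> controls."""
    index = defaultdict(list)
    for control, reqs in links.items():
        for req in reqs:
            index[req].append(control)
    return index

def check_mapping(links, scope):
    """Return (gaps, overlaps) for every in-scope requirement."""
    index = by_requirement(links)
    in_scope = [(fw, r) for fw, reqs in scope.items() for r in reqs]
    gaps = [req for req in in_scope if not index.get(req)]
    overlaps = {req: sorted(index[req]) for req in in_scope
                if len(index.get(req, [])) > 1}
    return gaps, overlaps

def reused(links):
    """Controls linked to more than one framework, with those frameworks."""
    out = {}
    for control, reqs in links.items():
        frameworks = sorted({fw for fw, _ in reqs})
        if len(frameworks) > 1:
            out[control] = frameworks
    return out

if __name__ == "__main__":
    gaps, overlaps = check_mapping(LINKS, SCOPE)
    print("gaps:", gaps)
    print("overlaps:", overlaps)
    print("reused:", reused(LINKS))
```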

Why don't my progress percentages match?

Understanding progress calculation:

"Assigned" percentage:

  • Numerator: Number of controls with owners assigned
  • Denominator: Total number of controls linked to framework
  • Update trigger: When owners are assigned/changed

"Implemented" percentage:

  • Numerator: Number of controls with OK status (all tasks completed and tests 'passed')
  • Denominator: Total number of controls linked to framework
  • Update trigger: When tasks or tests change status

"Audited" percentage:

  • Numerator: Number of completed assessment tasks
  • Denominator: Total number of assessment tasks from controls linked to framework
  • Update trigger: When assessment tasks are marked as "Closed"

Common percentage discrepancies:

Implemented percentage too low:

  • Outstanding tasks - Check task status in controls page
  • Wrong task type - Assessment tasks don't count for Implemented

Audited percentage too low:

  • Assessment tasks missing - Create one or more assessment tasks for linked controls
  • Open assessments - Assessment tasks are started but not completed

Inconsistent ratios:

  • Implemented > Assigned - Controls without owners but with completed tasks. This occurs especially during initial implementation and when manual tasks are used.
  • Audited > Implemented - Assessments done before implementation completed
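
The three calculations and the discrepancy causes above can be reproduced on a small control list. This is an added example, not Tidal Control's own code: the `Control` fields, the sample controls and owners are constructed, and it assumes a control with no regular tasks counts as OK when its tests pass.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Control:
    name: str
    owner: Optional[str]       # None = no owner assigned
    tasks_done: list           # one bool per regular task (completed?)
    assessments_closed: list   # one bool per assessment task ("Closed"?)
    tests_passed: bool = True

def is_ok(c):
    # Assessment tasks are kept separate: they do not count for Implemented.
    return c.tests_passed and all(c.tasks_done)

def pct(n, d):
    return round(100 * n / d) if d else 0

def progress(controls):
    assess = [a for c in controls for a in c.assessments_closed]
    return {
        "assigned": pct(sum(1 for c in controls if c.owner), len(controls)),
        "implemented": pct(sum(1 for c in controls if is_ok(c)), len(controls)),
        # Audited uses assessment tasks, not controls, as its denominator.
        "audited": pct(sum(1 for a in assess if a), len(assess)),
    }

def diagnose(controls):
    """Return (control, cause) pairs for the discrepancy causes listed above."""
    notes = []
    for c in controls:
        checks = [
            (is_ok(c) and not c.owner, "OK status but no owner"),
            (not all(c.tasks_done), "outstanding tasks"),
            (not c.assessments_closed, "assessment task missing"),
            (not all(c.assessments_closed), "open assessment"),
            (any(c.assessments_closed) and not is_ok(c),
             "assessed before implementation completed"),
        ]
        notes += [(c.name, cause) for hit, cause in checks if hit]
    return notes

CONTROLS = [  # constructed sample data
    Control("Firewall Management", "alice", [True], [True]),
    Control("Backup & Recovery", None, [True], []),
    Control("Access Review", "bob", [True, False], [True]),
    Control("Logging", None, [True], [False]),
]

if __name__ == "__main__":
    print(progress(CONTROLS))
    for name, cause in diagnose(CONTROLS):
        print(f"{name}: {cause}")
```

With this sample, Implemented exceeds Assigned because two ownerless controls already have all tasks completed.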

Come across an issue we haven't covered?

Send an email to support@tidalcontrol.com, and we'll get in touch as soon as possible.

Info - Gathering support info: Note which browser you're using, the exact error messages, and which steps you've already tried. This significantly speeds up resolution.