Manage governance, risk, and compliance across SOC 2, ISO 27001, PCI DSS, NIST CSF, CMMC, HIPAA, CIS Controls, and NIST 800-171 from a single platform. One unified assessment engine maps 146 questions to every framework simultaneously — so you answer once and get compliance scores everywhere.
The unified assessment engine contains 146 questions organized across 14 security domains. Each question maps to requirements across all 8 supported compliance frameworks. Answer once, and Fair TPRM automatically calculates compliance percentages for every framework — eliminating duplicate assessments and redundant compliance work.
Every question belongs to a security domain, and every domain maps to controls across all 8 frameworks. Here are six of the fourteen domains included in the assessment engine.
12 questions covering security program leadership, strategy, budget allocation, board reporting, and organizational risk appetite. Establishes the foundation for a mature security program.
14 questions covering user account lifecycle, authentication mechanisms, privileged access controls, access reviews, and separation of duties across systems and environments.
12 questions covering data classification, encryption at rest and in transit, privacy controls, data loss prevention, retention policies, and cross-border data transfer safeguards.
21 questions covering firewalls, network segmentation, secure development lifecycle, API security, web application firewalls, and penetration testing across infrastructure and applications.
12 questions covering SIEM deployment, centralized logging, continuous monitoring, vulnerability scanning, threat detection, and security operations center capabilities.
19 questions covering backup procedures, disaster recovery planning, regulatory compliance tracking, audit readiness, business impact analysis, and recovery time objectives.
Plus 8 more domains covering endpoints, incident management, supply chain, physical security, HR, and cryptography.
Fair TPRM uses a NIST CSF-aligned maturity model with four tiers to evaluate security program maturity across all 14 domains. Each domain receives a maturity score based on assessment responses, and scores are visualized on a radar chart for at-a-glance comparison. Historical trend tracking lets you measure improvement over time.
Every assessment question is mapped to requirements across these 8 compliance frameworks. Complete one assessment and see your compliance posture across all of them.
| Framework | Version | Mapped Questions |
|---|---|---|
| NIST CSF 2.0 | 2.0 | 146 |
| ISO/IEC 27001 | 2022 | 146 |
| SOC 2 Type II | 2017 | 146 |
| PCI DSS | 4.0 | 132 |
| CMMC / NIST 800-171 | v2.0 | 97 |
| CIS Controls | v8 | 95 |
| NIST SP 800-171 | Rev 2 | 90 |
| HIPAA Security Rule | 2013 | 61 |
Attach evidence files directly to controls and assessment responses. All evidence is encrypted at rest using AES-256-CBC and protected in transit by TLS 1.3. Track evidence freshness with automated expiry dates, and manage the full evidence lifecycle through four statuses — Current, Expired, Superseded, and Draft — so auditors always know which artifacts are authoritative.
Beyond assessments and evidence, Fair TPRM provides a full suite of GRC capabilities — controls, crosswalks, policies, audits, risk registers, and continuous monitors — all in one platform.
Document security measures, map controls to framework requirements across multiple standards, track implementation status and effectiveness. Each control links to evidence and assessment responses.
Compare coverage between frameworks. See how SOC 2 compliance maps to ISO 27001, identify gaps, and eliminate redundant compliance work with side-by-side requirement mapping.
Full policy lifecycle from draft through review, approval, publication, and retirement. Version tracking and periodic review scheduling ensure policies stay current and auditable.
Plan audits, execute fieldwork, record findings with severity ratings, assign remediation tasks, and track closure through to verified resolution. Complete audit trail from planning to close-out.
Track organizational risks with likelihood/impact scoring on a 1–25 scale. Link risks to controls, set treatment strategies (Accept, Mitigate, Transfer, Avoid), and monitor residual risk over time.
Automated compliance checks running hourly, daily, weekly, or monthly. Link monitors to controls and track pass/fail history over time to demonstrate continuous compliance to auditors.
Fair TPRM calculates compliance percentages using a transparent, auditable formula. Conforming requirements receive 100% weight, partially conforming requirements receive 50% weight, non-conforming requirements receive 0% weight, and requirements marked as not applicable are excluded from the denominator entirely. The result is a clear, defensible compliance score for every framework.
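The scoring rule above (full weight for conforming, half for partially conforming, zero for non-conforming, not-applicable excluded from the denominator) combined with the answer-once-score-everywhere idea from the unified assessment engine can be written down in a few lines. The following is an added example, not Fair TPRM's own code; the question IDs, the question-to-framework mapping and the responses are constructed here for illustration, and the handling of a framework whose mapped questions are all not applicable (no score rather than a division by zero) is an assumption about sensible behaviour, not something the page specifies.

```python
from enum import Enum
from typing import Dict, Iterable, Mapping, Optional, Set


class Status(Enum):
    """Possible responses to an assessment requirement."""
    CONFORMING = "conforming"
    PARTIAL = "partially_conforming"
    NON_CONFORMING = "non_conforming"
    NOT_APPLICABLE = "not_applicable"


# Weights as described: 100%, 50%, 0%. N/A carries no weight and is
# excluded from the denominator, so it is deliberately absent here.
WEIGHTS = {
    Status.CONFORMING: 1.0,
    Status.PARTIAL: 0.5,
    Status.NON_CONFORMING: 0.0,
}


def compliance_score(statuses: Iterable[Status]) -> Optional[float]:
    """Return the weighted compliance percentage (rounded to 0.1).

    Not-applicable requirements are skipped entirely, so they neither add
    to the numerator nor count in the denominator. If every mapped
    requirement is N/A there is nothing to score and None is returned
    (assumed behaviour; the page does not say what the product shows here).
    """
    numerator = 0.0
    denominator = 0
    for status in statuses:
        if status is Status.NOT_APPLICABLE:
            continue
        numerator += WEIGHTS[status]
        denominator += 1
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)


def framework_scores(
    responses: Mapping[str, Status],
    mapping: Mapping[str, Set[str]],
) -> Dict[str, Optional[float]]:
    """Fan one set of answers out to every framework each question maps to.

    Each framework is scored only over the questions mapped to it, so a
    single response set yields one score per framework.
    """
    per_framework: Dict[str, list] = {}
    for question_id, status in responses.items():
        for framework in mapping.get(question_id, ()):
            per_framework.setdefault(framework, []).append(status)
    return {fw: compliance_score(st) for fw, st in per_framework.items()}


# Constructed sample data (hypothetical question IDs and mappings, not the
# product's real 146-question catalogue).
QUESTION_FRAMEWORKS: Dict[str, Set[str]] = {
    "Q1": {"SOC 2", "ISO 27001", "PCI DSS"},
    "Q2": {"SOC 2", "ISO 27001"},
    "Q3": {"SOC 2", "ISO 27001", "PCI DSS", "HIPAA"},
    "Q4": {"ISO 27001", "PCI DSS"},
    "Q5": {"HIPAA"},
    "Q6": {"CMMC"},
}

RESPONSES: Dict[str, Status] = {
    "Q1": Status.CONFORMING,
    "Q2": Status.PARTIAL,
    "Q3": Status.NON_CONFORMING,
    "Q4": Status.CONFORMING,
    "Q5": Status.NOT_APPLICABLE,
    "Q6": Status.NOT_APPLICABLE,
}


if __name__ == "__main__":
    for framework, score in sorted(framework_scores(RESPONSES, QUESTION_FRAMEWORKS).items()):
        shown = "no applicable requirements" if score is None else f"{score}%"
        print(f"{framework:<10} {shown}")
```

With the constructed answers, SOC 2 scores 50.0% (1 + 0.5 + 0 over 3), ISO 27001 62.5% (2.5 over 4), PCI DSS 66.7% (2 over 3) and HIPAA 0.0% (its one applicable question is non-conforming, the other is excluded), while CMMC gets no score because its only mapped question was marked not applicable. The point worth checking in any such implementation is that the N/A exclusion happens in the denominator, not just the numerator; treating N/A as a zero-weight answer would silently drag every score down.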
The GRC dashboard provides a single-pane-of-glass view across your entire compliance program. See framework compliance scores as a color-coded heatmap, track control implementation progress, monitor evidence freshness, review open audit findings by severity, check policy review status, verify monitor health, and summarize your risk register — all from one screen.
Because GRC and TPRM share the same platform, compliance scores feed directly into vendor assessments — and vendor risks inform your compliance posture.