Compliance Coverage

GrantFlow is a cloud-native Privileged Access Management (PAM) solution designed to help organizations meet critical security and compliance requirements. This page documents how GrantFlow addresses specific controls from leading regulatory frameworks, making it easier to demonstrate compliance to auditors and stakeholders.

Overview

GrantFlow implements preventive controls that address privileged access management requirements across multiple compliance frameworks. Rather than relying solely on detective controls like session recording, GrantFlow proactively prevents unauthorized access through Just-In-Time provisioning, time-bound grants, mandatory approval workflows, and comprehensive audit trails.

The platform's core capabilities align with these control categories:

Category	Description	GrantFlow Feature
Privileged Access Management	Control over administrative accounts	JIT Activation, Eligibility Management
Least Privilege	Minimal necessary rights	Time-bound Grants, Role-based Access
Access Control	Access restrictions and enforcement	Approval Workflows, Policy Enforcement
Audit & Accountability	Traceability and evidence	Immutable Audit Trail
Access Reviews	Regular verification	Recertification, Eligibility Reviews
Segregation of Duties	Separation of functions	Multi-Approver Workflows

Proactive Security Model

GrantFlow focuses on preventing unauthorized access before it occurs, rather than just recording what happens during sessions. This approach—combining Zero Standing Privileges, JIT Access, and mandatory business justification—addresses the root cause of privileged access risk.

SOC 2 Trust Services Criteria

SOC 2 compliance centers on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. GrantFlow provides strong coverage for the Security (Common Criteria) requirements.

Security Controls

Control	Description	Coverage	Evidence Provided
CC6.1	Logical access security	✅ Complete	JIT activations eliminate standing privileges
CC6.2	Authentication before access	✅ Complete	Entra ID integration, approval workflows
CC6.3	Access rights removal	✅ Complete	Automatic deprovisioning at expiration
CC6.6	Access reviews	✅ Complete	Access reviews, eligibility audits
CC6.7	Privileged access restrictions	✅ Complete	Time-bound grants, business justification
CC7.2	System monitoring	✅ Supported	Audit trail of all privileged actions
CC7.3	Security event evaluation	✅ Supported	Filterable audit events, export capability
CC8.1	Change authorization	⚠️ Partial	Approval workflows for role activations

Audit Evidence

GrantFlow automatically generates the following evidence for SOC 2 audits:

Activation history with timestamps showing exactly when privileged access was granted and revoked
Approval protocols including approver identities and approval timestamps
Business justifications documented for every access request
Deprovisioning logs demonstrating automatic access removal
Eligibility matrix reports showing who has potential access to which resources

ISO 27001:2022 Annex A

ISO 27001 is the international standard for information security management. GrantFlow addresses controls in both the Organizational (A.5) and Technological (A.8) domains.

Organizational Controls (A.5)

Control	Name	Coverage	Customer Benefit
A.5.15	Access Control Policy	✅ Direct	Policy-based access rules enforced automatically
A.5.16	Identity Management	✅ Direct	Unified directory for Entra ID and Active Directory
A.5.17	Authentication Information	✅ Supported	Integration with Entra ID MFA
A.5.18	Access Rights	✅ Direct	JIT provisioning, automatic revocation
A.5.24	Incident Management	⚠️ Supported	Audit logs support incident investigation
A.5.25	Security Event Assessment	⚠️ Supported	Filterable audit events
A.5.28	Evidence Collection	✅ Direct	Immutable audit trail for forensic analysis
A.5.33	Protection of Records	✅ Direct	Append-only audit collections

Technological Controls (A.8)

Control	Name	Coverage	Customer Benefit
A.8.2	Privileged Access Rights	✅ Complete	Core product—JIT, time-bound, approval-based
A.8.3	Information Access Restriction	✅ Direct	Role-based eligibility, policy enforcement
A.8.5	Secure Authentication	✅ Supported	Entra ID integration with MFA support
A.8.10	Information Deletion	✅ Direct	Auto-deprovisioning logs
A.8.15	Logging	✅ Direct	Comprehensive audit trail
A.8.18	Privileged Utility Programs	✅ Direct	Control over admin tools via roles

ISO 27001 Certification Support

GrantFlow provides the technical controls and audit evidence needed to support your organization's ISO 27001 certification. The platform generates documentation demonstrating compliance with Annex A controls related to privileged access management.

NIST 800-53 Rev. 5

NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems. GrantFlow addresses key controls in the Access Control (AC) and Audit and Accountability (AU) families.

Access Control Family

Control	Name	Coverage	Description
AC-2	Account Management	✅ Direct	Account lifecycle, eligibility management
AC-2(2)	Automated Temporary Accounts	✅ Complete	JIT activations with automatic expiration
AC-2(4)	Automated Audit Actions	✅ Complete	Audit events for all account changes
AC-2(6)	Dynamic Privilege Management	✅ Complete	Core feature—time-based privileges
AC-2(7)	Privileged User Accounts	✅ Complete	Dedicated PAM for privileged accounts
AC-3	Access Enforcement	✅ Direct	Policy-based access control
AC-5	Separation of Duties	✅ Supported	Multi-approver workflows
AC-6	Least Privilege	✅ Complete	Time-bound grants, minimal rights
AC-6(1)	Authorize Access to Security Functions	✅ Direct	Eligibility for specific roles
AC-6(2)	Non-privileged Access	✅ Supported	Separate admin/user roles
AC-6(5)	Privileged Accounts	✅ Complete	Restriction to defined roles
AC-6(7)	Review of User Privileges	✅ Direct	Access reviews, recertification
AC-6(9)	Log Use of Privileged Functions	✅ Complete	Audit trail of all activations
AC-6(10)	Prohibit Non-privileged Users	✅ Direct	Eligibility-based access control

Audit and Accountability Family

Control	Name	Coverage
AU-2	Auditable Events	✅ Complete
AU-3	Content of Audit Records	✅ Complete
AU-6	Audit Review and Analysis	✅ Supported
AU-9	Protection of Audit Information	✅ Complete
AU-12	Audit Generation	✅ Complete

CIS Controls v8

The CIS Critical Security Controls provide prioritized cybersecurity best practices. GrantFlow addresses controls in Safeguards 5 (Account Management) and 6 (Access Control Management).

Control	Safeguard	Coverage	Description
5.1	Establish Account Inventory	✅ Direct	Accounts, eligibilities, assignments
5.2	Use Unique Passwords	✅ Supported	Password vault integration (planned)
5.3	Disable Dormant Accounts	✅ Direct	Auto-deprovisioning, access reviews
5.4	Restrict Administrator Privileges	✅ Complete	Core product—JIT admin access
5.5	Establish Service Account Inventory	✅ Direct	Service account management
6.1	Establish Access Granting Process	✅ Complete	Approval workflows
6.2	Establish Access Revoking Process	✅ Complete	Auto-deprovisioning
6.3	Require MFA for External Apps	✅ Supported	Entra ID MFA integration
6.5	Require MFA for Admin Access	✅ Supported	Entra ID MFA support
6.6	Inventory of Auth Systems	✅ Direct	Connectors, directory integration
6.7	Centralize Access Control	✅ Complete	Unified PAM platform
6.8	Define Role-Based Access	✅ Complete	Eligibility matrix, role policies

PCI DSS 4.0

The Payment Card Industry Data Security Standard requires strict access controls for cardholder data environments. GrantFlow helps meet requirements in sections 7 (Restrict Access), 8 (Identify Users), and 10 (Log and Monitor).

Requirement	Description	Coverage
7.1	Restrict access by business need	✅ Complete
7.2.1	Coverage of systems	✅ Direct
7.2.2	Assignment based on job function	✅ Direct
7.2.4	Appropriate privileges	✅ Complete
7.2.5	Access reviews	✅ Direct
7.2.5.1	Review of all access privileges	✅ Direct
8.2.1	Unique user IDs	✅ Supported
8.2.2	Verify identity before modifying auth	✅ Supported
8.3.1	MFA for CDE access	✅ Supported
8.4.2	MFA for all CDE access	✅ Supported
8.6.1	System/application accounts	✅ Direct
8.6.3	Password protection for service accounts	⚠️ Planned
10.2.1	Audit logs enabled	✅ Complete
10.2.1.1	Individual user access	✅ Complete
10.2.1.2	Actions by admins	✅ Complete

HIPAA Security Rule

The HIPAA Security Rule establishes standards for protecting electronic protected health information (ePHI). GrantFlow addresses both Administrative and Technical Safeguards.

Administrative Safeguards (§164.308)

Standard	Implementation	Coverage
Access Authorization	Role-based access	✅ Direct—Eligibility management
Access Establishment/Modification	Process for granting access	✅ Direct—Approval workflows
Termination Procedures	Revoke access	✅ Direct—Auto-deprovisioning
Workforce Clearance	Appropriate access	✅ Direct—Access reviews
Security Incident Procedures	Incident response	⚠️ Supported—Audit logs
Evaluation	Periodic assessment	✅ Supported—Access review reports

Technical Safeguards (§164.312)

Standard	Implementation	Coverage
Access Controls	Unique user ID	✅ Direct
Access Controls	Emergency access	⚠️ Planned—Break-glass feature
Access Controls	Automatic logoff	✅ Direct—Time-bound sessions
Audit Controls	Hardware/software mechanisms	✅ Complete—Audit trail
Person or Entity Authentication	Verify identity	✅ Supported—Entra ID integration

The General Data Protection Regulation requires appropriate technical and organizational measures to ensure data security. GrantFlow supports GDPR Article 32 requirements for access control and accountability.

Requirement	Coverage	Description
Confidentiality	✅ Direct	Least privilege, access control
Integrity	✅ Supported	Audit trail, change tracking
Availability	✅ Supported	Azure high availability
Access Control	✅ Complete	Role-based, time-bound access
Regular Testing	⚠️ Supported	Access reviews as part of testing
Documentation	✅ Direct	Audit trail as evidence

GDPR Article 32(4) requires that only authorized persons process data. GrantFlow ensures compliance by:

Granting access only to eligible individuals through approval workflows
Documenting every access with user identity, timestamp, and justification
Automatically revoking access rights upon expiration

NIS2 Directive

The NIS2 Directive (EU 2022/2555) establishes cybersecurity requirements for essential and important entities across the European Union.

Requirement	Article	Coverage
Access Control Policies	Art. 21(2)(i)	✅ Complete
Privileged Account Management	Art. 21(2)(i)	✅ Complete
MFA/Strong Authentication	Art. 21(2)(j)	✅ Supported
Zero Standing Privileges	Best Practice	✅ Complete
Incident Logging	Art. 21(2)(g)	✅ Complete
Least Privilege	Art. 21(2)(i)	✅ Complete
Supply Chain Security	Art. 21(2)(d)	⚠️ Supported
Basic Cyber Hygiene	Art. 21(2)(g)	✅ Direct

GrantFlow addresses NIS2-specific requirements including:

Dedicated admin accounts: Separate administrative roles
24-hour incident reporting: Complete audit history for rapid incident response
Zero Trust alignment: Never trust, always verify principle

DORA

The Digital Operational Resilience Act establishes ICT risk management requirements for financial entities in the EU.

Requirement	Article	Coverage
ICT Access Control	Art. 9(4)	✅ Complete
User Identification	Art. 9(4)(b)	✅ Complete
Account Management Procedures	Art. 9(4)(c)	✅ Complete
Access Restrictions	Art. 9(4)(d)	✅ Complete
Privileged Access Management	Art. 9(4)(e)	✅ Complete
Logging of ICT Operations	Art. 12	✅ Complete
ICT Third-Party Risk	Art. 28-30	⚠️ Supported

GrantFlow's JIT access model reduces ICT risks by minimizing the attack surface, while the audit trail supports the 24-hour incident reporting requirement.

NIST Cybersecurity Framework 2.0

The NIST CSF provides a flexible framework for managing cybersecurity risk. GrantFlow addresses controls across the Protect and Detect functions.

Function	Category	Coverage
PROTECT	Identity Management (PR.AA)	✅ Complete
PROTECT	Access Control (PR.AC)	✅ Complete
PROTECT	Awareness Training (PR.AT)	⚠️ Not direct
DETECT	Continuous Monitoring (DE.CM)	✅ Supported
DETECT	Anomaly Detection (DE.AE)	⚠️ Planned
RESPOND	Analysis (RS.AN)	✅ Supported
RECOVER	Recovery Planning (RC.RP)	⚠️ Not direct

BSI IT-Grundschutz

The BSI IT-Grundschutz is the German standard for information security management, widely adopted in the DACH region.

Building Block	Requirement	Coverage
ORP.4	Identity and Authorization Management	✅ Complete
ORP.4.A1	Rules for user setup	✅ Eligibility management
ORP.4.A2	Setup and modification of permissions	✅ Approval workflows
ORP.4.A3	Documentation of permissions	✅ Audit trail
ORP.4.A6	Permission revocation	✅ Auto-deprovisioning
ORP.4.A9	Identification and authentication	✅ Entra ID integration
ORP.4.A12	IAM concept development	✅ PAM as a Service
ORP.4.A16	Privileged permissions	✅ Core product
OPS.1.1.3	Patch and change management	⚠️ Via approval workflows
DER.1	Detection of security events	✅ Audit trail

Coverage Summary

This matrix summarizes GrantFlow's coverage of primary controls across all supported frameworks.

Framework	Primary Controls	Coverage	Core Strength
SOC 2	CC6 (Access Control)	95%	JIT + Audit
ISO 27001	A.8.2 (Privileged Access)	100%	Complete
NIST 800-53	AC-2, AC-6 (Access Control)	95%	Dynamic Privilege
CIS Controls v8	5, 6 (Account/Access)	90%	Centralized PAM
PCI DSS 4.0	7, 8, 10 (Access, Auth, Audit)	85%	Access Reviews
HIPAA	Access Controls	85%	Audit Trail
GDPR Art. 32	Access Control, Logging	80%	Documentation
NIS2	Art. 21 (Security Measures)	85%	Zero Trust
DORA	Art. 9 (ICT Risk Management)	85%	PAM + Audit
BSI Grundschutz	ORP.4 (Permissions)	85%	IAM Concept

Preventive vs. Detective Controls

Understanding the difference between preventive and detective controls helps explain GrantFlow's compliance approach.

Traditional Approach: Session Recording

Session recording captures user activities during privileged sessions, providing:

Video or keystroke recording of actions
Post-incident forensic analysis
Compliance evidence of what was done

GrantFlow Approach: Prevention First

GrantFlow implements preventive controls that stop unauthorized access before it occurs:

Requirement	Session Recording	GrantFlow
Traceability	Video/keystroke	Who, when, why, how long
Privilege control	After the fact	Proactive—prevents unauthorized access
Least privilege	Observation only	Enforcement—time-bound, JIT
Audit trail	Session recordings	Activation history, approvals
Incident response	Replay for analysis	Audit logs, correlation IDs

Auditor Talking Point

GrantFlow implements preventive controls rather than only detective controls. Instead of recording what an administrator does, we prevent unauthorized access through Zero Standing Privileges, Just-In-Time Access, time-bound grants, mandatory business justification, and approval workflows. Each of these measures is fully audited and demonstrable.

What Preventive Controls Achieve

These capabilities are not replaceable by session recording alone:

Control	Session Recording	GrantFlow
Least privilege enforcement	❌	✅
Automatic access revocation	❌	✅
Approval workflows	❌	✅
Business justification	❌	✅
Access reviews	❌	✅

Feature Roadmap

GrantFlow continues to expand its compliance coverage with planned enhancements.

Currently Available

Just-In-Time privileged access
Approval workflows with multi-approver support
Comprehensive immutable audit trail
Access reviews and recertification
Entra ID and Active Directory integration

Planned Enhancements

Feature	Target	Compliance Impact
SIEM Integration	Q1 2025	Strengthens CC7.2, CC7.3, A.8.15
Step-Up MFA	Q1 2025	Strengthens CC6.2, A.8.5, PCI 8.4.2
Break-Glass Access	Q1 2025	Addresses HIPAA emergency access
Password Vault	Q2 2025	Addresses PCI 8.6.3, CIS 5.2
Session Recording	Q2 2025	Completes monitoring controls

For more information on GrantFlow's security capabilities, see:

Security Architecture—Technical details on cryptographic controls and data protection
Audit Events—Understanding the audit trail and evidence collection
Approver Policies—Configuring approval workflows for separation of duties

Overview​

SOC 2 Trust Services Criteria​

Security Controls​

Audit Evidence​

ISO 27001:2022 Annex A​

Organizational Controls (A.5)​

Technological Controls (A.8)​

NIST 800-53 Rev. 5​

Access Control Family​

Audit and Accountability Family​

CIS Controls v8​

PCI DSS 4.0​

HIPAA Security Rule​

Administrative Safeguards (§164.308)​

Technical Safeguards (§164.312)​

GDPR Article 32​

NIS2 Directive​

DORA​

NIST Cybersecurity Framework 2.0​

BSI IT-Grundschutz​

Coverage Summary​

Preventive vs. Detective Controls​

Traditional Approach: Session Recording​

GrantFlow Approach: Prevention First​

What Preventive Controls Achieve​

Feature Roadmap​

Currently Available​

Planned Enhancements​

Related Resources​