RiskWatch
Cyber Security Platform · NIST CSF 2.0

Cyber security assessments, framework-agnostic.

Score once. Satisfy four. NIST CSF 2.0 with the new Govern function, plus pre-built crosswalks to ISO 27001, CIS Controls v8, SOC 2, and NIST 800-53.

  • NIST CSF 2.0 with the new Govern function
  • Cross-framework crosswalks · ISO 27001 · CIS v8 · SOC 2
  • Auto-scoring · evidence collection · finding-to-task workflows
  • 80% time saved vs manual assessment process
No credit card · CSF 2.0 ships day 1 · 14 frameworks built in
[Dashboard preview · app.riskwatch.com / cyber · Live · 4 frameworks]
Cyber posture · composite score, with per-framework scores for NIST CSF, ISO 27001, CIS v8, and SOC 2
Open findings: 38 · Critical / High: 11 · Closed Q4: 142 · MTTR: 14d
Top 5 findings · by days remaining
  • Unpatched RCE · CVE-2024-3094
  • MFA missing · 47 admin accounts
  • S3 bucket · public read
  • EDR coverage gap · Linux fleet
  • Backup failures · DB cluster
Trusted by CISO and infosec teams across regulated industries
Oracle
AWS
Pinterest
NTT DATA
WWT
Stryker
Avery Dennison
Trane
What it is

What is cyber security assessment software?

Capture the control once. The crosswalk feeds NIST CSF, ISO 27001, SOC 2, and CIS v8 at the same time. Pre-built libraries for NIST CSF 2.0, ISO 27001:2022, CIS Controls v8, SOC 2, NIST 800-53/171, PCI DSS, and HIPAA Security ship on day one — with MITRE ATT&CK mapping and finding-to-task workflows so a gap closes the same week it surfaces. Also called IT risk assessment software, cyber risk management software, or cybersecurity audit software.

Why teams move to RiskWatch

Three frameworks. Three audits. Same controls, three times.

CISO teams we talk to are running NIST CSF for the board, ISO 27001 for certification, SOC 2 for the customer, and CIS v8 for the practitioners. Same evidence, four spreadsheets. Here's what that costs.

Pain #1

NIST CSF spreadsheet. ISO 27001 spreadsheet. SOC 2 spreadsheet.

Same controls, three workbooks, three audits a year. Score once on NIST CSF 2.0 — auto-satisfy ISO 27001 Annex A, CIS v8, and SOC 2 trust services criteria via pre-built crosswalks.

Pain #2

Findings live in the assessment. Tasks live in Jira.

Auditor finds a gap. Two weeks later you remember to file a Jira ticket. Six months later it's open. Findings convert to tracked tasks with owner and due date — synced bidirectionally to Jira / ServiceNow.

Pain #3

Maturity plateaus once the assessment is done.

Score 78% in March, score 78% in October, every audit cycle. Continuous reassessment with quarterly cadence per CSF function — trend the score, prove improvement.

14+
Cyber frameworks built in
NIST CSF 2.0 · ISO 27001 · CIS v8 · SOC 2 · more
14
Score once, satisfy four
Cross-framework crosswalks built in
80%
Time saved per assessment
vs manual spreadsheet process
The platform

Every module a modern infosec team needs — in one platform.

Sixteen modules sharing the framework library, asset register, evidence vault, and audit trail. Built around cross-framework crosswalks so one source of truth feeds every audit.

Cyber Dashboard

Posture on one screen

Composite cyber score, per-framework rollup, top-N findings, MTTR, evidence freshness — readable in 10 seconds.

Framework Library

Every cyber framework, ready to assess

NIST CSF 2.0, ISO 27001/27002, CIS Controls v8, SOC 2, NIST 800-53 / 800-171, PCI DSS, HIPAA Security.

Assessment Engine

Score against any framework

Question-by-question with evidence capture. Compliance / Non-compliance / Other / Not Answered states per question.

Cross-Framework Crosswalks

Score once, satisfy four

Pre-built mappings between CSF, ISO 27001, CIS v8, SOC 2, NIST 800-53. One answer cascades automatically.

Vulnerability Tracker

CVE-aware finding management

Capture CVE references, CVSS scores, asset linkage, exploitability context. Auto-prioritize by exploit-in-the-wild flags.

Control Library

1,000+ pre-mapped controls

Each control linked to NIST 800-53, ISO 27002, CIS v8, and trust services criteria. Add your custom controls inline.

Continuous Monitoring

Quarterly cadence, automatic

Reassessment per CSF function on quarterly cadence. Reminders, escalation, evidence-refresh prompts.

Threat Intel Mapping

MITRE ATT&CK aligned

Map threats to ATT&CK techniques. Show which controls mitigate which adversary tactics across the kill chain.

Finding → Task

Findings that route themselves

Convert findings into tracked tasks with owner, due date, status. Bidirectional sync with Jira and ServiceNow.

Risk Scoring

Inherent · Residual · Target

Three scores per finding, aligned to NIST 800-30. Track residual reduction across the assessment lifecycle.

Asset Register

What you actually protect

On-prem, cloud, SaaS, OT/ICS. Asset criticality drives finding priority and reassessment cadence.

Evidence Vault

Documents and configs in one place

Tie evidence to controls, controls to frameworks, frameworks to audits. Auditor-readable in two clicks.

Custom Reports

Audit-ready exports

Per-framework, per-function, per-quarter. PDF + Word + Excel. Pre-formatted for ISO certification audits.

Mass Edit

Update 200 controls in an Excel paste

Bulk assessment edits, bulk evidence attach, bulk owner reassignment — without IT involvement.

Bulk Upload

Onboard 1,000 assets in 5 minutes

CSV import for assets, controls, findings. CMDB sync (ServiceNow, Lansweeper) keeps the inventory current.

Audit Trail

"Who closed this finding?" answered instantly

Timestamped log of every score change, evidence upload, finding-status transition. Admissible for ISO surveillance audits.

NIST CSF 2.0

All six functions. Including the new Govern.

The Govern function — added in CSF 2.0 in February 2024 — covers cybersecurity risk strategy, expectations, policy, oversight, and supply-chain risk management. Every other tool is still catching up. RiskWatch ships with the full Govern function from day one, including all Implementation Examples per subcategory.

  • All 6 CSF 2.0 functions: Govern (new), Identify, Protect, Detect, Respond, Recover
  • Govern function deep-dive: Risk strategy, supply chain, oversight — added in v2.0
  • Tier-aware maturity: Tier 1 Partial → Tier 4 Adaptive across functions
  • Quarterly reassessment: automatic cadence per function, not all-at-once
See CSF 2.0 in action
NIST Cybersecurity Framework 2.0 (new v2.0)
  • Govern: Risk strategy · roles · supply chain · oversight
  • Identify: Asset mgmt · governance · risk assessment
  • Protect: Access control · awareness · data security
  • Detect: Continuous monitoring · anomalies · events
  • Respond: Response planning · communications · analysis
  • Recover: Recovery planning · improvements · communications
All 6 functions → Pre-mapped · score in real time
One assessment · multi-framework crosswalk
NIST CSF 2.0 sub-categories
  • GV.OC-01 · Mission · risk objectives (NIST CSF 2.0 · Govern)
  • PR.AA-03 · Identity proofing (NIST CSF 2.0 · Protect)
  • DE.CM-01 · Network monitoring (NIST CSF 2.0 · Detect)
Auto-satisfied controls (cross-mapped)
  • ISO 27001 Annex A: 5.2 · 5.16 · 8.16 satisfied
  • CIS Critical Controls v8: 1, 4, 13 covered
  • SOC 2 Trust Services: CC1 · CC6 · CC7 satisfied
Score once → Satisfy 4 frameworks at the same time
Cross-framework crosswalks

Score once. Satisfy four.

Pre-built mappings between NIST CSF 2.0, ISO 27001 Annex A, CIS Controls v8, SOC 2 Trust Services Criteria, and NIST 800-53. Score a CSF subcategory and watch the linked controls light up across every framework. Conflicts are flagged so you know which framework is the binding constraint.

  • One source assessment: NIST CSF 2.0 question-by-question scoring
  • ISO 27001 satisfied: Annex A controls auto-mapped from CSF answers
  • CIS v8 covered: 18 critical controls cross-referenced to CSF subcategories
  • SOC 2 ready: trust services criteria pre-mapped to ATT&CK + CSF
  • NIST 800-53 satisfied: control families auto-populated for federal audits
Four anchor frameworks

Pick your starting point. We map to the rest.

Anchor 1
NIST CSF 2.0

Govern · Identify · Protect · Detect · Respond · Recover

Anchor 2
ISO 27001/27002

Annex A organizational, people, physical, technological controls

Anchor 3
CIS Controls v8

18 critical controls · IG1/IG2/IG3 maturity levels

Anchor 4
SOC 2

Trust Services Criteria · CC1–CC9 · CA · PI · A · C

How it works

From first scan to audit-ready in five stages.

Most teams complete stages 1–3 in their first week. Stage 4 runs continuously. Stage 5 is on-demand the moment your auditor (or board) asks.

Stage 01 · Day 1

Pick a framework

NIST CSF 2.0 by default. Or ISO 27001, CIS v8, SOC 2, NIST 800-53 / 800-171. Or your custom library.

Stage 02 · Day 2–7

Score and capture evidence

Question-by-question scoring with evidence upload. Auto-fill from prior assessments. Evidence vault per control.

Stage 03 · Week 2

Cross-map to satisfy more

One CSF score auto-populates ISO 27001, CIS v8, SOC 2 mappings. Spot which framework still has gaps.

Stage 04 · Continuous

Convert findings to tasks

Findings route to Jira / ServiceNow with owner, due date, status. Quarterly reassessment cadence runs automatically.

Stage 05 · On-demand

Report and certify

Per-framework reports, MITRE ATT&CK coverage maps — board-ready in two clicks.

Customer stories

Three audits a year that stopped tripling the work.

Real CISOs. Real cross-framework wins. Real Tier-3 maturity targets hit.

Cross-framework crosswalks turned three audits a year into one assessment. Same evidence vault for ISO, SOC 2, and CSF.
Marcus K.
CISO · SaaS · 2,400 employees
Audits unified: 3 → 1 (ISO + SOC 2 + CSF)
Maturity reached: Tier 3 (across 6 functions)
Time-to-deploy: 4 weeks (first cross-mapped audit)

Cross-framework crosswalks turned three audits a year into one assessment. ISO 27001 surveillance audit, SOC 2 Type 2, and CSF maturity all read from the same evidence vault.

Marcus K.
CISO · SaaS · 2,400 employees

MITRE ATT&CK mapping changed how we present to the board. They stopped asking 'are we compliant?' and started asking 'which adversary tactics are we weakest against?' That's a better conversation.

Elena H.
Director of Security · Healthcare · 6,500 employees

We hit Tier 3 Repeatable across all six CSF 2.0 functions in nine months. The Govern function deep-dive helped us articulate risk strategy in a way our previous tool never did.

Bryan J.
VP Cyber Risk · FinTech · 1,800 employees
Frameworks supported

If your auditor asks for the framework, we ship the library.

Fourteen cyber frameworks pre-built, all cross-mapped. Plus MITRE ATT&CK technique coverage and federal-specific frameworks (NIST 800-53/800-171, FedRAMP, CMMC 2.0).

  • NIST CSF 2.0: 6 functions · 22 categories
  • ISO 27001:2022: Annex A · 93 controls
  • ISO 27002:2022: Implementation guidance
  • CIS Controls v8: 18 critical controls
  • SOC 2: Trust Services Criteria
  • NIST 800-53 r5: Federal control catalog
  • NIST 800-171 r3: CUI / DFARS
  • PCI DSS v4: Cardholder data
  • HIPAA Security: §164.308–§164.316
  • FedRAMP: Cloud federal baseline
  • CMMC 2.0: DoD contractor cyber
  • MITRE ATT&CK: Adversary techniques
  • OWASP ASVS: App security verification
  • ISO 27017/27018: Cloud security + privacy
  • +20 more: Custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with your team, or build the business case for replacing four cyber spreadsheets.

Most popular
PDF · 28 pages · Print-ready

Cyber Security Assessment Checklist

Twenty-eight pages built on NIST CSF 2.0 — all 6 functions, all 22 categories, all subcategories. Print, walk your environment, tally maturity tiers, and assemble an executive summary.

  • NIST CSF 2.0 (with Govern function)
  • Tier 1–4 maturity scorecard
  • Executive summary template
Get the checklist
Crosswalk · 2026
Excel · 4-tab crosswalk

Cyber Framework Crosswalk

Pre-built crosswalk between NIST CSF 2.0, ISO 27001 Annex A, CIS Controls v8, and SOC 2 trust services criteria. Use as a control-mapping reference or migration source.

  • 4-framework cross-mapping table
  • Conflict-flag column
  • Implementation guidance per row
Get the crosswalk
2026 Vendor Comparison
22-page PDF

Cyber Assessment Platform Buyer's Guide

Vendor scorecard, crosswalk-depth comparison, MITRE ATT&CK coverage benchmarks, pricing by org size, and implementation timelines. The shortlist tool for cyber RFPs.

  • Feature matrix · 6 vendors
  • Editable scorecard template
  • Pricing benchmarks
Get the guide
FAQ

Common questions, answered up front.

About NIST CSF 2.0, ISO 27001, CIS Controls v8, SOC 2, MITRE ATT&CK, and how RiskWatch maps between all of them.

What is cyber security assessment software?
Cyber security assessment software is a platform that helps organizations assess, score, and report on their cybersecurity posture against frameworks like NIST CSF, ISO 27001, CIS Controls, SOC 2, NIST 800-53, and HIPAA Security. RiskWatch ships with all of these as built-in libraries, plus pre-built cross-framework crosswalks so a single assessment satisfies multiple frameworks simultaneously, MITRE ATT&CK threat-mapping, finding-to-task workflows with Jira/ServiceNow sync, and continuous reassessment cadences per function.
How does NIST CSF 2.0 differ from CSF 1.1?
NIST CSF 2.0 (released February 2024) adds a sixth function: Govern. The original five — Identify, Protect, Detect, Respond, Recover — remain. Govern covers cybersecurity risk strategy, expectations, policy, oversight, and supply-chain risk management. CSF 2.0 also broadens the framework's audience beyond critical infrastructure to all organizations, refines outcome categories and subcategories, and adds Implementation Examples for each subcategory. RiskWatch ships with the full CSF 2.0 library, including the new Govern function and Implementation Examples.
How do cross-framework crosswalks work?
When you score a question in NIST CSF 2.0 (e.g. PR.AA-03 'Identity proofing'), the platform automatically resolves which controls in ISO 27001 Annex A (5.16, 5.17), CIS Controls v8 (Control 5, 6), SOC 2 (CC6.1, CC6.2), and NIST 800-53 (IA-2, IA-4) are simultaneously satisfied or partially satisfied. You score once; four frameworks update. Conflicts (where one framework requires more rigor than another) are flagged so you know which is the binding constraint.
What's the difference between NIST CSF, ISO 27001, and CIS Controls v8?
NIST CSF is an outcome-based framework — what you should achieve, organized into 6 functions and 22 categories. ISO 27001 is a certification standard with a management system (ISMS) plus 93 specific controls in Annex A. CIS Controls v8 is a prescriptive list of 18 critical safeguards prioritized by maturity (IG1/IG2/IG3). They cover the same security domain at different levels of abstraction. RiskWatch maps between all three so you can pick whichever your auditor wants and the others come along automatically.
How does MITRE ATT&CK integration work?
Each control in the library is mapped to the MITRE ATT&CK techniques it mitigates. When you complete an assessment, the platform shows your coverage across the kill chain — which tactics (Initial Access, Execution, Persistence, etc.) you're strongest against and which adversary techniques have the thinnest control coverage. This lets you brief the board in adversary terms ("we're weakest against credential access") rather than control-list terms ("we have gaps in CC6.1").
Does it integrate with Jira and ServiceNow for findings?
Yes. Findings convert to tracked tasks with bidirectional sync to Jira (Cloud and Data Center) and ServiceNow ITSM. Status changes in Jira propagate back to RiskWatch, so when a developer marks a ticket Done, the linked finding's status updates and evidence refresh prompts fire. CMDB sync from ServiceNow also pulls the asset inventory automatically, eliminating duplicate inventory maintenance.
How long does implementation take?
Most teams complete their first NIST CSF 2.0 assessment within a week. Pre-built libraries, evidence-vault auto-population from prior assessments (if migrating from another tool), and Jira/ServiceNow integrations remove the typical 2–3 month setup. Enterprise multi-org deployments with custom mappings (e.g. NERC CIP for utilities, CMMC 2.0 for defense contractors), SSO, and CMDB sync typically complete in 60 days.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access — every framework library (NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, NIST 800-53/800-171, PCI DSS, HIPAA), cross-framework crosswalks, MITRE ATT&CK mapping, and Jira/ServiceNow integration previews. You can run a real cyber assessment against your own environment and decide before purchasing.
Ready to retire four cyber spreadsheets?

Run your first CSF 2.0 assessment this week.

Start a 30-day free trial — every framework library, cross-framework crosswalks, MITRE ATT&CK mapping, and Jira/ServiceNow integration previews. No credit card required.

No credit card required · 30-day free trial · Cancel anytime