Compliancy as a Graph

Visualize your organization's compliance posture against regulatory frameworks. This guide shows you how to build a Compliancy Graph: a structured, visual assessment of how well your organization meets its policy requirements.

Follow-up to Policy as Graph

Policy as Graph answers "What must we comply with?" — mapping a regulation's structure. Compliancy as Graph answers "How well do we actually comply?" — assessing your organization's readiness against those requirements.

What is a Compliancy Graph?

A Compliancy Graph maps your organization's compliance controls, evidence, and gaps against a regulatory baseline. Instead of spreadsheets full of status columns, stakeholders can visually explore compliance coverage, identify gaps, and trace evidence.

Challenge | Compliancy Graph Solution
Spreadsheet Chaos | Visual, navigable compliance map with status coloring
Hidden Gaps | Uncovered requirements stand out immediately (gray nodes)
Audit Preparation | Trace from requirement → control → evidence in one view
Cross-Framework Overlap | One graph can map controls to multiple regulations
Stakeholder Reporting | Export heatmap as PDF/CSV for management dashboards

How It Works: The Compliance Metamodel

Compliancy as a Graph uses the Business Analysis profile because a compliance assessment has the same structure as a vendor evaluation: a subject broken into capabilities, each with requirements that are evaluated and backed by evidence:

BA Concept | Compliance Equivalent | Example
Subject (Term) | Regulation / Framework | "GDPR", "ISO 27001"
Capability | Domain / Chapter | "Data Protection", "Access Control"
Requirement | Policy Requirement | "Art. 32 — Security of processing"
Evaluation | Control / Measure | "Encryption at rest", "Annual penetration test"
Evidence | Proof / Documentation | "Audit Report AR-2025-03", "SOC 2 Certificate"
Stakeholder | Responsible Party | "DPO", "CISO"

Evidence is a first-class Term type — not just a text field. Each Evidence node has its own description and additional information, can be linked to multiple Controls, and is visible in path tracing (Regulation → Requirement → Control → Evidence).

The BA profile's heatmap, scoring, and semantic checks work directly for compliance.

Building a Compliancy Graph

Step 1: Establish the Regulatory Baseline

Start by defining the requirements you need to comply with. You can either:

Option A: Import an existing Policy Graph

If you've already built a Policy Graph, export it and re-import into a new BA document:

  1. Open your Policy Graph → File > Export > JSON
  2. Create a new document → File > New from Template > Tool Selection
  3. Import the policy structure → File > Import > JSON
  4. The policy articles become your Requirements backbone

Option B: Generate with AI

Use an LLM prompt to generate the compliance backbone directly:

Create a Termboard Compact Format mapping for [GDPR / ISO 27001 / SOC 2 / DORA]
compliance assessment.

Structure it as:
- Capabilities = regulation domains/chapters
- Requirements = specific articles/controls that need compliance

Include columns:
- xfield:Importance with MoSCoW values (Must, Should, Could, Won't)
- xfield:Risk Level with values (Critical, High, Medium, Low)

## Terms
# name | description | type | xfield:Importance | xfield:Risk Level
# ------
Data Protection | GDPR Chapter IV | capability | Must | Critical

## Relations
# source | relationName | target
# ------
Data Protection | supports | GDPR

Import via File > Import > Compact Format. See the Compact Format documentation for more details.

Option C: Build manually

  1. Add a Subject node as the root (e.g., "GDPR Compliance 2025")
  2. Add Capability nodes for each major domain (e.g., "Data Protection", "Data Subject Rights", "Security")
  3. Link them to the Subject with supports
  4. Add Requirement nodes for each specific article/control
  5. Link Requirements to Capabilities with Is Requirement Of

Step 2: Configure Compliance Extra Fields

Set up Extra Fields to track compliance-specific metadata. Use the Visible Term Types setting to scope each field to the right node type:

  1. Open Settings > Document > Extra Fields
  2. Add the following fields:
     Field | Type | Values | Visible Term Types
     Compliance Status | Dropdown | Compliant · Partially Compliant · Non-Compliant · Not Assessed | Evaluation
     Risk Level | Dropdown | Critical · High · Medium · Low | Requirement
     Evidence Type | Dropdown | Policy · Audit Report · Test Result · Certificate · Training | Evidence
     Review Date | Date | (assessment date) | Evaluation
  3. Activate color mapping on Compliance Status:
    • Compliant → 🟢 Green
    • Partially Compliant → 🟡 Amber
    • Non-Compliant → 🔴 Red
    • Not Assessed → ⚪ Gray

Term-Type Scoping

By setting Visible Term Types, each Extra Field only appears in the sidebar for the relevant node type. This keeps the UI clean — Compliance Status only shows for Controls, Risk Level only for Requirements, etc.

See Extra Fields for configuration details.

Step 3: Add Controls (Evaluations)

For each Requirement, add one or more Controls that describe what your organization does to comply:

  1. Right-click a Requirement → Business Analysis > Add Evaluation
  2. Name the control (e.g., "AES-256 Encryption at Rest", "Annual DPIA Process")
  3. Fill in the Extra Fields:
    • Compliance Status: Your current assessment
    • Review Date: When this was last assessed or is due for review

Evaluation Sets for Multiple Assessments

Use Evaluation Sets to track compliance over time or across frameworks:

  • "Q1 2025 Assessment", "Q3 2025 Assessment" — track progress
  • "GDPR", "ISO 27001" — same control mapped to multiple frameworks

Step 4: Add Evidence

For each Control, add Evidence nodes that document proof of compliance:

  1. Add an Evidence node (e.g., "Audit Report AR-2025-03", "Encryption Policy v2.1")
  2. Link it to the Control with an evidenced by Relation
  3. Use the Evidence node's Description and Additional Information fields to capture:
    • What the document contains
    • Where it is stored (link, file reference)
    • Validity period or expiry date

Evidence nodes can be linked to multiple Controls — for example, a SOC 2 audit report may serve as evidence for several controls at once.

Evidence is Hidden by Default

Like Evaluations, Evidence nodes are hidden by default to keep the backbone clean. Parent Controls show a ⊕N badge indicating connected hidden nodes. Toggle visibility via Controls > Show Term Type Legend.

Step 5: Visualize Compliance with Heatmap

  1. In the style bar, find the Scenario dropdown (under Analysis)
  2. Select your assessment period (Evaluation Set)
  3. The graph transforms into a compliance heatmap:
    • Requirements and Capabilities are colored based on their roll-up scores
    • Gaps (unassessed requirements) appear in gray

Global Overview (No Scenario Selected)

With no scenario selected, the graph shows:

  • Controls → individual Compliance Status colors (across all Evaluation Sets)
  • Requirements → colored by Risk Level or Importance
  • Capabilities → white (neutral)

This gives a holistic view of your compliance posture at a glance.

Step 6: Identify Gaps and Risks

Use Termboard's tools to systematically find compliance gaps:

Semantic Checks (Tools > Model Checks):

  • Orphan Requirements — Policy requirements without any controls
  • Unlinked Evaluations — Controls not connected to requirements
  • Missing Scores — Controls with an Evaluation Set but no compliance status
  • Incomplete Evaluation Sets — Requirements assessed in some periods but not others
  • Controls Without Evidence — Compliant controls with zero Evidence relations
  • Orphan Evidence — Evidence nodes not linked to any Control
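The Model Checks above and the heatmap roll-up in Step 5 are described only in prose. The following Python script is an added example, not part of this guide or of Termboard itself: it parses a Compact Format export laid out as in Step 1, runs five of the six checks over a constructed sample that contains deliberate gaps, and then computes a worst-status-wins roll-up from Controls to Requirements to Capabilities. It assumes the relation names `evaluates`, `evidenced by` (Control → Evidence) and `Is Requirement Of` as used in this guide, the `xfield:` column names from Step 2, that the first `#` comment line of each section is the column header, and the roll-up rule itself, which the guide does not state. Evaluation Sets are not modelled, so the Incomplete Evaluation Sets check is omitted.

```python
"""Added example: parse a Termboard Compact Format export, run the guide's
Model Checks and a heatmap roll-up. Relation names, xfield column names and
the worst-status-wins rule are assumptions, not a published Termboard spec."""
from collections import defaultdict

# Constructed sample export with deliberate gaps; not real assessment data.
SAMPLE = """\
## Terms
# name | description | type | xfield:Risk Level | xfield:Compliance Status
# ------
GDPR | Regulation | subject | |
Data Protection | GDPR Chapter IV | capability | |
Art. 30 | Records of processing | requirement | Medium |
Art. 32 | Security of processing | requirement | Critical |
Art. 33 | Breach notification | requirement | High |
Encryption at Rest | AES-256 on all volumes | evaluation | | Compliant
Key Rotation | Annual KMS key rotation | evaluation | | Partially Compliant
Breach Playbook | 72-hour notification runbook | evaluation | | Compliant
Legacy Backup Review | Not yet scoped | evaluation | |
Encryption Policy v2.1 | GRC portal, valid to 2026-01 | evidence | |
Old Audit Report | Superseded, kept for history | evidence | |

## Relations
# source | relationName | target
# ------
Data Protection | supports | GDPR
Art. 30 | Is Requirement Of | Data Protection
Art. 32 | Is Requirement Of | Data Protection
Art. 33 | Is Requirement Of | Data Protection
Encryption at Rest | evaluates | Art. 32
Key Rotation | evaluates | Art. 32
Breach Playbook | evaluates | Art. 33
Encryption at Rest | evidenced by | Encryption Policy v2.1
"""

STATUS_COL = "xfield:Compliance Status"
# Higher rank = worse. An unscored requirement ranks worst (assumption) so a
# gap propagates up to its Capability instead of being hidden by siblings.
STATUS_RANK = {"Compliant": 0, "Partially Compliant": 1,
               "Non-Compliant": 2, "Not Assessed": 3}


def parse_compact(text):
    """Return (terms, relations): {name: {column: value}}, [(src, rel, dst)]."""
    terms, relations, section, header = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("## "):
            section, header = line[3:].strip().lower(), None
        elif line.startswith("#"):
            body = line.lstrip("#").strip()
            if header is None and "|" in body:  # first comment = column header
                header = [c.strip() for c in body.split("|")]
            # "# ------" separator lines are ignored
        else:
            cells = [c.strip() for c in line.split("|")]
            if section == "terms":
                row = {h: (cells[i] if i < len(cells) else "")
                       for i, h in enumerate(header)}
                terms[row["name"]] = row
            elif section == "relations":
                relations.append(tuple(cells[:3]))
    return terms, relations


def of_type(terms, term_type):
    return sorted(n for n, row in terms.items() if row.get("type") == term_type)


def run_model_checks(terms, relations):
    """Five of the six Model Checks; Evaluation Sets are not modelled here."""
    controls_of = defaultdict(set)  # requirement -> controls evaluating it
    reqs_of_ctl = defaultdict(set)  # control -> requirements it evaluates
    evidence_of = defaultdict(set)  # control -> linked evidence nodes
    used_evidence = set()
    for src, rel, dst in relations:
        if rel == "evaluates":
            controls_of[dst].add(src)
            reqs_of_ctl[src].add(dst)
        elif rel == "evidenced by":
            evidence_of[src].add(dst)
            used_evidence.add(dst)
    ctls = of_type(terms, "evaluation")
    status = {c: terms[c].get(STATUS_COL, "") for c in ctls}
    return {
        "Orphan Requirements": [r for r in of_type(terms, "requirement")
                                if not controls_of[r]],
        "Unlinked Evaluations": [c for c in ctls if not reqs_of_ctl[c]],
        "Missing Scores": [c for c in ctls if not status[c]],
        # Only controls that *claim* compliance without proof are flagged.
        "Controls Without Evidence": [c for c in ctls
                                      if status[c] == "Compliant" and not evidence_of[c]],
        "Orphan Evidence": [e for e in of_type(terms, "evidence")
                            if e not in used_evidence],
    }


def roll_up(terms, relations):
    """Worst-status-wins roll-up: Controls -> Requirements -> Capabilities."""
    controls_of, reqs_of_cap = defaultdict(set), defaultdict(set)
    for src, rel, dst in relations:
        if rel == "evaluates":
            controls_of[dst].add(src)
        elif rel == "Is Requirement Of":
            reqs_of_cap[dst].add(src)

    def worst(statuses):
        scored = [s for s in statuses if s in STATUS_RANK]
        return max(scored, key=STATUS_RANK.get) if scored else "Not Assessed"

    result = {}
    for req in of_type(terms, "requirement"):
        result[req] = worst(terms[c].get(STATUS_COL, "") for c in controls_of[req])
    for cap in of_type(terms, "capability"):
        result[cap] = worst(result[r] for r in reqs_of_cap[cap])
    return result


if __name__ == "__main__":
    terms, rels = parse_compact(SAMPLE)
    for check, hits in run_model_checks(terms, rels).items():
        print(f"{check}: {', '.join(hits) or 'none'}")
    for node, status in roll_up(terms, rels).items():
        print(f"{node}: {status}")
```

On the sample, Art. 30 is reported as an orphan requirement, Legacy Backup Review as both unlinked and unscored, Breach Playbook as compliant without evidence, and Old Audit Report as orphan evidence; Art. 32 rolls up to Partially Compliant because Key Rotation drags down the fully compliant encryption control, and Data Protection rolls up to Not Assessed because of the Art. 30 gap. Point the script at `File > Export > Compact Format` output in place of `SAMPLE` to run the same checks outside the UI, for instance in a CI job that fails when any check returns a non-empty list.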

Find Path (Left Sidebar > Find Path):

  • Trace the chain from a high-level regulation → domain → requirement → control → evidence
  • Answer questions like "What controls address Article 32?" or "Which requirements have no evidence?"

Filter and Select (Left Sidebar > Filter):

  • Filter by Compliance Status = "Non-Compliant" to see all failing controls
  • Filter by Risk Level = "Critical" to focus on high-priority gaps

Step 7: Export for Stakeholders

CSV Export (with active scenario):

  1. Click Export CSV next to the scenario dropdown
  2. Download a flat file with Domain, Requirement, Risk Level, Control, Status, Evidence
  3. Import into Excel for further analysis or board reporting

PDF Export for audit packages:

  1. File > Export > PDF
  2. Creates a navigable document with the full compliance graph

Compact Format for AI-powered analysis:

  1. File > Export > Compact Format
  2. Feed to an LLM: "Based on this compliance graph, summarize our GDPR readiness and highlight the top 5 gaps"

Example Use Cases

GDPR Compliance Assessment

Layer | Examples
Subject | GDPR Compliance 2025
Capabilities | Data Protection, Lawful Processing, Data Subject Rights, International Transfers
Requirements | Art. 5 (Principles), Art. 6 (Lawfulness), Art. 25 (Privacy by Design), Art. 32 (Security)
Controls | Encryption policy, consent management platform, DPO appointment, annual DPIA
Status | ✅ Compliant, ⚠️ Partially, ❌ Non-compliant

ISO 27001 Gap Analysis

Model the Annex A controls as Requirements, your existing security measures as Controls, and identify which controls are missing or inadequate before your certification audit.

SOC 2 Readiness

Map Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) as Capabilities, specific criteria as Requirements, and your organizational controls as Evaluations.

DORA (Digital Operational Resilience)

Organize by audience (IT, Risk, Compliance, Board) — each audience domain becomes a Capability, regulatory requirements become Requirements, and organizational measures become Controls.

Cross-Framework Compliance

Map a single control to multiple framework requirements:

  • "AES-256 Encryption" evaluates both GDPR Art. 32 AND ISO 27001 A.10.1.1 (the 2013 Annex A numbering; the same control is A.8.24 in ISO/IEC 27001:2022, so name the edition in the Requirement node to avoid mixing numberings in one graph)
  • Instantly see which controls serve double duty across frameworks

Best Practices

  1. Start with the backbone — Map all requirements before adding controls. A complete backbone turns every unaddressed requirement into a visible gray node instead of a silent omission
  2. Use Risk Levels — Tag each requirement with Critical/High/Medium/Low to focus remediation efforts
  3. Track evidence, not just status — A "Compliant" control without documented evidence is a risk during audits
  4. Version your assessments — Use Evaluation Sets for each assessment period (e.g., "Q1 2025") to track progress over time
  5. Run Model Checks regularly — Catch orphan requirements and missing scores before they become audit findings
  6. Use Compare Models — Compare two versions of your compliance graph to see what changed between assessments
  7. Keep controls granular — One control per specific measure, not "we have a security policy" covering everything
  8. Assign ownership — Use Stakeholder nodes to assign compliance responsibility for each domain