Quick Answer: Every VeilScan PDF report includes a compliance mapping table showing which findings affect which controls across ISO 27001:2022, SOC 2 Type II, GDPR Article 32, PCI DSS v4.0, and Cyber Essentials. The table is formatted for direct submission to auditors and includes remediation guidance for each affected control.
Why do compliance audits require vulnerability scanning evidence?
ISO 27001, SOC 2, PCI DSS, and GDPR all require organisations to maintain documented evidence of ongoing vulnerability management. A single annual penetration test is often insufficient; auditors increasingly require evidence of continuous or periodic external scanning, with documented findings and remediation records.
VeilScan's compliance mapping bridges the gap between technical scan results and the language auditors use. Rather than handing an auditor a raw list of CVEs, you provide a signed, timestamped report that maps each finding to the specific control it affects and documents the remediation guidance.
Which frameworks and controls does VeilScan map to?
- ISO 27001:2022 — Annex A controls including A.8.8 (Management of technical vulnerabilities), A.8.9 (Configuration management), A.8.20 (Networks security), and related controls. VeilScan findings map to the specific Annex A clause numbers, making it straightforward to demonstrate compliance evidence during an audit.
- SOC 2 Type II — Trust Services Criteria CC6 (Logical and Physical Access Controls), CC7 (System Operations), and CC9 (Risk Mitigation). External vulnerability scan evidence supports CC6 and CC7 controls related to identifying and remediating vulnerabilities.
- GDPR Article 32 — the requirement to implement appropriate technical measures to ensure security of processing. Regular external vulnerability scanning and documented remediation are evidence of a technical security programme.
- PCI DSS v4.0 — Requirement 6 (Develop and Maintain Secure Systems and Software) and Requirement 11 (Test Security of Systems and Networks). PCI DSS explicitly requires external vulnerability scanning by an Approved Scanning Vendor (ASV) or documented equivalent.
- Cyber Essentials — Secure configuration, patch management, and access control themes. VeilScan findings related to misconfiguration, exposed services, and outdated software map directly to Cyber Essentials self-assessment criteria.
What does the compliance table in a PDF report look like?
The compliance mapping table in each VeilScan PDF report contains:
- Each verified finding listed by asset and vulnerability type
- The affected framework controls (e.g. ISO 27001 A.8.8, SOC 2 CC7.1)
- The severity and Business Impact Score of the finding
- Remediation guidance specific to that finding
- Whether the finding has been remediated in subsequent scans (in delta reports)
The table is formatted for direct presentation to auditors, legal counsel, or enterprise customers requesting security evidence.
How does compliance mapping help with security questionnaires?
Enterprise customers and procurement teams increasingly send security questionnaires as part of vendor onboarding. Questions like "Do you perform regular external vulnerability scanning?" and "Do you have documented evidence of vulnerability remediation?" can be answered with a VeilScan report.
Each VeilScan PDF includes a verification token at veilscan.net/verify/[token]. Third parties — enterprise customers, investors, auditors — can confirm the report was generated by VeilScan and has not been altered, without accessing your VeilScan account.
See: PDF Reports feature · VeilScan for Fintech Compliance
What are the most common questions?
Is compliance mapping available on all plans?
Compliance mapping in the PDF report is available on paid plans. The free plan dashboard shows findings but does not include the compliance table or PDF export. See all plans for details.
Does VeilScan make me compliant with ISO 27001 or SOC 2?
No. Compliance with ISO 27001 or SOC 2 requires addressing many controls across governance, access management, incident response, and other domains that are outside the scope of external vulnerability scanning. VeilScan provides the technical vulnerability management evidence that satisfies specific controls within these frameworks. Full compliance requires a broader programme.
Can I use VeilScan alongside a penetration test for audit evidence?
Yes. Many auditors accept a combination of continuous automated scanning (VeilScan) and an annual penetration test as evidence of a mature vulnerability management programme. The combination is stronger than either alone. VeilScan reports and pentest reports can be submitted together to cover both continuous monitoring and deep manual testing.