Master Framework Library
This section is for Concerto team members who manage the platform-level framework library. Tenant users interact with frameworks after they've been deployed to their organization.
The Master Framework Library is the platform-level source of truth for compliance frameworks. Operators curate controls, evidence requests, and recurring activities here, then deploy them to tenant organizations.
How It Works
Master Framework Library (platform level)
↓ Deploy to tenant
Tenant Framework (organization level, customizable copy)
When a framework is deployed to a tenant:
- All controls, evidence requests, and recurring activities are copied to the tenant
- Tenants can customize their copy (modify descriptions, add controls, change owners)
- Changes to the master do not auto-propagate to existing tenant copies
- Re-deploying an updated framework creates new records; it does not overwrite tenant customizations
Supported Frameworks
| Framework | Standard |
|---|---|
| SOC 2 | Trust Services Criteria (Type I and Type II) |
| ISO 27001 | Information Security Management Systems |
| ISO 42001 | Artificial Intelligence Management Systems |
| PCI DSS 4.0 | Payment Card Industry Data Security Standard |
| HIPAA | Health Insurance Portability and Accountability Act |
Managing Frameworks
Access from the platform admin view under Master Frameworks.
Framework Structure
Each framework contains three record types:
| Record Type | Description |
|---|---|
| Controls | Individual compliance requirements with implementation guidance |
| Evidence Requests | What evidence demonstrates control compliance, with validity periods and collection guidance |
| Recurring Activities | Periodic tasks that maintain compliance, with cadence and ownership |
Cross-Framework Mappings
Controls can be mapped across frameworks. For example:
- SOC 2 CC6.1 maps to ISO 27001 A.9.1.1 and HIPAA §164.312(a)
- One implementation can satisfy multiple framework requirements
This enables tenants to implement a control once and satisfy requirements across multiple audits.
CSV Import/Export
Individual Import
Import controls, evidence requests, or recurring activities individually via their respective CSV formats. Each record type has its own column structure.
Unified Export/Import
The unified format exports/imports all record types in a single 17-column CSV file:
| Use Case | Description |
|---|---|
| Bulk framework creation | Load an entire framework from a single file |
| Environment migration | Move framework data between dev/staging/production |
| Version control | Track framework definitions in Git |
| Backup | Offline backup of framework definitions |
Delimiter Handling
Multi-value fields (e.g., related controls, framework mappings) use:
| Delimiter | Usage |
|---|---|
| Semicolon (;) | Primary delimiter — used in exports |
| Pipe (\|) | Alternative delimiter — accepted on import |
Both are supported on import. Export always uses semicolons.
Deploying to Tenants
1. Select a framework in the Master Library
2. Click Deploy to Tenant
3. Select the target organization
4. Choose which record types to deploy (controls, evidence, recurring activities)
5. Records are copied to the tenant's framework
Re-Deployment
Deploying again to a tenant that already has the framework:
| Behavior | Description |
|---|---|
| New records | Added to the tenant (matched by control ID) |
| Existing records | Not overwritten — tenant customizations are preserved |
| Report | Shows what was added vs. skipped |
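The sketch below is an added example, not Concerto's code. It models the re-deployment rules above together with the delimiter handling described earlier: multi-value fields are split on either delimiter, and records are merged add-only by control ID. The field names `description` and `mappings`, the sample records, and the `differs_from_master` list (an addition beyond the added/skipped report) are assumptions made for illustration.

```python
import copy
import re

def split_multi(value):
    """Split a multi-value field; import accepts both ';' and '|'."""
    return [v.strip() for v in re.split(r"[;|]", value) if v.strip()]

def join_multi(values):
    """Export always writes semicolons."""
    return ";".join(values)

def redeploy(master, tenant):
    """Add-only merge keyed by control ID; mutates tenant, returns a report."""
    report = {"added": [], "skipped": [], "differs_from_master": []}
    for control_id, record in master.items():
        if control_id not in tenant:
            # Deep copy so later edits to the master never reach the tenant.
            tenant[control_id] = copy.deepcopy(record)
            report["added"].append(control_id)
        else:
            # Existing tenant record is left untouched.
            report["skipped"].append(control_id)
            if tenant[control_id] != record:
                # Skipped record no longer matches the master: either a
                # tenant customization or a master change that did not propagate.
                report["differs_from_master"].append(control_id)
    return report

# Constructed sample data (assumed field names, illustrative descriptions).
MASTER = {
    "CC6.1": {"description": "Logical access controls (revised in master)",
              "mappings": split_multi("ISO 27001 A.9.1.1|HIPAA §164.312(a)")},
    "CC6.2": {"description": "Control added to master after first deployment",
              "mappings": []},
}
TENANT = {
    "CC6.1": {"description": "Logical access controls, owned by IT Ops",
              "mappings": split_multi("ISO 27001 A.9.1.1;HIPAA §164.312(a)")},
}

if __name__ == "__main__":
    tenant_copy = copy.deepcopy(TENANT)
    print(redeploy(MASTER, tenant_copy))
    print(join_multi(tenant_copy["CC6.1"]["mappings"]))
```

Because skipped records are never overwritten, the `differs_from_master` list is where an operator would look for tenant copies that have drifted from the current master definition.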
Integration Mappings
When managing integrations at the platform level, operators can pre-map integration outputs to:
- Evidence Requests — Integration data auto-populates specific evidence
- Recurring Activities — Integration data satisfies recurring compliance tasks
These mappings are inherited by tenants when they connect the integration, reducing setup time.