Compliance reviews, grounded in your own sources
Normain reads your standards, policies and client evidence and returns structured, verifiable answers, each one linked to the exact clause it came from. Your team reviews and signs off in a fraction of the time.
Recognize the work you do every day
These are the reviews GRC and compliance teams run by hand today: the same documents, the same questions, the same matrices. Normain does the reading and gives you structured, source-linked answers to check and sign off.
Regulatory gap analysis
Assess your current state against a target framework, control by control, and produce the gap matrix that feeds your Statement of Applicability and remediation roadmap.
- For every control assessed as partially implemented, identify the specific sub-requirement not met and cite the evidence reviewed.
- Which controls satisfy both ISO 27001:2022 Annex A and the SOC 2 Common Criteria, so we can consolidate to a single control statement?
- Where a control is applicable but no implementing policy exists, flag it as a documentation gap and propose a remediation owner.
- Which 2022 Annex A controls are new versus our previous SoA, and are they addressed?
Third-party and vendor risk
Review each vendor's evidence against the same checklist, so onboarding and periodic re-reviews take minutes instead of an afternoon of reading each report.
- From the test-of-controls table, list every control with an exception, the auditor's testing method, and management's response.
- Which subservice organizations are carved out, and do any of them process our regulated data?
- Extract the Complementary User Entity Controls (CUECs) we must implement, and map each to an internal owner.
- Does the coverage period leave any gap since the previous report, and is the ISO certificate in scope and valid?
Policy and control framework review
Ask a set of pointed questions across your policy library at once, to prove coverage, catch contradictions, and find what is overdue for review.
- Does our Access Control Policy require phishing-resistant MFA for privileged access, and which clause states it?
- Which framework requirements have no backing policy clause?
- Where do two policies conflict, for example on password length or data retention?
- Which policies are past their stated review date as of today?
Hear what our customers say

Normain fits directly into our current business processes and made an impact from day one
Mattias Ullsten
Founder & Managing Director, Advisense

The volume and quality of this benchmark would have been impossible without Normain’s AI technology
Frederik Otto
AvS Advisors
The same engine, on the work every team shares
Whatever you specialise in, these patterns cut across every industry we serve.
See it on your own documents
Bring a standard and a client file. We will show you source-linked answers in minutes.