Solutions / Governance, Risk & Compliance

Compliance reviews, grounded in your own sources

Normain reads your standards, policies and client evidence and returns structured, verifiable answers, each one linked to the exact clause it came from. Your team reviews and signs off in a fraction of the time.

Your documents
SOC 2 Type II
ISO 27001 cert
SIG Lite
Question
Any exceptions or deviations noted in this SOC 2 report?
2 minor exceptions, both with management responses.
High confidenceSource p.42
How it works
1
Add your knowledge
Standards, internal policies and the client evidence your team relies on. Normain reads and understands each source.
2
Define the questions once
Tell Normain what to extract, how to analyze it and what the output should look like. It handles the framework logic and scoring.
3
Get verified output
Structured answers in seconds, every finding linked to its source, so your team reviews, challenges and signs off with confidence.
Built for GRC teams

Recognize the work you do every day

These are the reviews GRC and compliance teams run by hand today: the same documents, the same questions, the same matrices. Normain does the reading and gives you structured, source-linked answers to check and sign off.

Spreadsheet project

Regulatory gap analysis

Built forISMS managers · GRC analysts · advisory consultants

Assess your current state against a target framework, control by control, and produce the gap matrix that feeds your Statement of Applicability and remediation roadmap.

Gap analysis
Data sources
ISO/IEC 27001:2022 Annex A
Statement of Applicability
SOC 2 (Trust Services Criteria)
NIST CSF 2.0
Question
Assessment
Explanation & evidence
1
Does A.8.16 Monitoring activities meet the control objective?
Partial
Endpoint logging enabled; no central review of security events. SoA p.12; SIEM config.
2
If partially met, what remediation is required and who owns it?
Action
Define a weekly SOC log-review procedure. Owner: Security Operations.
SoA p.12
Example questions
  • For every control assessed as partially implemented, identify the specific sub-requirement not met and cite the evidence reviewed.
  • Which controls satisfy both ISO 27001:2022 Annex A and the SOC 2 Common Criteria, so we can consolidate to a single control statement?
  • Where a control is applicable but no implementing policy exists, flag it as a documentation gap and propose a remediation owner.
  • Which 2022 Annex A controls are new versus our previous SoA, and are they addressed?
…and any others you write.
Repeat project

Third-party and vendor risk

Built forThird-party risk analysts · DPOs · procurement

Review each vendor's evidence against the same checklist, so onboarding and periodic re-reviews take minutes instead of an afternoon of reading each report.

Repeat for each vendor
Data source
Opinion
Exceptions
Cert
Acme Cloud — SOC 2
Unqualified
2 (minor)
Valid
Meridian LLP — SOC 2
Qualified
1 (open)
Expired
Northwind — SOC 2
Unqualified
0
Valid
SOC 2 §4, p.42
Example questions
  • From the test-of-controls table, list every control with an exception, the auditor's testing method, and management's response.
  • Which subservice organizations are carved out, and do any of them process our regulated data?
  • Extract the Complementary User Entity Controls (CUECs) we must implement, and map each to an internal owner.
  • Does the coverage period leave any gap since the previous report, and is the ISO certificate in scope and valid?
…and any others you write.
Simple project

Policy and control framework review

Built forGRC analysts · policy managers

Ask a set of pointed questions across your policy library at once, to prove coverage, catch contradictions, and find what is overdue for review.

One clear answer
Data sources
Information Security Policy
Access Control Policy
Incident Response Plan
BCDR plan
Access Control Policy
Instruction
Is phishing-resistant MFA required for privileged access?
Answer
Yes. Section 4.2 mandates FIDO2 / WebAuthn for all administrative roles, and explicitly disallows SMS one-time passwords.
High confidence§4.2Review
Policy register
Instruction
Which policies are overdue for review?
Answer
Two of eleven. The Incident Response Plan and the BCDR Plan have passed their 12-month review date.
High confidenceRegister r.3, r.9Review
Example questions
  • Does our Access Control Policy require phishing-resistant MFA for privileged access, and which clause states it?
  • Which framework requirements have no backing policy clause?
  • Where do two policies conflict, for example on password length or data retention?
  • Which policies are past their stated review date as of today?
…and any others you write.

Hear what our customers say

Normain fits directly into our current business processes and made an impact from day one

Mattias Ullsten
Founder & Managing Director, Advisense

The volume and quality of this benchmark would have been impossible without Normain’s AI technology

Frederik Otto
AvS Advisors

Beyond GRC

The same engine, on the work every team shares

Whatever you specialise in, these patterns cut across every industry we serve.

Benchmarking a set of reports
Line up annual reports, policies or filings side by side, one row each, every figure linked to the page it came from.
Answering a due-diligence questionnaire
Turn an inbound security or ESG questionnaire into answers drawn straight from your own published documents.
Monitoring regulatory change
Track what moved in a standard or regulation and see exactly which of your controls and policies it touches.

See it on your own documents

Bring a standard and a client file. We will show you source-linked answers in minutes.

SOC 2 Type II · ISO 27001 · GDPR