What's New in EAF v3: and Why It Matters for Your Compliance Program

We recently shipped a major upgrade to the Easy Audit Framework (EAF) - the universal control taxonomy that powers how your organization maps to compliance frameworks like SOC 2, ISO 27001, HIPAA, GDPR, and more.

Here's what changed, why we did it, and what it means for you.

The Short Version

EAF v2 used a single, flat list of ~504 controls. Every framework requirement, every monitoring test, and every policy mapped directly to one of those controls.

EAF v3 replaces that flat list with a two-level hierarchy: 140 broad control areas, each broken down into ~494 specific objectives. Think of it like going from a single filing cabinet to an organized system of folders and subfolders - the same information, but now you can easily find what you're looking for.

What Was Wrong with v2?

Nothing, at first. EAF v2 was built on a foundation of CPA-verified, framework-to-framework mappings. The original approach was straightforward: compliance professionals manually mapped SOC 2 requirements to a flat list of controls, creating a clean one-to-one relationship. 330 SOC 2 requirements mapped neatly to 330 controls, each verified by a CPA for accuracy.

The issues started when we added more frameworks. Rather than mapping every new framework from scratch - an expensive, time-consuming process - the natural approach was to leverage the existing mappings. One framework’s verified mappings became the bridge to the next.

This transitive mapping approach worked in theory, but it created a compounding problem in practice. Each hop through an intermediate framework introduced imprecision. If two ISO 27001 Annex A controls mapped to one SOC 2 COSO Principle, and two NIST CSF requirements mapped to each of those Annex A controls, you ended up with four NIST requirements mapped to a single COSO Principle. Review by a set of experts brought these mappings back under control, but it left us with a lengthy process for adding new frameworks, and sometimes with over-mapped frameworks, because we erred on the side of including mappings rather than missing any.

The result was what we internally called the “mapping explosion.”

EAF v2: Frameworks chain through flat controls, creating implicit cross-framework dependencies.

How v3 Fixes This

EAF v3 introduces a simple but powerful structural change: areas and objectives.

Areas (140 total) are broad control domains - things like “Secure Configurations” or “Data Subject Rights.” They represent the what of your compliance program at a high level.

Objectives (~494 total) sit underneath areas and define specific, testable goals. So instead of one catch-all “Secure Configurations” control, you now get distinct objectives like:

EA0429.01: Ensure Mobile Device Integrity

EA0429.02: Maintain Configuration Baselines

EA0429.03: Manage Credential and Key Configurations

Each framework requirement now maps to the specific objective it actually relates to, not just the broad area. And each mapping includes a relationship type (equivalent, subset, superset, or intersects) so even with dynamic controls unique to each customer, we can ensure full coverage of the subscribed frameworks.

EAF v3: Each framework requirement maps to a specific objective under a clear area hierarchy.
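The example below is added here to make the two models concrete; it is not EasyAudit's code. It reproduces the post's v2 case (two Annex A controls chained to one COSO Principle, two NIST requirements behind each) and a v3 layout where requirements map straight to objectives with a relationship type. Only the EA0429.01-.03 objective IDs come from the post; every requirement ID and the "covered when its objective is implemented" rule are constructed assumptions.

```python
# Added example (not EasyAudit's code): v2 transitive fan-out vs. v3 objective mapping.
# All requirement IDs are constructed placeholders; EA0429.* objectives are from the post.
from collections import defaultdict

# v2 style: frameworks chained through each other. Two ISO Annex A controls map to
# one SOC 2 principle; two NIST CSF requirements map to each Annex A control.
SOC2_TO_ISO = {"SOC2-P1": {"ISO-A1", "ISO-A2"}}                               # constructed
ISO_TO_NIST = {"ISO-A1": {"NIST-1", "NIST-2"}, "ISO-A2": {"NIST-3", "NIST-4"}}  # constructed

def transitive_map(*hops):
    """Compose framework-to-framework mappings; the fan-out compounds at every hop."""
    result = {src: set(dsts) for src, dsts in hops[0].items()}
    for hop in hops[1:]:
        result = {src: set().union(*(hop.get(mid, set()) for mid in mids))
                  for src, mids in result.items()}
    return result

# v3 style: every requirement maps directly to one objective, tagged with a
# relationship type (equivalent, subset, superset, intersects). Constructed data.
V3_MAPPINGS = [
    ("SOC2-P1", "EA0429.02", "superset"),
    ("ISO-A1",  "EA0429.02", "equivalent"),
    ("ISO-A2",  "EA0429.03", "equivalent"),
    ("NIST-1",  "EA0429.01", "subset"),
    ("NIST-2",  "EA0429.02", "intersects"),
    ("NIST-3",  "EA0429.03", "equivalent"),
    ("NIST-4",  "EA0429.03", "subset"),
]

def framework_of(requirement):
    """Framework prefix of a constructed requirement ID, e.g. 'NIST-1' -> 'NIST'."""
    return requirement.split("-")[0]

def objectives_by_framework(mappings):
    """Objective -> set of frameworks that have at least one requirement on it."""
    index = defaultdict(set)
    for req, objective, _relationship in mappings:
        index[objective].add(framework_of(req))
    return index

def overlap(mappings, fw_a, fw_b):
    """Objectives where two frameworks overlap; everything else is where they diverge."""
    index = objectives_by_framework(mappings)
    return {obj for obj, fws in index.items() if {fw_a, fw_b} <= fws}

def uncovered(mappings, subscribed, implemented_objectives):
    """Requirements of subscribed frameworks whose objective is not implemented.
    Assumed coverage rule: a requirement is covered once its objective is in place."""
    return sorted(req for req, obj, _ in mappings
                  if framework_of(req) in subscribed and obj not in implemented_objectives)
```

With the constructed data, the v2 chain lands four NIST requirements on the single SOC 2 principle, while the v3 index answers overlap and coverage questions per objective without ever passing through another framework.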

How Migration Works

If you’re an existing EasyAudit customer, you don’t need to start from scratch. We built a complete migration system that preserves your existing work:

  1. Gap analysis: We compare your current v2 controls against the v3 objective structure and show you exactly what’s covered and what’s new.

  2. Automated remapping: 85% of v2 controls have a direct one-to-one match in v3. The remaining 15% have close partial matches that are flagged for your review.

  3. Safe rollback: Every migration creates an immutable snapshot of your pre-migration state. If anything looks off, you can roll back with a single action.

The migration happens on your schedule, per organization. Your existing controls, evidence, and audit history are preserved throughout the process, and our dedicated compliance expert will help guide you through.

What This Means for You

New frameworks FAST

Frameworks are mapped to EAF Objectives using our Mapping Engine, and then approved by a set of experts. Adding support for new frameworks just went from weeks to days.

Cleaner multi-framework support

If your organization is pursuing SOC 2 and ISO 27001 and HIPAA, you’ll see exactly where those frameworks overlap at the objective level and where they diverge. 

Smarter monitoring

Automated compliance tests now map to precise objectives rather than broad areas. This means fewer false positives, more targeted remediation, and clearer reporting on what’s actually passing or failing.

What’s Next

EAF v3 is the foundation for everything we’re building going forward - from more granular risk scoring to automated evidence linking to expanded framework support. By getting the taxonomy right, we’ve unlocked a level of speed and precision that simply wasn’t possible before. 

If you have questions about your organization’s migration timeline or want to see the gap analysis for your controls, reach out to your EasyAudit contact or email us at support@easyaudit.ai.
