One Audit. Four Standards. Zero Duplication.
How to Build a Master Questionnaire as Your Single Source of Truth for ISO 27001, ISO 42001, NIST 800-53, and GDPR
I want to tell you about a problem that is quietly draining compliance teams at SaaS companies right now — and a structural fix that changed how we think about audits entirely.
Here is the situation most security and compliance leaders find themselves in. You hold ISO 27001 certification. Your enterprise customers require NIST 800-53 Rev 5 verification. GDPR applies because you handle European personal data. And now, with AI baked into your product, ISO 42001 is on the table too. Four frameworks. Four sets of controls. Four different auditors asking different versions of the same fundamental questions.
The instinctive response is to build four compliance programs — one for each standard. Four spreadsheets, four evidence libraries, four cycles of internal prep, four rounds of answering the same question about your access control policy worded slightly differently each time.
We did this at client. It was expensive, repetitive, and structurally fragile. Every time a policy changed, we had to update it in four places. Evidence collected for one audit sat invisible to the others. The left hand genuinely did not know what the right hand was doing.
Then we asked a different question: What if there was only one audit?
The Insight That Changes Everything
Across ISO 27001:2022, ISO 42001:2023, NIST SP 800-53 Rev 5, and GDPR, the vast majority of what auditors actually want to know falls into the same 18 operational domains: governance, risk management, access control, data protection, cryptography, incident response, business continuity, supplier management, secure development, and so on.
The standards differ in language, structure, and emphasis. But the underlying security and privacy reality they are probing — your policies, your controls, your evidence — is the same reality. An ISO 27001 auditor asking about your access control policy (A.5.15) and a NIST assessor asking about AC-1 are fundamentally asking the same organization the same question. Your Access Control Policy v1.3 answers both of them.
This is the foundation of the Master Questionnaire approach: write the question once, map the answer to every standard it satisfies simultaneously.
Why Most Multi-Standard Programs Fail Structurally
Before describing what to build, it is worth being precise about why the typical approach breaks down. The problem is not effort or intention — compliance teams work hard. The problem is architecture.
Most organizations build what I call parallel catalogs: one spreadsheet or GRC module per standard, each with its own question set, its own evidence columns, its own status tracking. When the ISO 27001 auditor asks about incident response and the GDPR auditor asks about breach notification, they get two separate answers pointing to the same IR Procedure — but there is no structural connection between them. If you update the procedure, you have to remember to update both rows in both sheets. You usually do not. Inconsistencies accumulate. Auditors notice.
The second failure is ID scheme collision. This sounds technical but it matters enormously in practice. If your internal questionnaire uses “IR-01” for your Incident Response domain questions and NIST SP 800-53 uses “IR-1” for the same family, you end up with ID conflicts that make cross-referencing impossible. You cannot write a formula or filter that reliably maps one to the other. We ran into exactly this problem in our own workbook, discovering 173 NIST Moderate baseline controls that existed only in a standalone NIST catalog with no connection whatsoever to the master question set.
The third failure is scope mismatch. NIST SP 800-53 Rev 5 Moderate baseline has approximately 235 distinct controls across 20 families when enhancements are included. ISO 27001:2022 has 93 Annex A controls. ISO 42001:2023 has 38 AI-specific controls. GDPR has 99 Articles. Organizations routinely under-scope their questionnaires, sampling 26 or 30 NIST controls and calling it “covered.” A real Moderate baseline assessment covers every control — AC-1 through SR-12, including every enhancement number that the baseline requires.
The Architecture of a Single Source of Truth
Here is how to build it correctly.
Start with 18 operational domains, not four standards.
The domains should reflect how your organization actually operates: Governance & Policies, Scope & Context, Risk Management, Access Control & Identity, Data Protection & Privacy, Cryptography & Key Management, Network & Infrastructure Security, Secure Development, Incident Response, Business Continuity, Supplier & Third-Party Management, Physical & Environmental Security, Human Resources Security, Audit Logging & Monitoring, Configuration & Change Management, AI Governance, Compliance & Internal Audit, and Cross-Border Data Transfers.
Every question you write lives in one of these domains. The domain structure is standard-agnostic — it reflects your operational reality, not any single framework’s chapter structure.
Write questions that satisfy multiple standards simultaneously.
Take access control as an example. Rather than writing four separate questions — one citing ISO 27001 A.5.16, one citing NIST AC-2, one citing GDPR Art. 32, one citing ISO 42001 A.6.2.2 — you write one question: “Describe the complete joiner-mover-leaver process. How are accounts created, modified, and deactivated? What is the maximum time to deprovision a terminated user?”
This single question satisfies ISO 27001:2022 A.5.16 and A.5.18, NIST SP 800-53 Rev 5 AC-2, AC-2(1), AC-2(3), and AC-2(5), and GDPR Art. 32. One answer. Four standards. That is not a shortcut — that is what a mature account management process actually looks like when described completely.
Use a collision-free ID scheme from the start.
This is a technical detail that pays significant dividends. Cross-standard questions should use domain-based prefixes that do not clash with any standard’s own naming: G- for Governance, A- for Access Control, INC- for Incident Response (not IR-, which collides with the NIST IR family), BCP- for Business Continuity, CFG- for Configuration Management (not CM-, which collides with NIST CM), CRY- for Cryptography, and so on.
NIST-specific questions — those covering Moderate baseline controls not addressed by any cross-standard question — should use a clearly distinct scheme: NIST-{family}-{sequence}, for example NIST-AC-07 for AC-7, NIST-PE-04 for PE-13. This makes the source of every question unambiguous and allows you to filter programmatically by standard without collision.
The Master tab is the only place answers live.
Every auditor view — ISO 27001 tab, ISO 42001 tab, NIST tab, GDPR tab — is a filtered subset of the Master, not an independent document. When the answer to a question changes, you update it once in the Master. The filter propagates to all auditor views automatically. If you find yourself maintaining two versions of an answer, your architecture has a flaw.
Add a Question Source column.
This single column distinguishes between cross-standard questions (one question, many standards) and NIST-specific questions (one control, one question). It tells any auditor looking at the sheet exactly what they are looking at and why the question exists. It also tells your team where to invest effort — cross-standard questions with a “★ Shared” marker satisfy three or more frameworks simultaneously and should be answered first.
What the Numbers Look Like in Practice
When we implemented this at client, the numbers clarified the approach nicely.
We ended up with 213 total questions in the Master: 104 cross-standard questions covering all 18 operational domains, and 109 NIST-specific questions covering NIST Moderate baseline controls that needed dedicated coverage. The NIST auditor view contains 212 questions — covering 235 distinct NIST controls — all filtered directly from the Master. The ISO 27001 view contains 209 questions. The GDPR view contains 206. The ISO 42001 view contains 138, reflecting that ISO 42001’s scope is intentionally narrower.
Of the 213 total questions, 56 are marked as shared controls — meaning a single answer to that question satisfies three or more standards simultaneously. These 56 questions are the highest-leverage evidence collection effort in your entire audit programme. Answer them well and you have satisfied the core control requirements of all four frameworks for the most critical domains: risk management, access control, encryption, incident response, supplier management, data protection, logging, and business continuity.
Before this restructure, we had a v3 workbook with 104 questions in the Master and 187 in a standalone NIST tab with zero structural connection between them. The root cause was that the NIST tab had been built as a separate catalog with NIST family-based IDs that clashed with our domain IDs, making cross-referencing impossible. This is a common mistake and worth naming explicitly: a NIST tab that cannot be proven to be a filtered view of the Master is not a single source of truth — it is a second source of truth, which is the same as no single source of truth at all.
The Columns That Make It Work
A Master Questionnaire has a specific anatomy. Every row needs:
Q-ID — unique, collision-free identifier following your scheme.
Domain — the operational domain, not the standard’s chapter.
Audit Question — written to satisfy all applicable standards simultaneously, framed around your actual controls and evidence.
Audit Type — Document Review, Technical Review, Interview, Sample, or combinations. This tells both your team and the auditor what kind of evidence the question expects.
ISO 27001:2022 reference — official Annex A control IDs (A.5.1 through A.8.34) and Clause references (Cl.4 through Cl.10). Not approximated — exact.
ISO 42001:2023 reference — official Annex A control IDs (A.2.2 through A.10.4) and Clause references. ISO 42001 Annex A objectives (A.x.1 entries) are not controls — the controls begin at A.x.2. This distinction matters when an ISO 42001 auditor checks your SoA.
NIST SP 800-53 Rev 5 reference — official control IDs with enhancement numbers. AC-2(1) is a different control from AC-2. A Moderate baseline assessment distinguishes between them. If your questionnaire collapses AC-2 and all its enhancements into a single cell without specifying which enhancements apply, your NIST assessor will push back.
GDPR reference — specific Article numbers at sub-article precision. Art. 5(1)(c) is different from Art. 5(1)(e). Art. 28(3) specifies the mandatory clauses in a DPA. Approximated references like “Art. 32 generally” are insufficient for a DPO-level review.
Answer column — blank, awaiting your response. This is the most important column in the workbook. It is where your security reality meets the standards’ requirements.
Status — a dropdown: Implemented, Partial, Not Implemented, N/A, Not Tested. The Partial status is particularly important — it tells auditors and management exactly where gaps exist without overstating or understating compliance.
Evidence / Document Reference — the policy name, version, section, screenshot, log excerpt, or configuration that proves the answer. This column is pre-filled with hints when you build the questionnaire (e.g., “Access Control Policy v1.3; 90-day review evidence; LastPass configuration”) and updated with actual references during audit preparation.
Question Owner — the individual responsible for providing the answer and evidence. Compliance does not happen in a CISO’s office alone. Owners span IT, HR, Legal, DevOps, the AI Officer, and the DPO.
Auditor Notes — reserved for the auditor. Your team does not pre-fill this column. It is the auditor’s workspace during the actual audit session.
Shared Control flag — a star marker for questions satisfying three or more standards. Your audit preparation team should complete all starred questions first. They represent the core of your compliance posture across every framework.
The Audit Session Experience
Here is what this looks like in practice when you sit down with an auditor.
Your ISO 27001 auditor receives the ISO 27001 filtered view tab. They see 209 questions, each with official Annex A or Clause references, your pre-populated answer, a status, and an evidence reference. They work through the Auditor Notes column adding their observations. They do not need to navigate the NIST questions or the AI governance section unless a control overlaps.
Your NIST assessor receives the NIST view tab: 212 questions covering 235 controls across all 20 families from AC through SR. Both cross-standard questions (where your Access Control Policy satisfies AC-1, AC-2, AC-3 simultaneously) and NIST-specific questions (AC-7 lockout thresholds, AC-11 device lock, SC-15 collaborative device controls) are visible, with the Question Source column clearly labeling each type.
Your DPO or privacy auditor receives the GDPR view: 206 questions covering Articles 5 through 83, with cross-references to the ISO 27001 and ISO 42001 controls that satisfy the same requirement. The RoPA question, the DPIA question, the data subject rights process question, the breach notification procedure — all answered once in the Master, surfaced here for the privacy auditor’s review.
What none of these auditors receive is a contradictory answer. Because there is only one answer. There is only one Master.
The AI Governance Layer
ISO 42001:2023 deserves specific attention because it is the newest of the four standards and the one most organizations are building from scratch rather than extending from existing programs.
The standard requires several things that have no direct analog in ISO 27001 or NIST. AI System Impact Assessments (AISIAs) are mandatory for every AI system in scope — a structured analysis of potential impacts on individuals, groups, and society, resulting in a Low, Medium, or High impact classification. This feeds directly into how much human oversight, transparency, and testing is required for each system. Your AI governance questions need to cover this lifecycle: system registration, AISIA, responsible design principles (A.6.1.3), verification and validation testing (A.6.2.4), controlled deployment (A.6.2.5), monitoring (A.8.5), and AI-specific incident management (A.8.4).
The AI data governance controls — A.7.2 through A.7.6 covering data quality, provenance, and preparation — have meaningful overlap with GDPR’s data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b)), and privacy by design (Art. 25) requirements. A single well-written question about AI data governance can cover all of these simultaneously, but only if you know both standards well enough to write it that way.
The EU AI Act adds a classification layer that sits above ISO 42001 rather than within it: your AI systems need to be assessed against the Act’s risk tiers (prohibited, high-risk Annex III, limited risk, minimal risk) with resulting compliance obligations. This is an AIX-domain question in the Master with no NIST equivalent — which is fine, because not every question needs to satisfy all four standards. The single source of truth principle does not mean every question covers every standard; it means every answer lives in one place.
Five Principles to Build By
If I were starting this process from scratch at a new organization, I would anchor on five principles from day one.
Official control IDs only. Approximated references create ambiguity that auditors exploit. If your ISO 27001 reference says “A.5 generally” instead of “A.5.15; A.5.16; A.5.18,” a thorough auditor will ask which specific controls you are claiming coverage for and you will have to reconstruct the mapping under pressure. Use the exact IDs from the published standards. ISO 27001:2022 Annex A runs from A.5.1 to A.8.34. NIST 800-53 Rev 5 AC-2(1) is a separate control from AC-2. These distinctions are in the standards for a reason.
Full coverage, not sampling. A Moderate NIST baseline assessment covers approximately 235 controls. An ISO 27001 audit covers all 93 Annex A controls. Sampling — picking representative controls from each family — may satisfy a checkbox exercise but it will not satisfy a thorough assessor and it will not actually tell you where your gaps are. The discipline of building complete coverage is also the discipline of discovering what you do not have implemented yet.
One answer, not four. If you catch yourself writing the same answer in two different tabs, your architecture is broken. Fix the architecture, not the duplicate. The structural constraint — all auditor views are filtered subsets of the Master — should make duplication physically impossible.
Gaps are information, not failure. The Partial and Not Implemented status options are not admissions of guilt — they are the output of an honest audit programme. A questionnaire where everything is marked Implemented before an auditor has looked at it is not a compliance programme; it is a liability. Real compliance posture requires knowing where you stand, including the uncomfortable parts.
The questionnaire is a living document, not a pre-audit scramble. The most valuable thing a Master Questionnaire does is shift compliance from a periodic event to a continuous state. When your IR procedure changes, you update the INC-01 answer. When you onboard a new AI service provider, you update the AIX-09 answer and the SUP-03 answer. The questionnaire should be reviewed quarterly, updated continuously, and owned by named individuals — not assembled in the three weeks before an auditor arrives.
A Note on AI-Assisted Compliance
One of the most significant changes in compliance practice over the last two years is the ability to use AI tools to populate questionnaire answers from an organization’s existing knowledge base — policies, procedures, security documentation, vendor assessments, architecture documents.
This does not replace human judgment. The Answer column in a Master Questionnaire still requires a human to verify accuracy, attach actual evidence references, and set a status they are willing to defend in an audit. But it dramatically compresses the time between “questionnaire template built” and “questionnaire ready for auditor review.”
At ShareVault, where our knowledge base includes our Security Policy, Access Control Policy, AI Management Policy, Incident Response Procedure, Risk Assessment Procedure, Privacy Policy, and Security & Availability documentation, an AI tool can populate an initial draft of most answers from these sources and flag which questions have insufficient documentation to answer — which is itself valuable information.
The key discipline is the same as for all AI-assisted work: the human remains accountable for the output. The AI drafts; the owner reviews, corrects, and signs off. The auditor evaluates the answer, not the method used to produce it.
Where to Start
If you are managing compliance across multiple standards and you recognize the structural problems described here, the path forward is straightforward even if the work is substantial.
Start with a gap analysis of what you currently have. Count your actual questions per standard. Map each one to the official control ID it is claiming to satisfy. Find the NIST families you have not covered at all (typically MA, MP, PE, PL, and SR are the most common gaps). Identify whether your auditor view tabs are provably filtered subsets of a master, or independent catalogs that happen to cover some of the same ground.
Then rebuild the Master with the architecture described above. It takes time to write 213 questions with precise official references. But you write them once. After that, every audit, every evidence collection cycle, and every questionnaire from a customer or prospect draws from the same source.
That is the value of a single source of truth. Not that compliance becomes easy — but that every effort you invest in it compounds instead of fragmenting.
The client team holds ISO 27001:2022 certification (SHA-27K-PRI) and ISO 42001:2023 certification (SHA-AIMS-20260129), maintains NIST SP 800-53 Rev 5 Moderate baseline verification, and operates under GDPR as both a data controller and processor for European customers. The Master Audit Questionnaire described in this article was built through iterative refinement of our own internal compliance programme.
#InformationSecurity #Compliance #ISO27001 #ISO42001 #NIST #GDPR #AuditPreparation #AIGovernance #DataProtection #CyberSecurity #GRC #CISO #DPO #SaaS #RiskManagement
AI Vulnerability Scorecard: Discover Your AI Attack Surface Before Attackers Do
Your Shadow AI Problem Has a Name-And Now It Has a Score
Most AI Security Tools Won’t Pass an Audit. Here’s a 15-Minute Way to Find Out.
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | AIMS Services | Security Risk Assessment Services | Mergers and Acquisition Security
- One Audit – Four Standards – Zero Duplication
- GDPR Isn’t a Checkbox. It’s the Privacy Standard Your Organization Can’t Afford to Ignore
- Most companies deploying AI in the EU still don’t know what tier they’re in
- You Can’t Certify What You Haven’t Mapped: The Case for an ISO 27001 Gap Assessment
- The New Identity Perimeter: Machines, Agents, and the Trust Problem
