---
title: "Nobody Complies With a PDF. Turn It Into Tasks."
canonical_url: "https://www.sorena.io/resources/framework-into-a-to-do-list"
source_url: "https://www.sorena.io/resources/framework-into-a-to-do-list"
author: "Sorena AI Team"
description: "A framework is action work in disguise. ISO 27001 has 93 Annex A reference controls to evaluate, and NIS2 Article 21 has 10 measure areas to address."
published_at: "2026-07-05"
keywords:
  - "compliance framework"
  - "ISO 27001 controls"
  - "NIS2 requirements"
  - "obligation mapping"
  - "control mapping"
  - "compliance tasks"
  - "assessment automation"
  - "audit readiness"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# Nobody Complies With a PDF. Turn It Into Tasks.

*Sorena AI Team | Compliance Automation | 2026-07-05*

> You do not comply with a standard by reading it. You comply by doing the specific things it asks, one by one, with someone accountable for each. A framework is obligations in disguise. The work is turning it into a to-do list nobody can ignore.

![A compliance framework PDF turned into owned, tracked tasks across ISO 27001 and NIS2 requirements](https://cdn.sorena.io/cdn-cgi/image/width=1400,quality=88,format=auto/images/resources/framework-into-a-to-do-list.png)

## Key takeaways

- A framework is action work, not a document. ISO/IEC 27001:2022 carries 93 Annex A reference controls that an organization evaluates through risk treatment and the Statement of Applicability.
- NIS2 Article 21(2) lists 10 minimum cybersecurity risk-management measure areas that essential and important entities must address with appropriate and proportionate controls. Reading them is not complying with them.
- The gap between a PDF and compliance is manual: someone has to extract every requirement, assign an owner, and track it to done.
- Extract obligations into owned, tracked tasks once, grounded in a single source, and the framework stops being a wall of text and starts being work that moves.

## A PDF is not compliance

A framework arrives as a document. A standard, a directive, a customer requirement. It looks like knowledge. It is actually a work order in disguise.

Reading it changes nothing. Filing it changes nothing. The only thing that moves the needle is doing the specific things it asks and proving you did them. Every framework is a list of obligations wearing a document costume. Compliance starts the moment you strip off the costume and turn each obligation into a task someone owns.

## Count the obligations, not the pages

**The scale hides in plain sight.** [ISO/IEC 27001](/artifacts/global/iso-27001), ISO's information security management system requirements standard, carries 93 controls in Annex A of its 2022 edition. They are not automatically 93 mandatory implementation tasks for every organization. They are reference controls to evaluate, select where applicable, implement when needed, or exclude with a documented rationale in the [Statement of Applicability](/artifacts/global/iso-27001/statement-of-applicability-evidence-workflow).

Standards do not stand alone either. NIST publishes [SP 800-53](/artifacts/global/nist-sp-800-53-rev-5) supplemental mappings that help organizations compare its control catalog with [ISO/IEC 27001](/artifacts/global/iso-27001). NIST warns those mappings are not automatically one-to-one, which is exactly the point: a single control theme can support more than one framework, but the mapping still needs judgment. Count the decisions, owners, and evidence, not just the pages, and the real size of the job appears. For the detailed crosswalk problem, see [NIST 800-53 vs ISO 27001](/artifacts/global/nist-sp-800-53-rev-5/nist-800-53-vs-iso-27001).

## Regulation has the same shape

**It is not just voluntary standards.** Law works the same way. The European Commission describes [NIS2](/artifacts/eu/nis2-directive) as requiring essential and important entities to take appropriate cybersecurity risk-management measures, and [Article 21(2)](/artifacts/eu/nis2-directive/article-21-control-by-control-evidence) of the directive lists 10 minimum measure areas, from risk analysis and incident handling to supply chain security and business continuity.

Ten headings sounds manageable. It is not. Each one expands into policies to write, controls to run, and evidence to keep, with proportionality and sector context still mattering. The directive tells you what to achieve, not who on your team does it or by when. That translation is the actual work, and no PDF does it for you. When the rules change, tracking what moved is a job of its own, which is why teams pair framework work with a live [regulatory watch](/solutions/law-tracker). The same holds for [ESG and sustainability rules](/solutions/esg-compliance): another set of obligations that only count once someone owns each one.

## Show the requirement becoming work

**A requirement becomes useful when it has six fields.** Source requirement, plain-language obligation, control or task, owner, due date, and evidence. Add status and reviewer, and now the PDF has become operating work.

That is the extraction pipeline: ingest the framework, split obligations, map controls, assign owners, request evidence, and produce an audit package. The magic is not that AI read the document. The value is that nobody has to wonder which sentence became which task, or which task proves which obligation.

## The translation is manual, and that is the tax

**Somebody has to do the extraction by hand.** Between the document and a working compliance program sits a slow, manual step: read the requirement, decide what it means for your context, find who should own it, set a deadline, and track it to done. Multiply that by 93 [ISO 27001](/artifacts/global/iso-27001) Annex A controls to evaluate, or 10 [NIS2](/artifacts/eu/nis2-directive) Article 21 measure areas that fan out into policies, controls, and evidence, across every framework you carry.

This is where weeks disappear. Not in the doing, in the sorting. Teams re-read the same clauses, argue over ownership in meetings, and lose track of which obligations are covered and which are still open. The framework becomes a source of dread instead of a plan. The tax is the manual translation, and it is paid over and over.

## Extract once, own forever

**Do the translation once, correctly, and keep it.** The fix is to turn the framework into structured, owned, tracked work the first time you touch it, then stop rebuilding that mapping from scratch. Each applicable obligation or selected control becomes a line item with a responsible person, a status, and the evidence attached to it.

This is what [Sorena Assessment](/solutions/assessment) does. It ingests a framework, standard, or questionnaire, extracts the requirements, maps them to your context, assigns actions, and tracks each one to completion. [ISO 27001](/artifacts/global/iso-27001) Annex A stops being a wall of text and becomes a set of decisions and tasks that move. What was a document becomes a plan, and the plan has owners.

## One source under every task

**Tasks without a shared source drift.** The moment obligations live in scattered spreadsheets and inboxes, versions diverge and answers go stale. A single control gets tracked three ways by three people, and nobody knows which is current.

Every extracted obligation in Sorena is grounded in the [Single Source of Truth](/solutions/ssot). One canonical record of what the requirement says, who owns it, its status, and its evidence. Because the same control or evidence can often support [ISO 27001](/artifacts/global/iso-27001), [NIS2](/artifacts/eu/nis2-directive), and other frameworks, mapping it once and grounding it once means you reuse the work where the underlying requirement really overlaps. No twelfth copy of the truth. No re-litigating what was already decided.

## A framework that actually moves

**Compliance is a to-do list, so treat it like one.** When obligations are extracted, owned, and tracked in one place, the framework stops being a document you dread and becomes work that visibly progresses. You see what is done, what is open, and who is on the hook, at any moment.

Start with one framework. Extract it into tasks, assign the owners, attach the evidence, and watch the wall of text turn into a plan. Nobody complies with a PDF. They comply with a list of tasks that someone owns and someone finishes. Turn the document into the list.

## Frequently asked questions

**Why isn't reading and understanding a framework enough?**

Because compliance is measured by what you do and can prove, not by what you have read. [ISO 27001:2022](/artifacts/global/iso-27001) has 93 Annex A reference controls that must be evaluated through risk treatment and the [Statement of Applicability](/artifacts/global/iso-27001/statement-of-applicability-evidence-workflow), while [NIS2](/artifacts/eu/nis2-directive) [Article 21(2)](/artifacts/eu/nis2-directive/article-21-control-by-control-evidence) lists 10 minimum cybersecurity risk-management measure areas for covered entities to address. Until the applicable requirements become owned, tracked work, nothing operational has changed.

**Do we have to redo this mapping for every framework?**

No. Sorena Assessment extracts requirements once and grounds them in the Single Source of Truth. Because the same control, evidence, or risk-management activity can often support [ISO 27001](/artifacts/global/iso-27001), [NIS2](/artifacts/eu/nis2-directive), and other frameworks, you map and answer it once, then reuse it where the overlap is real instead of rebuilding the work each time.

**Who owns the tasks once a framework is extracted?**

People do. Sorena assigns each obligation to a responsible owner with a status and attached evidence. The system handles extraction, mapping, and tracking; humans make the decisions and close the items. Every task is traceable back to the exact requirement it satisfies.

## Sources

- [ISO/IEC 27001:2022, Information security management systems (ISO)](https://www.iso.org/standard/27001?ref=sorena.io)
- [ISO/IEC JTC 1/SC 27 Journal, ISO/IEC 27002:2022 and 93 controls](https://committee.iso.org/files/live/sites/jtc1sc27/files/resources/Journal%202025.pdf?ref=sorena.io)
- [NIS2 Directive: securing network and information systems (European Commission)](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io)
- [Directive (EU) 2022/2555 (NIS2), EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555&ref=sorena.io)
- [NIST SP 800-53 Rev. 5 supplemental materials and mappings (NIST CSRC)](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final?ref=sorena.io)

## Keep reading

- [The Answer's in One Clause. Stop Reading the Whole Stack.](/resources/stop-reading-400-pages.md)
- [You Already Answered This. Twice. Last Quarter.](/resources/you-already-answered-this.md)
- [Audit Season Should Be Boring.](/resources/make-audit-season-boring.md)


---

[Privacy Policy](https://www.sorena.io/privacy.md) | [Terms of Use](https://www.sorena.io/terms-of-use.md) | [DMCA](https://www.sorena.io/dmca.md) | [About Us](https://www.sorena.io/about-us.md)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/resources/framework-into-a-to-do-list.md
