Audit-Ready Evidence. Always Current.
Spend time on analysis, not evidence collection
Internal and external auditors need timely, verifiable evidence mapped to specific control requirements. FortisEU provides a read-only auditor view with pre-mapped evidence, version history, collection timestamps, and framework-specific export packs — eliminating weeks of back-and-forth requests.
The challenges you face
Evidence Request Cycles
Weeks of back-and-forth with control owners: request evidence, receive the wrong version, request again, wait for the owner to find the right document. Each audit cycle repeats this pattern across hundreds of controls.
Stale Evidence
Documents from last year presented as current. Penetration test reports beyond their validity window. Policy documents that have not been reviewed since the last audit. Evidence staleness undermines audit confidence.
Unmapped Evidence
Evidence exists somewhere — in shared drives, ticketing systems, cloud consoles — but it is not linked to specific controls. Auditors spend more time locating and verifying evidence than analysing it.
Multi-Framework Audit Scope
One audit engagement covering NIS2 and ISO 27001 simultaneously. Different frameworks, different control numbering, but overlapping requirements. Mapping evidence across frameworks manually is error-prone and time-consuming.
How FortisEU helps
Evidence Collection
Automated evidence collection with timestamps, source attribution, and version history. Every piece of evidence shows when it was collected, from which system, and which control it satisfies. No more chasing control owners.
Compliance Automation
Pre-mapped controls across 84+ frameworks. View the complete control inventory, gap analysis, and compliance scores before starting your audit. Cross-framework mapping shows how controls satisfy multiple requirements.
Regulatory Exports
Framework-specific audit packs with one click: ISO 27001 Statement of Applicability, NIS2 Art. 21 measures, DORA ICT risk framework. Each export includes mapped evidence, collection dates, and audit trail.
Executive Dashboards
Audit-relevant analytics: compliance score trends, evidence freshness distribution, control ownership coverage, and remediation velocity. Historical data shows improvement trajectory over time.
Risk Management
Risk register with historical snapshots. View risk assessment methodology, scoring criteria, treatment plans, and residual risk acceptance records. Full audit trail of risk register changes with timestamps.
Asset Registry
Complete asset inventory with classification, ownership, and criticality ratings. Asset-to-control mapping shows which assets are covered by which controls, supporting scope validation and completeness testing.
A day with FortisEU
Log in to auditor view — review assigned control scope, 247 controls across ISO 27001 and NIS2 [Compliance Automation]
Evidence verification — check collection timestamps and source systems, flag 3 items past freshness threshold [Evidence Collection]
Cross-framework mapping review — verify ISO 27001 A.12 controls also satisfy NIS2 Art. 21(2)(e) [Compliance Automation]
Risk register examination — review historical risk trends, treatment plan completion rates, residual risk acceptance [Risk Management]
Export audit findings report — PDF with control gaps, evidence deficiencies, and remediation recommendations [Regulatory Exports]
Remediation tracking — verify corrective actions from previous audit have been implemented with evidence [Evidence Collection]
Frameworks you work with
“The evidence was already there, already mapped, already timestamped. What used to take us three weeks of requests took three hours of review.”
— Lead Auditor, Big Four Advisory (anonymised)
Common questions
What does the auditor view look like?
FortisEU provides a read-only auditor portal scoped to the specific audit engagement. Auditors see the control inventory for their assigned frameworks, with each control linked to its evidence artifacts. The view includes compliance scores, gap analysis, evidence freshness indicators, and risk register access — without the ability to modify any data. Audit findings can be recorded directly in the platform for remediation tracking.
How is evidence freshness guaranteed?
Each evidence type has a configurable freshness policy: penetration tests valid for 12 months, vulnerability scans weekly, policy reviews annually, access reviews quarterly. FortisEU monitors these thresholds continuously and displays freshness status alongside each evidence artifact. Auditors can immediately see which evidence is current (green), approaching expiry (amber), or stale (red) without manual verification of document dates.
Can I export evidence packs?
Yes. FortisEU generates framework-specific audit packs as structured PDF exports. Each pack includes the control inventory, mapped evidence with collection timestamps and source attribution, gap analysis summary, remediation status, and risk context. Exports can be scoped to specific frameworks (ISO 27001 SoA, NIS2 Art. 21, DORA Art. 6) or generated as a comprehensive cross-framework pack for multi-standard audits.
How does cross-framework mapping help audits?
When auditing an organisation against both ISO 27001 and NIS2, cross-framework mapping shows exactly how each ISO 27001 Annex A control maps to NIS2 Article 21 requirements. This eliminates the need to review the same control twice under different frameworks. Auditors can validate that a single access control policy satisfies both ISO 27001 A.9.2 and NIS2 Art. 21(2)(i), reducing audit scope overlap and improving engagement efficiency.
Is there an audit trail of changes?
Every change in FortisEU is recorded in an immutable audit log: control modifications, evidence uploads, risk register changes, policy approvals, and user access events. Each entry includes the actor, timestamp, previous value, and new value. The audit trail is exportable and satisfies ISO 27001 A.12.4 (logging and monitoring) and NIS2 Art. 21(2)(g) (security monitoring) requirements. Retention policies are configurable per regulatory requirement.
Also relevant for
For Compliance Officers
Stop maintaining spreadsheets. Start maintaining compliance.
For CISOs (Security Leadership)
From multi-framework chaos to unified security posture
For Risk Managers (Risk Management)
From static registers to dynamic, quantified risk management
See FortisEU for Auditors
Create an account and explore the platform, or talk to our team about enterprise deployment.