> ## Documentation Index
> Fetch the complete documentation index at: https://docs.matproof.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Custom Frameworks

> Build your own compliance frameworks, transposition layers, or industry standards entirely in the Matproof UI.

# Custom Frameworks

The Custom Frameworks editor lets you create and maintain compliance frameworks that aren't shipped out of the box — national transpositions of EU regulations (e.g. country-specific DORA or NIS2 implementations), industry-specific standards (TISAX, CIS Controls, internal policies), or proprietary control sets your organization or auditors require.

Custom frameworks behave exactly like built-in ones: they participate in cross-framework control mapping, support evidence automation, and produce audit-ready reports.

## When to Use Custom Frameworks

* **National transposition layers** — Add country-specific articles on top of an EU base framework (e.g. German BSI IT-Grundschutz on top of NIS2, Italian or French DORA national transposition)
* **Industry standards** — TISAX, CIS Controls, NIST SP 800-171, FedRAMP overlays, sector-specific schemes
* **Internal control catalogs** — Your own corporate security baseline, supplier code of conduct, ESG framework
* **Auditor-requested frameworks** — Custom control sets your auditor or regulator needs you to track

## What You Can Build

A custom framework in Matproof has the same structure as a built-in one:

| Object                | Purpose                                                                                           |
| --------------------- | ------------------------------------------------------------------------------------------------- |
| **Framework**         | Top-level container — name, version, description, regulator/source                                |
| **Requirements**      | The articles, controls, or clauses of the framework (e.g. "Article 9: Risk Management")           |
| **Control Templates** | Reusable controls that satisfy one or more requirements (e.g. "Quarterly access review")          |
| **Policy Templates**  | Document templates that the framework requires (e.g. "Incident Response Policy")                  |
| **Task Templates**    | Recurring tasks that produce evidence (e.g. "Annual penetration test", "Quarterly access review") |

Each requirement can be linked to one or more controls; controls can be linked to one or more policy templates; and policy/task templates can be reused across multiple custom and built-in frameworks.

## Building a Custom Framework

<Steps>
  <Step title="Open the Framework Editor">
    Go to **Settings > Custom Frameworks** and click **Create Framework**.
  </Step>

  <Step title="Define the framework metadata">
    Set the name, version, regulator/issuing body, jurisdiction, and a description. Choose whether the framework is mandatory or voluntary in your context.
  </Step>

  <Step title="Add requirements">
    Open the framework and add requirements one by one — each gets an identifier (e.g. "A.5.1"), a title, and a description. You can group requirements into chapters or domains.
  </Step>

  <Step title="Attach controls">
    For each requirement, attach one or more control templates. You can reuse controls already defined in built-in frameworks (so a single control can satisfy ISO 27001 A.5.15 *and* your custom framework's section 3.2).
  </Step>

  <Step title="Attach policies and tasks">
    Optionally link policy templates and task templates to controls so the framework drives the right document and evidence creation when adopted.
  </Step>

  <Step title="Publish and adopt">
    Publish the framework version. It now appears in Settings > Frameworks alongside built-in ones — your team adopts it the same way as DORA or NIS2.
  </Step>
</Steps>

## Versioning

Custom frameworks are versioned. When the underlying regulation or standard changes, create a new version of the framework — Matproof tracks the diff between versions and lets you migrate adopted controls forward without losing evidence history.

## API Access

Every custom framework operation is also available via the [REST API](/api-reference) — useful when you maintain framework definitions in source control or want to sync them from an external system. Endpoints cover frameworks, requirements, controls, policies, and tasks.

## Limitations

* Custom frameworks count against your plan's **framework limit**. See [Plans & Pricing](/features/plans). Enterprise plans include unlimited custom frameworks.
* Cross-framework control mapping is automatic for controls you reuse across frameworks; Matproof does not auto-map between custom frameworks based on text similarity (you control the linkage explicitly).

## Getting Started

<CardGroup cols={2}>
  <Card title="Frameworks Overview" href="/frameworks/dora">
    See built-in frameworks before deciding what to build custom
  </Card>

  <Card title="API Reference" href="/api-reference">
    Manage custom frameworks programmatically
  </Card>
</CardGroup>
