Nexus Comply — Compliance Mapping

Compliance is the gap between the controls a regulation asks for and the capabilities you can actually prove you run. Nexus Comply closes it: it maps regulatory controls — Indonesia's UU PDP and ISO/IEC 27001:2022 — to the Nexus capabilities that evidence them, then scores coverage straight from your live deployment state. Deterministic, no AI, auditor- and DPO-ready.

Topic: Compliance · Governance
Frameworks: UU PDP · ISO 27001:2022
Scoring: Deterministic (no AI)
API: /comply/frameworks · /comply/report

What it does

Nexus Comply ships two control frameworks and maps each control to the Nexus capabilities that evidence it. Then, instead of asking you to self-attest, it reads your real deployment state and scores every control as covered, gap or manual. The score is computed from live signals — there is no model and no guessing, so the same deployment always scores the same way and an auditor can trace every result back to a concrete capability.

  • Two frameworks — UU PDP (UU No. 27 Tahun 2022) with 11 controls, and ISO/IEC 27001:2022 Annex A (technological subset) with 12 controls.
  • Three states — each control is scored covered, gap or manual.
  • Deterministic — coverage comes from real deployment signals, not AI — reproducible and explainable.
  • Actionable gaps — every gap carries a concrete recommendation for how to close it.
  • Dynamic coverage — the score rises as you enable the capabilities behind each control.

The two frameworks

List the available frameworks and their control counts with comply-frameworks.

  • UU PDP — Undang-Undang No. 27 Tahun 2022, Indonesia's Personal Data Protection law. 11 controls covering the obligations a personal-data controller carries.
  • ISO/IEC 27001:2022 Annex A — the technological subset of Annex A controls, 12 in total, covering the technical safeguards of an ISMS.

How coverage is scored

Each control is tied to one or more real signals from your deployment. When the signals are present, the control scores covered; when a capability exists but evidence has to be supplied by a human, it scores manual; otherwise it is a gap with a recommendation. Signals Nexus reads include:

  • Audit log present and the SHA-256 hash chain verified.
  • Encryption-at-rest enabled.
  • RBAC configured.
  • Threat-intel IOCs present in the store.
  • SOAR playbooks defined.
  • Nexus Canary honeytokens deployed.
  • Notification channels configured.
  • NDR active.

How to use it

1. List the frameworks
   See the frameworks available to report against and their control counts.

       nexus-cli comply-frameworks

2. Run a UU PDP report
   Score every UU PDP control against your live deployment state.

       nexus-cli comply-report --framework uu-pdp

3. Run an ISO 27001 report
   Score the ISO/IEC 27001:2022 Annex A technological controls.

       nexus-cli comply-report --framework iso27001

4. Close the gaps, re-run
   Each gap comes with a recommendation. Enable the capability it names, then re-run the report — the coverage percentage rises as you go.

Coverage is dynamic

The score is not a one-time grade — it tracks the state of your deployment. As an example, one deployment's UU PDP coverage went from 22% to 78% after enabling encryption-at-rest, importing threat intel, deploying Canary honeytokens, configuring notification channels, and defining a SOAR playbook. Every enabled capability flips one or more controls from gap to covered.

REST API

GET /comply/frameworks                  # list frameworks + control counts
GET /comply/report?framework=uu-pdp     # score UU PDP against live state
GET /comply/report?framework=iso27001   # score ISO 27001:2022 Annex A

A report returns the framework, its name, a summary with the coverage breakdown, the list of gaps (each with a recommendation), and the full per-control detail:

GET /comply/report?framework=uu-pdp
{
  "framework": "uu-pdp",
  "name": "UU PDP (UU No. 27 Tahun 2022)",
  "summary": {
    "total": 11,
    "covered": 7,
    "gap": 3,
    "manual": 1,
    "coverage_percent": 78
  },
  "gaps": [
    {
      "id": "...",
      "ref": "...",
      "title": "...",
      "recommendation": "..."
    }
  ],
  "controls": [ /* ... */ ]
}
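As an added example (not Nexus code), the following Python models both the scoring rule described under "How coverage is scored" and the report shape of the GET /comply/report response above: a constructed three-control framework, a SHA-256 hash-chain check that turns a raw audit log into the `audit_log` and `hash_chain_verified` signals, and the covered/gap/manual decision with its gap recommendations. The control set, signal names, deployment-state format, audit-entry format and the coverage formula (only covered controls count toward the percentage) are all assumptions; the page does not publish Nexus's control definitions or its formula.

```python
import hashlib, json
# Constructed three-control framework; not Nexus's real UU PDP or ISO 27001 control set.
DEMO_FRAMEWORK = {"id": "demo", "name": "Demo framework (constructed)", "controls": [
    {"id": "C1", "ref": "A.1", "title": "Tamper-evident audit trail", "manual": False,
     "signals": {"audit_log", "hash_chain_verified"}, "recommendation": "Enable and verify the audit log"},
    {"id": "C2", "ref": "A.2", "title": "Encryption at rest", "manual": False,
     "signals": {"encryption_at_rest"}, "recommendation": "Enable encryption-at-rest"},
    {"id": "C3", "ref": "A.3", "title": "DPO appointment documented", "manual": True,
     "signals": set(), "recommendation": "Attach the appointment record as evidence"},
]}

def entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def chain_verified(entries):
    """Re-walk the chain: each 'prev' must equal the hash of the entry before it (64 zeros first)."""
    prev = "0" * 64
    for e in entries:
        if e["prev"] != prev:
            return False  # an edited, dropped or reordered entry breaks this link
        prev = entry_hash(e)
    return True

def signals_from_state(state):
    """True flags become signals by name; an audit log adds 'audit_log', plus 'hash_chain_verified' if it verifies."""
    signals = {k for k, v in state.items() if v is True}
    if state.get("audit_log_entries"):
        signals.add("audit_log")
        if chain_verified(state["audit_log_entries"]):
            signals.add("hash_chain_verified")
    return signals

def comply_report(framework, signals):
    """Report shaped like the page's GET /comply/report example; deterministic in `signals`."""
    controls = []
    for c in framework["controls"]:
        status = "manual" if c["manual"] else ("covered" if c["signals"] <= signals else "gap")
        controls.append({"id": c["id"], "ref": c["ref"], "title": c["title"], "status": status,
                         "recommendation": c["recommendation"], "evidence": sorted(c["signals"] & signals)})
    gaps = [{k: c[k] for k in ("id", "ref", "title", "recommendation")} for c in controls if c["status"] == "gap"]
    counts = {s: sum(c["status"] == s for c in controls) for s in ("covered", "gap", "manual")}
    pct = round(100 * counts["covered"] / len(controls)) if controls else 0  # assumed: only 'covered' counts
    return {"framework": framework["id"], "name": framework["name"],
            "summary": {"total": len(controls), **counts, "coverage_percent": pct},
            "gaps": gaps, "controls": controls}

# Constructed deployment state: two linked audit entries, encryption not yet enabled.
_E1 = {"event": "login", "prev": "0" * 64}
DEMO_STATE = {"audit_log_entries": [_E1, {"event": "export", "prev": entry_hash(_E1)}],
              "encryption_at_rest": False}
```

Running `comply_report(DEMO_FRAMEWORK, signals_from_state(DEMO_STATE))` scores C1 covered, C2 a gap with its recommendation, and C3 manual; flipping `encryption_at_rest` to True closes the gap and raises the percentage, while a tampered audit entry drops `hash_chain_verified` and turns C1 into a gap.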

Indonesia-first

Most compliance tooling stops at international standards. Nexus Comply leads with UU PDP — Indonesia's Personal Data Protection law — so a local DPO or auditor sees the obligations they are actually accountable for, mapped to capabilities you already run. That local-market focus is a deliberate differentiator: ISO 27001 is there for the global ISMS story, but UU PDP is first.

Pairs with the tamper-evident audit log. A coverage score is only as good as the evidence behind it. Nexus Comply pairs with the tamper-evident audit log — the hash-chained, SHA-256 trail an auditor can verify — so your compliance posture and the evidence for it come from the same deployment.

Tips

  • Run the report before an audit and walk the gaps list — each one names exactly what to enable.
  • Lead UU PDP work with the uu-pdp framework; use iso27001 for the broader ISMS story.
  • Re-run after every capability change to watch coverage_percent climb.
  • Hand the report plus a verified audit log to your auditor or DPO as a single evidence package.