Framework interconnection diagram (not reproduced in this text): it shows the containment relationships between the frameworks, their control counts, and how each framework maps to the Fundamental and Advanced tiers.

Architecture

ISO 27001 as the governance wrapper

ISO 27001 is not a control framework in the same way the others are — it is a management system standard. Clauses 4 through 10 define how you govern security: how you set context and scope (clause 4), demonstrate leadership commitment (clause 5), plan and treat risks (clause 6), provide resources and awareness (clause 7), operate and document (clause 8), measure performance (clause 9), and run management review and corrective action (clause 10). None of the other frameworks in your stack has an equivalent governance scaffold. This is why ISO 27001 sits as the outer wrapper in the diagram — it is the engine that keeps the whole system alive and auditable, regardless of which control tier you are operating in.

In Confluence terms, this means your 12 policy pages and your risk register, audit schedule, management review records, and corrective action log are all ISO 27001 deliverables. They are not duplicated per framework. NIST 800-171 and DEFSTAN 05-138 each have their own evidence requirements, but the management system that governs that evidence is ISO 27001.


The critical containment relationship: CMMC and NIST 800-171

The most important interconnection to understand is that CMMC Level 1 is a strict subset of NIST 800-171. The 17 CMMC Level 1 practices come directly from FAR clause 52.204-21 and map one-to-one into specific NIST 800-171 controls across several of the 14 control families. CMMC Level 2 is defined as all 110 NIST 800-171 controls — nothing more, nothing less.

This means your Advanced tier pages in Confluence do not need to maintain a separate CMMC section. If you write your NIST 800-171 control pages correctly, CMMC Level 2 compliance is a natural outcome. For CMMC Level 1 specifically, the 17 practices are a view into the Fundamental tier, which is why the small "⊂ feeds" connectors appear in the diagram pointing from both Cyber Essentials and CMMC Level 1 toward NIST 800-171 in the Advanced tier.


How Cyber Essentials, CMMC Level 1, and DEFSTAN Level 0 relate

These three Fundamental tier frameworks address the same basic hygiene concerns but from different regulatory contexts — UK public sector supply chain (Cyber Essentials), US federal contracting (CMMC Level 1), and UK defence supply chain (DEFSTAN Level 0). Their overlap is substantial:

Cyber Essentials' five domains (firewalls, secure configuration, access control, malware protection, and patch management) map almost entirely into the CMMC Level 1 practices. DEFSTAN Level 0 is broadly described as "Cyber Essentials Plus" — it requires the same five domains but adds an independently assessed verification rather than self-attestation. For your Confluence pages, this means a single well-written procedure page on, say, Access Control can satisfy all three frameworks simultaneously, with a small Scroll Content Manager block at the bottom flagging the DEFSTAN-specific assessment requirement where it differs.

The practical authoring rule is: write the control page to the most demanding interpretation within the Fundamental tier (which is DEFSTAN Level 0's verified standard), and all three frameworks are satisfied. You then use SCM variants to surface only the relevant framework reference to each audience — a standard member of staff does not need to see the FAR clause citation, but a compliance officer does.


How DEFSTAN 05-138, NIST 800-171, and ISO 27001 Annex A align

At the Advanced tier, these three frameworks cover much of the same ground but with different emphases. NIST 800-171 is heavily focused on protecting Controlled Unclassified Information (CUI) in non-federal systems — its 14 control families range from access control and audit and accountability through to system and communications protection. ISO 27001 Annex A (now structured via ISO 27002:2022) has 93 controls across four groups: organisational, people, physical, and technological. The technological group has the heaviest overlap with NIST 800-171, with roughly 65–70 of the 110 NIST controls having a direct or near-direct Annex A counterpart.

DEFSTAN 05-138 is the UK-specific layer that wraps around both. Its Profile 1 (basic) aligns closely with NIST 800-171's lighter-weight controls and ISO 27001 Annex A's technological group. Profile 2 (enhanced) adds controls for more sensitive defence work and overlaps with the full NIST 800-171 set plus selected Annex A organisational and people controls around personnel security.

For your Confluence cross-reference library (the Reference Library section in the original architecture), the most valuable document you can build is a three-way control mapping table: NIST 800-171 control ID in the first column, corresponding ISO 27001 Annex A control in the second, DEFSTAN 05-138 reference in the third, and a Cyber Essentials domain tag in the fourth where applicable. This table becomes the single source of truth that every control page links back to, and it is what an auditor reviewing multi-framework compliance will want to see first.
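As an added example (not from the original page, and not tooling belonging to any of the frameworks named), the Python below models the three-way mapping table just described together with the containment rules from the CMMC section above: a control page is authored once against its NIST 800-171 ID, CMMC Level 2 coverage follows from that automatically because Level 2 is the full 110-control set, and CMMC Level 1 coverage is a subset check against the 17 practices. The 17 control IDs used for the Level 1 set are an assumption to verify against the current CMMC assessment guide; the sample table rows are constructed (real NIST and ISO 27002:2022 control numbers, but an illustrative pairing), and the DEFSTAN 05-138 references are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Counts stated on the page.
NIST_800_171_CONTROL_COUNT = 110   # CMMC Level 2 is defined as all 110 controls
CMMC_LEVEL1_CONTROL_COUNT = 17     # CMMC Level 1 is 17 practices, a subset of the 110

# ASSUMPTION: the 17 NIST 800-171 control IDs commonly cited as the CMMC Level 1
# set. Verify against the current CMMC Level 1 assessment guide before relying on it.
CMMC_LEVEL1: Set[str] = {
    "3.1.1", "3.1.2", "3.1.20", "3.1.22",
    "3.5.1", "3.5.2",
    "3.8.3",
    "3.10.1", "3.10.3", "3.10.4", "3.10.5",
    "3.13.1", "3.13.5",
    "3.14.1", "3.14.2", "3.14.4", "3.14.5",
}

# NIST 800-171 control IDs have the shape 3.<family 1-14>.<number>.
NIST_ID_RE = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})$")


@dataclass(frozen=True)
class MappingRow:
    """One row of the four-column cross-reference table described on the page."""
    nist_id: str                 # column 1: NIST 800-171 control ID
    annex_a: Optional[str]       # column 2: ISO 27001 Annex A control (ISO 27002:2022 numbering)
    defstan: Optional[str]       # column 3: DEFSTAN 05-138 reference
    ce_domain: Optional[str]     # column 4: Cyber Essentials domain, where applicable


# Constructed sample rows. NIST IDs and Annex A numbers are real identifiers, but the
# pairing is illustrative only; DEFSTAN values are placeholders, not real 05-138 refs.
SAMPLE_TABLE: List[MappingRow] = [
    MappingRow("3.1.1", "5.15", "DEFSTAN-REF-PLACEHOLDER-1", "Access control"),
    MappingRow("3.1.2", "5.15", "DEFSTAN-REF-PLACEHOLDER-2", "Access control"),
    MappingRow("3.4.1", "8.9", "DEFSTAN-REF-PLACEHOLDER-3", "Secure configuration"),
    MappingRow("3.5.1", "5.16", "DEFSTAN-REF-PLACEHOLDER-4", "Access control"),
    MappingRow("3.13.1", "8.20", "DEFSTAN-REF-PLACEHOLDER-5", "Firewalls"),
    MappingRow("3.14.2", "8.7", "DEFSTAN-REF-PLACEHOLDER-6", "Malware protection"),
    MappingRow("3.3.1", "8.15", "DEFSTAN-REF-PLACEHOLDER-7", None),  # audit logging: no CE domain
]


def _id_key(nist_id: str) -> Tuple[int, ...]:
    """Sort key so 3.1.2 sorts before 3.1.20 (numeric, not lexical)."""
    return tuple(int(part) for part in nist_id.split("."))


def validate_table(rows: List[MappingRow]) -> List[str]:
    """Report malformed NIST IDs and duplicate rows; an empty list means the table is clean."""
    problems: List[str] = []
    seen: Set[str] = set()
    for row in rows:
        match = NIST_ID_RE.match(row.nist_id)
        if not match or not 1 <= int(match.group(1)) <= 14:
            problems.append(f"malformed NIST control id: {row.nist_id}")
        elif row.nist_id in seen:
            problems.append(f"duplicate NIST control id: {row.nist_id}")
        seen.add(row.nist_id)
    return problems


def frameworks_served(row: MappingRow) -> Set[str]:
    """Frameworks a single control page satisfies, derived from its table row.

    Containment does the work: every NIST 800-171 control is a CMMC Level 2 control,
    and the page is also a CMMC Level 1 practice only if its ID is in the 17-control set.
    """
    served = {"NIST 800-171", "CMMC Level 2"}
    if row.nist_id in CMMC_LEVEL1:
        served.add("CMMC Level 1")
    if row.annex_a:
        served.add("ISO 27001 Annex A")
    if row.defstan:
        served.add("DEFSTAN 05-138")
    if row.ce_domain:
        served.add("Cyber Essentials")
    return served


def coverage_report(authored_nist_ids: Set[str]) -> Dict[str, object]:
    """Coverage of both CMMC levels given the NIST control pages written so far."""
    level1_done = authored_nist_ids & CMMC_LEVEL1
    return {
        "cmmc_level_2": (len(authored_nist_ids), NIST_800_171_CONTROL_COUNT),
        "cmmc_level_1": (len(level1_done), CMMC_LEVEL1_CONTROL_COUNT),
        "cmmc_level_1_gaps": sorted(CMMC_LEVEL1 - authored_nist_ids, key=_id_key),
    }


def references_for_audience(row: MappingRow, audience: str) -> Dict[str, str]:
    """The SCM-variant rule: staff see no framework citations, compliance staff see every populated column."""
    if audience != "compliance":
        return {}
    refs = {"NIST 800-171": row.nist_id}
    if row.annex_a:
        refs["ISO 27001 Annex A"] = row.annex_a
    if row.defstan:
        refs["DEFSTAN 05-138"] = row.defstan
    if row.ce_domain:
        refs["Cyber Essentials"] = row.ce_domain
    return refs


if __name__ == "__main__":
    print("table problems:", validate_table(SAMPLE_TABLE))
    print("coverage:", coverage_report({row.nist_id for row in SAMPLE_TABLE}))
    print("compliance view of 3.1.1:", references_for_audience(SAMPLE_TABLE[0], "compliance"))
```

In practice the rows would be loaded from the Confluence page labels and properties rather than a literal list, and `coverage_report` run on every page export gives the "how far from CMMC Level 2" answer directly, while `cmmc_level_1_gaps` lists the Fundamental tier pages still to write.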


What this means for Confluence authoring in practice

Every control page you write should be structured to satisfy multiple frameworks simultaneously. The page metadata (Confluence labels and properties) carries the framework references; the body text is written once. Scroll Content Manager then adjusts the depth of guidance shown rather than the underlying requirement.
