Answers/

How do measures and controls link to requirements in Acuna?

In Implement, each measure represents a security or compliance practice (e.g. 'Access reviews are performed quarterly'). Measures are linked upward to one or more requirements across frameworks — one measure can satisfy clauses in ISO 27001, NIS2, and SOC 2 simultaneously. Controls are the operational instances of measures: they carry an owner, implementation status, control type (preventive, detective, corrective), and linked evidence. This three-tier hierarchy (requirement → measure → control) is how Acuna avoids duplicate work across multi-framework programmes.