Compliance matrix: How to make one actually used

Most businesses comply with the requirements that apply to them. The problem is proving it: to the auditor, to the customer demanding ISO in a tender, or to the authorities. A compliance matrix turns «we have control» into something you can demonstrate. Here's what it is, how to create one, and a template you can start with today.

It often starts with an email. One of the major clients sends a qualification form before contract renewal: «Document compliance with the following requirements.» Forty rows, deadline in two weeks. And the answers are scattered across three binders, a SharePoint folder, and the quality manager's head.

That is the day most companies create their first compliance matrix. This article is for you if you want to make one before that email arrives.

What is a compliance matrix?

A compliance matrix is a structured overview (usually a table) that links each individual requirement a company must meet to the documentation, process, and person responsible for ensuring that the requirement is actually complied with.

The demands can come from multiple directions simultaneously:

  • Laws and regulations – the Working Environment Act, the internal control regulations, Transparency Act, GDPR
  • Standards – ISO 9001, ISO 14001, ISO 45001
  • Customer requirements – qualification requirements in tenders, supplier requirements from large players
  • Internal requirements – own policies, ethical guidelines, board decisions

The matrix answers three questions for each requirement: What do they require of us? How do we meet it? Who is responsible? When an auditor, client, or regulatory authority asks, you won't have to search. You look it up.

Compliance matrix or compliance manual – what's the difference?

The concepts are often confused, but they perform two different jobs:

Compliance matrix
  Form: Table/overview
  Answers: Which requirements apply, and where they are covered
  Used by: Quality manager, auditor, management
  Typical scope: 1–10 pages

Compliance manual
  Form: Text document
  Answers: How we work to comply with them
  Used by: All employees
  Typical scope: 20–100 pages

The matrix is the map, the manual is the terrain. In practice, the matrix should come first, because it reveals which requirements apply and where the gaps are, and the manual (and procedures) is written to fill them. Many companies do the opposite: they write a thick manual first, and discover during the audit that it doesn't cover the requirements anyone actually imposes.

Alexander Reinhardt Kästel, managing director at Business Online, throws his hands up in triumph in an office chair outdoors, with a laptop on his lap – the feeling of having the compliance matrix in place before the audit.

Why does a company need a compliance matrix?

1. The auditor asks for it. For ISO certification and follow-up audits, the compliance matrix is the quickest proof that the management system covers the standard's requirements. Without it, the auditor (and you) will have to search through the documentation clause by clause.

2. Customers require it in tenders. Major players in the oil and gas, construction and industrial sectors often require suppliers to document compliance with specific requirements, sometimes with a pre-prepared requirements matrix to be filled out. If you already have your own matrix, the job is largely done.

3. The Transparency Act affects you through your customers. The law requires large companies to conduct due diligence assessments of their supply chains. However, the requirements also affect smaller businesses, because their customers need to document their suppliers. A matrix showing how you handle human rights and working conditions makes you a simpler supplier to choose.

4. It uncovers gaps before they become deviations. When the requirements are listed systematically, you quickly see what is covered by a procedure, what is «built into the walls», and what is actually not taken care of at all.

How to create an effective compliance matrix – step by step

Map out what requirements apply to you

Start broadly: legislation and regulations for the industry, standards you are (or will be) certified to, requirements from key customers, and your own internal policies. The Norwegian Labour Inspection Authority's industry guidelines are a good starting point. Don't do this alone in the office. Those working out on projects know what requirements customers actually impose.

Break the requirements down into controllable points

«We shall follow ISO 9001» is not one point in the matrix, it's a hundred. Break it down to the level where one requirement can be linked to one answer: one clause, one paragraph, one customer requirement per row.

Match each requirement to documentation and process

For each row: Which document, procedure or system demonstrates that the requirement has been met? Be honest here. «Covered verbally» or «everyone knows it» is not documentation – it is a row that should be marked red.

Set owner and status on each row

Every requirement needs a name (not a department) and a status. Use a simple scale: Covered / Partially covered / Not covered. Rows that are partially or not covered get a deadline and measures. That also gives you a prioritised action plan.

Get the matrix into the management system – not into a drawer

A compliance matrix stored in a local Excel file on the quality manager's PC becomes outdated the day the quality manager changes jobs. The matrix should be located in the document management system with version control and an approval workflow, so that everyone can always find the current version and see what has changed since the previous one.

Revise it regularly, and when there are changes

Set a fixed frequency (minimum annual, preferably before management review) plus event-driven review: new law, new standard version, new major client, new business area. Laws change. The matrix must keep up.

Template: this is what the compliance matrix can look like

Requirement: Deviations must be handled with root cause analysis and corrective actions
  Status: Covered
  Source: ISO 9001 clause 10.2
  How we fulfil it: 5-phase deviation process in the KHMS system
  Documentation: Procedure KV-04 + Deviation log
  Responsible: Quality manager
  Next revision: Q1 2027

Requirement: Supply chain risk assessment
  Status: Partially covered – subcontractors missing
  Source: Transparency Act Section 4
  How we fulfil it: Annual supplier evaluation with risk scoring
  Documentation: Supplier register + Evaluation form
  Responsible: Purchasing manager
  Next revision: 30.06.2026

Requirement: Employees must have documented safety training
  Status: Covered
  Source: Internal Control Regulations § 5
  How we fulfil it: Certificate and course overview per employee
  Documentation: Certificate register
  Responsible: HR manager
  Next revision: Q3 2026

Requirement: Customer X requires ISO 45001 compliance for the framework agreement
  Status: Not covered – certification in progress
  Source: Contract 2026-014
  How we fulfil it: HSE management system according to ISO 45001
  Documentation: Declaration of conformity + HSEQ manual
  Responsible: CEO
  Next revision: 01.09.2026

The fields are what matter. You fill in the content yourselves, based on your own requirements.


The three most common mistakes

1. The matrix is created for the audit – and dies afterwards

If the matrix is only opened the week before an audit, it's an alibi, not a tool. Link it to fixed routines: management reviews, internal audits, onboarding new clients.

2. Everything is marked as «covered»

A matrix without red and yellow rows rarely means perfect operation. As a rule, it means that no one has looked properly. Auditors know this too.

3. The requirements have been copied, not translated

Pasting standard text verbatim renders the matrix useless for anyone other than the person who wrote it. Explain what the requirement means for you, in your own words and with your own process names.

How to keep the compliance matrix alive with Business Online

A compliance matrix is only useful as long as it is up-to-date and accessible. In Business Online KHMS, it is located in the document management system (QDMS), which provides:

  • Version control and approval workflow. New versions undergo defined approval, and previous versions are traceable. An auditor can view both the current matrix and its history.

  • A shared library. All employees will always find the latest version, without wondering if the Excel file on the shared drive is the newest one.

  • Notification of changes. Updates are published as an internal news item with a link, so that changes in requirements actually reach those affected.

And several of the rows in the matrix can point directly into the system instead of to static documents: the deviation requirement in ISO 9001 clause 10.2 points to the deviation module, the Transparency Act's supplier requirements to the supplier evaluation, and competency requirements to the certificate overview. The auditor can go from the requirement directly to the evidence that the routine is being followed.

We have documented how Business Online meets the requirements of ISO 9001, 14001 and 45001 clause by clause in a separate review: in practice, our own compliance matrix.

FAQ

A table linking each requirement the company must comply with (laws, standards, customer requirements) to the documentation, process, and person responsible for the requirement, with a status per requirement.

The matrix is an overview of which requirements apply and where they are met. The manual describes how the company works to comply with them. Create the matrix first.

A minimum of annually (preferably before management review), and additionally when changes occur: new legislation, new standard versions, new customer requirements, or new business areas.

No, the word «compliance matrix» is not in the standard. However, ISO 9001 requires you to map relevant requirements (clause 4.2), and in ISO 14001 and 45001, the requirement is even more direct: Clause 6.1.3 obliges you to determine the requirements that apply to you («compliance obligations» in 14001, «legal and other requirements» in 45001) and maintain documented information that is updated when changes occur, and clause 9.1.2 requires that compliance be regularly evaluated with documented results. A matrix is the simplest way to fulfil all of this.

A compliance matrix is not something you create for the auditor. It is the overview that makes the audit a pleasant visit.

See how the matrix, the deviations and the documents are related

The compliance matrix is strongest when the different fields point directly into the system where the job is done. See how it works in practice.