The disclosure herein describes determining the compliance of software applications to compliance standards based on capabilities of the software applications. The capabilities of a software application are identified, and the compliance controls of a compliance standard are identified from respective data stores. The capabilities are mapped to the compliance controls based on defined capability map data. Based on at least one capability of the software application being mapped to each compliance control of the compliance standard, a positive compliance indicator is provided, whereby compliance of the software application with the compliance standard is confirmed. The described systems and methods provide efficient means for determining compliance of software applications based on defined capabilities that are abstracted to be comparable to a variety of compliance controls.