ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

International (ISO)

v2022 (4th edition)

11 domains

89 controls

ISO 15189:2022 (4th edition) specifies requirements for quality and competence in medical (clinical) laboratories. It covers examination processes (pre-examination, examination, post-examination), quality management systems, and resource requirements specific to medical laboratories. Applicable to clinical chemistry, haematology, microbiology, pathology, immunology, and other medical laboratory disciplines. Accreditation to ISO 15189 is increasingly required by healthcare regulators and insurers. The 2022 revision introduces risk-based thinking and aligns with ISO/IEC 17025:2017 structure.

Unverified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (11)

Annex A

1 controls

Controls in the Annex A domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 1 controls
Code	Title	Description
A.1	Point-of-Care Testing Additional Requirements	Laboratory provides oversight for point-of-care testing including governance, training and quality assurance.

Clause 4: General Requirements

5 controls

Controls in the Clause 4: General Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 5 controls
Code	Title	Description
ISO-15189-4.1	Impartiality	Requires laboratories to operate free of bias and conflicts of interest, with identification and management of risks to...
ISO-15189-4.2	Confidentiality	Requires secure management of patient data with controlled disclosure, including legally enforceable commitments to conf...
ISO-15189-4.3	Requirements regarding patients	Requires consideration of patient input in methods, cost transparency, and obtaining informed consent for examinations.
ISO-17025-4.1	Impartiality	Requires laboratory activities to be undertaken impartially, with identification and management of risks to impartiality...
ISO-17025-4.2	Confidentiality	Requires the laboratory to be responsible for managing and protecting all information obtained during laboratory activit...

Clause 5: Structural and Governance Requirements

6 controls

Controls in the Clause 5: Structural and Governance Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 6 controls
Code	Title	Description
ISO-15189-5.1	Legal entity	Requires the laboratory to be a legal entity or a defined part of a legal entity that is legally accountable for its lab...
ISO-15189-5.2	Laboratory director	Specifies competence requirements, responsibilities, and authority of the laboratory director including duty delegation.
ISO-15189-5.3	Laboratory activities	Requires documentation of the scope of laboratory activities spanning pre-examination, examination, and post-examination...
ISO-15189-5.4	Structure and authority	Requires a defined organizational hierarchy with clear roles, responsibilities, and reporting relationships.
ISO-15189-5.5	Objectives and policies	Requires measurable objectives and policies aligned with ISO 15189 and commitment to good professional practice at all l...
ISO-15189-5.6	Risk management	Requires proactive identification, assessment, and mitigation of risks to patient safety and laboratory operations.

Clause 6: Resource Requirements

16 controls

Controls in the Clause 6: Resource Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 16 controls
Code	Title	Description
27006-6.1	Competence of personnel	Competence requirements for personnel involved in the certification process
27006-6.2	Personnel Records	Maintain up to date records of qualifications, training, experience and performance for ISMS personnel.
ISO-15189-6.1	General	Requires the laboratory to have the resources needed to carry out its activities in accordance with the requirements of...
ISO-15189-6.2	Personnel	Specifies competency requirements, authorization processes, continuing education obligations, and maintenance of qualifi...
ISO-15189-6.3	Facilities and environmental conditions	Requires controls for contamination prevention, adequate ventilation, proper storage, and appropriate amenities.
ISO-15189-6.4	Equipment	Requires proper selection, acceptance testing, regular maintenance, and adverse event reporting for all laboratory equip...
ISO-15189-6.5	Equipment calibration and metrological traceability	Requires SI unit alignment, documented measurement uncertainty, and metrological traceability of measurement results.
ISO-15189-6.6	Reagents and consumables	Requires procedures for receipt, storage, acceptance testing, inventory control, and adverse event reporting for reagent...
ISO-15189-6.7	Service agreements	Requires formal contracts with users and POCT operators defining responsibilities, service levels, and expectations.
ISO-15189-6.8	Externally provided products and services	Requires supplier qualification processes and ongoing monitoring of performance for externally sourced products and serv...
ISO-17025-6.1	General	Requires the laboratory to have personnel, facilities, equipment, systems, and support services necessary for its activi...
ISO-17025-6.2	Personnel	Requires competent personnel with verified skills, qualifications, and ongoing training for their assigned functions.
ISO-17025-6.3	Facilities and environmental conditions	Requires facilities that enable correct performance of laboratory activities including environmental monitoring and cont...
ISO-17025-6.4	Equipment	Requires proper calibration, maintenance, and verification protocols for all equipment used in laboratory activities.
ISO-17025-6.5	Metrological traceability	Requires establishing and maintaining metrological traceability of measurement results to SI units or recognized referen...
ISO-17025-6.6	Externally provided products and services	Requires vendor validation and qualification procedures for externally provided supplies, reagents, and services.

Clause 7: Process Requirements

19 controls

Controls in the Clause 7: Process Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 19 controls
Code	Title	Description
ISO-15189-7.1	General	Requires documented procedures for all laboratory processes from pre-examination through post-examination.
ISO-15189-7.2	Pre-examination processes	Covers patient information management, request handling, sample collection, transportation, receipt, and storage procedu...
ISO-15189-7.3	Examination processes	Requires method verification/validation, measurement uncertainty evaluation, reference interval establishment, and resul...
ISO-15189-7.4	Post-examination processes	Covers result reporting, clinical advice, sample retention, and disposal in accordance with regulations.
ISO-15189-7.5	Nonconforming work	Requires detection, evaluation, documentation, and correction of nonconforming laboratory work.
ISO-15189-7.6	Data and information management	Requires validation of information systems, documented downtime procedures, and oversight of off-site data providers.
ISO-15189-7.7	Complaints	Requires structured receipt, investigation, and objective resolution of complaints from patients and other stakeholders.
ISO-15189-7.8	Continuity and emergency preparedness	Requires business continuity planning with regular testing to ensure service during disruptions and emergencies.
ISO-17025-7.1	Review of requests, tenders and contracts	Requires procedures for reviewing requests and contracts to ensure the laboratory can meet requirements.
ISO-17025-7.10	Nonconforming work	Requires procedures for managing nonconforming work including evaluation of significance and corrective actions.
ISO-17025-7.11	Control of data and information management	Requires validation and verification of laboratory information management systems used for data collection and reporting...
ISO-17025-7.2	Selection, verification and validation of methods	Requires establishing procedures to test the reliability and repeatability of testing and calibration methods.
ISO-17025-7.3	Sampling	Requires documented sampling plans and procedures where the laboratory performs sampling of substances or materials.
ISO-17025-7.4	Handling of test or calibration items	Requires procedures for transportation, receipt, handling, protection, storage, retention, and disposal of test items.
ISO-17025-7.5	Technical records	Requires complete and accurate technical records for each laboratory activity including observations and data.
ISO-17025-7.6	Evaluation of measurement uncertainty	Requires identification of the contributions to measurement uncertainty and evaluation for all calibrations and tests.
ISO-17025-7.7	Ensuring the validity of results	Requires procedures for monitoring the validity of results including participation in proficiency testing programmes.
ISO-17025-7.8	Reporting of results	Requires clear, accurate, and unambiguous reporting of results including all required information.
ISO-17025-7.9	Complaints	Requires a documented process for receiving, evaluating, and making decisions on complaints.

Clause 8: Management System Requirements

18 controls

Controls in the Clause 8: Management System Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 18 controls
Code	Title	Description
ISO-15189-8.1	General requirements	Requires a structured quality management system ensuring consistent compliance with ISO 15189.
ISO-15189-8.2	Management system documentation	Requires documented quality policies, objectives, leadership commitment, and personnel access to documentation.
ISO-15189-8.3	Control of documents	Requires document approval, periodic review, version control, and access safeguards for management system documents.
ISO-15189-8.4	Control of records	Requires real-time creation, traceable amendments, and retention based on legal and clinical requirements.
ISO-15189-8.5	Actions addressing risks and opportunities	Requires identification, evaluation, and prioritization of risks and opportunities for improvement of the management sys...
ISO-15189-8.6	Improvement	Requires continual enhancement of the management system using audit data, feedback, and performance metrics.
ISO-15189-8.7	Nonconformities and corrective actions	Requires immediate correction of nonconformities, root cause analysis, and verification of corrective action effectivene...
ISO-15189-8.8	Evaluations	Requires quality indicators, internal audit planning, and compliance verification through systematic evaluation.
ISO-15189-8.9	Management reviews	Requires periodic management system assessment with documented decisions, actions, and resource allocation.
ISO-17025-8.1	Options	Provides two compliance pathways: Option A (implementing a management system meeting ISO/IEC 17025 requirements) or Opti...
ISO-17025-8.2	Management system documentation	Requires establishing, documenting, and maintaining policies and objectives for the management system.
ISO-17025-8.3	Control of management system documents	Requires procedures for controlling documents associated with the management system.
ISO-17025-8.4	Control of records	Requires establishing and maintaining legible records that provide evidence of meeting management system requirements.
ISO-17025-8.5	Actions to address risks and opportunities	Requires considering risks and opportunities associated with laboratory activities and taking planned actions.
ISO-17025-8.6	Improvement	Requires identifying and selecting opportunities for improvement and implementing necessary actions.
ISO-17025-8.7	Corrective actions	Requires structured procedures for addressing non-conformities including root cause analysis and verification.
ISO-17025-8.8	Internal audits	Requires developing audit schedules that verify adherence to all quality processes at planned intervals.
ISO-17025-8.9	Management reviews	Requires management to review the management system at planned intervals to ensure suitability and effectiveness.

General Requirements

3 controls

Controls in the General Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 3 controls
Code	Title	Description
4.1	Password Policy	Ensure passwords used to access SWIFT components and connected systems are sufficiently resistant against common passwor...
4.2	Multi-Factor Authentication	Prevent that a compromise of a single authentication factor allows access to SWIFT systems by implementing multi-factor...
4.3	Determining Scope of SMS	Boundaries and applicability of SMS are determined considering services, locations and interfaces.

Management System

4 controls

Controls in the Management System domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 4 controls
Code	Title	Description
8.5	Control effectiveness review	Review the effectiveness of implemented risk treatment controls and adjust as needed.
8.7	Protection against malware	Implement protection against malware combined with appropriate user awareness.
8.8	Management of technical vulnerabilities	Obtain timely information about technical vulnerabilities, evaluate exposure and take appropriate measures.
8.9	Management Reviews	Top management reviews QMS at planned intervals to ensure continuing suitability, adequacy and effectiveness.

Process Requirements

7 controls

Controls in the Process Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 7 controls
Code	Title	Description
7.2	Security Training and Awareness	Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities and...
7.3	Risk evaluation	Compare analysed risks against acceptance criteria to prioritize treatment.
7.4	Asset valuation	Assign values to assets reflecting their business importance and sensitivity.
7.5	Threat assessment	Identify and assess threats relevant to assets and the operating environment.
7.6	Vulnerability assessment	Identify and assess vulnerabilities that could be exploited by threats causing harm.
7.7	Likelihood estimation	Estimate the likelihood of threats exploiting vulnerabilities using consistent criteria.
7.8	Consequence estimation	Estimate business consequences arising from successful realization of risks.

Resource Requirements

7 controls

Controls in the Resource Requirements domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 7 controls
Code	Title	Description
6.2	Approach selection	Select event-based or asset-based risk identification approaches based on context.
6.3	Information security awareness, education and training	Provide personnel and relevant interested parties with appropriate awareness, education and training and regular policy...
6.4	Logging and Monitoring	Record security events and detect anomalous actions and operations within the local SWIFT environment.
6.5	Preparing and Distributing Audit Report	Audit team leader prepares audit report and distributes it within agreed time to defined recipients.
6.6	Confidentiality or non-disclosure agreements	Identify, document, review and have signed confidentiality or non-disclosure agreements that reflect the needs to protec...
6.7	Conducting Audit Follow-up	Follow-up activities verify completion of corrective actions and effectiveness in addressing audit findings.
6.8	Externally Provided Products and Services	Externally provided products and services that affect laboratory activities are evaluated and approved.

Structural and Governance

3 controls

Controls in the Structural and Governance domain of ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence — 3 controls
Code	Title	Description
5.1	Logical Access Control	Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts.
5.2	Token Management	Ensure the proper management, tracking, and use, where applicable, of connected and disconnected hardware authentication...
5.4	Establishing Audit Programme	Audit programme is established including scope, schedules, methods, resources and procedures.

Your Compliance Coverage

If you comply with ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence, you already cover:

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

24%

21 controls mapped

Compare →

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

22%

20 controls mapped

Compare →

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

21%

19 controls mapped

Compare →

+ 414 more: AS9100D - Aerospace Quality Management System (20%), ISO/IEC 27003:2017 (20%)

See all 417 mapped frameworks ↓

Maps to 417 other frameworks

89 total controls

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

21 source controls mapped|14 target controls covered

24%

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

20 source controls mapped|9 target controls covered

22%

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

19 source controls mapped|12 target controls covered

21%

AS9100D - Aerospace Quality Management System

18 source controls mapped|13 target controls covered

20%

ISO/IEC 27003:2017

18 source controls mapped|13 target controls covered

20%

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

18 source controls mapped|13 target controls covered

20%

SWIFT CSCF

18 source controls mapped|15 target controls covered

20%

SQF Code Edition 9 - Safe Quality Food

17 source controls mapped|6 target controls covered

19%

BRCGS Global Standard for Food Safety Issue 9

17 source controls mapped|12 target controls covered

19%

South Korea ISMS-P

16 source controls mapped|8 target controls covered

18%

IEC 62304:2015 Medical Device Software Lifecycle Processes

16 source controls mapped|7 target controls covered

18%

ISO 19011

16 source controls mapped|6 target controls covered

18%

ISO 45001:2018

15 source controls mapped|6 target controls covered

17%

ISO 20000-1

15 source controls mapped|7 target controls covered

17%

SWIFT CSCF v2024

15 source controls mapped|9 target controls covered

17%

ISO 9001:2015

15 source controls mapped|7 target controls covered

17%

ICH Q10 - Pharmaceutical Quality System

14 source controls mapped|5 target controls covered

16%

21 CFR Part 211 - Current Good Manufacturing Practice

14 source controls mapped|5 target controls covered

16%

ISO 13485

14 source controls mapped|10 target controls covered

16%

ISO/IEC 27006:2024

13 source controls mapped|7 target controls covered

15%

ISO 14001

13 source controls mapped|4 target controls covered

15%

NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security

12 source controls mapped|7 target controls covered

13%

ISO 41001:2018 - Facility Management Systems

12 source controls mapped|11 target controls covered

13%

ISO 39001:2012 - Road Traffic Safety Management

12 source controls mapped|11 target controls covered

13%

ISO 50001:2018 - Energy Management Systems

12 source controls mapped|11 target controls covered

13%

ISO 22313:2020 - Guidance on Business Continuity Management Systems

12 source controls mapped|11 target controls covered

13%

ISO 20400:2017 - Sustainable Procurement

12 source controls mapped|7 target controls covered

13%

PAS 1192-5:2015 - Security-Minded Approach to BIM and Digital Built Environments

12 source controls mapped|9 target controls covered

13%

New Zealand Information Security Manual (NZISM)

12 source controls mapped|9 target controls covered

13%

South Korea Cloud Security Assurance Program (CSAP)

12 source controls mapped|9 target controls covered

13%

NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity

12 source controls mapped|11 target controls covered

13%

Singapore Government Instruction Manual on ICT&SS Management (IM8)

12 source controls mapped|7 target controls covered

13%

US OFAC Sanctions Compliance Framework

12 source controls mapped|4 target controls covered

13%

21 CFR Part 58 - Good Laboratory Practice (GLP)

12 source controls mapped|3 target controls covered

13%

ISO/IEC 25012:2008 - Data Quality Model

12 source controls mapped|3 target controls covered

13%

NAIC Insurance Data Security Model Law (MDL-668)

12 source controls mapped|9 target controls covered

13%

TISAX - Trusted Information Security Assessment Exchange

11 source controls mapped|11 target controls covered

12%

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

11 source controls mapped|8 target controls covered

12%

Protective Security Policy Framework (PSPF) Release 2024

11 source controls mapped|13 target controls covered

12%

NIST Cybersecurity Framework 2.0

11 source controls mapped|9 target controls covered

12%

UK Gambling Commission - Cyber Resilience Requirements

11 source controls mapped|7 target controls covered

12%

RBI Cybersecurity Framework for Banks

11 source controls mapped|8 target controls covered

12%

APRA CPS 234

11 source controls mapped|10 target controls covered

12%

ASIS SPC.1-2009 - Organizational Resilience Standard

11 source controls mapped|4 target controls covered

12%

ISO 27005

11 source controls mapped|8 target controls covered

12%

ISO 31000:2018

11 source controls mapped|2 target controls covered

12%

Illinois Biometric Information Privacy Act (BIPA)

11 source controls mapped|6 target controls covered

12%

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

11 source controls mapped|4 target controls covered

12%

FDA Quality Management System Regulation (QMSR)

10 source controls mapped|4 target controls covered

11%

OWASP DevSecOps Maturity Model (DSOMM)

10 source controls mapped|8 target controls covered

11%

UK Telecommunications (Security) Act 2021

10 source controls mapped|3 target controls covered

11%

ISO 28001:2007 Supply Chain Security Management

10 source controls mapped|4 target controls covered

11%

Annex 11 to EU GMP - Computerised Systems

10 source controls mapped|5 target controls covered

11%

NIST SP 800-124 Revision 2 - Guidelines for Managing the Security of Mobile Devices

10 source controls mapped|7 target controls covered

11%

OWASP Top 10:2025

10 source controls mapped|7 target controls covered

11%

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

10 source controls mapped|7 target controls covered

11%

ISO 13485:2016

10 source controls mapped|4 target controls covered

11%

MTCS (Singapore)

10 source controls mapped|4 target controls covered

11%

ITAR - International Traffic in Arms Regulations

10 source controls mapped|4 target controls covered

11%

Florida Digital Bill of Rights (FDBR)

10 source controls mapped|2 target controls covered

11%

ISO 56002

10 source controls mapped|10 target controls covered

11%

ISO 37002:2021 - Whistleblowing Management Systems

10 source controls mapped|9 target controls covered

11%

Regulation on the European Health Data Space (EHDS)

10 source controls mapped|5 target controls covered

11%

Wisconsin Data Privacy Act (SB 670)

10 source controls mapped|7 target controls covered

11%

NIST Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems

10 source controls mapped|5 target controls covered

11%

TEFCA - Trusted Exchange Framework and Common Agreement

10 source controls mapped|6 target controls covered

11%

ISO/IEC 27011:2024

9 source controls mapped|9 target controls covered

10%

NIS2 Directive

9 source controls mapped|6 target controls covered

10%

ISO/IEC 23894:2023

9 source controls mapped|7 target controls covered

10%

USMCA Chapter 19 - Digital Trade (United States-Mexico-Canada Agreement)

9 source controls mapped|3 target controls covered

10%

Regulation (EU) 2019/1239 on the Maritime Single Window (MSW)

9 source controls mapped|5 target controls covered

10%

NIST AI Risk Management Framework (AI RMF 1.0)

9 source controls mapped|5 target controls covered

10%

NIST AI 600-1: Generative AI Profile

9 source controls mapped|5 target controls covered

10%

ISO 14001:2015

9 source controls mapped|5 target controls covered

10%

Monetary Authority of Singapore Technology Risk Management Guidelines

9 source controls mapped|4 target controls covered

10%

MITRE ATT&CK

9 source controls mapped|3 target controls covered

10%

ISO/IEC 27014:2020

9 source controls mapped|4 target controls covered

10%

ISO/IEC 27400:2022

9 source controls mapped|6 target controls covered

10%

NIST SP 800-137

9 source controls mapped|7 target controls covered

10%

NIST SP 800-144

9 source controls mapped|4 target controls covered

10%

OpenSSF Scorecard

9 source controls mapped|8 target controls covered

10%

NIST SP 800-92

9 source controls mapped|7 target controls covered

10%

SSDF (NIST)

9 source controls mapped|7 target controls covered

10%

UK PSTI Act

9 source controls mapped|7 target controls covered

10%

SIG (Shared Assessments)

9 source controls mapped|7 target controls covered

10%

AWS Well-Architected Security Pillar

9 source controls mapped|4 target controls covered

10%

WHO Global Strategy on Digital Health 2020-2025

9 source controls mapped|2 target controls covered

10%

SLSA

9 source controls mapped|7 target controls covered

10%

PCI SSF

9 source controls mapped|7 target controls covered

10%

NIST SP 800-88

9 source controls mapped|7 target controls covered

10%

NIST SP 800-61

9 source controls mapped|6 target controls covered

10%

UNECE WP.29 R156

9 source controls mapped|7 target controls covered

10%

SWIFT CSP

9 source controls mapped|7 target controls covered

10%

NIST SP 800-63-4

9 source controls mapped|6 target controls covered

10%

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

9 source controls mapped|4 target controls covered

10%

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment)

9 source controls mapped|7 target controls covered

10%

ISO/SAE 21434

9 source controls mapped|7 target controls covered

10%

Azure Security Benchmark

9 source controls mapped|4 target controls covered

10%

NIST SP 800-145

9 source controls mapped|4 target controls covered

10%

NIST SP 800-190

9 source controls mapped|4 target controls covered

10%

OWASP SAMM

9 source controls mapped|6 target controls covered

10%

ISO 27043

9 source controls mapped|7 target controls covered

10%

OWASP MASVS

9 source controls mapped|6 target controls covered

10%

FFIEC IT Examination Handbook

9 source controls mapped|7 target controls covered

10%

NIST SP 800-146

9 source controls mapped|4 target controls covered

10%

NIST SP 800-123

9 source controls mapped|7 target controls covered

10%

ISO 27018

9 source controls mapped|4 target controls covered

10%

PTES

9 source controls mapped|7 target controls covered

10%

UNECE WP.29 R155

9 source controls mapped|6 target controls covered

10%

IEC 60601-1 - Medical Electrical Equipment Safety

9 source controls mapped|5 target controls covered

10%

SSAE 18 - Attestation Standards (SOC Reporting)

9 source controls mapped|5 target controls covered

10%

PCI P2PE

9 source controls mapped|7 target controls covered

10%

ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)

9 source controls mapped|2 target controls covered

10%

ISO 27017

9 source controls mapped|4 target controls covered

10%

PCI PIN Security

9 source controls mapped|7 target controls covered

10%

PSD2 SCA

9 source controls mapped|7 target controls covered

10%

OWASP ASVS

9 source controls mapped|7 target controls covered

10%

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

9 source controls mapped|6 target controls covered

10%

O-RAN WG11 Security Specification

9 source controls mapped|5 target controls covered

10%

Open Banking Security

9 source controls mapped|7 target controls covered

10%

OSFI B-13

9 source controls mapped|7 target controls covered

10%

AICPA Privacy Management Framework (PMF)

9 source controls mapped|2 target controls covered

10%

IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

8 source controls mapped|3 target controls covered

French Sapin II Law (Law No. 2016-1691)

8 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5

8 source controls mapped|12 target controls covered

NIST Privacy Framework 1.0

8 source controls mapped|9 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

8 source controls mapped|2 target controls covered

NATO AQAP 2110 - Quality Assurance Requirements for Design, Development, and Production

8 source controls mapped|7 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

8 source controls mapped|3 target controls covered

FBI CJIS Security Policy

8 source controls mapped|6 target controls covered

Pakistan Personal Data Protection Bill 2023

8 source controls mapped|4 target controls covered

Serbia Law on Personal Data Protection (2018)

8 source controls mapped|5 target controls covered

Portugal Law No. 58/2019 - Data Protection Implementation Act

8 source controls mapped|7 target controls covered

Netherlands GDPR Implementation Act (UAVG - Uitvoeringswet AVG, 2018)

8 source controls mapped|6 target controls covered

Oman Personal Data Protection Law (Royal Decree 6/2022)

8 source controls mapped|5 target controls covered

MDS2 (Medical Device)

8 source controls mapped|3 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

8 source controls mapped|2 target controls covered

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

8 source controls mapped|7 target controls covered

IEC 62351 - Power Systems Communication Security

8 source controls mapped|3 target controls covered

RFC 2350 - Expectations for Computer Security Incident Response (BCP 21)

8 source controls mapped|6 target controls covered

UK Open Banking Standard

8 source controls mapped|5 target controls covered

Aged Care Quality Standards (Australia)

8 source controls mapped|6 target controls covered

Sigstore - Software Artifact Signing and Verification

7 source controls mapped|6 target controls covered

ISO 27001:2022

7 source controls mapped|9 target controls covered

Security of Critical Infrastructure Act 2018 (SOCI)

7 source controls mapped|6 target controls covered

Singapore Model AI Governance Framework (2nd Edition)

7 source controls mapped|2 target controls covered

ISO/IEC 29115:2023 - Entity Authentication Assurance Framework

7 source controls mapped|5 target controls covered

ISO/IEC 38500:2024 - Governance of IT

7 source controls mapped|4 target controls covered

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

7 source controls mapped|8 target controls covered

ISO/IEC 27031:2011

7 source controls mapped|4 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

7 source controls mapped|6 target controls covered

US NRC 10 CFR 73.54 - Cyber Security for Nuclear Power Plants

7 source controls mapped|3 target controls covered

Tennessee Information Protection Act (TIPA)

7 source controls mapped|3 target controls covered

WCAG 2.2

7 source controls mapped|3 target controls covered

ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary

7 source controls mapped|6 target controls covered

TNFD Recommendations

7 source controls mapped|3 target controls covered

AASB S2 Climate-related Disclosures

7 source controls mapped|2 target controls covered

Turkey Personal Data Protection Law (KVKK - Law No. 6698)

7 source controls mapped|5 target controls covered

Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter

7 source controls mapped|3 target controls covered

Russia Federal Law on Personal Data (152-FZ)

7 source controls mapped|5 target controls covered

ISO 37000:2021 - Governance of Organizations

7 source controls mapped|4 target controls covered

SOC 2

7 source controls mapped|4 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

7 source controls mapped|5 target controls covered

ISO 22320:2018

7 source controls mapped|4 target controls covered

ISO 19650 - Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

7 source controls mapped|4 target controls covered

Oman National Cybersecurity Framework

7 source controls mapped|6 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

7 source controls mapped|4 target controls covered

NIS2 Directive Implementing Acts

7 source controls mapped|7 target controls covered

IAIS Insurance Core Principles (ICPs)

7 source controls mapped|3 target controls covered

ICAO Annex 17 - Aviation Security (AVSEC)

6 source controls mapped|3 target controls covered

German Supply Chain Due Diligence Act (LkSG)

6 source controls mapped|3 target controls covered

FedRAMP Rev 5

6 source controls mapped|4 target controls covered

TSA Pipeline Security

6 source controls mapped|4 target controls covered

US Executive Order 14028 - Improving the Nation's Cybersecurity

6 source controls mapped|3 target controls covered

Telecommunications Sector Security Reforms (TSSR)

6 source controls mapped|7 target controls covered

ICH E6(R3) - Good Clinical Practice

6 source controls mapped|2 target controls covered

ISO/IEC 27701:2019

6 source controls mapped|1 target controls covered

South Korea PIPA

6 source controls mapped|1 target controls covered

ITU Radio Regulations and Space Security Standards

6 source controls mapped|1 target controls covered

Israel Protection of Privacy Law (5741-1981)

6 source controls mapped|2 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

6 source controls mapped|1 target controls covered

ISO/IEC 27004:2016

6 source controls mapped|3 target controls covered

ISO/IEC 30111:2019

6 source controls mapped|3 target controls covered

ISO/IEC 29147:2018

6 source controls mapped|3 target controls covered

ISO/IEC 29100:2024

6 source controls mapped|3 target controls covered

ISO/IEC 29134:2023

6 source controls mapped|3 target controls covered

US Foreign Corrupt Practices Act (FCPA)

6 source controls mapped|1 target controls covered

ISO/IEC 27007:2020

6 source controls mapped|1 target controls covered

ISO/IEC 27050 - Electronic Discovery (Parts 1-4)

6 source controls mapped|1 target controls covered

UK Building Safety Act 2022

6 source controls mapped|2 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

6 source controls mapped|1 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

6 source controls mapped|2 target controls covered

Barbados Data Protection Act 2019

6 source controls mapped|1 target controls covered

PCAOB AS 2201 - Audit of Internal Control Over Financial Reporting (ICFR)

6 source controls mapped|3 target controls covered

UK Bribery Act 2010

6 source controls mapped|3 target controls covered

Notifiable Data Breaches Scheme (Australia)

6 source controls mapped|1 target controls covered

NATO STANAG 4774 (Confidentiality Metadata Labels) and STANAG 4778 (Metadata Binding)

6 source controls mapped|5 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

6 source controls mapped|4 target controls covered

US Children's Online Privacy Protection Act (COPPA) and COPPA 2.0 Proposed Updates

6 source controls mapped|1 target controls covered

COBIT 2019

6 source controls mapped|1 target controls covered

US SEC Digital Assets and Crypto Regulatory Framework

6 source controls mapped|2 target controls covered

South Korea Korea Internet Self-Governance Organisation (KISO) Code of Ethics

6 source controls mapped|1 target controls covered

Proposal for a Directive on improving working conditions in platform work (COM(2023) 491)

6 source controls mapped|6 target controls covered

Union Customs Code (UCC) - Regulation (EU) No 952/2013

6 source controls mapped|2 target controls covered

Uzbekistan Law on Personal Data (No. ZRU-547)

6 source controls mapped|4 target controls covered

Panama Law on Personal Data Protection (Law No. 81 of 2019)

6 source controls mapped|4 target controls covered

Poland Act on Personal Data Protection (Ustawa o ochronie danych osobowych, 2018)

6 source controls mapped|5 target controls covered

Romania Law No. 190/2018 on Data Protection Measures (GDPR Implementation)

6 source controls mapped|6 target controls covered

Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)

6 source controls mapped|4 target controls covered

UNCITRAL Model Law on Electronic Commerce (1996, updated 2005)

6 source controls mapped|4 target controls covered

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

6 source controls mapped|5 target controls covered

Uruguay Personal Data Protection Act (Law No. 18.331)

6 source controls mapped|5 target controls covered

Spain Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD)

6 source controls mapped|3 target controls covered

Singapore Payment Services Act (PSA) - Digital Payment Token Regulation

6 source controls mapped|2 target controls covered

Tanzania Personal Data Protection Act (Draft)

6 source controls mapped|4 target controls covered

Trinidad and Tobago Data Protection Act 2011

6 source controls mapped|4 target controls covered

Saudi PDPL

6 source controls mapped|1 target controls covered

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

6 source controls mapped|1 target controls covered

FedRAMP High

6 source controls mapped|1 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

6 source controls mapped|1 target controls covered

FedRAMP Moderate

6 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 MODERATE

6 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 LOW

6 source controls mapped|1 target controls covered

UK GDPR (UK General Data Protection Regulation)

6 source controls mapped|1 target controls covered

Science Based Targets initiative (SBTi) Corporate Standard

6 source controls mapped|2 target controls covered

Singapore Cybersecurity Act 2018

6 source controls mapped|1 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

6 source controls mapped|2 target controls covered

ISO 8000 - Data Quality

6 source controls mapped|2 target controls covered

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

6 source controls mapped|1 target controls covered

UK Construction (Design and Management) Regulations 2015 (CDM 2015)

6 source controls mapped|3 target controls covered

South Africa Promotion of Access to Information Act (PAIA)

6 source controls mapped|1 target controls covered

Sweden Data Protection Act (Dataskyddslag, 2018:218)

6 source controls mapped|1 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

6 source controls mapped|2 target controls covered

Azerbaijan Law on Personal Data (2010)

6 source controls mapped|1 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

6 source controls mapped|2 target controls covered

Paraguay Law on Protection of Personal Data (Law No. 6534/2020)

6 source controls mapped|1 target controls covered

Singapore Payment Services Act 2019 (PSA) - Digital Payment Token Provisions

6 source controls mapped|1 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

6 source controls mapped|5 target controls covered

South Korea Credit Information Act

6 source controls mapped|1 target controls covered

Virginia Consumer Data Protection Act (VCDPA)

6 source controls mapped|1 target controls covered

UK Defence Standard 05-138 - Cyber Security for Defence Suppliers

5 source controls mapped|4 target controls covered

UK FCA/PRA Operational Resilience Framework

5 source controls mapped|2 target controls covered

Tunisia Organic Law on Personal Data Protection (Law No. 2004-63)

5 source controls mapped|3 target controls covered

SA8000:2014 - Social Accountability Standard

5 source controls mapped|2 target controls covered

OWASP Top 10 for LLM Applications 2025

5 source controls mapped|5 target controls covered

ACSC Essential Eight

5 source controls mapped|15 target controls covered

MITRE D3FEND

5 source controls mapped|2 target controls covered

MARS-E

5 source controls mapped|5 target controls covered

ISMAP (Japan)

5 source controls mapped|3 target controls covered

NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)

5 source controls mapped|9 target controls covered

Secure by Design: A Guide for Manufacturers (CISA)

5 source controls mapped|4 target controls covered

ISO 27799

5 source controls mapped|4 target controls covered

Spain ENS

5 source controls mapped|3 target controls covered

Saudi NCA ECC

5 source controls mapped|3 target controls covered

BSI IT-Grundschutz

5 source controls mapped|3 target controls covered

3GPP 5G Security Architecture (TS 33.501)

5 source controls mapped|5 target controls covered

NIST SP 800-66

5 source controls mapped|4 target controls covered

IATF 16949:2016 - Quality Management System for Automotive Production

4 source controls mapped|3 target controls covered

GS1 Global Standards - Supply Chain Traceability and Data Security

4 source controls mapped|3 target controls covered

GLOBALG.A.P. Integrated Farm Assurance (IFA) Standard v6

4 source controls mapped|2 target controls covered

GAMP 5 - Good Automated Manufacturing Practice

4 source controls mapped|3 target controls covered

ISO/IEC 27010:2015

4 source controls mapped|3 target controls covered

Authorised Economic Operator (AEO) Programmes - Global Standards

4 source controls mapped|5 target controls covered

APRA CPS 230 Operational Risk Management

4 source controls mapped|7 target controls covered

Vermont Artificial Intelligence and Consumer Data Act (AICDA)

4 source controls mapped|3 target controls covered

Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct

4 source controls mapped|2 target controls covered

HKMA SPM

4 source controls mapped|2 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

4 source controls mapped|2 target controls covered

GLI-33 - Gaming Laboratories International Event Wagering Systems

4 source controls mapped|2 target controls covered

GLBA

4 source controls mapped|2 target controls covered

Ghana Cybersecurity Act

4 source controls mapped|2 target controls covered

FISMA

4 source controls mapped|2 target controls covered

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)

4 source controls mapped|3 target controls covered

FDA 21 CFR Part 11

4 source controls mapped|2 target controls covered

FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)

4 source controls mapped|5 target controls covered

SOC for Cybersecurity - Cybersecurity Risk Management Examination

4 source controls mapped|5 target controls covered

OWASP API Security Top 10 - 2023

4 source controls mapped|5 target controls covered

Belgium CyberFundamentals

4 source controls mapped|2 target controls covered

EASA Part-IS - Information Security in Aviation

4 source controls mapped|4 target controls covered

ISO 31000

4 source controls mapped|4 target controls covered

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

4 source controls mapped|5 target controls covered

NIST SP 800-30

4 source controls mapped|4 target controls covered

NIST SP 800-37

4 source controls mapped|4 target controls covered

NIST SP 800-39

4 source controls mapped|4 target controls covered

API 1164

3 source controls mapped|3 target controls covered

ISO 22318

3 source controls mapped|3 target controls covered

ISO 27019

3 source controls mapped|4 target controls covered

UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities

3 source controls mapped|3 target controls covered

IEC 62443

3 source controls mapped|3 target controls covered

Solvency II

3 source controls mapped|4 target controls covered

NERC CIP

3 source controls mapped|4 target controls covered

ISO 22316

3 source controls mapped|3 target controls covered

NIST SP 1800-32

3 source controls mapped|3 target controls covered

SASB Standards (ISSB Integrated)

3 source controls mapped|4 target controls covered

SASB Standards

3 source controls mapped|4 target controls covered

ISO 22317

3 source controls mapped|3 target controls covered

FSSC 22000 - Food Safety System Certification

3 source controls mapped|1 target controls covered

Italy Personal Data Protection Code (Legislative Decree No. 196/2003, amended 2018)

3 source controls mapped|1 target controls covered

India Account Aggregator Framework (RBI)

3 source controls mapped|1 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

3 source controls mapped|1 target controls covered

HL7 FHIR Security Framework

3 source controls mapped|2 target controls covered

FIDO2 / WebAuthn

3 source controls mapped|2 target controls covered

FATF Recommendation 16 - Virtual Asset Travel Rule

3 source controls mapped|1 target controls covered

Peru Personal Data Protection Law (Law No. 29733)

3 source controls mapped|3 target controls covered

Ukraine Law on Personal Data Protection (Law No. 2297-VI)

3 source controls mapped|3 target controls covered

Senegal Law on Personal Data Protection (Law No. 2008-12)

3 source controls mapped|3 target controls covered

Philippines Data Privacy Act (RA 10173)

3 source controls mapped|3 target controls covered

Belgium Data Protection Act (Wet van 30 juli 2018, Loi du 30 juillet 2018)

3 source controls mapped|2 target controls covered

IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems

3 source controls mapped|2 target controls covered

NIST Privacy Framework Version 1.0

3 source controls mapped|3 target controls covered

TSA Pipeline Cybersecurity Directives

3 source controls mapped|1 target controls covered

AML/CTF Act 2006 (Australia)

3 source controls mapped|2 target controls covered

SWIFT Customer Security Programme (CSP)

3 source controls mapped|3 target controls covered

PropTech Security Standards - Smart Building Cybersecurity

3 source controls mapped|3 target controls covered

Zimbabwe Data Protection Act (2021)

3 source controls mapped|2 target controls covered

Voluntary Principles on Security and Human Rights (VPs)

3 source controls mapped|1 target controls covered

ISO 9001

3 source controls mapped|3 target controls covered

ISO 45001

3 source controls mapped|1 target controls covered

ISO 37001

3 source controls mapped|1 target controls covered

ISO 55001

3 source controls mapped|1 target controls covered

ISO 37301

3 source controls mapped|1 target controls covered

ISO 22000

3 source controls mapped|1 target controls covered

ISO 30401

3 source controls mapped|1 target controls covered

COSO Internal Control - Integrated Framework (2013)

3 source controls mapped|2 target controls covered

WELL Building Standard v2 (International WELL Building Institute)

3 source controls mapped|1 target controls covered

Washington My Health My Data Act (MHMD)

3 source controls mapped|1 target controls covered

UNESCO Recommendation on the Ethics of AI

3 source controls mapped|1 target controls covered

Modern Slavery Act 2018 (Australia)

2 source controls mapped|2 target controls covered

OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (2023 Update)