ASD Information Security Manual (ISM)

Australia

vJune 2025

14 domains

136 controls

The Australian Signals Directorate Information Security Manual is the Australian Government's primary cyber security framework. It provides a comprehensive set of cyber security principles and guidelines for protecting systems and data at all classification levels. The ISM contains over 870 controls organized across system hardening, management, monitoring, development, networking, cryptography, gateways, and data transfer guidelines.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (14)

Backup and Recovery

5 controls

Chapter 12: Data backup, restoration, and digital preservation

Controls in the Backup and Recovery domain of ASD Information Security Manual (ISM) — 5 controls
Code	Title	Description
ISM-1511	Backup Frequency	Backups of data, applications and settings are performed and retained in accordance with business criticality and busine...
ISM-1515	Restoration Testing	Restoration of data, applications and settings from backups is tested as part of disaster recovery exercises.
ISM-1705	Backup Access Restriction	Unprivileged access to backups of other users' data, applications and settings is prevented.
ISM-1810	Synchronised Backups	Backups are synchronised to enable restoration to a common point in time.
ISM-1811	Resilient Backup Storage	Backups are retained in a secure and resilient manner.

Cryptography

9 controls

Chapter 18: Cryptographic controls, TLS, SSH, and post-quantum readiness

Controls in the Cryptography domain of ASD Information Security Manual (ISM) — 9 controls
Code	Title	Description
ISM-0459	Data at Rest Encryption	Full disk or partial disk encryption is implemented for data at rest on all classified media.
ISM-0476	RSA Key Length	RSA is used with a modulus of at least 2048 bits (3072 bits preferred).
ISM-0484	SSH Hardening	SSH is hardened using vendor and ASD guidance.
ISM-1139	TLS Version	Only the latest version of TLS is used for protecting data in transit.
ISM-1369	TLS Encryption Algorithm	AES in Galois/Counter Mode is used for TLS encryption.
ISM-1453	Perfect Forward Secrecy	Perfect forward secrecy is used for all TLS connections.
ISM-1506	SSH v1 Disabled	SSH version 1 is disabled to prevent use of insecure protocol.
ISM-1553	TLS Compression Disabled	TLS compression is disabled to prevent information leakage.
ISM-1917	Post-Quantum Readiness	New development supports ML-DSA-87 and ML-KEM-1024 post-quantum cryptographic algorithms by 2030.

Cyber Security Principles and Governance

9 controls

Chapters 2-4: Cyber security principles, roles, responsibilities, and security documentation

Controls in the Cyber Security Principles and Governance domain of ASD Information Security Manual (ISM) — 9 controls
Code	Title	Description
ISM-0027	CISO Appointment	A Chief Information Security Officer is appointed to provide cyber security leadership.
ISM-0047	System Security Plan	A system security plan is developed, implemented and maintained for each system.
ISM-0714	System Owners Identified	System owners are identified for each system and documented.
ISM-0888	Continuous Monitoring Plan	A continuous monitoring plan is developed, implemented and maintained for each system.
ISM-1211	Incident Response Plan	A cyber security incident response plan is developed, implemented and maintained.
ISM-1526	Cyber Security Strategy	A cyber security strategy is developed, implemented and maintained.
ISM-1563	Security Assessment Report	A security assessment report is produced for each system assessing its security posture.
ISM-1567	Cyber Supply Chain Risk Management	A cyber supply chain risk management strategy is developed, implemented and maintained.
ISM-1568	Shared Responsibility Model	The shared responsibility model for each cloud service is identified and documented.

Gateways and Content Filtering

8 controls

Chapter 19: Firewalls, cross-domain solutions, web proxies, and content inspection

Controls in the Gateways and Content Filtering domain of ASD Information Security Manual (ISM) — 8 controls
Code	Title	Description
ISM-0260	Web Proxy Requirement	All web access is routed through web proxy servers.
ISM-0263	TLS Traffic Inspection	TLS traffic passing through gateways is decrypted and inspected as authorised.
ISM-0631	Authorised Data Flows Only	Gateways only permit explicitly authorised data flows.
ISM-0637	DMZ Implementation	Gateways implement a demilitarised zone (DMZ) for external access to services.
ISM-0963	Content Filter Blocking	Web content filters are used to block potentially harmful web-based content.
ISM-1288	Multi-Engine Antivirus	Files transiting gateways are scanned with multiple different antivirus engines.
ISM-1389	Sandbox Analysis	Executables transiting gateways are run in sandbox environments to detect suspicious behaviour.
ISM-1528	Evaluated Firewalls	Evaluated firewalls are deployed between the organisation's network and public network infrastructure.

Media and Facilities Security

6 controls

Chapters 7-10: Guidelines for media, equipment, and physical facility security

Controls in the Media and Facilities Security domain of ASD Information Security Manual (ISM) — 6 controls
Code	Title	Description
ISM-0159	Media Sanitisation	Media is sanitised before reuse, disposal, or return to vendor.
ISM-0164	Equipment Maintenance	ICT equipment is maintained by authorised personnel with appropriate security clearances.
ISM-0336	ICT Equipment Classification	ICT equipment is classified based on the highest classification of data it processes, stores or communicates.
ISM-0363	Media Destruction	Media that cannot be sanitised is destroyed using approved methods.
ISM-1053	Emanation Security	Emanation security measures are implemented for systems processing classified information.
ISM-1076	ICT Equipment Disposal	ICT equipment disposal includes sanitisation or destruction of all storage media.

Network Security

13 controls

Security requirements for telecoms networks and services

Controls in the Network Security domain of ASD Information Security Manual (ISM) — 13 controls
Code	Title	Description
ISM-0520	Unauthorised Device Prevention	Network access controls prevent unauthorised network devices from connecting to the network.
ISM-1028	NIDS/NIPS Deployment	Network-based intrusion detection/prevention systems are deployed in gateways between networks.
ISM-1181	Network Segmentation	Networks are segregated into zones based on the criticality of servers, services and data handled.
ISM-1182	Network Access Controls	Network access controls limit traffic flows to that required for business purposes.
ISM-1311	SNMP v1/v2 Prohibition	SNMP versions 1 and 2 are not used on networks.
ISM-1627	Anonymity Network Inbound Blocking	Inbound network connections from anonymity networks are blocked at the gateway.
ISM-1628	Anonymity Network Outbound Blocking	Outbound network connections to anonymity networks are blocked at the gateway.
ISM-1781	Data Encryption in Transit	All data communicated over network infrastructure is encrypted.
ISM-1782	Protective DNS	A protective Domain Name System service is used that blocks access to known malicious domain names.
ISM-1800	Trusted Firmware	Network devices are flashed with trusted firmware before being used for the first time.
UK-TSA-NET-01	Security Architecture	Implement secure network architecture with defined security zones, controlled access between zones, and protection of ma...
UK-TSA-NET-02	Access Control and Authentication	Implement strong authentication for network access. Privileged access management for network functions. Multi-factor aut...
UK-TSA-NET-03	Supply Chain Security	Assess and manage risks from equipment vendors and managed service providers. High-risk vendor restrictions apply. Must...

Patch Management

9 controls

Chapter 12: Patching operating systems, applications, and firmware

Controls in the Patch Management domain of ASD Information Security Manual (ISM) — 9 controls
Code	Title	Description
ISM-1143	Patch Management Processes	Patch management processes are developed, implemented and maintained.
ISM-1691	Application Patching — Regular	Patches, updates or vendor mitigations for productivity suites, browsers, email, PDF, and security products are applied...
ISM-1692	Application Patching — Critical	Patches, updates or vendor mitigations for critical vulnerabilities in productivity suites, browsers, email, PDF, and se...
ISM-1694	Server OS Patching — Regular	Non-critical patches for internet-facing server operating systems are applied within two weeks.
ISM-1696	Workstation OS Patching — Critical	Critical patches for workstation operating systems are applied within 48 hours.
ISM-1698	Vulnerability Scanning — Online Services	A vulnerability scanner is used at least daily to identify missing patches or updates for online service vulnerabilities...
ISM-1699	Vulnerability Scanning — Applications	A vulnerability scanner is used at least weekly to identify missing patches or updates for office productivity suites, w...
ISM-1876	Online Service Patching — Critical	Critical patches for online services are applied within 48 hours of release.
ISM-1877	Server OS Patching — Critical	Critical patches for internet-facing server operating systems are applied within 48 hours.

Personnel Security

23 controls

Requirements for ensuring personnel suitability and managing insider threats

Controls in the Personnel Security domain of ASD Information Security Manual (ISM) — 23 controls
Code	Title	Description
AEO-PS-1	Employee Vetting	Pre-employment verification and periodic background checks must be conducted for personnel in sensitive positions.
AEO-PS-2	Security Awareness Training	Staff must receive training on supply chain security threats, procedures, and their role in maintaining security.
AEO-PS-3	Access Management	Access to sensitive areas and information must be restricted based on job function and need-to-know basis.
CTPAT-PE-1	Pre-Employment Verification	Conduct thorough pre-employment background checks and verification for personnel in supply chain security roles.
CTPAT-PE-2	Employee Screening	Screen employees with access to cargo, shipping, and receiving areas to ensure reliability and trustworthiness.
CTPAT-PE-3	Education and Training	Provide security awareness education and training programs for all employees and supply chain partners.
DSPF-PERS-1	Personnel Suitability	Each entity ensures its employees and contractors are suitable to access Australian Government resources and Defence inf...
DSPF-PERS-2	Security Clearances	Personnel accessing classified Defence information must hold appropriate security clearances issued by AGSVA.
DSPF-PERS-3	Ongoing Personnel Assessment	Personnel suitability is continuously monitored and reassessed throughout the period of engagement.
DSPF-PERS-4	Insider Threat Management	Each entity implements measures to identify and manage insider threat risks to Defence people, information and assets.
DSPF-PERS-5	Security Awareness and Training	Personnel receive security awareness training commensurate with their access level and responsibilities.
ISM-0252	Cyber Security Awareness Training	Cyber security awareness training is provided to personnel on employment and annually thereafter.
ISM-0414	System Access Revocation	System access is removed or suspended on the same day a person changes roles or leaves.
ISM-0434	Privileged User Access Restriction	Requests for privileged access to systems, applications and data repositories are validated when first requested.
ISM-1146	Targeted Cyber Security Training	Targeted cyber security awareness training is provided to personnel based on their role and responsibilities.
ISM-1175	Temporary Access	Temporary access to systems is managed and revoked after an agreed period or at the end of the arrangement.
ISM-1503	Separate Privileged Operating Environments	Privileged users use separate privileged and unprivileged operating environments.
ISM-1507	Privileged Access Limitation	Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake...
ISM-1508	Privileged Access Review	Privileged access to systems, applications and data repositories is reviewed at least annually.
PSPF-PERS-1	Eligibility and Suitability	Each entity must ensure that employees and contractors are suitable to access Australian Government resources, based on...
PSPF-PERS-2	Security Clearances	Each entity must ensure appropriate security clearances are obtained for personnel accessing security classified informa...
PSPF-PERS-3	Ongoing Suitability	Each entity must monitor the ongoing suitability of personnel with access to government resources and manage identified...
PSPF-PERS-4	Separation and Transfer	Each entity must manage security risks associated with personnel separating from or transferring within the entity, incl...

Software Development Security

12 controls

Chapter 14: Secure development practices, web application security, and vulnerability management

Controls in the Software Development Security domain of ASD Information Security Manual (ISM) — 12 controls
Code	Title	Description
ISM-0400	Environment Segregation	Development, testing, staging and production environments are segregated.
ISM-0401	Secure Design Principles	Secure design principles and memory-safe programming languages are applied in software development.
ISM-0402	Security Testing	Software undergoes static application security testing (SAST) and dynamic application security testing (DAST) before rel...
ISM-0971	Web Application Security Standard	The OWASP Application Security Verification Standard is used for web application development.
ISM-1240	Input Validation	Validation or sanitisation is performed on all input from the internet.
ISM-1241	Output Encoding	Output encoding is performed on all web application output.
ISM-1275	Database Query Filtering	Database queries from software are filtered for legitimate content.
ISM-1424	Security Headers	Security headers are configured including Content-Security-Policy, HSTS, and X-Frame-Options.
ISM-1616	Vulnerability Disclosure Program	A vulnerability disclosure program is implemented for all internet-facing services.
ISM-1730	Software Bill of Materials	A software bill of materials is produced for all software developed.
ISM-1780	SecDevOps	Secure development operations (SecDevOps) practices are used in software development.
ISM-1850	OWASP Top 10 Mitigation	The OWASP Top 10 is mitigated for all web applications.

System Hardening — Application Control

9 controls

Chapter 11: Application control (Essential Eight mitigation strategy)

Controls in the System Hardening — Application Control domain of ASD Information Security Manual (ISM) — 9 controls
Code	Title	Description
ISM-0843	Application Control on Workstations	Application control is implemented on workstations.
ISM-0955	Application Control Rules	Application control uses cryptographic hash rules, publisher certificate rules, or path rules.
ISM-1490	Application Control on Internet-Facing Servers	Application control is implemented on internet-facing servers.
ISM-1544	Microsoft Blocklist	Microsoft's recommended application blocklist is implemented.
ISM-1582	Application Control Validation	Application control rulesets are validated on an annual or more frequent basis.
ISM-1656	Application Control on Non-Internet Servers	Application control is implemented on non-internet-facing servers.
ISM-1657	Application Control Scope	Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML...
ISM-1658	Driver Execution Control	Application control restricts driver execution to an approved set.
ISM-1870	Application Control — User Folders	Application control is applied to user and temporary folders used by operating systems, web browsers, and email clients.

System Hardening — Application and Browser Hardening

9 controls

Chapter 11: Hardening of office suites, web browsers, email clients, and PDF applications

Controls in the System Hardening — Application and Browser Hardening domain of ASD Information Security Manual (ISM) — 9 controls
Code	Title	Description
ISM-1412	Web Browser Hardening	Web browsers are hardened using ASD and vendor guidance.
ISM-1467	Latest Application Versions	The latest release of office productivity suites, web browsers, browser extensions, email clients, PDF software, and sec...
ISM-1485	Block Web Advertisements	Web browsers do not process web advertisements from the internet.
ISM-1486	Block Java in Browsers	Web browsers do not process Java from the internet.
ISM-1667	Office Child Process Blocking	Microsoft Office is blocked from creating child processes.
ISM-1668	Office Executable Content Blocking	Microsoft Office is blocked from creating executable content.
ISM-1671	Office Macro Restriction	Microsoft Office macros are disabled for users who do not have a demonstrated business requirement.
ISM-1674	Trusted Macro Sources	Only macros running from within a sandboxed environment, a Trusted Location, or that are digitally signed by a trusted p...
ISM-1859	Office Suite Hardening	Office productivity suites are hardened using ASD and vendor guidance.

System Hardening — Authentication

9 controls

Chapter 11: Multi-factor authentication and credential management

Controls in the System Hardening — Authentication domain of ASD Information Security Manual (ISM) — 9 controls
Code	Title	Description
ISM-0421	Passphrase Complexity	Passphrases used for non-classified systems are at least 4 random words with a minimum of 15 characters.
ISM-0974	MFA for Unprivileged Users	Multi-factor authentication is used for unprivileged user access to systems.
ISM-1173	MFA for Privileged Users	Multi-factor authentication is used for privileged user access to systems.
ISM-1401	MFA Factor Types	Multi-factor authentication uses at least two of: something the user possesses, something the user knows, or something t...
ISM-1403	Account Lockout	User accounts are locked after a maximum of 5 failed logon attempts.
ISM-1504	MFA for Sensitive Services	Multi-factor authentication is used for organisation online services that handle sensitive data.
ISM-1590	Credential Rotation	Credentials are changed if compromised, suspected of compromise, or older than 12 months without MFA.
ISM-1682	Phishing-Resistant MFA	Multi-factor authentication used for system user authentication is phishing-resistant.
ISM-1686	Credential Guard	Windows Credential Guard functionality is enabled.

System Hardening — Operating Systems

7 controls

Chapter 11: Operating system hardening and configuration management

Controls in the System Hardening — Operating Systems domain of ASD Information Security Manual (ISM) — 7 controls
Code	Title	Description
ISM-1407	Latest OS Release	The latest release, or previous release, of operating systems is used for workstations.
ISM-1408	64-bit Operating Systems	64-bit versions of operating systems are used where supported.
ISM-1409	OS Hardening	Operating systems are hardened using ASD and vendor guidance.
ISM-1410	Local Admin Account Restriction	Local administrator accounts are disabled or have random unique passphrases.
ISM-1584	Security Function Protection	Unprivileged users cannot bypass, disable or modify security functionality of operating systems.
ISM-1588	SOE Annual Review	Standard operating environments are reviewed and updated at least annually.
ISM-1745	Secure Boot	Early Launch Antimalware, Secure Boot, Trusted Boot, and Measured Boot are enabled.

System Monitoring and Event Logging

8 controls

Chapter 13: Event logging, analysis, and centralised monitoring

Controls in the System Monitoring and Event Logging domain of ASD Information Security Manual (ISM) — 8 controls
Code	Title	Description
ISM-0580	Event Logging Policy	An event logging policy is developed, implemented and maintained.
ISM-0584	Authentication Event Logging	Logon, failed logon and logoff events are logged for systems handling authenticated user access.
ISM-0585	Event Log Content	Each event log entry includes date and time, user or process, filename or event, and equipment involved.
ISM-0586	Event Log Protection	Event logs are protected from unauthorised access, modification and deletion.
ISM-0859	Event Log Retention	Event logs (excluding DNS and web proxy logs) are retained for at least seven years.
ISM-0988	Accurate Time Source	An accurate and consistent time source is established and used for event logging purposes.
ISM-1228	Timely Event Analysis	Cyber security events are analysed in a timely manner to identify cyber security incidents.
ISM-1405	Centralised Logging	A centralised event logging facility is implemented and event logs from all systems are sent to it.

Maps to 624 other frameworks

136 total controls

CSA CCM v4

50 source controls mapped|40 target controls covered

37%

South Korea ISMS-P

46 source controls mapped|13 target controls covered

34%

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

42 source controls mapped|18 target controls covered

31%

NIS2 Directive Implementing Acts

42 source controls mapped|25 target controls covered

31%

TISAX — Trusted Information Security Assessment Exchange

42 source controls mapped|19 target controls covered

31%

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

42 source controls mapped|14 target controls covered

31%

Canada ITSG-33 — IT Security Risk Management

42 source controls mapped|16 target controls covered

31%

New Zealand Information Security Manual (NZISM)

42 source controls mapped|14 target controls covered

31%

MARS-E — Minimum Acceptable Risk Standards for Exchanges

42 source controls mapped|14 target controls covered

31%

South Korea Cloud Security Assurance Program (CSAP)

42 source controls mapped|15 target controls covered

31%

NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity

42 source controls mapped|16 target controls covered

31%

CSA STAR (Security, Trust, Assurance, and Risk)

41 source controls mapped|12 target controls covered

30%

NIST SP 800-171A — Assessing CUI Security Requirements

41 source controls mapped|22 target controls covered

30%

FAA Cybersecurity Framework for Aviation

41 source controls mapped|16 target controls covered

30%

UK Gambling Commission — Cyber Resilience Requirements

41 source controls mapped|17 target controls covered

30%

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

40 source controls mapped|18 target controls covered

29%

NIST SP 800-82 Rev 3 — Guide to OT Security

40 source controls mapped|17 target controls covered

29%

Oman National Cybersecurity Framework

39 source controls mapped|10 target controls covered

29%

ISO 27001:2022

39 source controls mapped|24 target controls covered

29%

NIST SP 800-53 Rev 5

39 source controls mapped|32 target controls covered

29%

NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements

38 source controls mapped|20 target controls covered

28%

FedRAMP Rev 5

38 source controls mapped|34 target controls covered

28%

NIST Privacy Framework 1.0

38 source controls mapped|16 target controls covered

28%

DISA Security Technical Implementation Guides (STIGs)

37 source controls mapped|22 target controls covered

27%

Singapore Government Instruction Manual on ICT&SS Management (IM8)

36 source controls mapped|13 target controls covered

26%

CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines

36 source controls mapped|21 target controls covered

26%

PCI DSS v4.0

36 source controls mapped|28 target controls covered

26%

Defence Security Principles Framework (DSPF)

35 source controls mapped|33 target controls covered

26%

Protective Security Policy Framework (PSPF) Release 2024

35 source controls mapped|33 target controls covered

26%

UK Defence Standard 05-138 — Cyber Security for Defence Suppliers

34 source controls mapped|14 target controls covered

25%

TSA Pipeline Security

34 source controls mapped|17 target controls covered

25%

Australian Energy Sector Cyber Security Framework (AESCSF)

34 source controls mapped|19 target controls covered

25%

AWS Well-Architected Security Pillar

33 source controls mapped|12 target controls covered

24%

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

33 source controls mapped|16 target controls covered

24%

Azure Security Benchmark

33 source controls mapped|12 target controls covered

24%

CAIQ (CSA)

33 source controls mapped|12 target controls covered

24%

C5 (Germany)

33 source controls mapped|12 target controls covered

24%

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

33 source controls mapped|19 target controls covered

24%

FTC Safeguards Rule (16 CFR Part 314)

33 source controls mapped|13 target controls covered

24%

ISO 27017

33 source controls mapped|12 target controls covered

24%

NIST SP 800-190

33 source controls mapped|12 target controls covered

24%

ISMAP (Japan)

33 source controls mapped|12 target controls covered

24%

ISO 27018

33 source controls mapped|12 target controls covered

24%

NIST SP 800-145

33 source controls mapped|12 target controls covered

24%

NIST SP 800-144

33 source controls mapped|12 target controls covered

24%

NIST SP 800-146

33 source controls mapped|12 target controls covered

24%

MTCS (Singapore)

33 source controls mapped|12 target controls covered

24%

ASD Strategies to Mitigate Cyber Security Incidents

32 source controls mapped|20 target controls covered

24%

FTC GLBA Safeguards Rule (16 CFR Part 314)

32 source controls mapped|15 target controls covered

24%

CISA Zero Trust Maturity Model

32 source controls mapped|17 target controls covered

24%

DoD Zero Trust Reference Architecture

32 source controls mapped|17 target controls covered

24%

CNCF Cloud Native Security (Cloud Native Computing Foundation)

32 source controls mapped|11 target controls covered

24%

EIOPA Guidelines on ICT Security and Governance (2020)

31 source controls mapped|16 target controls covered

23%

EU Cyber Resilience Act

31 source controls mapped|14 target controls covered

23%

3GPP Security

31 source controls mapped|13 target controls covered

23%

California IoT Security Law

31 source controls mapped|14 target controls covered

23%

ETSI EN 303 645

31 source controls mapped|15 target controls covered

23%

MITRE D3FEND

31 source controls mapped|15 target controls covered

23%

BSIMM

31 source controls mapped|14 target controls covered

23%

OWASP ASVS

31 source controls mapped|14 target controls covered

23%

NIST SP 800-150

31 source controls mapped|13 target controls covered

23%

MITRE ATT&CK

31 source controls mapped|14 target controls covered

23%

ISO 27002:2022

31 source controls mapped|14 target controls covered

23%

NIST SP 800-128

31 source controls mapped|14 target controls covered

23%

OWASP SAMM

31 source controls mapped|13 target controls covered

23%

NIST SP 800-218

31 source controls mapped|14 target controls covered

23%

SSDF (NIST)

31 source controls mapped|14 target controls covered

23%

NIST SP 800-183

31 source controls mapped|14 target controls covered

23%

NIST SP 800-115

31 source controls mapped|14 target controls covered

23%

NIST SP 800-123

31 source controls mapped|14 target controls covered

23%

ISO/SAE 21434

31 source controls mapped|14 target controls covered

23%

NIST SP 800-181

31 source controls mapped|15 target controls covered

23%

NIST SP 800-61

31 source controls mapped|13 target controls covered

23%

NIST SP 800-161

31 source controls mapped|13 target controls covered

23%

NIST SP 800-63

31 source controls mapped|13 target controls covered

23%

SLSA

31 source controls mapped|14 target controls covered

23%

ISO 27043

31 source controls mapped|15 target controls covered

23%

UNECE WP.29 R156

31 source controls mapped|14 target controls covered

23%

NIST SP 800-160

31 source controls mapped|14 target controls covered

23%

NIST SP 800-92

31 source controls mapped|14 target controls covered

23%

OpenSSF Scorecard

31 source controls mapped|16 target controls covered

23%

SIG (Shared Assessments)

31 source controls mapped|14 target controls covered

23%

NIST SP 800-207

31 source controls mapped|13 target controls covered

23%

OWASP MASVS

31 source controls mapped|12 target controls covered

23%

NIST SP 800-187

31 source controls mapped|15 target controls covered

23%

UK PSTI Act

31 source controls mapped|14 target controls covered

23%

PTES

31 source controls mapped|14 target controls covered

23%

NIST SP 800-137

31 source controls mapped|15 target controls covered

23%

NIST SP 800-88

31 source controls mapped|14 target controls covered

23%

UNECE WP.29 R155

31 source controls mapped|13 target controls covered

23%

OWASP DevSecOps Maturity Model (DSOMM)

31 source controls mapped|16 target controls covered

23%

OWASP Top 10:2025

31 source controls mapped|11 target controls covered

23%

ISO/IEC 27011:2024

30 source controls mapped|12 target controls covered

22%

HKMA Cyber Resilience Assessment Framework (C-RAF)

30 source controls mapped|14 target controls covered

22%

FFIEC Cybersecurity Assessment Tool (CAT)

30 source controls mapped|9 target controls covered

22%

FBI CJIS Security Policy

30 source controls mapped|17 target controls covered

22%

UK Telecommunications (Security) Act 2021

30 source controls mapped|19 target controls covered

22%

Belgium CyberFundamentals

29 source controls mapped|16 target controls covered

21%

Spain ENS

29 source controls mapped|16 target controls covered

21%

ANSSI Cybersecurity Framework

29 source controls mapped|18 target controls covered

21%

FISMA

29 source controls mapped|16 target controls covered

21%

BSI IT-Grundschutz

29 source controls mapped|17 target controls covered

21%

Ghana Cybersecurity Act

29 source controls mapped|17 target controls covered

21%

Cyber Essentials Plus

29 source controls mapped|15 target controls covered

21%

CMMC 2.0

29 source controls mapped|16 target controls covered

21%

NIST SP 800-172

29 source controls mapped|18 target controls covered

21%

NIST SP 800-171

29 source controls mapped|16 target controls covered

21%

NIST SP 800-53A

29 source controls mapped|15 target controls covered

21%

Saudi NCA ECC

29 source controls mapped|17 target controls covered

21%

GLI-33 — Gaming Laboratories International Event Wagering Systems

29 source controls mapped|13 target controls covered

21%

O-RAN Alliance Security Specifications (O-RAN.WG11)

29 source controls mapped|9 target controls covered

21%

RBI Cybersecurity Framework for Banks

28 source controls mapped|10 target controls covered

21%

US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule

28 source controls mapped|17 target controls covered

21%

Telecommunications Sector Security Reforms (TSSR)

28 source controls mapped|12 target controls covered

21%

ASIC Cyber Resilience Good Practices

27 source controls mapped|12 target controls covered

20%

ISO/IEC 27400:2022

27 source controls mapped|8 target controls covered

20%

CISA Secure by Design Principles

27 source controls mapped|9 target controls covered

20%

US Executive Order 14028 — Improving the Nation's Cybersecurity

27 source controls mapped|9 target controls covered

20%

DO-326A

26 source controls mapped|13 target controls covered

19%

IEC 62443

26 source controls mapped|13 target controls covered

19%

IEEE 1686

26 source controls mapped|14 target controls covered

19%

C2M2

26 source controls mapped|14 target controls covered

19%

API 1164

26 source controls mapped|13 target controls covered

19%

HKMA SPM

26 source controls mapped|14 target controls covered

19%

DORA

26 source controls mapped|14 target controls covered

19%

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)

26 source controls mapped|14 target controls covered

19%

BIMCO Cyber Security

26 source controls mapped|13 target controls covered

19%

FFIEC IT Examination Handbook

26 source controls mapped|14 target controls covered

19%

GLBA

26 source controls mapped|14 target controls covered

19%

BCBS 239

26 source controls mapped|14 target controls covered

19%

APRA CPS 234

26 source controls mapped|14 target controls covered

19%

PCI SSF

26 source controls mapped|14 target controls covered

19%

NAIC Insurance Data Security Model Law (MDL-668)

26 source controls mapped|15 target controls covered

19%

NIS2 Directive

26 source controls mapped|13 target controls covered

19%

SWIFT CSCF

26 source controls mapped|14 target controls covered

19%

NIST SP 1800-32

26 source controls mapped|14 target controls covered

19%

AICPA SOC 1

26 source controls mapped|14 target controls covered

19%

PCI P2PE

26 source controls mapped|14 target controls covered

19%

ISO 27019

26 source controls mapped|14 target controls covered

19%

MAS TRM

26 source controls mapped|14 target controls covered

19%

NIST Cybersecurity Framework 2.0

26 source controls mapped|17 target controls covered

19%

ECB TIBER-EU

26 source controls mapped|14 target controls covered

19%

Open Banking Security

26 source controls mapped|14 target controls covered

19%

PCI PIN Security

26 source controls mapped|14 target controls covered

19%

PSD2 SCA

26 source controls mapped|14 target controls covered

19%

AICPA SOC 3

26 source controls mapped|14 target controls covered

19%

SWIFT CSP

26 source controls mapped|14 target controls covered

19%

OSFI B-13

26 source controls mapped|14 target controls covered

19%

IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems

25 source controls mapped|10 target controls covered

18%

TSA Pipeline Cybersecurity Directives

25 source controls mapped|9 target controls covered

18%

SWIFT Customer Security Programme (CSP)

25 source controls mapped|10 target controls covered

18%

US ITAR and EAR — Export Control and Data Security

25 source controls mapped|10 target controls covered

18%

FDA 21 CFR Part 11

25 source controls mapped|9 target controls covered

18%

NIST SP 800-66

25 source controls mapped|9 target controls covered

18%

MARS-E

25 source controls mapped|9 target controls covered

18%

MDS2 (Medical Device)

25 source controls mapped|9 target controls covered

18%

ISO 13485

25 source controls mapped|9 target controls covered

18%

ISO 27799

25 source controls mapped|9 target controls covered

18%

ISO/IEC 27010:2015

24 source controls mapped|9 target controls covered

18%

Customs-Trade Partnership Against Terrorism (C-TPAT)

24 source controls mapped|9 target controls covered

18%

HIPAA Security Rule

24 source controls mapped|15 target controls covered

18%

ISO 28001:2007 Supply Chain Security Management

23 source controls mapped|14 target controls covered

17%

NIST SP 800-124 Rev 2 — Mobile Device Security

23 source controls mapped|10 target controls covered

17%

WCO Authorised Economic Operator (AEO) Framework

22 source controls mapped|20 target controls covered

16%

EU Digital Markets Act

22 source controls mapped|8 target controls covered

16%

EAR — Export Administration Regulations

22 source controls mapped|11 target controls covered

16%

C-TPAT — Customs-Trade Partnership Against Terrorism

21 source controls mapped|16 target controls covered

15%

HL7 FHIR Security Framework

21 source controls mapped|11 target controls covered

15%

PropTech Security Standards — Smart Building Cybersecurity

21 source controls mapped|8 target controls covered

15%

EU GMP Annex 11 — Computerised Systems

20 source controls mapped|8 target controls covered

15%

ASD Essential Eight Maturity Model

19 source controls mapped|12 target controls covered

14%

NERC CIP

19 source controls mapped|10 target controls covered

14%

IAEA Nuclear Security Series — Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

19 source controls mapped|7 target controls covered

14%

BS 65000:2014 — Guidance on Organizational Resilience

19 source controls mapped|7 target controls covered

14%

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

19 source controls mapped|13 target controls covered

14%

EU Critical Raw Materials Act (Regulation (EU) 2024/1252)

18 source controls mapped|9 target controls covered

13%

SOC for Cybersecurity — Cybersecurity Risk Management Examination

18 source controls mapped|7 target controls covered

13%

US NRC 10 CFR 73.54 — Cyber Security for Nuclear Power Plants

18 source controls mapped|5 target controls covered

13%

EU NIS2 Directive — Energy Sector Cybersecurity Requirements (Directive 2022/2555)

18 source controls mapped|10 target controls covered

13%

HITECH Act

18 source controls mapped|3 target controls covered

13%

Japan FSA Cybersecurity Guidelines for Financial Institutions

17 source controls mapped|10 target controls covered

13%

OWASP API Security Top 10:2023

17 source controls mapped|5 target controls covered

13%

IEC 62351 — Power Systems Communication Security

17 source controls mapped|4 target controls covered

13%

BSI C5 — Cloud Computing Compliance Criteria Catalogue

16 source controls mapped|4 target controls covered

12%

SSAE 18 — Attestation Standards (SOC Reporting)

16 source controls mapped|8 target controls covered

12%

Notifiable Data Breaches Scheme (Australia)

16 source controls mapped|8 target controls covered

12%

FTC Health Breach Notification Rule

16 source controls mapped|9 target controls covered

12%

UK Product Security and Telecommunications Infrastructure Act (PSTI)

16 source controls mapped|7 target controls covered

12%

European Accessibility Act (Directive (EU) 2019/882)

16 source controls mapped|8 target controls covered

12%

EU Deforestation-Free Products Regulation (EUDR)

16 source controls mapped|7 target controls covered

12%

Ontario Accessibility for Ontarians with Disabilities Act (AODA) — IASR Web Standard

16 source controls mapped|8 target controls covered

12%

US SEC Digital Assets and Crypto Regulatory Framework

16 source controls mapped|10 target controls covered

12%

Australia Consumer Data Right — Banking (CDR)

16 source controls mapped|10 target controls covered

12%

Australia eSafety Commissioner — Online Safety Expectations for Industry

16 source controls mapped|7 target controls covered

12%

Digital Economy Partnership Agreement (DEPA)

16 source controls mapped|8 target controls covered

12%

CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)

16 source controls mapped|9 target controls covered

12%

IRS Publication 1075 — Tax Information Security Guidelines

16 source controls mapped|4 target controls covered

12%

3GPP Security Architecture (TS 33.501 — 5G Security)

16 source controls mapped|12 target controls covered

12%

ILO Nursing Personnel Convention C149 (1977)

16 source controls mapped|7 target controls covered

12%

EU Anti-Money Laundering Directive (AMLD6 / Directive 2018/1673)

16 source controls mapped|9 target controls covered

12%

ISO 8000 — Data Quality

16 source controls mapped|7 target controls covered

12%

FATF Recommendation 16 — Virtual Asset Travel Rule

16 source controls mapped|6 target controls covered

12%

Privacy by Design (PbD) — Seven Foundational Principles

16 source controls mapped|5 target controls covered

12%

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

15 source controls mapped|7 target controls covered

11%

Security of Critical Infrastructure Act 2018 (SOCI)

15 source controls mapped|9 target controls covered

11%

Privacy Act 1988 (Australia)