Australian Information Security Manual

Australia

21 domains

186 controls

ACSC Information Security Manual. Australian Government cybersecurity controls baseline.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (21)

Communications Infrastructure

8 controls

Controls in the Communications Infrastructure domain of Australian Information Security Manual — 8 controls
Code	Title	Description
ISM-0181	Cable inspections	Cabling is periodically inspected for unauthorised modifications.
ISM-0294	Cabling labelling	Cables and patch panels are labelled clearly to support inspection and maintenance.
ISM-0833	Physical security of facilities	Facilities housing ICT equipment have physical security commensurate with the classification of information.
ISM-0834	Visitor management	Visitors to facilities are managed and escorted in sensitive areas.
ISM-1053	Cabling infrastructure standards	Cabling infrastructure for classified systems meets ACSC cabling standards.
ISM-1101	Cable colour coding	Cables are colour-coded according to the classification of the information they carry.
ISM-1187	Wireless access point placement	Wireless access points are positioned to minimise signal leakage beyond the secure area.
ISM-1188	Wireless protocol restrictions	Insecure wireless protocols such as WEP are not used.

Communications Systems

6 controls

Controls in the Communications Systems domain of Australian Information Security Manual — 6 controls
Code	Title	Description
ISM-0229	Telephone systems classification	Telephone systems used for classified discussions are approved for that classification level.
ISM-0240	Fax machine restrictions	Fax machines transmitting classified information meet relevant security requirements.
ISM-1078	Off-hook audio protection	Off-hook audio protection is implemented to prevent eavesdropping via phones in sensitive areas.
ISM-1297	Video conferencing security	Video conferencing systems used for classified discussions are approved and configured securely.
ISM-1297b	Recording of classified meetings	Recordings of classified meetings are stored, handled and protected at the appropriate classification.
ISM-1297v	Voice over IP security	VoIP systems use approved encryption and authentication for signalling and media.

Cryptography

7 controls

Controls in the Cryptography domain of Australian Information Security Manual — 7 controls
Code	Title	Description
ISM-0455	Key management	Cryptographic keys are generated, stored, rotated and destroyed under defined procedures.
ISM-0467	Data in transit encryption	Data in transit over untrusted networks is encrypted using approved protocols.
ISM-0469	Data at rest encryption	Data at rest containing sensitive or classified information is encrypted.
ISM-1139	TLS minimum version	TLS 1.2 is the minimum used; TLS 1.3 is preferred. Older versions are disabled.
ISM-1505	Approved cryptography	Cryptographic algorithms and protocols approved by ASD are used.
ISM-1505b	PKI usage	Public key infrastructure is used for authentication and signing where required.
ISM-1883	Cloud key management	Cryptographic keys in cloud environments are managed using cloud KMS or HSM with documented controls.

Cybersecurity Documentation

7 controls

Controls in the Cybersecurity Documentation domain of Australian Information Security Manual — 7 controls
Code	Title	Description
ISM-0027	System security plan	A system security plan is developed and maintained for each system.
ISM-0072	Authority to operate	Systems receive an authority to operate before commencing production use.
ISM-0790	Authority to operate review	Authority to operate decisions are reviewed at least every two years or on significant change.
ISM-0888	Incident response plan documented	An incident response plan is documented covering detection, containment, eradication, recovery and reporting.
ISM-1163b	Risk register maintained	A cybersecurity risk register is maintained covering identified risks, treatment plans, and review dates.
ISM-1543b	Data classification	Information is classified and labelled in accordance with Australian Government protective marking standards.
ISM-1556	Continuous monitoring plan	A continuous monitoring plan defining ongoing security activities is documented and applied to systems.

Cybersecurity Incidents

9 controls

Controls in the Cybersecurity Incidents domain of Australian Information Security Manual — 9 controls
Code	Title	Description
ISM-0123	Cybersecurity incident response plan	A cybersecurity incident response plan is developed, implemented and maintained.
ISM-0125	Reporting incidents to ACSC	Cybersecurity incidents are reported to the Australian Cyber Security Centre as soon as possible after detection.
ISM-0576	Evidence preservation	Evidence from cybersecurity incidents is preserved for investigation, forensic and legal purposes.
ISM-0581	Security event escalation	Security events are escalated to the incident response team according to defined criteria.
ISM-1784	Incident response exercises	Cybersecurity incident response exercises are conducted at least annually.
ISM-1791	Notifiable Data Breach scheme	Personal information breaches meeting the threshold are notified to OAIC and affected individuals under the Notifiable D...
ISM-1819	Post-incident reviews	Post-incident reviews are conducted after cybersecurity incidents to identify lessons learned.
ISM-1886	Tabletop exercises for executives	Executives participate in cybersecurity tabletop exercises at least annually.
ISM-1887	Crisis communication plan	A crisis communication plan covers internal, customer, regulator and media communications during incidents.

Cybersecurity Roles

4 controls

Controls in the Cybersecurity Roles domain of Australian Information Security Manual — 4 controls
Code	Title	Description
ISM-0714	Chief Information Security Officer appointment	A Chief Information Security Officer is appointed to provide cybersecurity leadership for the organisation.
ISM-1478	CISO responsibilities	The CISO provides strategic cybersecurity advice, oversees the cybersecurity program, and reports to the executive on cy...
ISM-1525	System owners identified	Each system has an identified system owner accountable for its security.
ISM-1526	System owner responsibilities	System owners are responsible for the security of their systems through the system lifecycle.

Cybersecurity Strategy

19 controls

Controls in the Cybersecurity Strategy domain of Australian Information Security Manual — 19 controls
Code	Title	Description
ISM-0042	Cybersecurity strategy	A cybersecurity strategy is developed, implemented and maintained.
ISM-1163	Risk management framework	A risk management framework is applied to cybersecurity risks, aligned with the organisation's overall risk approach.
ISM-1163c	Threat assessment	Threat assessments inform the risk management framework and are updated regularly.
ISM-1163d	Penetration testing	Penetration testing is performed on important systems at least annually and after major change.
ISM-1212	Threat intelligence	Threat intelligence is used to inform protective and detective measures.
ISM-1542	Outsourcing security responsibilities	Where security functions are outsourced, responsibilities, reporting and assurance are formally defined.
ISM-1543	Data sovereignty considerations	Data sovereignty risks are considered when selecting cloud services and offshore providers.
ISM-1779	Cybersecurity insurance considerations	Cybersecurity insurance is considered as a risk treatment, with controls aligned to insurer requirements.
ISM-1791b	Privacy impact assessment	Privacy impact assessments are conducted for new or changed projects handling personal information.
ISM-1820	Supplier security assessment	Suppliers handling official information are security assessed before engagement and periodically thereafter.
ISM-1821	Supplier contractual security	Contracts with suppliers handling official information include security requirements and audit rights.
ISM-1825	Cloud service approvals	Cloud services storing or processing official information are assessed and approved before use.
ISM-1826	IRAP assessment	Cloud services storing PROTECTED information have an IRAP assessment aligned to the appropriate classification.
ISM-1859	Cloud identity federation	Cloud services use federated identity with the enterprise IdP and enforce MFA.
ISM-1888	Annual cybersecurity review	The cybersecurity posture is reviewed annually and reported to the executive.
ISM-1889	Business continuity alignment	Cyber incident response is aligned with business continuity and disaster recovery plans.
ISM-1896	Cybersecurity metrics and reporting	Cybersecurity metrics are defined, measured and reported to executives and the board.
ISM-1897	Independent assurance	Independent assurance over the cybersecurity program is obtained at planned intervals.
ISM-1898	Essential Eight maturity assessment	The organisation assesses and reports its maturity against the Essential Eight at defined intervals.

Data Transfers

3 controls

Controls in the Data Transfers domain of Australian Information Security Manual — 3 controls
Code	Title	Description
ISM-0664	Data transfer approvals	Transfers of data between systems of different classifications are approved before transfer.
ISM-0665	Data transfer logging	Data transfers between security domains are logged for audit.
ISM-0675	Data export review	Data exports from higher to lower classification systems are subject to review and sanitisation.

Database Systems

6 controls

Controls in the Database Systems domain of Australian Information Security Manual — 6 controls
Code	Title	Description
ISM-0414	Database hardening	Databases are configured against a hardened baseline including disabling unused features.
ISM-0414b	Database backup security	Database backups are protected with the same controls as the primary database.
ISM-0415	Database encryption	Sensitive data stored in databases is encrypted at rest.
ISM-1245	Database access control	Access to databases is restricted to authorised users and applications with least privilege.
ISM-1277	Database activity monitoring	Database activity, especially privileged actions, is logged and monitored.
ISM-1278	Database privileged action approval	Privileged database actions are subject to approval and review.

Email

7 controls

Controls in the Email domain of Australian Information Security Manual — 7 controls
Code	Title	Description
ISM-0270	Email classification	Emails are marked with appropriate protective markings consistent with their classification.
ISM-0270b	Outbound protective marking	Outbound emails contain protective markings consistent with sensitivity of the content.
ISM-0561	Email content filtering	Inbound and outbound email is filtered for malicious and unauthorised content.
ISM-1023	TLS for email	Opportunistic TLS is enabled and MTA-STS is implemented where supported.
ISM-1234	DMARC implementation	DMARC, DKIM and SPF are implemented for all sending domains and enforced.
ISM-1789	Sender Policy Framework	SPF records are configured with a hard fail and updated as senders change.
ISM-1894	Email impersonation protections	Email systems detect and warn on impersonation of executives and trusted senders.

Enterprise Mobility

6 controls

Controls in the Enterprise Mobility domain of Australian Information Security Manual — 6 controls
Code	Title	Description
ISM-0240m	Remote wipe capability	Mobile devices support remote wipe of organisational data on loss or compromise.
ISM-0863	Mobile device policy	A mobile device policy is developed, implemented and maintained.
ISM-1145	Mobile device management	A mobile device management solution is used to enforce security policies on mobile devices.
ISM-1297m	Mobile encryption at rest	Mobile devices that access or store official information encrypt data at rest.
ISM-1554	Travel briefings	Personnel travelling overseas with mobile devices receive a security briefing and use loaner devices where required.
ISM-1554b	Mobile device anti-theft	Mobile devices include anti-theft measures such as tracking, lock and remote wipe.

Evaluated Products

3 controls

Controls in the Evaluated Products domain of Australian Information Security Manual — 3 controls
Code	Title	Description
ISM-0280	Evaluated products selection	Where evaluated products are required, products on the ACSC Evaluated Products List are selected.
ISM-0285	High Assurance products	High Assurance products are used when required by the classification of information being protected.
ISM-0289	Product handling restrictions	Evaluated products are operated within their evaluated configuration.

Gateways

7 controls

Controls in the Gateways domain of Australian Information Security Manual — 7 controls
Code	Title	Description
ISM-0631	Gateway between networks	Gateways are used to control traffic between networks of different trust or classification levels.
ISM-1037	Cross domain solutions	Cross domain solutions are used where data is transferred between networks of different classifications.
ISM-1196	Web content filtering	Web content is filtered at gateways to reduce exposure to malicious sites.
ISM-1416g	Email gateway anti-malware	Email gateways scan for malware and other threats before delivery.
ISM-1416r	Reverse proxy hardening	Reverse proxies in front of internet-facing applications are hardened and patched.
ISM-1430s	DNS sinkholing	Known malicious domains are sinkholed at DNS to prevent communications with attacker infrastructure.
ISM-1812	DNS filtering	DNS resolution is restricted to trusted resolvers and malicious domains are blocked.

ICT Equipment

6 controls

Controls in the ICT Equipment domain of Australian Information Security Manual — 6 controls
Code	Title	Description
ISM-0293	Equipment labelling	ICT equipment is labelled with its classification level.
ISM-0303	Equipment movement records	Movements of ICT equipment between locations are recorded.
ISM-0306	Tamper-evident seals	Tamper-evident seals are applied to ICT equipment when required and inspected for tampering.
ISM-0311	Equipment disposal	ICT equipment is sanitised or destroyed before disposal.
ISM-0316	Equipment maintenance	ICT equipment maintenance is performed in a manner that preserves the confidentiality of information.
ISM-0813	ICT equipment inventory	An inventory of ICT equipment is maintained and reconciled regularly.

Media

8 controls

Controls in the Media domain of Australian Information Security Manual — 8 controls
Code	Title	Description
ISM-0323	Media labelling	Media is labelled to indicate the highest classification of information it holds.
ISM-0325	Media handling procedures	Procedures for the handling of media according to classification are documented and followed.
ISM-0347	Media sanitisation	Media is sanitised before reuse or disposal in line with ISM sanitisation procedures.
ISM-0350	Destruction of media	Media that cannot be sanitised is destroyed using an approved method.
ISM-0359	Removable media restrictions	Use of removable media is restricted and controlled.
ISM-0831	Media transport	Media is transported in a manner appropriate to its classification.
ISM-1294	Removable media encryption	Removable media containing sensitive information is encrypted.
ISM-1893	Removable media in OT	Removable media used in OT environments is scanned and controlled via dedicated kiosks.

Networking

13 controls

Controls in the Networking domain of Australian Information Security Manual — 13 controls
Code	Title	Description
ISM-0263	Network segmentation	Networks are segmented based on classification, function and trust.
ISM-1006	Firewall rule review	Firewall rules are reviewed regularly and rules no longer required are removed.
ISM-1182	Wireless network security	Wireless networks use strong authentication and encryption (WPA3 or WPA2-Enterprise).
ISM-1186	Wireless intrusion detection	Wireless intrusion detection is used to detect rogue access points and threats.
ISM-1295	Wireless guest network isolation	Guest wireless networks are isolated from internal networks.
ISM-1416	Network DDoS protection	Internet-facing services are protected against denial of service attacks.
ISM-1419c	VPN access	Remote access uses VPN or equivalent with multi-factor authentication and least privilege.
ISM-1430	DNS security	DNS infrastructure is hardened and protected against tampering.
ISM-1437	Network access control	Network access control restricts devices connecting to corporate networks.
ISM-1455	Web application firewall	Web application firewalls protect internet-facing applications against common attacks.
ISM-1884	Cloud egress controls	Cloud egress traffic is controlled and monitored to detect data exfiltration.
ISM-1891	Third-party connectivity controls	Third-party network connectivity is segmented, authenticated and monitored.
ISM-1892	OT and ICS segmentation	Operational technology and industrial control systems are segmented from corporate networks.

Personnel Security

7 controls

Controls in the Personnel Security domain of Australian Information Security Manual — 7 controls
Code	Title	Description
ISM-0432	Personnel security clearance	Personnel accessing systems holding classified information hold appropriate security clearances.
ISM-0434	Need to know enforced	Access to classified information is granted on a need-to-know basis.
ISM-0816	Conditions of use for systems	Personnel agree to conditions of use before being granted system access.
ISM-0817	Cybersecurity awareness training	Personnel undertake cybersecurity awareness training at least annually.
ISM-1565	Privileged user training	Privileged users receive additional cybersecurity training relevant to their roles.
ISM-1591	Termination of access	Access is removed promptly when personnel cease duties.
ISM-1895	Phishing simulation	Phishing simulations are conducted regularly with follow-up training for users who fall for them.

Software Development

10 controls

Controls in the Software Development domain of Australian Information Security Manual — 10 controls
Code	Title	Description
ISM-0400	Secure development standards	Software is developed in accordance with secure development standards.
ISM-1238	Security testing of software	Software is tested for security defects before release and on significant change.
ISM-1238b	Production data in test	Production data used in test or development environments is sanitised or masked.
ISM-1419	Separation of environments	Development, test and production environments are separated.
ISM-1750	Open source component review	Open source and third-party components are reviewed for vulnerabilities before use.
ISM-1876	API security	APIs implement authentication, authorisation, input validation and rate limiting.
ISM-1877	Container security	Containers are scanned for vulnerabilities, signed and run with least privilege.
ISM-1878	Infrastructure as code review	Infrastructure as code is reviewed and scanned for security misconfiguration before deployment.
ISM-1879	Secrets management	Secrets are stored in dedicated secret stores, rotated and audited.
ISM-1880	Software signing	Software released to production is signed and signatures verified before execution.

System Hardening

25 controls

Controls in the System Hardening domain of Australian Information Security Manual — 25 controls
Code	Title	Description
ISM-0418	Password complexity	Passwords meet length, complexity and uniqueness requirements consistent with current ISM guidance.
ISM-0421	Password storage	Passwords are stored using approved hashing algorithms.
ISM-0843	Patch operating systems	Operating systems are patched within timeframes specified by the ISM based on risk.
ISM-1144	Vulnerability scanning	Vulnerability scanning is performed regularly across infrastructure and applications.
ISM-1304	Account lockout policy	Account lockout is configured to prevent brute-force attacks while balancing usability.
ISM-1407	Server hardening baseline	Servers are configured against a hardened baseline aligned with vendor and ISM guidance.
ISM-1410	Default credentials changed	Default credentials on devices and software are changed before deployment.
ISM-1411	Disable unused services	Unused services, accounts and software are disabled or removed.
ISM-1414	Anti-malware configuration	Anti-malware solutions are configured for on-access scanning and behaviour analysis.
ISM-1417	Application control	Application control is implemented on workstations and servers to prevent unauthorised execution.
ISM-1417b	Application control rule maintenance	Application control rule sets are reviewed and updated regularly to ensure they remain effective.
ISM-1490	Multi-factor authentication	Multi-factor authentication is used for users accessing important systems and for privileged actions.
ISM-1493	Patch applications	Applications are patched within ISM-defined timeframes proportionate to exposure and criticality.
ISM-1494	Patch firmware	Firmware on devices is patched within risk-aligned timeframes.
ISM-1546	Restrict admin privileges	Privileged access is restricted to those who need it and is reviewed regularly.
ISM-1654	Boot integrity	Secure boot and measured boot mechanisms are enabled on supported devices.
ISM-1657	Hardened user application config	User applications are configured to harden against common attacks (macros, scripting, content rendering).
ISM-1664	Browser hardening	Web browsers are configured against a hardened baseline including disabling unsafe features.
ISM-1667	PDF reader hardening	PDF readers and similar content viewers are configured to limit scripting and external resource loading.
ISM-1671	Macros restriction	Microsoft Office macros are blocked unless from trusted locations or signed by a trusted publisher.
ISM-1815b	Anti-malware on endpoints	Anti-malware protection is installed on endpoints and kept up to date.
ISM-1860	Conditional access	Conditional access policies restrict access based on user, device, location and risk signals.
ISM-1872	Endpoint detection and response	Endpoint detection and response capability is deployed to important endpoints.
ISM-1881	Cloud workload protection	Cloud workloads are protected with workload-specific controls including baseline configuration, monitoring and runtime p...
ISM-1885	Data loss prevention	Data loss prevention controls are deployed to detect and block exfiltration of sensitive information.

System Management

14 controls

Controls in the System Management domain of Australian Information Security Manual — 14 controls
Code	Title	Description
ISM-0140	Removal of unauthorised software	Unauthorised software is detected and removed.
ISM-0813b	Software inventory	An inventory of software, including versions and owners, is maintained.
ISM-0938	Privileged account separation	Privileged accounts are separate from standard user accounts.
ISM-0974	Privileged access just-in-time	Privileged access is granted just-in-time and just-enough where supported.
ISM-1175	Privileged workstations	Privileged administrative tasks are performed from dedicated, hardened workstations.
ISM-1405	Configuration management	Configuration baselines are documented and maintained for systems.
ISM-1511	Backups performed	Backups of important data, software and configuration are performed and retained.
ISM-1512	Backup testing	Restoration from backup is tested at least annually.
ISM-1567	Change management	Changes to systems are managed through a documented change management process including security review.
ISM-1810	Backup immutability	Backups are protected from unauthorised modification or deletion, including by ransomware.
ISM-1873	Privilege access management	Privileged access management solutions are used to broker, record and review privileged access.
ISM-1874	Identity governance	Identity governance practices include joiner, mover, leaver workflows and periodic access reviews.
ISM-1875	Service account governance	Service accounts are inventoried, owned, scoped to least privilege and credentials are rotated.
ISM-1890	Disaster recovery testing	Disaster recovery plans are tested at least annually with documented outcomes.

System Monitoring

11 controls

Controls in the System Monitoring domain of Australian Information Security Manual — 11 controls
Code	Title	Description
ISM-0109	Time synchronisation	Systems are synchronised to a trusted time source.
ISM-0120	Log review	Event logs are reviewed in a timely manner for indicators of compromise.
ISM-0582	Event logging policy	An event logging policy is developed and applied to systems.
ISM-0586	Event log content	Event logs contain the data required to support investigation and detection.
ISM-0859	Centralised logging	Logs are stored on a centralised logging facility separate from the systems generating them.
ISM-1228	Log retention	Event logs are retained for a period that supports investigation and compliance.
ISM-1419d	Privilege escalation logging	Privilege escalation events on systems are logged and monitored.
ISM-1815	Logging of privileged actions	Privileged user activity is logged and reviewed.
ISM-1816	Detection of unusual activity	Detection capabilities identify unusual activity such as unusual logons and data movement.
ISM-1816b	User behaviour analytics	User and entity behaviour analytics are used to detect anomalous activity.
ISM-1882	Cloud audit logging	Cloud control plane and data plane logs are captured, retained and reviewed.

Your Compliance Coverage

If you comply with Australian Information Security Manual, you already cover:

CSA CCM v4

9 controls mapped

Compare →

CSA STAR (Security, Trust, Assurance, and Risk)

9 controls mapped

Compare →

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

9 controls mapped

Compare →

+ 508 more: Canada ITSG-33 — IT Security Risk Management (5%), New Zealand Information Security Manual (NZISM) (5%)

See all 511 mapped frameworks ↓

Maps to 511 other frameworks

186 total controls

CSA CCM v4

9 source controls mapped|18 target controls covered

CSA STAR (Security, Trust, Assurance, and Risk)

9 source controls mapped|8 target controls covered

PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments

9 source controls mapped|8 target controls covered

Canada ITSG-33 — IT Security Risk Management

9 source controls mapped|10 target controls covered

New Zealand Information Security Manual (NZISM)

9 source controls mapped|8 target controls covered

MARS-E — Minimum Acceptable Risk Standards for Exchanges

9 source controls mapped|8 target controls covered

South Korea Cloud Security Assurance Program (CSAP)

9 source controls mapped|9 target controls covered

NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity

9 source controls mapped|8 target controls covered

South Korea ISMS-P

9 source controls mapped|8 target controls covered

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

8 source controls mapped|10 target controls covered

Defence Security Principles Framework (DSPF)

8 source controls mapped|17 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

8 source controls mapped|16 target controls covered

NIST SP 800-82 Rev 3 — Guide to OT Security

8 source controls mapped|9 target controls covered

FTC Safeguards Rule (16 CFR Part 314)

7 source controls mapped|9 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

7 source controls mapped|9 target controls covered

NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements

7 source controls mapped|10 target controls covered

FedRAMP Rev 5

7 source controls mapped|17 target controls covered

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

7 source controls mapped|11 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

7 source controls mapped|10 target controls covered

UK Defence Standard 05-138 — Cyber Security for Defence Suppliers

7 source controls mapped|7 target controls covered

Singapore Government Instruction Manual on ICT&SS Management (IM8)

7 source controls mapped|10 target controls covered

OWASP Top 10:2025

7 source controls mapped|7 target controls covered

NIST SP 800-171A — Assessing CUI Security Requirements

7 source controls mapped|13 target controls covered

EIOPA Guidelines on ICT Security and Governance (2023)

7 source controls mapped|12 target controls covered

TISAX — Trusted Information Security Assessment Exchange

7 source controls mapped|12 target controls covered

Telecommunications Sector Security Reforms (TSSR)

7 source controls mapped|9 target controls covered

NIST SP 800-53 Rev 5

7 source controls mapped|16 target controls covered

ISO 27001:2022

7 source controls mapped|9 target controls covered

RBI Cybersecurity Framework for Banks

7 source controls mapped|7 target controls covered

Oman National Cybersecurity Framework

7 source controls mapped|8 target controls covered

NIS2 Directive Implementing Acts

7 source controls mapped|13 target controls covered

ANSSI Cybersecurity Framework

6 source controls mapped|11 target controls covered

FISMA

6 source controls mapped|11 target controls covered

BSI IT-Grundschutz

6 source controls mapped|11 target controls covered

US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule

6 source controls mapped|11 target controls covered

CISA Zero Trust Maturity Model

6 source controls mapped|11 target controls covered

Cyber Essentials Plus

6 source controls mapped|11 target controls covered

Spain ENS

6 source controls mapped|11 target controls covered

Ghana Cybersecurity Act

6 source controls mapped|11 target controls covered

DoD Zero Trust Reference Architecture

6 source controls mapped|11 target controls covered

GLI-33 — Gaming Laboratories International Event Wagering Systems

6 source controls mapped|8 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

6 source controls mapped|8 target controls covered

Belgium CyberFundamentals

6 source controls mapped|11 target controls covered

US ITAR and EAR — Export Control and Data Security

6 source controls mapped|7 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

6 source controls mapped|7 target controls covered

NIST SP 800-172

6 source controls mapped|11 target controls covered

DISA Security Technical Implementation Guides (STIGs)

6 source controls mapped|11 target controls covered

UK Telecommunications (Security) Act 2021

6 source controls mapped|12 target controls covered

FAA Cybersecurity Framework for Aviation

6 source controls mapped|11 target controls covered

UK Gambling Commission — Cyber Resilience Requirements

6 source controls mapped|6 target controls covered

NIST SP 800-171

6 source controls mapped|11 target controls covered

NIST SP 800-53A

6 source controls mapped|11 target controls covered

SOC for Cybersecurity — Cybersecurity Risk Management Examination

6 source controls mapped|7 target controls covered

Saudi NCA ECC

6 source controls mapped|11 target controls covered

FFIEC Cybersecurity Assessment Tool (CAT)

6 source controls mapped|7 target controls covered

Australian Energy Sector Cyber Security Framework (AESCSF)

6 source controls mapped|13 target controls covered

ASIC Cyber Resilience Good Practices

6 source controls mapped|8 target controls covered

CAIQ (CSA)

5 source controls mapped|3 target controls covered

HIPAA Security Rule

5 source controls mapped|9 target controls covered

CIS Controls v8

5 source controls mapped|5 target controls covered

EAR — Export Administration Regulations

5 source controls mapped|6 target controls covered

APRA CPS 234

5 source controls mapped|9 target controls covered

ISO/IEC 27400:2022

5 source controls mapped|3 target controls covered

HKMA SPM

5 source controls mapped|9 target controls covered

BCBS 239

5 source controls mapped|9 target controls covered

HITECH Act

5 source controls mapped|2 target controls covered

GLBA

5 source controls mapped|9 target controls covered

DORA

5 source controls mapped|10 target controls covered

C5 (Germany)

5 source controls mapped|3 target controls covered

AWS Well-Architected Security Pillar

5 source controls mapped|3 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

5 source controls mapped|6 target controls covered

EU Digital Markets Act

5 source controls mapped|5 target controls covered

FFIEC IT Examination Handbook

5 source controls mapped|9 target controls covered

ISO/IEC 27010:2015

5 source controls mapped|5 target controls covered

Azure Security Benchmark

5 source controls mapped|3 target controls covered

PCI DSS v4.0

5 source controls mapped|9 target controls covered

PCI P2PE

5 source controls mapped|9 target controls covered

MTCS (Singapore)

5 source controls mapped|3 target controls covered

PCI PIN Security

5 source controls mapped|9 target controls covered

PSD2 SCA

5 source controls mapped|9 target controls covered

AICPA SOC 3

5 source controls mapped|9 target controls covered

SWIFT CSP

5 source controls mapped|9 target controls covered

AICPA SOC 1

5 source controls mapped|9 target controls covered

MAS TRM

5 source controls mapped|9 target controls covered

ISO 27017

5 source controls mapped|3 target controls covered

O-RAN Alliance Security Specifications (O-RAN.WG11)

5 source controls mapped|4 target controls covered

Open Banking Security

5 source controls mapped|9 target controls covered

SWIFT CSCF

5 source controls mapped|9 target controls covered

NIST SP 800-146

5 source controls mapped|3 target controls covered

ISO 27018

5 source controls mapped|3 target controls covered

BS 65000:2014 — Guidance on Organizational Resilience

5 source controls mapped|4 target controls covered

OSFI B-13

5 source controls mapped|9 target controls covered

NIST SP 800-144

5 source controls mapped|3 target controls covered

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)

5 source controls mapped|9 target controls covered

PCI SSF

5 source controls mapped|9 target controls covered

NIST Privacy Framework 1.0

5 source controls mapped|7 target controls covered

NIST SP 800-145

5 source controls mapped|3 target controls covered

NIST SP 800-190

5 source controls mapped|3 target controls covered

ISMAP (Japan)

5 source controls mapped|3 target controls covered

IEC 62443

5 source controls mapped|9 target controls covered

BIMCO Cyber Security

5 source controls mapped|9 target controls covered

API 1164

5 source controls mapped|9 target controls covered

DO-326A / ED-202A

5 source controls mapped|9 target controls covered

C2M2

5 source controls mapped|9 target controls covered

IEEE 1686

5 source controls mapped|9 target controls covered

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)

5 source controls mapped|8 target controls covered

CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines

5 source controls mapped|9 target controls covered

EU GMP Annex 11: Computerised Systems

5 source controls mapped|5 target controls covered

NIST SP 1800-32

5 source controls mapped|9 target controls covered

NIS2 Directive

5 source controls mapped|10 target controls covered

TSA Pipeline Security

5 source controls mapped|11 target controls covered

ISO 27019

5 source controls mapped|9 target controls covered

ISO 28001:2007 Supply Chain Security Management

5 source controls mapped|5 target controls covered

3GPP Security

4 source controls mapped|8 target controls covered

California IoT Security Law

4 source controls mapped|7 target controls covered

FDA 21 CFR Part 11

4 source controls mapped|6 target controls covered

Privacy Act 1988 (Australia)

4 source controls mapped|4 target controls covered

MITRE D3FEND

4 source controls mapped|7 target controls covered

BSIMM

4 source controls mapped|7 target controls covered

India DPDP Act

4 source controls mapped|4 target controls covered

Law No. 172-13 on the Protection of Personal Data

4 source controls mapped|4 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

4 source controls mapped|4 target controls covered

Bahrain PDPL

4 source controls mapped|4 target controls covered

Argentina PDPA

4 source controls mapped|4 target controls covered

CCPA/CPRA

4 source controls mapped|4 target controls covered

OWASP ASVS

4 source controls mapped|7 target controls covered

Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data

4 source controls mapped|4 target controls covered

FBI CJIS Security Policy

4 source controls mapped|6 target controls covered

ISO 15189:2022 — Medical Laboratories Requirements for Quality and Competence

4 source controls mapped|3 target controls covered

Chile DPL

4 source controls mapped|4 target controls covered

FERPA

4 source controls mapped|4 target controls covered

Proposal for a Regulation on Cyber Resilience Act (CRA)

4 source controls mapped|7 target controls covered

Colorado Privacy Act

4 source controls mapped|4 target controls covered

HL7 FHIR Security Framework

4 source controls mapped|7 target controls covered

ISO/IEC 27011:2024

4 source controls mapped|4 target controls covered

CTDPA (Connecticut Data Privacy Act)

4 source controls mapped|4 target controls covered

Iceland DPA

4 source controls mapped|4 target controls covered

APPI

4 source controls mapped|4 target controls covered

ISO 20000-1

4 source controls mapped|3 target controls covered

ETSI EN 303 645

4 source controls mapped|7 target controls covered

CNCF Cloud Native Security (Cloud Native Computing Foundation)

4 source controls mapped|5 target controls covered

IEC 62351 — Power Systems Communication Security

4 source controls mapped|3 target controls covered

COPPA

4 source controls mapped|4 target controls covered

Indonesia PDP Law

4 source controls mapped|4 target controls covered

Iowa Consumer Data Protection Act

4 source controls mapped|4 target controls covered

Switzerland FADP

4 source controls mapped|4 target controls covered

Indiana Consumer Data Protection Act

4 source controls mapped|4 target controls covered

Delaware Online Privacy and Protection Act (proposed)

4 source controls mapped|4 target controls covered

Oregon Consumer Privacy Act

4 source controls mapped|4 target controls covered

NIST SP 800-150

4 source controls mapped|7 target controls covered

Minnesota Consumer Data Privacy Act

4 source controls mapped|4 target controls covered

Nebraska Data Privacy Act

4 source controls mapped|4 target controls covered

US Executive Order 14028 — Improving the Nation's Cybersecurity

4 source controls mapped|3 target controls covered

NAIC Insurance Data Security Model Law (MDL-668)

4 source controls mapped|4 target controls covered

Turkey KVKK

4 source controls mapped|4 target controls covered

IRS Publication 1075 — Tax Information Security Guidelines

4 source controls mapped|3 target controls covered

Jamaica DPA

4 source controls mapped|4 target controls covered

New Hampshire Privacy Act

4 source controls mapped|4 target controls covered

NIST SP 800-218

4 source controls mapped|7 target controls covered

Montana Consumer Data Privacy Act

4 source controls mapped|4 target controls covered

NIST SP 800-207

4 source controls mapped|7 target controls covered

SLSA

4 source controls mapped|7 target controls covered

ISO/SAE 21434

4 source controls mapped|7 target controls covered

PTES

4 source controls mapped|7 target controls covered

SIG (Shared Assessments)

4 source controls mapped|7 target controls covered

New Zealand Privacy Act

4 source controls mapped|4 target controls covered

NIST SP 800-61

4 source controls mapped|7 target controls covered

OWASP SAMM

4 source controls mapped|7 target controls covered

MDS2 (Medical Device)

4 source controls mapped|6 target controls covered

NIST SP 800-187

4 source controls mapped|7 target controls covered

UNECE WP.29 R155

4 source controls mapped|7 target controls covered

Kenya DPA

4 source controls mapped|4 target controls covered

Kenya Data Protection Act

4 source controls mapped|4 target controls covered

NIST SP 800-183

4 source controls mapped|7 target controls covered

ISO 13485

4 source controls mapped|6 target controls covered

NIST SP 800-63

4 source controls mapped|7 target controls covered

Vietnam PDPD

4 source controls mapped|4 target controls covered

Tennessee IPA

4 source controls mapped|4 target controls covered

Philippines DPA

4 source controls mapped|4 target controls covered

UK PSTI Act

4 source controls mapped|7 target controls covered

ISO 27799

4 source controls mapped|6 target controls covered

NIST SP 800-161

4 source controls mapped|7 target controls covered

MITRE ATT&CK

4 source controls mapped|7 target controls covered

PDPA Singapore

4 source controls mapped|4 target controls covered

NIST SP 800-181

4 source controls mapped|7 target controls covered

Kentucky Consumer Data Protection Act

4 source controls mapped|4 target controls covered

MARS-E

4 source controls mapped|6 target controls covered

OpenSSF Scorecard

4 source controls mapped|7 target controls covered

ISO 27043

4 source controls mapped|7 target controls covered

Mauritius DPA

4 source controls mapped|4 target controls covered

ISO 27002:2022

4 source controls mapped|7 target controls covered

Norway PDPA

4 source controls mapped|4 target controls covered

CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)

4 source controls mapped|5 target controls covered

NIST SP 800-115

4 source controls mapped|7 target controls covered

Mexico LFPDPPP

4 source controls mapped|4 target controls covered

Rwanda DPL

4 source controls mapped|4 target controls covered

UK Data Protection Act 2018

4 source controls mapped|4 target controls covered

PIPEDA

4 source controls mapped|4 target controls covered

ISO 27701

4 source controls mapped|4 target controls covered

SSDF (NIST)

4 source controls mapped|7 target controls covered

NIST SP 800-160

4 source controls mapped|7 target controls covered

NIST SP 800-137

4 source controls mapped|7 target controls covered

UAE PDPL

4 source controls mapped|4 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

4 source controls mapped|5 target controls covered

NIST AI 600-1 Generative AI Profile

4 source controls mapped|5 target controls covered

Saudi Arabia PDPL

4 source controls mapped|4 target controls covered

ASD Information Security Manual (ISM)

4 source controls mapped|5 target controls covered

NIST SP 800-128

4 source controls mapped|7 target controls covered

POPIA

4 source controls mapped|4 target controls covered

Texas Data Privacy Act

4 source controls mapped|4 target controls covered

Uruguay DPL

4 source controls mapped|4 target controls covered

Virginia CDPA

4 source controls mapped|4 target controls covered

OWASP MASVS

4 source controls mapped|7 target controls covered

NIST SP 800-123

4 source controls mapped|7 target controls covered

Qatar DPL

4 source controls mapped|4 target controls covered

NIST SP 800-66

4 source controls mapped|6 target controls covered

NIST SP 800-88

4 source controls mapped|7 target controls covered

UNECE WP.29 R156

4 source controls mapped|7 target controls covered

Peru DPL

4 source controls mapped|4 target controls covered

China PIPL

4 source controls mapped|4 target controls covered

Maryland Online Data Privacy Act

4 source controls mapped|4 target controls covered

New Jersey Data Privacy Act

4 source controls mapped|4 target controls covered

Nigeria NDPR

4 source controls mapped|4 target controls covered

Liechtenstein DPA

4 source controls mapped|4 target controls covered

Utah Consumer Privacy Act

4 source controls mapped|4 target controls covered

PDPA Thailand

4 source controls mapped|4 target controls covered

NIST SP 800-92

4 source controls mapped|7 target controls covered

Taiwan PDPA

4 source controls mapped|4 target controls covered

Malaysia PDPA 2010

4 source controls mapped|4 target controls covered

NIST SP 800-122

4 source controls mapped|4 target controls covered

LGPD

4 source controls mapped|5 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

4 source controls mapped|6 target controls covered

Customs-Trade Partnership Against Terrorism (C-TPAT)

4 source controls mapped|5 target controls covered

SWIFT Customer Security Programme (CSP)

4 source controls mapped|5 target controls covered

TSA Pipeline Cybersecurity Directives

4 source controls mapped|5 target controls covered

NIS2 Directive (Directive (EU) 2022/2555)

4 source controls mapped|7 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

4 source controls mapped|7 target controls covered

ISO/IEC 27557:2022 — Organisational Privacy Risk Management

3 source controls mapped|6 target controls covered

ISO/IEC 23837 — Security Requirements for Quantum Key Distribution

3 source controls mapped|5 target controls covered

Digital Economy Partnership Agreement (DEPA)

3 source controls mapped|2 target controls covered

3GPP Security Architecture (TS 33.501 — 5G Security)

3 source controls mapped|4 target controls covered

AS9100D:2016 — Quality Management Systems for Aviation, Space, and Defence

3 source controls mapped|3 target controls covered

ISO 27005

3 source controls mapped|4 target controls covered

Chile Personal Data Protection Law (Law No. 21.719)

3 source controls mapped|2 target controls covered

OWASP API Security Top 10:2023

3 source controls mapped|2 target controls covered

EDM Council CDMC — Cloud Data Management Capability Framework

3 source controls mapped|2 target controls covered

Nigeria Open Banking Regulatory Framework (CBN, 2023)

3 source controls mapped|2 target controls covered

NIST SP 800-124 Rev 2 — Mobile Device Security

3 source controls mapped|3 target controls covered

UK Open Banking Standard

3 source controls mapped|3 target controls covered

RFC 2350 — Expectations for Computer Security Incident Response (BCP 21)

3 source controls mapped|4 target controls covered

ILO Nursing Personnel Convention C149 (1977)

3 source controls mapped|2 target controls covered

6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673)

3 source controls mapped|2 target controls covered

ISO 8000 — Data Quality

3 source controls mapped|2 target controls covered

FATF Recommendation 16 — Virtual Asset Travel Rule

3 source controls mapped|2 target controls covered

Privacy by Design (PbD) — Seven Foundational Principles

3 source controls mapped|2 target controls covered

CISA Secure by Design Principles

3 source controls mapped|2 target controls covered

C-TPAT — Customs-Trade Partnership Against Terrorism

3 source controls mapped|5 target controls covered

IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems

3 source controls mapped|4 target controls covered

EU Maritime Single Window Environment Regulation (EU) 2019/1239

3 source controls mapped|3 target controls covered

BSI C5 — Cloud Computing Compliance Criteria Catalogue

3 source controls mapped|3 target controls covered

UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities

3 source controls mapped|3 target controls covered

WCO Authorised Economic Operator (AEO) Framework

3 source controls mapped|6 target controls covered

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

3 source controls mapped|9 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

3 source controls mapped|3 target controls covered

PropTech Security Standards — Smart Building Cybersecurity

3 source controls mapped|4 target controls covered

IAEA Nuclear Security Series — Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

3 source controls mapped|3 target controls covered

FIRST CSIRT Services Framework and Standards

3 source controls mapped|4 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114)

3 source controls mapped|3 target controls covered

Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct

3 source controls mapped|7 target controls covered

Australia Consumer Data Right — Banking (CDR)

3 source controls mapped|5 target controls covered

APRA CPS 230 Operational Risk Management

3 source controls mapped|6 target controls covered

TEFCA — Trusted Exchange Framework and Common Agreement

3 source controls mapped|3 target controls covered

NERC CIP

3 source controls mapped|5 target controls covered

Notifiable Data Breaches Scheme (Australia)

3 source controls mapped|4 target controls covered

FTC Health Breach Notification Rule

3 source controls mapped|4 target controls covered

UK Product Security and Telecommunications Infrastructure Act (PSTI)

3 source controls mapped|4 target controls covered

European Accessibility Act (Directive (EU) 2019/882)

3 source controls mapped|5 target controls covered

Regulation (EU) 2023/1115 on deforestation-free supply chains

3 source controls mapped|4 target controls covered

Ontario Accessibility for Ontarians with Disabilities Act (AODA) — IASR Web Standard

3 source controls mapped|4 target controls covered

US SEC Digital Assets and Crypto Regulatory Framework

3 source controls mapped|5 target controls covered

Australia eSafety Commissioner — Online Safety Expectations for Industry

3 source controls mapped|4 target controls covered

NIST Cybersecurity Framework 2.0

3 source controls mapped|7 target controls covered

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

3 source controls mapped|5 target controls covered

Kuwait National Cybersecurity Framework

3 source controls mapped|5 target controls covered

Canada Artificial Intelligence and Data Act (AIDA)

3 source controls mapped|3 target controls covered

ESRB Privacy Certified

2 source controls mapped|2 target controls covered

Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

2 source controls mapped|2 target controls covered

ISO 19011

2 source controls mapped|1 target controls covered

ISO 31000:2018

2 source controls mapped|1 target controls covered

NSA CNSA Suite 2.0 — Commercial National Security Algorithm Suite

2 source controls mapped|3 target controls covered

ISO/IEC 42001:2023

2 source controls mapped|1 target controls covered

ISO/IEC 29115:2023 — Entity Authentication Assurance Framework

2 source controls mapped|1 target controls covered

EMV 3-D Secure (3DS2) — Payment Authentication Protocol

2 source controls mapped|1 target controls covered

NIST SP 800-34 Rev 1 — Contingency Planning Guide

2 source controls mapped|1 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

2 source controls mapped|3 target controls covered

NSA Quantum-Resistant (QR) Cryptography Migration Guidance

2 source controls mapped|3 target controls covered

FIDO2 and W3C WebAuthn Standard

2 source controls mapped|1 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

2 source controls mapped|1 target controls covered

NATO STANAG 4774/4778 — Confidentiality Metadata Labels

2 source controls mapped|2 target controls covered

ENISA Privacy-Enhancing Technologies Reports and Recommendations

2 source controls mapped|2 target controls covered

3GPP 5G Security Architecture (TS 33.501)

2 source controls mapped|1 target controls covered

ISO 22739:2024 — Blockchain and Distributed Ledger Technologies Vocabulary

2 source controls mapped|1 target controls covered

US Consumer Product Safety Commission (CPSC) — Connected Product Safety

2 source controls mapped|4 target controls covered

Defence Industry Security Program (DISP)

2 source controls mapped|3 target controls covered

EU Cyber Solidarity Act (Regulation (EU) 2025/38)

2 source controls mapped|2 target controls covered

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

2 source controls mapped|4 target controls covered

Critical Raw Materials Act (Proposed Regulation COM(2023) 192)

2 source controls mapped|4 target controls covered

EU Chips Act (Regulation (EU) 2023/1781) — potential incorrect regulation number

2 source controls mapped|4 target controls covered

US EPA Safe Drinking Water Act (SDWA) — Cybersecurity Requirements

2 source controls mapped|4 target controls covered

NIST Privacy Framework Version 1.0

2 source controls mapped|3 target controls covered

South Korea PIPA

2 source controls mapped|3 target controls covered

Bermuda Personal Information Protection Act 2016 (PIPA)

2 source controls mapped|3 target controls covered

SOC 2

2 source controls mapped|3 target controls covered

ITIL 4

2 source controls mapped|2 target controls covered

ISO/IEC 30111:2019

2 source controls mapped|4 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

2 source controls mapped|4 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

2 source controls mapped|2 target controls covered

ASEAN Data Management Framework

2 source controls mapped|2 target controls covered

Nevada Gaming Control Board Cybersecurity Requirements

2 source controls mapped|4 target controls covered

Lloyd's Minimum Standards — Cyber Security

2 source controls mapped|4 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

2 source controls mapped|3 target controls covered

PCI DSS 4.0

2 source controls mapped|2 target controls covered

EASA Part-IS — Information Security in Aviation

2 source controls mapped|6 target controls covered

ASIS SPC.1-2009 — Organizational Resilience Standard

2 source controls mapped|2 target controls covered

Security of Critical Infrastructure Act 2018 (SOCI)

2 source controls mapped|6 target controls covered

US NRC 10 CFR 73.54 — Cyber Security for Nuclear Power Plants

2 source controls mapped|2 target controls covered

ISO 22320:2018

2 source controls mapped|4 target controls covered

SSAE 18 — Attestation Standards (SOC Reporting)

2 source controls mapped|3 target controls covered

NFPA 1600 — Standard on Continuity, Emergency, and Crisis Management

2 source controls mapped|4 target controls covered

MTCS — Multi-Tier Cloud Security (Singapore)

2 source controls mapped|2 target controls covered

ICH E6(R3) — Good Clinical Practice

2 source controls mapped|2 target controls covered

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

2 source controls mapped|2 target controls covered

IAIS Insurance Core Principles (ICPs)

2 source controls mapped|3 target controls covered

UAE Virtual Asset Regulatory Authority (VARA) Regulations

2 source controls mapped|2 target controls covered

Spain Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD)

2 source controls mapped|2 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA)

2 source controls mapped|3 target controls covered

EU Medical Devices Regulation (MDR 2017/745)

2 source controls mapped|4 target controls covered

EU Data Act

1 source controls mapped|1 target controls covered

DAMA-DMBOK2 — Data Management Body of Knowledge (2nd Edition)

1 source controls mapped|2 target controls covered

ICAO Annex 17 — Aviation Security (AVSEC)

1 source controls mapped|1 target controls covered

UK Security and Emergency Measures Direction (SEMD) — Water Industry

1 source controls mapped|3 target controls covered

SSAE 18 SOC 1 — Report on Controls at a Service Organisation (ICFR)

1 source controls mapped|1 target controls covered

ITU-T X.805 — Security Architecture for End-to-End Communications

1 source controls mapped|1 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

1 source controls mapped|1 target controls covered

Australia My Health Records Act 2012

1 source controls mapped|1 target controls covered

EU In Vitro Diagnostic Medical Devices Regulation (IVDR)

1 source controls mapped|1 target controls covered

Serbia Law on Personal Data Protection (2018)

1 source controls mapped|1 target controls covered

India CERT-In Cyber Security Directions 2022

1 source controls mapped|1 target controls covered

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)

1 source controls mapped|1 target controls covered

ASEAN Guide on AI Governance and Ethics

1 source controls mapped|1 target controls covered

Cyber Security Act 2024 (Australia)

1 source controls mapped|3 target controls covered

Barbados Data Protection Act 2019

1 source controls mapped|1 target controls covered

APRA Prudential Standard CPS 234 — Information Security (Australia)

1 source controls mapped|3 target controls covered

ISO/IEC 29147:2018

1 source controls mapped|1 target controls covered

DFARS 252.204-7012 — Safeguarding Covered Defense Information

1 source controls mapped|1 target controls covered

China Data Security Law (DSL)

1 source controls mapped|1 target controls covered

Pakistan Personal Data Protection Bill 2023

1 source controls mapped|1 target controls covered

China Cybersecurity Law (CSL)

1 source controls mapped|2 target controls covered

COSO Internal Control — Integrated Framework (2013)

1 source controls mapped|1 target controls covered

Singapore Cybersecurity Act 2018

1 source controls mapped|1 target controls covered

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

1 source controls mapped|1 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

1 source controls mapped|1 target controls covered

Kuwait Data Privacy Protection Regulation (KDPPR, 2021 — CMA Directive)

1 source controls mapped|1 target controls covered

UAE Federal Data Protection Law

1 source controls mapped|1 target controls covered

GDPR

1 source controls mapped|1 target controls covered

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

1 source controls mapped|1 target controls covered

Voluntary Principles on Security and Human Rights (VPs)

1 source controls mapped|1 target controls covered

EU Better Internet for Kids (BIK+) Strategy

1 source controls mapped|1 target controls covered

Zambia Data Protection Act (2021)

1 source controls mapped|2 target controls covered

BREEAM — Building Research Establishment Environmental Assessment Method

1 source controls mapped|1 target controls covered

AICPA Privacy Management Framework (PMF)

1 source controls mapped|1 target controls covered

Laos Law on Prevention and Combating Cybercrime (2015)

1 source controls mapped|1 target controls covered

French Sapin II Law (Law No. 2016-1691)

1 source controls mapped|1 target controls covered

Philippines Data Privacy Act (RA 10173)

1 source controls mapped|1 target controls covered

UK Modern Slavery Act 2015

1 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

1 source controls mapped|1 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

1 source controls mapped|1 target controls covered

Canada's Anti-Spam Legislation (CASL)

1 source controls mapped|1 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

1 source controls mapped|1 target controls covered

Singapore Payment Services Act (PSA) — Digital Payment Token Regulation

1 source controls mapped|2 target controls covered

Tanzania Personal Data Protection Act (Draft)

1 source controls mapped|1 target controls covered

Trinidad and Tobago Data Protection Act 2011

1 source controls mapped|1 target controls covered

Cayman Islands Data Protection Act 2017 (DPA)

1 source controls mapped|1 target controls covered

Latvia Personal Data Processing Law (Fizisko personu datu apstrades likums, 2018)

1 source controls mapped|1 target controls covered

Brunei Personal Data Protection Order 2024 (PDPO)

1 source controls mapped|1 target controls covered

Zimbabwe Data Protection Act (2021)

1 source controls mapped|1 target controls covered

UK GDPR (UK General Data Protection Regulation)

1 source controls mapped|1 target controls covered

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

1 source controls mapped|1 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

1 source controls mapped|1 target controls covered

Ghana Data Protection Act 2012 (Act 843)

1 source controls mapped|1 target controls covered

Czech Republic Act on the Protection of Personal Data (Act No. 110/2019 Coll.)

1 source controls mapped|1 target controls covered

Botswana Data Protection Act (2024)

1 source controls mapped|1 target controls covered

FATF 40 Recommendations

1 source controls mapped|1 target controls covered

GLOBALG.A.P. Integrated Farm Assurance (IFA) Standard v6

1 source controls mapped|1 target controls covered

GHG Protocol

1 source controls mapped|1 target controls covered

Sigstore — Software Artifact Signing and Verification

1 source controls mapped|1 target controls covered

ISO/IEC 25012:2008 — Data Quality Model

1 source controls mapped|1 target controls covered

ISO/IEC 27031:2011

1 source controls mapped|3 target controls covered

ASD Essential Eight Maturity Model

1 source controls mapped|2 target controls covered

EU NIS2 Directive — Transport Sector Requirements

1 source controls mapped|1 target controls covered

ISO 22301

1 source controls mapped|3 target controls covered

ISO 22318

1 source controls mapped|3 target controls covered

ISO/IEC 17025:2017 — General Requirements for Testing and Calibration Laboratories

1 source controls mapped|1 target controls covered

ISO 56002

1 source controls mapped|3 target controls covered

ISO 41001:2018 — Facility Management Systems

1 source controls mapped|3 target controls covered

ISO 39001:2012 — Road Traffic Safety Management

1 source controls mapped|3 target controls covered

ISO 37002:2021 — Whistleblowing Management Systems

1 source controls mapped|3 target controls covered

ISO 50001:2018 — Energy Management Systems

1 source controls mapped|3 target controls covered

ISO 22313:2020 — Guidance on Business Continuity Management Systems

1 source controls mapped|3 target controls covered

ISO 22316

1 source controls mapped|3 target controls covered

ISO 22317

1 source controls mapped|3 target controls covered

AS9100D — Aerospace Quality Management System

1 source controls mapped|3 target controls covered

ISO/IEC 27003:2017

1 source controls mapped|3 target controls covered

Australia AI Ethics Framework

1 source controls mapped|3 target controls covered

ISO/IEC 38500:2024 — Governance of IT

1 source controls mapped|1 target controls covered

CDP (formerly Carbon Disclosure Project)

1 source controls mapped|3 target controls covered

GAMP 5 — Good Automated Manufacturing Practice

1 source controls mapped|3 target controls covered

AASB S2 Climate-related Disclosures

1 source controls mapped|5 target controls covered

COSO ERM

1 source controls mapped|3 target controls covered

ICMM Mining Principles (2024 Update)

1 source controls mapped|1 target controls covered

Global Cross-Border Privacy Rules (Global CBPR) Forum

1 source controls mapped|1 target controls covered

IEC 60601-1 — Medical Electrical Equipment Safety

1 source controls mapped|3 target controls covered

Critical Infrastructure Risk Management Program (CIRMP) Rules 2023

1 source controls mapped|2 target controls covered

IEEE 7000

1 source controls mapped|3 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

1 source controls mapped|3 target controls covered

AML/CTF Act 2006 (Australia)

1 source controls mapped|1 target controls covered

IRM Enterprise Risk Management Framework (Institute of Risk Management)

1 source controls mapped|2 target controls covered

TNFD Recommendations

1 source controls mapped|4 target controls covered

Singapore Model AI Governance Framework (2nd Edition)

1 source controls mapped|1 target controls covered

China AI Regulations

1 source controls mapped|3 target controls covered

EU AI Act

1 source controls mapped|4 target controls covered

Brazil AI Framework

1 source controls mapped|3 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

1 source controls mapped|3 target controls covered

APRA CPS 220 Risk Management

1 source controls mapped|3 target controls covered

Colorado Artificial Intelligence Act (proposed SB 24-205)

1 source controls mapped|1 target controls covered

EU Carbon Border Adjustment Mechanism (CBAM)

1 source controls mapped|1 target controls covered

Digital Services Act (DSA) - Regulation (EU) 2022/2065

1 source controls mapped|1 target controls covered

EU Digital Services Act (Regulation (EU) 2022/2065)

1 source controls mapped|1 target controls covered

EU Energy Performance of Buildings Directive (EPBD Recast) – Draft Directive (2023/0317 COD)

1 source controls mapped|1 target controls covered

EU European Media Freedom Act (EMFA)

1 source controls mapped|1 target controls covered

EU Pay Transparency Directive (Directive (EU) 2023/970)

1 source controls mapped|1 target controls covered

Proposal for a Directive on improving working conditions in platform work (COM(2023) 491)

1 source controls mapped|1 target controls covered

EU Product Liability Directive (Directive (EU) 2023/2845)

1 source controls mapped|1 target controls covered

EU Seveso III Directive (Directive 2012/18/EU)

1 source controls mapped|1 target controls covered

EU Taxonomy Regulation (Regulation 2020/852)

1 source controls mapped|1 target controls covered

EU Taxonomy Regulation

1 source controls mapped|1 target controls covered

EU Taxonomy for Sustainable Activities (Regulation 2020/852)

1 source controls mapped|1 target controls covered

EU ePrivacy Directive (2002/58/EC)

1 source controls mapped|1 target controls covered

Japan Act on Specified Commercial Transactions (ASCT) — Digital Services

1 source controls mapped|1 target controls covered

African Union Malabo Convention

1 source controls mapped|1 target controls covered

Egypt Personal Data Protection Law (Law No. 151 of 2020)

1 source controls mapped|1 target controls covered

Peru Personal Data Protection Law (Law No. 29733)

1 source controls mapped|1 target controls covered

Costa Rica Personal Data Protection Law (Law No. 8968) as amended by Executive Decree No. 42089-MGP

1 source controls mapped|1 target controls covered

Turkey Personal Data Protection Law (KVKK — Law No. 6698)

1 source controls mapped|1 target controls covered

Ukraine Law on Personal Data Protection (Law No. 2297-VI)

1 source controls mapped|1 target controls covered

Côte d'Ivoire Law No. 2013-450 on the Protection of Personal Data

1 source controls mapped|1 target controls covered

Uzbekistan Law on Personal Data (No. ZRU-547)

1 source controls mapped|1 target controls covered

Georgia Law on Personal Data Protection (2012)

1 source controls mapped|1 target controls covered

Colombia Data Protection Law (Law 1581 of 2012)

1 source controls mapped|1 target controls covered

Panama Law on Personal Data Protection (Law No. 81 of 2019)

1 source controls mapped|1 target controls covered

Iceland Data Protection and Processing of Personal Data Act (Act No. 90/2018)

1 source controls mapped|1 target controls covered

Montenegro Law on Personal Data Protection (2023)

1 source controls mapped|1 target controls covered

Lithuania Law on Legal Protection of Personal Data (2018)

1 source controls mapped|1 target controls covered

Romania Law No. 190/2018 on Data Protection Measures (GDPR Implementation)

1 source controls mapped|1 target controls covered

Malta Data Protection Act (Cap. 586, 2018)

1 source controls mapped|1 target controls covered

Oman Personal Data Protection Law (Royal Decree 6/2022)

1 source controls mapped|1 target controls covered

Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)

1 source controls mapped|1 target controls covered

South Korea Personal Information Protection Act (PIPA)

1 source controls mapped|1 target controls covered

Cambodia Sub-Decree on Personal Data Protection (Sub-Decree No. 134)

1 source controls mapped|1 target controls covered

UNCITRAL Model Law on Electronic Commerce (1996, updated 2005)

1 source controls mapped|1 target controls covered

Brazil Open Finance (Resolução Conjunta No. 1/2020)

1 source controls mapped|1 target controls covered

Aged Care Quality Standards (Australia)

1 source controls mapped|1 target controls covered

EDM Council DCAM — Data Management Capability Assessment Model

1 source controls mapped|1 target controls covered

EU Payment Services Directive (PSD2) – Under Review

1 source controls mapped|1 target controls covered

ISO 42001

1 source controls mapped|3 target controls covered

NIST SP 800-39

1 source controls mapped|3 target controls covered

UK AI Regulation Framework

1 source controls mapped|3 target controls covered

Singapore AI Governance Framework

1 source controls mapped|3 target controls covered

OECD AI Principles

1 source controls mapped|3 target controls covered

SASB Standards (ISSB Integrated)

1 source controls mapped|3 target controls covered

SASB Standards

1 source controls mapped|3 target controls covered

SEC Climate Disclosure Rule

1 source controls mapped|3 target controls covered

Japan AI Guidelines

1 source controls mapped|3 target controls covered

Own Risk and Solvency Assessment (ORSA) — NAIC Model Act

1 source controls mapped|2 target controls covered

NIST SP 800-30

1 source controls mapped|3 target controls covered

ECB TIBER-EU Framework

1 source controls mapped|1 target controls covered

SEC Cybersecurity Disclosure Rules

1 source controls mapped|2 target controls covered

ISO 37000:2021 — Governance of Organizations

1 source controls mapped|2 target controls covered

COSO Enterprise Risk Management (ERM) Framework (2017)

1 source controls mapped|3 target controls covered

Lloyd's of London Cyber Insurance Requirements and Underwriting Standards

1 source controls mapped|1 target controls covered

Authorised Economic Operator (AEO) Programmes — Global Standards

1 source controls mapped|1 target controls covered

ISO 20400:2017 — Sustainable Procurement

1 source controls mapped|1 target controls covered

NIST SP 800-37

1 source controls mapped|3 target controls covered

ISO/IEC 23894:2023

1 source controls mapped|3 target controls covered

Solvency II

1 source controls mapped|3 target controls covered

ISO 31000

1 source controls mapped|3 target controls covered

ICH Q10 — Pharmaceutical Quality System

1 source controls mapped|1 target controls covered

APRA SPS 220 Risk Management (Superannuation)

1 source controls mapped|3 target controls covered

German Supply Chain Due Diligence Act (LkSG)

1 source controls mapped|1 target controls covered

OECD AI Principles (2024 Update)

1 source controls mapped|1 target controls covered

ISO/IEC 27006:2024

1 source controls mapped|1 target controls covered

FedRAMP High

1 source controls mapped|2 target controls covered

NIST SP 800-53 Rev 5 HIGH

1 source controls mapped|2 target controls covered

IRS Publication 1075

1 source controls mapped|2 target controls covered

FedRAMP Moderate

1 source controls mapped|2 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

1 source controls mapped|1 target controls covered

NATO AQAP 2110 — Quality Assurance Requirements for Design, Development, and Production

1 source controls mapped|1 target controls covered

ILO Tripartite Declaration of Principles concerning Multinational Enterprises (MNE Declaration)

1 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 MODERATE

1 source controls mapped|1 target controls covered

NIST SP 800-53 Rev 5 LOW

1 source controls mapped|1 target controls covered

Florida Digital Bill of Rights (SB 262)

1 source controls mapped|1 target controls covered

Compare Australian Information Security Manual with CSA CCM v4

Frequently Asked Questions

What is Australian Information Security Manual?

Australian Information Security Manual is a compliance framework from Australia with 21 domains and 186 controls. ACSC Information Security Manual. Australian Government cybersecurity controls baseline. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Australian Information Security Manual have?

Australian Information Security Manual has 186 controls organised across 21 domains. The largest domains are System Hardening (25 controls), Cybersecurity Strategy (19 controls), System Management (14 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Australian Information Security Manual map to?

Australian Information Security Manual maps to 511 other compliance frameworks. The top mapping partners are CSA CCM v4 (5% coverage), CSA STAR (Security, Trust, Assurance, and Risk) (5% coverage), PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Australian Information Security Manual compliance?

Start your Australian Information Security Manual compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Australian Information Security Manual requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 186 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required