CIS Controls v8

International

v8.0

36 domains

153 controls

Center for Internet Security Critical Security Controls - prioritized set of actions to protect organizations and data from known cyber attack vectors

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (36)

Access Control Management

8 controls

Controls in the Access Control Management domain of CIS Controls v8 — 8 controls
Code	Title	Description
6.1	Malware Protection	Ensure that local SWIFT infrastructure is protected against malware and act upon the results.
6.2	Approach selection	Select event-based or asset-based risk identification approaches based on context.
6.3	Information security awareness, education and training	Provide personnel and relevant interested parties with appropriate awareness, education and training and regular policy...
6.4	Logging and Monitoring	Record security events and detect anomalous actions and operations within the local SWIFT environment.
6.5	Preparing and Distributing Audit Report	Audit team leader prepares audit report and distributes it within agreed time to defined recipients.
6.6	Confidentiality or non-disclosure agreements	Identify, document, review and have signed confidentiality or non-disclosure agreements that reflect the needs to protec...
6.7	Conducting Audit Follow-up	Follow-up activities verify completion of corrective actions and effectiveness in addressing audit findings.
6.8	Externally Provided Products and Services	Externally provided products and services that affect laboratory activities are evaluated and approved.

Account Management

6 controls

Controls in the Account Management domain of CIS Controls v8 — 6 controls
Code	Title	Description
5.1	Logical Access Control	Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts.
5.2	Token Management	Ensure the proper management, tracking, and use, where applicable, of connected and disconnected hardware authentication...
5.3	Determining and Evaluating Audit Programme Risks	Risks and opportunities related to audit programme are identified and addressed in programme design.
5.4	Establishing Audit Programme	Audit programme is established including scope, schedules, methods, resources and procedures.
5.5	Implementing Audit Programme	Audit programme manager implements programme by defining audit objectives, assigning teams and managing outcomes.
5.6	Monitoring Audit Programme	Audit programme manager monitors implementation considering need to evaluate conformity to programme and effectiveness.

Application Software Security

14 controls

Controls in the Application Software Security domain of CIS Controls v8 — 14 controls
Code	Title	Description
16.1	Establish and Maintain a Secure Application Development Process	Establish and maintain a secure application development process. In the process, address such items as secure applicatio...
16.10	Apply Secure Design Principles in Application Architectures	Apply secure design principles in application architectures. Secure design principles include the concept of least privi...
16.11	Leverage Vetted Modules or Services for Application Security Components	Leverage vetted modules or services for application security components, such as identity management, encryption, and au...
16.12	Implement Code-Level Security Checks	Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bei...
16.13	Conduct Application Penetration Testing	Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited t...
16.14	Conduct Threat Modeling	Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws...
16.2	Establish and Maintain a Process to Accept and Address Software Vulnerabilities	Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means...
16.3	Perform Root Cause Analysis on Security Vulnerabilities	Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task...
16.4	Establish and Manage an Inventory of Third-Party Software Components	Establish and manage an updated inventory of third-party components used in development, often referred to as a 'bill of...
16.5	Use Up-to-Date and Trusted Third-Party Software Components	Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and...
16.6	Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities	Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizin...
16.7	Use Standard Hardening Configuration Templates for Application Infrastructure	Use standard, industry-recommended hardening configuration templates for application infrastructure components. This inc...
16.8	Separate Production and Non-Production Systems	Maintain separate environments for production and non-production systems.
16.9	Train Developers in Application Security Concepts and Secure Coding	Ensure that all software development personnel receive training in writing secure code for their specific development en...

Audit Log Management

12 controls

Controls in the Audit Log Management domain of CIS Controls v8 — 12 controls
Code	Title	Description
8.1	Risk treatment selection	Select appropriate risk treatment options including modification, retention, avoidance or sharing.
8.10	Retain Audit Logs	Retain audit logs across enterprise assets for a minimum of 90 days.
8.11	Conduct Audit Log Reviews	Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct rev...
8.12	Data leakage prevention	Apply data leakage prevention measures to systems, networks and devices that process, store or transmit sensitive inform...
8.2	Risk treatment plan	Formulate a risk treatment plan with assigned owners, timelines and resources.
8.3	Statement of Applicability linkage	Document selected controls in the Statement of Applicability and reconcile with the treatment plan.
8.4	Residual risk acceptance	Obtain documented acceptance of residual risks by accountable risk owners.
8.5	Control effectiveness review	Review the effectiveness of implemented risk treatment controls and adjust as needed.
8.6	Release of products and services	Implement planned arrangements at appropriate stages to verify product/service requirements have been met. Do not releas...
8.7	Protection against malware	Implement protection against malware combined with appropriate user awareness.
8.8	Management of technical vulnerabilities	Obtain timely information about technical vulnerabilities, evaluate exposure and take appropriate measures.
8.9	Management Reviews	Top management reviews QMS at planned intervals to ensure continuing suitability, adequacy and effectiveness.

CIS 01 - Inventory and Control of Enterprise Assets

0 controls

Actively manage all enterprise assets connected to the network

CIS 02 - Inventory and Control of Software Assets

0 controls

Actively manage all software on the network

CIS 03 - Data Protection

0 controls

Develop processes and technical controls to identify, classify, handle and dispose of data

CIS 04 - Secure Configuration

0 controls

Establish and maintain secure configuration of enterprise assets and software

CIS 05 - Account Management

0 controls

Use processes and tools to assign and manage authorization to credentials

CIS 06 - Access Control Management

0 controls

Use processes and tools to create, assign, manage, and revoke access credentials

CIS 07 - Continuous Vulnerability Management

0 controls

Develop a plan to continuously assess and track vulnerabilities

CIS 08 - Audit Log Management

0 controls

Collect, alert, review, and retain audit logs of events

CIS 09 - Email and Web Browser Protections

0 controls

Improve protections and detections of threats from email and web vectors

CIS 10 - Malware Defenses

0 controls

Prevent or control the installation, spread, and execution of malicious applications

CIS 11 - Data Recovery

0 controls

Establish and maintain data recovery practices

CIS 12 - Network Infrastructure Management

0 controls

Establish and maintain the management and security of network infrastructure

CIS 13 - Network Monitoring and Defense

0 controls

Operate processes and tooling to establish and maintain comprehensive network monitoring

CIS 14 - Security Awareness and Skills Training

0 controls

Establish and maintain a security awareness program

CIS 15 - Service Provider Management

0 controls

Develop a process to evaluate service providers

CIS 16 - Application Software Security

0 controls

Manage the security life cycle of in-house developed, hosted, or acquired software

CIS 17 - Incident Response Management

0 controls

Establish a program to develop and maintain an incident response capability

CIS 18 - Penetration Testing

0 controls

Test effectiveness and resiliency of enterprise assets through simulated attacks

Continuous Vulnerability Management

7 controls

Controls in the Continuous Vulnerability Management domain of CIS Controls v8 — 7 controls
Code	Title	Description
7.1	Cyber Incident Response Planning	Ensure a consistent and effective approach for the management of cyber incidents affecting the SWIFT environment.
7.2	Security Training and Awareness	Ensure all staff are aware of and fulfil their security responsibilities by performing regular awareness activities and...
7.3	Risk evaluation	Compare analysed risks against acceptance criteria to prioritize treatment.
7.4	Asset valuation	Assign values to assets reflecting their business importance and sensitivity.
7.5	Threat assessment	Identify and assess threats relevant to assets and the operating environment.
7.6	Vulnerability assessment	Identify and assess vulnerabilities that could be exploited by threats causing harm.
7.7	Likelihood estimation	Estimate the likelihood of threats exploiting vulnerabilities using consistent criteria.

Data Protection

14 controls

Controls in the Data Protection domain of CIS Controls v8 — 14 controls
Code	Title	Description
3.1	Physical Security	Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and storage.
3.10	Encrypt Sensitive Data in Transit	Encrypt sensitive data in transit. Example implementations include TLS and OpenSSH.
3.11	Encrypt Sensitive Data at Rest	Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption is recommended.
3.12	Segment Data Processing and Storage Based on Sensitivity	Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise as...
3.13	Deploy a Data Loss Prevention Solution	Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool, to identify sensitive data on enterpr...
3.14	Log Sensitive Data Access	Log sensitive data access, including modification and disposal.
3.2	Establish and Maintain a Data Inventory	Establish and maintain a data inventory based on the enterprise data management process. Inventory sensitive data at min...
3.3	Configure Data Access Control Lists	Configure data access control lists based on a user's need to know. Apply ACLs on file systems, databases, and applicati...
3.4	Enforce Data Retention	Retain data according to the enterprise data management process. Data retention must include both minimum and maximum ti...
3.5	Securely Dispose of Data	Securely dispose of data as outlined in the enterprise data management process. Ensure the disposal process and method a...
3.6	Encrypt Data on End-User Devices	Encrypt data on end-user devices containing sensitive data. Examples include Windows BitLocker, Apple FileVault, Linux d...
3.7	Establish and Maintain a Data Classification Scheme	Establish and maintain an overall data classification scheme. Example labels include Sensitive, Confidential, and Public...
3.8	Document Data Flows	Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise'...
3.9	Encrypt Data on Removable Media	Encrypt data on removable media. Examples include USB sticks, external HDDs, optical media.

Data Recovery

5 controls

Controls in the Data Recovery domain of CIS Controls v8 — 5 controls
Code	Title	Description
11.1	Establish and Maintain a Data Recovery Process	Establish and maintain a documented data recovery process. In the process, address the scope of data recovery activities...
11.2	Perform Automated Backups	Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivit...
11.3	Protect Recovery Data	Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on r...
11.4	Establish and Maintain an Isolated Instance of Recovery Data	Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup...
11.5	Test Data Recovery	Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

Email and Web Browser Protections

7 controls

Controls in the Email and Web Browser Protections domain of CIS Controls v8 — 7 controls
Code	Title	Description
9.1	Risk communication and consultation	Communicate and consult with internal and external stakeholders on risk throughout the process.
9.2	Internal Audit	Internal audits are conducted at planned intervals to verify SMS conformity and effectiveness.
9.3	Management Review	Top management reviews SMS at planned intervals to ensure suitability, adequacy and effectiveness.
9.4	Restrict Unnecessary or Unauthorized Browser and Email Client Extensions	Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ext...
9.5	Implement DMARC	To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting...
9.6	Block Unnecessary File Types	Block unnecessary file types attempting to enter the enterprise's email gateway.
9.7	Deploy and Maintain Email Server Anti-Malware Protections	Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.

Incident Response Management

9 controls

Controls in the Incident Response Management domain of CIS Controls v8 — 9 controls
Code	Title	Description
17.1	Designate Personnel to Manage Incident Handling	Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Managemen...
17.2	Establish and Maintain Contact Information for Reporting Security Incidents	Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may incl...
17.3	Establish and Maintain an Enterprise Process for Reporting Incidents	Establish and maintain an enterprise process for the workforce to report security incidents. The process includes report...
17.4	Establish and Maintain an Incident Response Process	Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements,...
17.5	Assign Key Roles and Responsibilities	Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facil...
17.6	Define Mechanisms for Communicating During Incident Response	Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mech...
17.7	Conduct Routine Incident Response Exercises	Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response p...
17.8	Conduct Post-Incident Reviews	Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learne...
17.9	Establish and Maintain Security Incident Thresholds	Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an...

Inventory and Control of Enterprise Assets

5 controls

Controls in the Inventory and Control of Enterprise Assets domain of CIS Controls v8 — 5 controls
Code	Title	Description
1.1	SWIFT Environment Protection	Establish a logical separation between the user's general IT environment and the local SWIFT infrastructure to limit exp...
1.2	Operating System Privileged Account Control	Restrict and control the allocation and usage of administrator-level operating system accounts on SWIFT-related componen...
1.3	Virtualisation Platform Protection	Secure the virtualisation platform and underlying physical hosts used to host SWIFT-related components to the same stand...
1.4	Restriction of Internet Access	Restrict and control general internet access on operator PCs and from the local SWIFT infrastructure to reduce attack su...
1.5	Customer Environment Protection (Architecture B)	For Architecture B users, ensure the customer connector and operator PCs accessing the service provider are protected fr...

Inventory and Control of Software Assets

7 controls

Controls in the Inventory and Control of Software Assets domain of CIS Controls v8 — 7 controls
Code	Title	Description
2.1	Internal Data Flow Security	Ensure the confidentiality, integrity, and mutual authenticity of data flows between local SWIFT-related applications an...
2.2	Security Updates	Minimise the occurrence of known technical vulnerabilities on operator PCs and within the local SWIFT infrastructure by...
2.3	System Hardening	Reduce the cyber attack surface of SWIFT-related components by performing system hardening on all in-scope systems.
2.4	Utilize Automated Software Inventory Tools	Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation o...
2.5	Allowlist Authorized Software	Use technical controls, such as application allowlisting, to ensure only authorized software can execute or be accessed....
2.6	Operator Session Confidentiality and Integrity	Protect the confidentiality and integrity of interactive operator sessions that connect to the local or remote SWIFT inf...
2.7	Vulnerability Scanning	Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning proce...

Malware Defenses

7 controls

Controls in the Malware Defenses domain of CIS Controls v8 — 7 controls
Code	Title	Description
10.1	Risk monitoring and review	Monitor and review risks, controls and the risk management process for continuing relevance.
10.2	Risk reporting	Report risk information to management with sufficient detail to support decision making.
10.3	Continual Improvement	Continually improve the suitability, adequacy and effectiveness of the EMS to enhance environmental performance.
10.4	Configure Automatic Anti-Malware Scanning of Removable Media	Configure anti-malware software to automatically scan removable media.
10.5	Enable Anti-Exploitation Features	Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft Data Execution Pr...
10.6	Centrally Manage Anti-Malware Software	Centrally manage anti-malware software.
10.7	Use Behavior-Based Anti-Malware Software	Use behavior-based anti-malware software.

Network Infrastructure Management

8 controls

Controls in the Network Infrastructure Management domain of CIS Controls v8 — 8 controls
Code	Title	Description
12.1	Ensure Network Infrastructure is Up-to-Date	Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of s...
12.2	Establish and Maintain a Secure Network Architecture	Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least pri...
12.3	Securely Manage Network Infrastructure	Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and t...
12.4	Establish and Maintain Architecture Diagram(s)	Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentatio...
12.5	Centralize Network Authentication, Authorization, and Auditing (AAA)	Centralize network AAA.
12.6	Use Secure Network Management and Communication Protocols	Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or g...
12.7	Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure	Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resour...
12.8	Establish and Maintain Dedicated Computing Resources for All Administrative Work	Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative t...

Network Monitoring and Defense

11 controls

Controls in the Network Monitoring and Defense domain of CIS Controls v8 — 11 controls
Code	Title	Description
13.1	Centralize Security Event Alerting	Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementati...
13.10	Perform Application Layer Filtering	Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or g...
13.11	Tune Security Event Alerting Thresholds	Tune security event alerting thresholds monthly, or more frequently.
13.2	Deploy a Host-Based Intrusion Detection Solution	Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
13.3	Deploy a Network Intrusion Detection Solution	Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include t...
13.4	Perform Traffic Filtering Between Network Segments	Perform traffic filtering between network segments, where appropriate.
13.5	Manage Access Control for Remote Assets	Manage access control for assets remotely connecting to enterprise resources. Determine compliance with standards, such...
13.6	Collect Network Traffic Flow Logs	Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
13.7	Deploy a Host-Based Intrusion Prevention Solution	Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported.
13.8	Deploy a Network Intrusion Prevention Solution	Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network...
13.9	Deploy Port-Level Access Control	Deploy port-level access control. Port-level access control utilizes 802.1x or similar network access control protocols.

Penetration Testing

5 controls

Controls in the Penetration Testing domain of CIS Controls v8 — 5 controls
Code	Title	Description
18.1	Establish and Maintain a Penetration Testing Program	Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise...
18.2	Perform Periodic External Penetration Tests	Perform periodic external penetration tests based on program requirements, no less than annually. External penetration t...
18.3	Remediate Penetration Test Findings	Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization.
18.4	Validate Security Measures	Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect...
18.5	Perform Periodic Internal Penetration Tests	Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be cle...

Secure Configuration of Enterprise Assets and Software

12 controls

Controls in the Secure Configuration of Enterprise Assets and Software domain of CIS Controls v8 — 12 controls
Code	Title	Description
4.1	Password Policy	Ensure passwords used to access SWIFT components and connected systems are sufficiently resistant against common passwor...
4.10	Enforce Automatic Device Lockout on Portable End-User Devices	Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable...
4.11	Enforce Remote Wipe Capability on Portable End-User Devices	Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate, such as lost or s...
4.12	Separate Enterprise Workspaces on Mobile End-User Devices	Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations incl...
4.2	Multi-Factor Authentication	Prevent that a compromise of a single authentication factor allows access to SWIFT systems by implementing multi-factor...
4.3	Determining Scope of SMS	Boundaries and applicability of SMS are determined considering services, locations and interfaces.
4.4	Service Management System	Organisation establishes, implements, maintains and continually improves an SMS.
4.5	Implement and Manage a Firewall on End-User Devices	Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule.
4.6	Securely Manage Enterprise Assets and Software	Securely manage enterprise assets and software. Example implementations include managing configuration through version-c...
4.7	Manage Default Accounts on Enterprise Assets and Software	Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor...
4.8	Uninstall or Disable Unnecessary Services on Enterprise Assets and Software	Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web...
4.9	Configure Trusted DNS Servers on Enterprise Assets	Configure trusted DNS servers on enterprise assets. Example implementations include configuring assets to use enterprise...

Security Awareness and Skills Training

9 controls

Controls in the Security Awareness and Skills Training domain of CIS Controls v8 — 9 controls
Code	Title	Description
14.1	Establish and Maintain a Security Awareness Program	Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enter...
14.2	Train Workforce Members to Recognize Social Engineering Attacks	Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
14.3	Train Workforce Members on Authentication Best Practices	Train workforce members on authentication best practices. Example topics include MFA, password composition, and credenti...
14.4	Train Workforce on Data Handling Best Practices	Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data.
14.5	Train Workforce Members on Causes of Unintentional Data Exposure	Train workforce members to be aware of causes for unintentional data exposure. Example topics include misdelivery of sen...
14.6	Train Workforce Members on Recognizing and Reporting Security Incidents	Train workforce members to be able to recognize a potential incident and be able to report such an incident.
14.7	Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates	Train workforce to understand how to verify and report on out-of-date software patches or any failures in automated proc...
14.8	Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks	Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise ac...
14.9	Conduct Role-Specific Security Awareness and Skills Training	Conduct role-specific security awareness and skills training. Example implementations include secure system administrati...

Service Provider Management

7 controls

Controls in the Service Provider Management domain of CIS Controls v8 — 7 controls
Code	Title	Description
15.1	Establish and Maintain an Inventory of Service Providers	Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include...
15.2	Establish and Maintain a Service Provider Management Policy	Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory,...
15.3	Classify Service Providers	Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivi...
15.4	Ensure Service Provider Contracts Include Security Requirements	Ensure service provider contracts include security requirements. Example requirements may include minimum security progr...
15.5	Assess Service Providers	Assess service providers consistent with the enterprise's service provider management policy. Scope may vary based on cl...
15.6	Monitor Service Providers	Monitor service providers consistent with the enterprise's service provider management policy. Monitoring may include pe...
15.7	Securely Decommission Service Providers	Securely decommission service providers. Example considerations include user and service account deactivation, terminati...

Your Compliance Coverage

If you comply with CIS Controls v8, you already cover:

UK Telecommunications (Security) Act 2021

16%

25 controls mapped

Compare →

NIS2 Directive Implementing Acts

16%

24 controls mapped

Compare →

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

14%

22 controls mapped

Compare →

+ 650 more: SWIFT CSCF (14%), ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence (14%)

See all 653 mapped frameworks ↓

Maps to 653 other frameworks

153 total controls

UK Telecommunications (Security) Act 2021

25 source controls mapped|21 target controls covered

16%

NIS2 Directive Implementing Acts

24 source controls mapped|22 target controls covered

16%

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

22 source controls mapped|13 target controls covered

14%

SWIFT CSCF

21 source controls mapped|14 target controls covered

14%

ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence

21 source controls mapped|18 target controls covered

14%

ISO 13485

21 source controls mapped|14 target controls covered

14%

TISAX - Trusted Information Security Assessment Exchange

20 source controls mapped|19 target controls covered

13%

AS9100D - Aerospace Quality Management System

20 source controls mapped|14 target controls covered

13%

ISO/IEC 27003:2017

20 source controls mapped|14 target controls covered

13%

SQF Code Edition 9 - Safe Quality Food

20 source controls mapped|8 target controls covered

13%

3GPP Security Architecture (TS 33.501 - 5G Security)

20 source controls mapped|14 target controls covered

13%

ISO 19011

19 source controls mapped|6 target controls covered

12%

South Korea ISMS-P

19 source controls mapped|12 target controls covered

12%

PIC/S Guide to Good Manufacturing Practice for Medicinal Products

19 source controls mapped|9 target controls covered

12%

SWIFT CSCF v2024

18 source controls mapped|9 target controls covered

12%

FDA Quality Management System Regulation (QMSR)

18 source controls mapped|6 target controls covered

12%

ISO/IEC 17025:2017 - General Requirements for Testing and Calibration Laboratories

18 source controls mapped|10 target controls covered

12%

ISO 20000-1

18 source controls mapped|9 target controls covered

12%

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

18 source controls mapped|14 target controls covered

12%

BRCGS Global Standard for Food Safety Issue 9

17 source controls mapped|11 target controls covered

11%

IEC 62304:2015 Medical Device Software Lifecycle Processes

17 source controls mapped|6 target controls covered

11%

DO-178C / ED-12C - Software Considerations in Airborne Systems

17 source controls mapped|7 target controls covered

11%

ISO/IEC 27006:2024

17 source controls mapped|8 target controls covered

11%

NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity

17 source controls mapped|15 target controls covered

11%

PAS 1192-5:2015 - Security-Minded Approach to BIM and Digital Built Environments

17 source controls mapped|13 target controls covered

11%

Canada ITSG-33 - IT Security Risk Management

17 source controls mapped|15 target controls covered

11%

New Zealand Information Security Manual (NZISM)

17 source controls mapped|13 target controls covered

11%

MARS-E - Minimum Acceptable Risk Standards for Exchanges

17 source controls mapped|13 target controls covered

11%

South Korea Cloud Security Assurance Program (CSAP)

17 source controls mapped|14 target controls covered

11%

WCO Authorised Economic Operator (AEO) Framework

17 source controls mapped|21 target controls covered

11%

IRS Publication 1075 - Tax Information Security Guidelines

16 source controls mapped|5 target controls covered

10%

21 CFR Part 58 - Good Laboratory Practice (GLP)

16 source controls mapped|4 target controls covered

10%

ISO 9001:2015

16 source controls mapped|7 target controls covered

10%

ISO/IEC 42001:2023

16 source controls mapped|8 target controls covered

10%

ISO 22301:2019

16 source controls mapped|8 target controls covered

10%

PCI DSS 4.0

16 source controls mapped|4 target controls covered

10%

US OFAC Sanctions Compliance Framework

16 source controls mapped|7 target controls covered

10%

NIST SP 800-82 Rev 3 - Guide to OT Security

16 source controls mapped|12 target controls covered

10%

FedRAMP Rev 5

16 source controls mapped|27 target controls covered

10%

GLI-33 - Gaming Laboratories International Event Wagering Systems

16 source controls mapped|14 target controls covered

10%

21 CFR Part 211 - Current Good Manufacturing Practice

16 source controls mapped|5 target controls covered

10%

UK Gambling Commission - Cyber Resilience Requirements

16 source controls mapped|14 target controls covered

10%

ASD Information Security Manual (ISM)

16 source controls mapped|27 target controls covered

10%

FAA Cybersecurity Framework for Aviation

16 source controls mapped|16 target controls covered

10%

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

16 source controls mapped|14 target controls covered

10%

Customs-Trade Partnership Against Terrorism (C-TPAT)

16 source controls mapped|11 target controls covered

10%

Critical Raw Materials Act (Proposed Regulation COM(2023) 192)

16 source controls mapped|11 target controls covered

10%

ILO Nursing Personnel Convention C149 (1977)

15 source controls mapped|10 target controls covered

10%

6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) - superseded by AMLD7

15 source controls mapped|11 target controls covered

10%

ISO 8000 - Data Quality

15 source controls mapped|9 target controls covered

10%

FATF Recommendation 16 - Virtual Asset Travel Rule

15 source controls mapped|9 target controls covered

10%

Privacy by Design (PbD) - Seven Foundational Principles

15 source controls mapped|7 target controls covered

10%

BS 65000:2014 - Guidance on Organizational Resilience

15 source controls mapped|7 target controls covered

10%

ISO 28001:2007 Supply Chain Security Management

15 source controls mapped|10 target controls covered

10%

ASIS SPC.1-2009 - Organizational Resilience Standard

15 source controls mapped|6 target controls covered

10%

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

15 source controls mapped|18 target controls covered

10%

ISO/IEC 25012:2008 - Data Quality Model

15 source controls mapped|3 target controls covered

10%

Defence Security Principles Framework (DSPF)

15 source controls mapped|30 target controls covered

10%

Protective Security Policy Framework (PSPF) Release 2024

15 source controls mapped|29 target controls covered

10%

CSA STAR (Security, Trust, Assurance, and Risk)

15 source controls mapped|8 target controls covered

10%

EIOPA Guidelines on ICT Security and Governance (EIOPA‑BoS‑23/146, 2023)

15 source controls mapped|16 target controls covered

10%

Telecommunications Sector Security Reforms (TSSR)

15 source controls mapped|14 target controls covered

10%

FBI CJIS Security Policy

15 source controls mapped|14 target controls covered

10%

US ITAR and EAR - Export Control and Data Security

15 source controls mapped|12 target controls covered

10%

RBI Cybersecurity Framework for Banks

15 source controls mapped|10 target controls covered

10%

ISO 45001:2018

15 source controls mapped|6 target controls covered

10%

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

15 source controls mapped|10 target controls covered

10%

EU Chips Act (Regulation (EU) 2023/1781)

15 source controls mapped|10 target controls covered

10%

ASEAN Data Management Framework

14 source controls mapped|11 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

14 source controls mapped|7 target controls covered

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

14 source controls mapped|6 target controls covered

NAIC Insurance Data Security Model Law (MDL-668)

14 source controls mapped|15 target controls covered

ISO/IEC 27400:2022

14 source controls mapped|8 target controls covered

ISO 31000:2018

14 source controls mapped|2 target controls covered

AWS Well-Architected Security Pillar

14 source controls mapped|7 target controls covered

MTCS (Singapore)

14 source controls mapped|7 target controls covered

CAIQ (CSA)

14 source controls mapped|7 target controls covered

ISO 27017

14 source controls mapped|7 target controls covered

ISMAP (Japan)

14 source controls mapped|7 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

14 source controls mapped|12 target controls covered

CCSDS 350.0-G-3 - Space Communications Security (Consultative Committee for Space Data Systems)

14 source controls mapped|10 target controls covered

Singapore Government Instruction Manual on ICT&SS Management (IM8)

14 source controls mapped|9 target controls covered

NIST Cybersecurity Framework 2.0

14 source controls mapped|16 target controls covered

NIST SP 800-145

14 source controls mapped|7 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

14 source controls mapped|14 target controls covered

C5 (Germany)

14 source controls mapped|7 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

14 source controls mapped|12 target controls covered

CISA Industrial Control Systems (ICS) Security Guidance

14 source controls mapped|16 target controls covered

Azure Security Benchmark

14 source controls mapped|8 target controls covered

NIST SP 800-190

14 source controls mapped|7 target controls covered

NIST SP 800-146

14 source controls mapped|7 target controls covered

EU Digital Markets Act

14 source controls mapped|10 target controls covered

EAR - Export Administration Regulations

14 source controls mapped|11 target controls covered

NIST SP 800-144

14 source controls mapped|7 target controls covered

ISO 27018

14 source controls mapped|7 target controls covered

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)

14 source controls mapped|10 target controls covered

C-TPAT - Customs-Trade Partnership Against Terrorism

14 source controls mapped|14 target controls covered

NIST SP 800-34 Rev 1 - Contingency Planning Guide

13 source controls mapped|7 target controls covered

IATF 16949:2016 - Quality Management System for Automotive Production

13 source controls mapped|8 target controls covered

DFARS 252.204-7012 - Safeguarding Covered Defense Information

13 source controls mapped|9 target controls covered

Connecticut Data Privacy Act (CTDPA)

13 source controls mapped|12 target controls covered

3GPP Security

13 source controls mapped|10 target controls covered

ISO 27002:2022

13 source controls mapped|10 target controls covered

ISO 13485:2016

13 source controls mapped|4 target controls covered

OWASP SAMM

13 source controls mapped|8 target controls covered

ISO 27043

13 source controls mapped|10 target controls covered

NIST SP 800-124 Rev 2 - Mobile Device Security

13 source controls mapped|7 target controls covered

Digital Economy Partnership Agreement (DEPA)

13 source controls mapped|7 target controls covered

ETSI EN 303 645

13 source controls mapped|11 target controls covered

UNECE WP.29 R156

13 source controls mapped|9 target controls covered

Chile Personal Data Protection Law (Law No. 21.719)

13 source controls mapped|7 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

13 source controls mapped|11 target controls covered

MITRE ATT&CK

13 source controls mapped|10 target controls covered

ISO/SAE 21434

13 source controls mapped|10 target controls covered

NIST SP 800-137

13 source controls mapped|10 target controls covered

NIST SP 800-92

13 source controls mapped|9 target controls covered

NIST SP 800-183

13 source controls mapped|9 target controls covered

OWASP MASVS

13 source controls mapped|8 target controls covered

OWASP ASVS

13 source controls mapped|9 target controls covered

NIST SP 800-207

13 source controls mapped|8 target controls covered

NIST SP 800-128

13 source controls mapped|10 target controls covered

NIST SP 800-160

13 source controls mapped|10 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

13 source controls mapped|9 target controls covered

NIST SP 800-88

13 source controls mapped|9 target controls covered

California IoT Security Law

13 source controls mapped|9 target controls covered

OpenSSF Scorecard

13 source controls mapped|11 target controls covered

MITRE D3FEND

13 source controls mapped|10 target controls covered

NIST SP 800-187

13 source controls mapped|10 target controls covered

NIST SP 800-123

13 source controls mapped|9 target controls covered

NIST SP 800-181

13 source controls mapped|9 target controls covered

NIST SP 800-161

13 source controls mapped|9 target controls covered

PTES

13 source controls mapped|9 target controls covered

UNECE WP.29 R155

13 source controls mapped|8 target controls covered

Proposal for a Regulation on Cyber Resilience Act (CRA)

13 source controls mapped|9 target controls covered

SIG (Shared Assessments)

13 source controls mapped|9 target controls covered

NIST SP 800-61

13 source controls mapped|8 target controls covered

NIST SP 800-115

13 source controls mapped|9 target controls covered

OWASP Top 10:2025

13 source controls mapped|9 target controls covered

SSDF (NIST)

13 source controls mapped|9 target controls covered

NIST SP 800-63

13 source controls mapped|8 target controls covered

NIST SP 800-218

13 source controls mapped|8 target controls covered

NIST SP 800-150

13 source controls mapped|9 target controls covered

SLSA

13 source controls mapped|9 target controls covered

UK PSTI Act

13 source controls mapped|9 target controls covered

BSIMM

13 source controls mapped|9 target controls covered

ISO 14001

13 source controls mapped|4 target controls covered

ISO 41001:2018 - Facility Management Systems

12 source controls mapped|9 target controls covered

ISO 39001:2012 - Road Traffic Safety Management

12 source controls mapped|9 target controls covered

ISO 50001:2018 - Energy Management Systems

12 source controls mapped|9 target controls covered

ISO 22313:2020 - Guidance on Business Continuity Management Systems

12 source controls mapped|9 target controls covered

GLOBALG.A.P. Integrated Farm Assurance (IFA) Standard v6

12 source controls mapped|6 target controls covered

AICPA Privacy Management Framework (PMF)

12 source controls mapped|4 target controls covered

ISO 27005

12 source controls mapped|8 target controls covered

ICAO Annex 17 - Aviation Security (AVSEC)

12 source controls mapped|5 target controls covered

Modern Slavery Act 2018 (Australia)

12 source controls mapped|7 target controls covered

EMV 3‑D Secure (3DS) - Payment Authentication Protocol

12 source controls mapped|7 target controls covered

FTC Health Breach Notification Rule

12 source controls mapped|12 target controls covered

Notifiable Data Breaches Scheme (Australia)

12 source controls mapped|10 target controls covered

US SEC Digital Assets and Crypto Regulatory Framework

12 source controls mapped|12 target controls covered

PCI DSS v4.0

12 source controls mapped|14 target controls covered

Regulation (EU) 2019/1239 on the Maritime Single Window (MSW)

12 source controls mapped|8 target controls covered

SSAE 18 - Attestation Standards (SOC Reporting)

12 source controls mapped|10 target controls covered

RFC 2350 - Expectations for Computer Security Incident Response (BCP 21)

12 source controls mapped|8 target controls covered

Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data

12 source controls mapped|9 target controls covered

NIS2 Directive

12 source controls mapped|16 target controls covered

UK Open Banking Standard

12 source controls mapped|6 target controls covered

C2M2

12 source controls mapped|12 target controls covered

IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

12 source controls mapped|9 target controls covered

LGPD

12 source controls mapped|7 target controls covered

SWIFT Customer Security Programme (CSP)

12 source controls mapped|8 target controls covered

ASIC Cyber Resilience Good Practices

12 source controls mapped|7 target controls covered

UK Product Security and Telecommunications Infrastructure Act (PSTI)

12 source controls mapped|9 target controls covered

European Accessibility Act (Directive (EU) 2019/882)

12 source controls mapped|10 target controls covered

Regulation (EU) 2023/1115 on deforestation-free supply chains

12 source controls mapped|9 target controls covered

Ontario Accessibility for Ontarians with Disabilities Act (AODA) - IASR Web Standard

12 source controls mapped|10 target controls covered

NIS2 Directive (Directive (EU) 2022/2555)

12 source controls mapped|11 target controls covered

Australia Consumer Data Right - Banking (CDR)

12 source controls mapped|11 target controls covered

Australia eSafety Commissioner - Online Safety Expectations for Industry

12 source controls mapped|9 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

12 source controls mapped|10 target controls covered

NIST SP 800-53 Rev 5

12 source controls mapped|27 target controls covered

ISO 20400:2017 - Sustainable Procurement

11 source controls mapped|6 target controls covered

EU Medical Devices Regulation (MDR 2017/745)

11 source controls mapped|7 target controls covered

ICH Q10 - Pharmaceutical Quality System

11 source controls mapped|5 target controls covered

ISO/IEC 27014:2020

11 source controls mapped|5 target controls covered

Illinois Biometric Information Privacy Act (BIPA)

11 source controls mapped|5 target controls covered

ISO/IEC 27011:2024

11 source controls mapped|13 target controls covered

DORA

11 source controls mapped|11 target controls covered

USMCA Chapter 19 - Digital Trade (United States-Mexico-Canada Agreement)

11 source controls mapped|4 target controls covered

Turkey Personal Data Protection Law (KVKK - Law No. 6698)

11 source controls mapped|8 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

11 source controls mapped|9 target controls covered

NIST AI 600-1 Generative AI Profile

11 source controls mapped|9 target controls covered

Florida Digital Bill of Rights (SB 262)

11 source controls mapped|4 target controls covered

TEFCA - Trusted Exchange Framework and Common Agreement

11 source controls mapped|5 target controls covered

Annex 11 to EU GMP - Computerised Systems

11 source controls mapped|6 target controls covered

O-RAN Alliance Security Specifications (O-RAN.WG11)

11 source controls mapped|4 target controls covered

SSAE 18 SOC 1 - Report on Controls at a Service Organisation (ICFR)

11 source controls mapped|7 target controls covered

Wisconsin Data Privacy Act (SB 670)

11 source controls mapped|10 target controls covered

Tennessee Information Protection Act (TIPA)

11 source controls mapped|7 target controls covered

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

11 source controls mapped|8 target controls covered

Kuwait National Cybersecurity Framework

11 source controls mapped|8 target controls covered

HL7 FHIR Security Framework

11 source controls mapped|7 target controls covered

US Gramm-Leach-Bliley Act (GLBA) - Higher Education Safeguards Rule

11 source controls mapped|14 target controls covered

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

11 source controls mapped|20 target controls covered

ISO 14064 - Greenhouse Gas Accounting and Verification (Parts 1-3)

10 source controls mapped|2 target controls covered

ICH E6(R2) Good Clinical Practice - Data Integrity and Electronic Systems

10 source controls mapped|3 target controls covered

ISO 56002

10 source controls mapped|7 target controls covered

ISO 37002:2021 - Whistleblowing Management Systems

10 source controls mapped|6 target controls covered

ICH E6(R3) - Good Clinical Practice

10 source controls mapped|2 target controls covered

ITAR - International Traffic in Arms Regulations

10 source controls mapped|3 target controls covered

ISO/IEC 23837 - Security Requirements for Quantum Key Distribution

10 source controls mapped|7 target controls covered

3GPP 5G Security Architecture (TS 33.501)

10 source controls mapped|6 target controls covered

IEC 62351 - Power Systems Communication Security

10 source controls mapped|3 target controls covered

ISO/IEC 29115:2023 - Entity Authentication Assurance Framework

10 source controls mapped|5 target controls covered

APRA CPS 234

10 source controls mapped|6 target controls covered

TNFD Recommendations

10 source controls mapped|6 target controls covered

PCI SSF

10 source controls mapped|6 target controls covered

EU Cyber Solidarity Act (Regulation (EU) 2025/38)

10 source controls mapped|5 target controls covered

EU NIS2 Directive - Transport Sector Requirements

10 source controls mapped|5 target controls covered

Laos Law on Prevention and Combating Cybercrime (2015)

10 source controls mapped|9 target controls covered

Lebanon Electronic Transactions and Personal Data Protection Law (Law No. 81/2018)

10 source controls mapped|7 target controls covered

Zimbabwe Data Protection Act (2021)

10 source controls mapped|6 target controls covered

China Cybersecurity Law (CSL)

10 source controls mapped|5 target controls covered

PCI P2PE

10 source controls mapped|6 target controls covered

South Korea PIPA

10 source controls mapped|5 target controls covered

Bermuda Personal Information Protection Act 2016 (PIPA)

10 source controls mapped|6 target controls covered

W3C Verifiable Credentials (VC) Data Model 2.0

10 source controls mapped|5 target controls covered

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)

10 source controls mapped|6 target controls covered

BCBS 239

10 source controls mapped|8 target controls covered

MAS TRM

10 source controls mapped|6 target controls covered

PCI PIN Security

10 source controls mapped|6 target controls covered

AICPA SOC 3

10 source controls mapped|6 target controls covered

Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct

10 source controls mapped|8 target controls covered

BREEAM - Building Research Establishment Environmental Assessment Method

10 source controls mapped|4 target controls covered

HKMA SPM

10 source controls mapped|6 target controls covered

Florida Digital Bill of Rights (FDBR)

10 source controls mapped|6 target controls covered

EDM Council CDMC - Cloud Data Management Capability Framework

10 source controls mapped|5 target controls covered

PSD2 SCA

10 source controls mapped|6 target controls covered

FFIEC IT Examination Handbook

10 source controls mapped|6 target controls covered

OSFI B-13

10 source controls mapped|6 target controls covered

Regional Comprehensive Economic Partnership (RCEP) - E-Commerce Chapter

10 source controls mapped|4 target controls covered

AICPA SOC 1

10 source controls mapped|6 target controls covered

Open Banking Security

10 source controls mapped|6 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

10 source controls mapped|4 target controls covered

GLBA

10 source controls mapped|6 target controls covered

French Sapin II Law (Law No. 2016-1691)

10 source controls mapped|4 target controls covered

SWIFT CSP

10 source controls mapped|6 target controls covered

FISMA

10 source controls mapped|11 target controls covered

Ghana Cybersecurity Act

10 source controls mapped|12 target controls covered

Oman National Cybersecurity Framework

10 source controls mapped|7 target controls covered

NIST SP 800-171

10 source controls mapped|11 target controls covered

NIST SP 800-53A

10 source controls mapped|11 target controls covered

Spain ENS

10 source controls mapped|10 target controls covered

NIST Privacy Framework 1.0

10 source controls mapped|10 target controls covered

Cyber Essentials Plus

10 source controls mapped|10 target controls covered

Saudi NCA ECC

10 source controls mapped|10 target controls covered

BSI IT-Grundschutz

10 source controls mapped|10 target controls covered

ANSSI Cybersecurity Framework

10 source controls mapped|11 target controls covered

Belgium CyberFundamentals

10 source controls mapped|11 target controls covered

FTC Safeguards Rule (16 CFR Part 314)

10 source controls mapped|12 target controls covered

NIST SP 800-172

10 source controls mapped|11 target controls covered

DoD Zero Trust Reference Architecture

10 source controls mapped|10 target controls covered

CISA Zero Trust Maturity Model

10 source controls mapped|11 target controls covered

EU Digital Services Act

10 source controls mapped|4 target controls covered

CDP (formerly Carbon Disclosure Project)

10 source controls mapped|5 target controls covered

ISO/IEC 27557:2022 - Organisational Privacy Risk Management

9 source controls mapped|7 target controls covered

ISO/IEC 29147:2018

9 source controls mapped|4 target controls covered

FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)

9 source controls mapped|8 target controls covered

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)

9 source controls mapped|6 target controls covered

ISO/IEC 27031:2011

9 source controls mapped|5 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

9 source controls mapped|7 target controls covered

GAMP 5 - Good Automated Manufacturing Practice

9 source controls mapped|7 target controls covered

EU Payment Services Directive (PSD2)

9 source controls mapped|5 target controls covered

US NRC 10 CFR 73.54 - Cyber Security for Nuclear Power Plants

9 source controls mapped|5 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

9 source controls mapped|3 target controls covered

EU General Product Safety Regulation (GPSR, Regulation 2023/988)

9 source controls mapped|8 target controls covered

EU AI Act

9 source controls mapped|5 target controls covered

WCAG 2.2

9 source controls mapped|3 target controls covered

AASB S2 Climate-related Disclosures

9 source controls mapped|6 target controls covered

Armenia Law on Protection of Personal Data (2015)

9 source controls mapped|5 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114)

9 source controls mapped|6 target controls covered

EU Taxonomy Regulation (Regulation 2020/852)

9 source controls mapped|6 target controls covered

eIDAS 2.0 - EU Digital Identity Regulation

9 source controls mapped|4 target controls covered

Pakistan Personal Data Protection Bill 2023

9 source controls mapped|5 target controls covered

Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)

9 source controls mapped|3 target controls covered

EU In Vitro Diagnostic Medical Devices Regulation (IVDR)

9 source controls mapped|4 target controls covered

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

9 source controls mapped|7 target controls covered

South Korea Personal Information Protection Act (PIPA)

9 source controls mapped|7 target controls covered

Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

9 source controls mapped|6 target controls covered

Serbia Law on Personal Data Protection (2018)

9 source controls mapped|6 target controls covered

Russia Federal Law on Personal Data (152-FZ)

9 source controls mapped|5 target controls covered

Botswana Data Protection Act (2024)

9 source controls mapped|7 target controls covered

Trinidad and Tobago Data Protection Act 2011

9 source controls mapped|5 target controls covered

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)

9 source controls mapped|4 target controls covered

GDPR

9 source controls mapped|4 target controls covered

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

9 source controls mapped|3 target controls covered

SOC 2

9 source controls mapped|7 target controls covered

FedRAMP High

9 source controls mapped|5 target controls covered

NIST SP 800-53 Revision 5.1 HIGH

9 source controls mapped|5 target controls covered

IRS Publication 1075

9 source controls mapped|5 target controls covered

FedRAMP Moderate

9 source controls mapped|5 target controls covered

NIST SP 800-53 Rev 5 MODERATE

9 source controls mapped|4 target controls covered

NIST SP 800-53 Rev 5 LOW

9 source controls mapped|4 target controls covered

UK GDPR (UK General Data Protection Regulation)

9 source controls mapped|3 target controls covered

Singapore Cybersecurity Act 2018

9 source controls mapped|3 target controls covered

Czech Republic Act on the Protection of Personal Data (Act No. 110/2019 Coll.)

9 source controls mapped|6 target controls covered

MTCS - Multi-Tier Cloud Security (Singapore)

9 source controls mapped|3 target controls covered

ISO/IEC 23894:2023

9 source controls mapped|7 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

9 source controls mapped|6 target controls covered

NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)

9 source controls mapped|6 target controls covered

Regulation on the European Health Data Space (EHDS)

9 source controls mapped|2 target controls covered

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

9 source controls mapped|3 target controls covered

Barbados Data Protection Act 2019

9 source controls mapped|2 target controls covered

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

9 source controls mapped|14 target controls covered

HIPAA Security Rule

9 source controls mapped|11 target controls covered

NIST SP 800-171A - Assessing CUI Security Requirements

9 source controls mapped|12 target controls covered

CNCF Security Technical Advisory Group (TAG)

9 source controls mapped|6 target controls covered

FDA 21 CFR Part 11

9 source controls mapped|8 target controls covered

DISA Security Technical Implementation Guides (STIGs)

9 source controls mapped|11 target controls covered

MDS2 (Medical Device)

9 source controls mapped|8 target controls covered

NIST SP 800-66

9 source controls mapped|8 target controls covered

ISO 27799

9 source controls mapped|8 target controls covered

MARS-E

9 source controls mapped|8 target controls covered

ISO 27001:2022

9 source controls mapped|14 target controls covered

ISO 14001:2015

9 source controls mapped|5 target controls covered

FSSC 22000 - Food Safety System Certification

9 source controls mapped|5 target controls covered

GS1 Global Standards - Supply Chain Traceability and Data Security

9 source controls mapped|4 target controls covered

ISO/IEC 29134:2023

8 source controls mapped|5 target controls covered

ISO/IEC 30111:2019

8 source controls mapped|4 target controls covered

PCAOB AS 2201 - Audit of Internal Control Over Financial Reporting (ICFR)

8 source controls mapped|5 target controls covered

EN 50126, EN 50128, and EN 50129 - Railway Applications - Reliability, Availability, Maintainability and Safety (RAMS)

8 source controls mapped|5 target controls covered

NATO STANAG 4774/4778 - Confidentiality Metadata Labels

8 source controls mapped|5 target controls covered

EU Machinery Regulation (Regulation (EU) 2023/1230)

8 source controls mapped|5 target controls covered

China Personal Information Protection Law (PIPL)

8 source controls mapped|4 target controls covered

Morocco Data Protection Law (09-08)

8 source controls mapped|5 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

8 source controls mapped|5 target controls covered

EU Taxonomy Regulation

8 source controls mapped|4 target controls covered

ISO 22739:2024 - Blockchain and Distributed Ledger Technologies Vocabulary

8 source controls mapped|4 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA)

8 source controls mapped|6 target controls covered

Union Customs Code (UCC) - Regulation (EU) No 952/2013

8 source controls mapped|4 target controls covered

African Union Malabo Convention

8 source controls mapped|4 target controls covered

Law No. 2013-450 of 19 June 2013 on the Protection of Personal Data

8 source controls mapped|4 target controls covered

Costa Rica Personal Data Protection Law (Law No. 8968) as amended by Executive Decree No. 42089-MGP

8 source controls mapped|5 target controls covered

Kazakhstan Law on Personal Data and Their Protection (No. 94-V)

8 source controls mapped|5 target controls covered

Georgia Law on Personal Data Protection (2012)

8 source controls mapped|5 target controls covered

Colombia Data Protection Law (Law 1581 of 2012)

8 source controls mapped|5 target controls covered

Portugal Law No. 58/2019 - Data Protection Implementation Act

8 source controls mapped|7 target controls covered

Oman Personal Data Protection Law (Royal Decree 6/2022)

8 source controls mapped|5 target controls covered

Cook Islands Electronic Transactions Act 2003

8 source controls mapped|4 target controls covered

EU Network Code on Cybersecurity for the Electricity Sector

8 source controls mapped|4 target controls covered

Digital Services Act (DSA) - Regulation (EU) 2022/2065

8 source controls mapped|4 target controls covered

Iceland Data Protection and Processing of Personal Data Act (Act No. 90/2018)

8 source controls mapped|7 target controls covered

Spain Organic Law 3/2018 on Data Protection and Digital Rights (LOPDGDD)

8 source controls mapped|4 target controls covered

Tunisia Organic Law on Personal Data Protection (Law No. 2004-63)

8 source controls mapped|3 target controls covered

Lithuania Law on Legal Protection of Personal Data (2018)

8 source controls mapped|3 target controls covered

Netherlands GDPR Implementation Act (UAVG - Uitvoeringswet AVG, 2018)

8 source controls mapped|6 target controls covered

Latvia Personal Data Processing Law (Fizisko personu datu apstrades likums, 2018)

8 source controls mapped|7 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

8 source controls mapped|5 target controls covered

Singapore Payment Services Act (PSA) - Digital Payment Token Regulation

8 source controls mapped|6 target controls covered

Tanzania Personal Data Protection Act (Draft)

8 source controls mapped|4 target controls covered

Cayman Islands Data Protection Act 2017 (DPA)

8 source controls mapped|4 target controls covered

Brunei Personal Data Protection Order 2022 (PDPO)

8 source controls mapped|6 target controls covered

Kuwait Data Privacy Protection Regulation (KDPPR, 2021 - CMA Directive)

8 source controls mapped|4 target controls covered

Saudi PDPL

8 source controls mapped|2 target controls covered

EU Data Act

8 source controls mapped|2 target controls covered

ISPE GAMP 5 - A Risk-Based Approach to Compliant GxP Computerised Systems

8 source controls mapped|4 target controls covered

Australia My Health Records Act 2012

8 source controls mapped|5 target controls covered

Cyber Security Act 2024 (Australia)

8 source controls mapped|4 target controls covered

ECB TIBER-EU Framework

8 source controls mapped|2 target controls covered

Virginia Consumer Data Protection Act (VCDPA)

8 source controls mapped|2 target controls covered

Ghana Data Protection Act 2012 (Act 843)

8 source controls mapped|3 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

8 source controls mapped|3 target controls covered

ISO 22320:2018

8 source controls mapped|6 target controls covered

Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 6 July 2022)

8 source controls mapped|2 target controls covered

MiFID II / MiFIR

8 source controls mapped|2 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

8 source controls mapped|3 target controls covered

APRA Prudential Standard CPS 234 - Information Security (Australia)

8 source controls mapped|4 target controls covered

IAIS Insurance Core Principles (ICPs)

8 source controls mapped|2 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

8 source controls mapped|2 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

8 source controls mapped|10 target controls covered

Sigstore - Software Artifact Signing and Verification

8 source controls mapped|7 target controls covered

US Executive Order 14028 - Improving the Nation's Cybersecurity

8 source controls mapped|4 target controls covered

UK Defence Standard 05-138 - Cyber Security for Defence Suppliers

8 source controls mapped|11 target controls covered

Singapore Model AI Governance Framework (2nd Edition)

8 source controls mapped|1 target controls covered

ISO/IEC 27701:2019

8 source controls mapped|1 target controls covered

Australian Energy Sector Cyber Security Framework (AESCSF)

8 source controls mapped|13 target controls covered

TSA Pipeline Security

8 source controls mapped|12 target controls covered

IEC 60601-1 - Medical Electrical Equipment Safety

7 source controls mapped|2 target controls covered

ISO/IEC 38500:2024 - Governance of IT

7 source controls mapped|3 target controls covered

EU ePrivacy Directive (2002/58/EC)

7 source controls mapped|5 target controls covered

IFRS 17 - Insurance Contracts

7 source controls mapped|3 target controls covered

US Foreign Corrupt Practices Act (FCPA)

7 source controls mapped|1 target controls covered

ISO/IEC 27007:2020

7 source controls mapped|1 target controls covered

ISO/IEC 27004:2016

7 source controls mapped|3 target controls covered

ISO/IEC 29100:2024

7 source controls mapped|3 target controls covered

ISO/IEC 27050 - Electronic Discovery (Parts 1-4)

7 source controls mapped|1 target controls covered

US Children's Online Privacy Protection Act (COPPA) and COPPA 2.0 Proposed Updates

7 source controls mapped|1 target controls covered

COBIT 2019

7 source controls mapped|1 target controls covered

UK Building Safety Act 2022

7 source controls mapped|2 target controls covered

South Korea Korea Internet Self-Governance Organisation (KISO) Code of Ethics

7 source controls mapped|5 target controls covered

Online Safety Act 2021 (Australia)

7 source controls mapped|3 target controls covered

EU AI Liability Directive

7 source controls mapped|4 target controls covered

EU Carbon Border Adjustment Mechanism (CBAM)

7 source controls mapped|4 target controls covered

EU Energy Performance of Buildings Directive (EPBD Recast) - Draft Directive (2023/0317 COD)

7 source controls mapped|3 target controls covered

EU European Media Freedom Act (EMFA)

7 source controls mapped|5 target controls covered

Directive (EU) 2023/970 on pay transparency

7 source controls mapped|6 target controls covered

Proposal for a Directive on improving working conditions in platform work (COM(2023) 491)

7 source controls mapped|6 target controls covered

EU Product Liability Directive (Directive (EU) 2023/2845)

7 source controls mapped|6 target controls covered

EU Seveso III Directive (Directive 2012/18/EU)

7 source controls mapped|5 target controls covered

EU Taxonomy for Sustainable Activities (Regulation 2020/852)

7 source controls mapped|2 target controls covered

EU Web Accessibility Directive (Directive 2016/2102)

7 source controls mapped|3 target controls covered

Egypt Personal Data Protection Law (Law No. 151 of 2020)

7 source controls mapped|6 target controls covered

Peru Personal Data Protection Law (Law No. 29733)

7 source controls mapped|3 target controls covered

Ukraine Law on Personal Data Protection (Law No. 2297-VI)

7 source controls mapped|3 target controls covered

Ethiopia Personal Data Protection Proclamation (No. 1321/2024)

7 source controls mapped|4 target controls covered

Senegal Law on Personal Data Protection (Law No. 2008-12)

7 source controls mapped|3 target controls covered

Uzbekistan Law on Personal Data (No. ZRU-547)

7 source controls mapped|4 target controls covered

Panama Law on Personal Data Protection (Law No. 81 of 2019)

7 source controls mapped|4 target controls covered

Montenegro Law on Personal Data Protection (2023)

7 source controls mapped|6 target controls covered

Poland Act on Personal Data Protection (Ustawa o ochronie danych osobowych, 2018)

7 source controls mapped|5 target controls covered

Romania Law No. 190/2018 on Data Protection Measures (GDPR Implementation)

7 source controls mapped|6 target controls covered

Act on the Implementation of the General Data Protection Regulation (OG 42/2018)

7 source controls mapped|3 target controls covered

Luxembourg Law of 1 August 2018 on Data Protection (GDPR Implementation)

7 source controls mapped|5 target controls covered

Malta Data Protection Act (Cap. 586, 2018)

7 source controls mapped|6 target controls covered

Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016)

7 source controls mapped|4 target controls covered

Cambodia Sub-Decree on Personal Data Protection (Sub-Decree No. 134)

7 source controls mapped|6 target controls covered

UNCITRAL Model Law on Electronic Commerce (1996, updated 2005)

7 source controls mapped|4 target controls covered

Brazil Open Finance (Resolução Conjunta No. 1/2020)

7 source controls mapped|5 target controls covered

RICS Professional Standards - Data and Technology in Property

7 source controls mapped|1 target controls covered

US Americans with Disabilities Act (ADA) - Title III Digital Accessibility

7 source controls mapped|3 target controls covered

Paraguay Law on Protection of Personal Data (Law No. 6534/2020)

7 source controls mapped|4 target controls covered

Jordan Draft Personal Data Protection Law (2022)

7 source controls mapped|4 target controls covered

EU Audiovisual Media Services Directive (AVMSD, Directive 2010/13/EU as amended by Directive 2018/1808 and Directive (EU) 2023/2586)

7 source controls mapped|2 target controls covered

North Macedonia Law on Personal Data Protection (2020)

7 source controls mapped|5 target controls covered

Japan Act on Specified Commercial Transactions (ASCT) - Digital Services

7 source controls mapped|5 target controls covered

Uruguay Personal Data Protection Act (Law No. 18.331)

7 source controls mapped|5 target controls covered

Finland Data Protection Act (Tietosuojalaki, 1050/2018)

7 source controls mapped|5 target controls covered

Greece Law 4624/2019 - Hellenic Data Protection Authority (HDPA) Implementation Act

7 source controls mapped|2 target controls covered

Fiji Data Protection Bill (2020)

7 source controls mapped|5 target controls covered

Uganda Data Protection and Privacy Act (2019)

7 source controls mapped|4 target controls covered

EU Clinical Trials Regulation (CTR 536/2014)

7 source controls mapped|1 target controls covered

ISO 19650 - Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)

7 source controls mapped|3 target controls covered

Science Based Targets initiative (SBTi) Corporate Standard

7 source controls mapped|2 target controls covered

India Account Aggregator Framework (RBI)

7 source controls mapped|1 target controls covered

ISO 37000:2021 - Governance of Organizations

7 source controls mapped|3 target controls covered

Bosnia and Herzegovina Law on Protection of Personal Data (2006, amended 2011)

7 source controls mapped|3 target controls covered

Albania Law on Protection of Personal Data (Law No. 9887, 2008, amended 2014)

7 source controls mapped|3 target controls covered

Angola Personal Data Protection Law (Law No. 22/11)

7 source controls mapped|4 target controls covered

ETSI Industry Specification Group (ISG) on Quantum Key Distribution (QKD)

7 source controls mapped|5 target controls covered

South Korea Credit Information Act

7 source controls mapped|1 target controls covered

COSO Enterprise Risk Management (ERM) Framework (2017)

7 source controls mapped|2 target controls covered

Singapore Protection from Online Falsehoods and Manipulation Act (POFMA, 2019)

7 source controls mapped|3 target controls covered

Australia Online Safety Act 2021

7 source controls mapped|4 target controls covered

Jamaica Data Protection Act 2020

7 source controls mapped|3 target controls covered

Mauritius Data Protection Act 2017

7 source controls mapped|2 target controls covered

Kenya Data Protection Act 2019

7 source controls mapped|3 target controls covered

UK Construction (Design and Management) Regulations 2015 (CDM 2015)

7 source controls mapped|3 target controls covered

Danish Data Protection Act (Databeskyttelsesloven)

7 source controls mapped|4 target controls covered

South Africa Promotion of Access to Information Act (PAIA)

7 source controls mapped|1 target controls covered

Sweden Data Protection Act (Dataskyddslag, 2018:218)

7 source controls mapped|1 target controls covered

EDM Council DCAM - Data Management Capability Assessment Model

7 source controls mapped|3 target controls covered

Italy Personal Data Protection Code (Legislative Decree No. 196/2003, amended 2018)

7 source controls mapped|1 target controls covered

ECSS‑E‑ST‑40C (Space engineering - Software) and ECSS‑Q‑ST‑80C (Product assurance - Software)

7 source controls mapped|3 target controls covered

ECSS-E-ST-40C: Space Engineering - Software

7 source controls mapped|3 target controls covered

Azerbaijan Law on Personal Data (2010)

7 source controls mapped|1 target controls covered

Australia NHMRC National Statement on Ethical Conduct in Human Research

7 source controls mapped|2 target controls covered

Belgium Data Protection Act (Wet van 30 juli 2018, Loi du 30 juillet 2018)

7 source controls mapped|2 target controls covered

ITU Radio Regulations and Space Security Standards

7 source controls mapped|1 target controls covered

UK Bribery Act 2010

7 source controls mapped|3 target controls covered

Israel Protection of Privacy Law (5741-1981)

7 source controls mapped|3 target controls covered

Singapore Payment Services Act 2019 (PSA) - Digital Payment Token Provisions

7 source controls mapped|1 target controls covered

OCC Heightened Standards (12 CFR Part 30, Appendix D)

7 source controls mapped|1 target controls covered

WHO Global Strategy on Digital Health 2020-2025

7 source controls mapped|1 target controls covered

IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems

7 source controls mapped|9 target controls covered

TSA Pipeline Cybersecurity Directives

7 source controls mapped|7 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

7 source controls mapped|8 target controls covered

ISO/IEC 27010:2015

6 source controls mapped|7 target controls covered

Mexico LFPDPPP