ITIL 4

International

v4.0

38 domains

53 controls

IT Infrastructure Library for IT service management best practices

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (38)

Architecture Management

1 controls

Controls in the Architecture Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-ARC-1	Architecture Management	Provide an understanding of all the different elements that make up an organisation and how those elements interrelate,...

Availability Management

1 controls

Controls in the Availability Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-AV-1	Availability Management	Ensure that services deliver agreed levels of availability to meet the needs of customers and users by designing, measur...

Business Analysis

1 controls

Controls in the Business Analysis domain of ITIL 4 — 1 controls
Code	Title	Description
SM-BA-1	Business Analysis	Analyse a business or some element of it, define its associated needs, and recommend solutions to address these needs an...

Capacity and Performance Management

1 controls

Controls in the Capacity and Performance Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-CAP-1	Capacity and Performance Management	Ensure that services achieve agreed and expected performance, satisfying current and future demand cost-effectively thro...

Change Enablement

1 controls

Controls in the Change Enablement domain of ITIL 4 — 1 controls
Code	Title	Description
SM-CHG-1	Change Enablement	Maximise the number of successful service and product changes by ensuring that risks are properly assessed, authorising...

Continual Improvement

1 controls

Controls in the Continual Improvement domain of ITIL 4 — 1 controls
Code	Title	Description
GM-CI-1	Continual Improvement	Align organisational practices and services with changing business needs through ongoing improvement of products, servic...

Deployment Management

1 controls

Controls in the Deployment Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-DEP-1	Deployment Management	Move new or changed hardware, software, documentation, processes, or any other component to live environments, including...

IT Asset Management

1 controls

Controls in the IT Asset Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-ITAM-1	IT Asset Management	Plan and manage the full lifecycle of all IT assets to maximise value, control costs, manage risks, support decision-mak...

ITIL 4: Continual Improvement

4 controls

Ongoing improvement of IT services (ITIL 4)

Controls in the ITIL 4: Continual Improvement domain of ITIL 4 — 4 controls
Code	Title	Description
ITIL4-16	Service measurement and reporting	Service measurement and reporting. Control from ITIL 4 framework, domain: ITIL 4: Continual Improvement.
ITIL4-17	Continual improvement process	Continual improvement process. Control from ITIL 4 framework, domain: ITIL 4: Continual Improvement.
ITIL4-18	Benchmarking and maturity assessment	Benchmarking and maturity assessment. Control from ITIL 4 framework, domain: ITIL 4: Continual Improvement.
ITIL4-19	Stakeholder feedback management	Stakeholder feedback management. Control from ITIL 4 framework, domain: ITIL 4: Continual Improvement.

ITIL 4: Service Operation

5 controls

Day-to-day IT service operations (ITIL 4)

Controls in the ITIL 4: Service Operation domain of ITIL 4 — 5 controls
Code	Title	Description
ITIL4-11	Incident management	Incident management. Control from ITIL 4 framework, domain: ITIL 4: Service Operation.
ITIL4-12	Problem management	Problem management. Control from ITIL 4 framework, domain: ITIL 4: Service Operation.
ITIL4-13	Event management and monitoring	Event management and monitoring. Control from ITIL 4 framework, domain: ITIL 4: Service Operation.
ITIL4-14	Request fulfillment	Request fulfillment. Control from ITIL 4 framework, domain: ITIL 4: Service Operation.
ITIL4-15	Access management for services	Access management for services. Control from ITIL 4 framework, domain: ITIL 4: Service Operation.

ITIL 4: Service Strategy & Design

5 controls

IT service strategy and design (ITIL 4)

Controls in the ITIL 4: Service Strategy & Design domain of ITIL 4 — 5 controls
Code	Title	Description
ITIL4-01	Service portfolio management	Service portfolio management. Control from ITIL 4 framework, domain: ITIL 4: Service Strategy & Design.
ITIL4-02	Service level management	Service level management. Control from ITIL 4 framework, domain: ITIL 4: Service Strategy & Design.
ITIL4-03	Capacity and availability management	Capacity and availability management. Control from ITIL 4 framework, domain: ITIL 4: Service Strategy & Design.
ITIL4-04	IT service continuity management	IT service continuity management. Control from ITIL 4 framework, domain: ITIL 4: Service Strategy & Design.
ITIL4-05	Information security for services	Information security for services. Control from ITIL 4 framework, domain: ITIL 4: Service Strategy & Design.

ITIL 4: Service Transition

5 controls

Managing changes to IT services (ITIL 4)

Controls in the ITIL 4: Service Transition domain of ITIL 4 — 5 controls
Code	Title	Description
ITIL4-06	Change management processes	Change management processes. Control from ITIL 4 framework, domain: ITIL 4: Service Transition.
ITIL4-07	Release and deployment management	Release and deployment management. Control from ITIL 4 framework, domain: ITIL 4: Service Transition.
ITIL4-08	Service validation and testing	Service validation and testing. Control from ITIL 4 framework, domain: ITIL 4: Service Transition.
ITIL4-09	Knowledge management	Knowledge management. Control from ITIL 4 framework, domain: ITIL 4: Service Transition.
ITIL4-10	Configuration management	Configuration management. Control from ITIL 4 framework, domain: ITIL 4: Service Transition.

Incident Management

1 controls

Controls in the Incident Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-INC-1	Incident Management	Minimise the negative impact of incidents by restoring normal service operation as quickly as possible, with prioritisat...

Information Security Management

1 controls

Controls in the Information Security Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-ISM-1	Information Security Management	Protect the information needed by the organisation to conduct its business by establishing confidentiality, integrity, a...

Infrastructure and Platform Management

1 controls

Controls in the Infrastructure and Platform Management domain of ITIL 4 — 1 controls
Code	Title	Description
TM-INF-1	Infrastructure and Platform Management	Oversee the infrastructure and platforms used by an organisation, supporting the overall service delivery including hard...

Knowledge Management

1 controls

Controls in the Knowledge Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-KM-1	Knowledge Management	Maintain and improve the effective, efficient, and convenient use of information and knowledge across the organisation b...

Measurement and Reporting

1 controls

Controls in the Measurement and Reporting domain of ITIL 4 — 1 controls
Code	Title	Description
GM-MS-1	Measurement and Reporting	Support good decision-making and continual improvement by decreasing levels of uncertainty through the collection of rel...

Monitoring and Event Management

1 controls

Controls in the Monitoring and Event Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-MEM-1	Monitoring and Event Management	Systematically observe services and service components and record and report selected changes of state identified as eve...

Organizational Change Management

1 controls

Controls in the Organizational Change Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-OCM-1	Organizational Change Management	Ensure that changes in an organisation are smoothly and successfully implemented and that lasting benefits are achieved...

Portfolio Management

1 controls

Controls in the Portfolio Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-PFM-1	Portfolio Management	Ensure that the organisation has the right mix of programmes, projects, products, and services to execute its strategy w...

Problem Management

1 controls

Controls in the Problem Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-PRB-1	Problem Management	Reduce the likelihood and impact of incidents by identifying actual and potential causes of incidents and managing worka...

Project Management

1 controls

Controls in the Project Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-PM-1	Project Management	Ensure that all projects in the organisation are successfully delivered, balancing the constraints of scope, time, cost,...

Relationship Management

1 controls

Controls in the Relationship Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-REL-1	Relationship Management	Establish and nurture the links between the organisation and its stakeholders at strategic and tactical levels, includin...

Release Management

1 controls

Controls in the Release Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-REL-1	Release Management	Make new and changed services and features available for use according to agreed expectations of customers and stakehold...

Risk Management

1 controls

Controls in the Risk Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-RSK-1	Risk Management	Ensure that the organisation understands and effectively handles risks by identifying, analysing, evaluating, treating,...

Service Catalogue Management

1 controls

Controls in the Service Catalogue Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-SRV-1	Service Catalogue Management	Provide a single source of consistent information on all services and service offerings, ensuring that it is available t...

Service Configuration Management

1 controls

Controls in the Service Configuration Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SCM-1	Service Configuration Management	Ensure that accurate and reliable information about the configuration of services and the CIs that support them is avail...

Service Continuity Management

1 controls

Controls in the Service Continuity Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SCONT-1	Service Continuity Management	Ensure that service availability and performance are maintained at sufficient levels in case of a disaster, supporting o...

Service Design

1 controls

Controls in the Service Design domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SD-DES-1	Service Design	Design products and services that are fit for purpose, fit for use, and that can be delivered by the organisation and it...

Service Desk

1 controls

Controls in the Service Desk domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SD-1	Service Desk	Capture demand for incident resolution and service requests, providing a clear path for users to report issues, queries,...

Service Financial Management

1 controls

Controls in the Service Financial Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-FIN-1	Service Financial Management	Support the organisation's strategies and plans for service management by ensuring that financial resources and investme...

Service Level Management

1 controls

Controls in the Service Level Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SLM-1	Service Level Management	Set clear business-based targets for service performance so that the delivery of a service can be properly assessed, mon...

Service Request Management

1 controls

Controls in the Service Request Management domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SRM-1	Service Request Management	Support the agreed quality of a service by handling all predefined, user-initiated service requests in an effective and...

Service Validation and Testing

1 controls

Controls in the Service Validation and Testing domain of ITIL 4 — 1 controls
Code	Title	Description
SM-SVAL-1	Service Validation and Testing	Ensure that new or changed products and services meet defined requirements through structured testing approaches coverin...

Software Development and Management

1 controls

Controls in the Software Development and Management domain of ITIL 4 — 1 controls
Code	Title	Description
TM-SDM-1	Software Development and Management	Ensure that applications meet stakeholder needs in terms of functionality, reliability, maintainability, compliance, and...

Strategy Management

1 controls

Controls in the Strategy Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-STR-1	Strategy Management	Formulate the goals of the organisation and adopt the courses of action and allocation of resources necessary for achiev...

Supplier Management

1 controls

Controls in the Supplier Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-SUP-1	Supplier Management	Ensure that the organisation's suppliers and their performances are managed appropriately to support the seamless provis...

Workforce and Talent Management

1 controls

Controls in the Workforce and Talent Management domain of ITIL 4 — 1 controls
Code	Title	Description
GM-WT-1	Workforce and Talent Management	Ensure that the organisation has the right people with the appropriate skills, knowledge, and competencies in the right...

Your Compliance Coverage

If you comply with ITIL 4, you already cover:

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

5 controls mapped

Compare →

South Korea Cloud Security Assurance Program (CSAP)

5 controls mapped

Compare →

ISO 20000-1

5 controls mapped

Compare →

+ 413 more: CISA Industrial Control Systems (ICS) Security Guidance (9%), ISO 27001:2022 (9%)

See all 416 mapped frameworks ↓

Maps to 416 other frameworks

53 total controls

Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

5 source controls mapped|13 target controls covered

South Korea Cloud Security Assurance Program (CSAP)

5 source controls mapped|8 target controls covered

ISO 20000-1

5 source controls mapped|5 target controls covered

CISA Industrial Control Systems (ICS) Security Guidance

5 source controls mapped|9 target controls covered

ISO 27001:2022

5 source controls mapped|9 target controls covered

NIST SP 800-82 Rev 3 - Guide to OT Security

5 source controls mapped|9 target controls covered

CFTC System Safeguards (17 CFR 37, 38, 39, 49)

4 source controls mapped|8 target controls covered

TISAX - Trusted Information Security Assessment Exchange

4 source controls mapped|7 target controls covered

HKMA Cyber Resilience Assessment Framework (C-RAF)

4 source controls mapped|5 target controls covered

ASIC Cyber Resilience Good Practices

4 source controls mapped|6 target controls covered

FTC Safeguards Rule (16 CFR Part 314)

4 source controls mapped|8 target controls covered

FFIEC Cybersecurity Assessment Tool (CAT)

4 source controls mapped|5 target controls covered

SOC 2

4 source controls mapped|7 target controls covered

SOC for Cybersecurity - Cybersecurity Risk Management Examination

4 source controls mapped|4 target controls covered

SSAE 18 SOC 1 - Report on Controls at a Service Organisation (ICFR)

4 source controls mapped|6 target controls covered

FTC GLBA Safeguards Rule (16 CFR Part 314)

4 source controls mapped|6 target controls covered

NIST Privacy Framework 1.0

4 source controls mapped|6 target controls covered

Belgium CyberFundamentals

4 source controls mapped|10 target controls covered

CISA Zero Trust Maturity Model

4 source controls mapped|10 target controls covered

NIST SP 800-171A - Assessing CUI Security Requirements

4 source controls mapped|7 target controls covered

Spain ENS

4 source controls mapped|10 target controls covered

DO-326A / ED-202A

4 source controls mapped|9 target controls covered

Ghana Cybersecurity Act

4 source controls mapped|9 target controls covered

DoD Zero Trust Reference Architecture

4 source controls mapped|10 target controls covered

Australian Energy Sector Cyber Security Framework (AESCSF)

4 source controls mapped|6 target controls covered

BSI IT-Grundschutz

4 source controls mapped|9 target controls covered

ISO 27019

4 source controls mapped|9 target controls covered

FISMA

4 source controls mapped|10 target controls covered

IEC 62443

4 source controls mapped|9 target controls covered

BIMCO Cyber Security

4 source controls mapped|9 target controls covered

IEEE 1686

4 source controls mapped|9 target controls covered

API 1164

4 source controls mapped|9 target controls covered

ANSSI Cybersecurity Framework

4 source controls mapped|10 target controls covered

Cyber Essentials Plus

4 source controls mapped|10 target controls covered

C2M2

4 source controls mapped|9 target controls covered

Annex 11 to EU GMP - Computerised Systems

4 source controls mapped|3 target controls covered

NIST SP 800-172

4 source controls mapped|9 target controls covered

Oman National Cybersecurity Framework

4 source controls mapped|4 target controls covered

TSA Pipeline Security

4 source controls mapped|9 target controls covered

NIST SP 800-53 Rev 5

4 source controls mapped|10 target controls covered

NIST SP 1800-32

4 source controls mapped|9 target controls covered

Saudi NCA ECC

4 source controls mapped|9 target controls covered

PAS 1192-5:2015 - Security-Minded Approach to BIM and Digital Built Environments

4 source controls mapped|6 target controls covered

Canada ITSG-33 - IT Security Risk Management

4 source controls mapped|6 target controls covered

New Zealand Information Security Manual (NZISM)

4 source controls mapped|6 target controls covered

MARS-E - Minimum Acceptable Risk Standards for Exchanges

4 source controls mapped|6 target controls covered

NRC 10 CFR 73.54 - Nuclear Facility Cybersecurity

4 source controls mapped|6 target controls covered

NIS2 Directive

4 source controls mapped|10 target controls covered

NIST SP 800-171

4 source controls mapped|11 target controls covered

NIST SP 800-53A

4 source controls mapped|9 target controls covered

DORA

3 source controls mapped|8 target controls covered

US ITAR and EAR - Export Control and Data Security

3 source controls mapped|5 target controls covered

FFIEC IT Examination Handbook

3 source controls mapped|7 target controls covered

ASD Strategies to Mitigate Cyber Security Incidents

3 source controls mapped|6 target controls covered

BCBS 239

3 source controls mapped|7 target controls covered

GLBA

3 source controls mapped|7 target controls covered

EBA Guidelines on ICT and Security Risk Management (EBA/GL/2024/07)

3 source controls mapped|3 target controls covered

Singapore Government Instruction Manual on ICT&SS Management (IM8)

3 source controls mapped|5 target controls covered

US EPA Safe Drinking Water Act (SDWA) - Cybersecurity Requirements

3 source controls mapped|7 target controls covered

APRA CPS 234

3 source controls mapped|7 target controls covered

EIOPA Guidelines on ICT Security and Governance (EIOPA‑BoS‑23/146, 2023)

3 source controls mapped|6 target controls covered

Telecommunications Sector Security Reforms (TSSR)

3 source controls mapped|6 target controls covered

Defence Security Principles Framework (DSPF)

3 source controls mapped|11 target controls covered

Protective Security Policy Framework (PSPF) Release 2024

3 source controls mapped|10 target controls covered

UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities

3 source controls mapped|3 target controls covered

HKMA SPM

3 source controls mapped|7 target controls covered

Regulation (EU) 2019/1239 on the Maritime Single Window (MSW)

3 source controls mapped|2 target controls covered

SWIFT CSP

3 source controls mapped|7 target controls covered

Open Banking Security

3 source controls mapped|7 target controls covered

MAS TRM

3 source controls mapped|7 target controls covered

OSFI B-13

3 source controls mapped|7 target controls covered

PCI PIN Security

3 source controls mapped|7 target controls covered

PSD2 SCA

3 source controls mapped|7 target controls covered

SWIFT CSCF

3 source controls mapped|7 target controls covered

PCI SSF

3 source controls mapped|7 target controls covered

AICPA SOC 1

3 source controls mapped|7 target controls covered

PCI P2PE

3 source controls mapped|7 target controls covered

NIST Cybersecurity Framework 2.0

3 source controls mapped|7 target controls covered

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming - European Union)

3 source controls mapped|7 target controls covered

SSAE 18 - Attestation Standards (SOC Reporting)

3 source controls mapped|5 target controls covered

NYDFS Cybersecurity Regulation (23 NYCRR Part 500)

3 source controls mapped|7 target controls covered

AICPA SOC 3

3 source controls mapped|7 target controls covered

CAIQ (CSA)

3 source controls mapped|4 target controls covered

ISO 27017

3 source controls mapped|4 target controls covered

ISMAP (Japan)

3 source controls mapped|4 target controls covered

Azure Security Benchmark

3 source controls mapped|4 target controls covered

ISO 27018

3 source controls mapped|4 target controls covered

AWS Well-Architected Security Pillar

3 source controls mapped|4 target controls covered

US Gramm-Leach-Bliley Act (GLBA) - Higher Education Safeguards Rule

3 source controls mapped|7 target controls covered

HIPAA Security Rule

3 source controls mapped|6 target controls covered

C5 (Germany)

3 source controls mapped|4 target controls covered

MTCS (Singapore)

3 source controls mapped|4 target controls covered

NIST SP 800-190

3 source controls mapped|4 target controls covered

NERC CIP

3 source controls mapped|6 target controls covered

UK Gambling Commission - Cyber Resilience Requirements

3 source controls mapped|4 target controls covered

NRF Cybersecurity and Data Privacy Framework (National Retail Federation)

3 source controls mapped|5 target controls covered

NIST SP 800-145

3 source controls mapped|4 target controls covered

NIST SP 800-144

3 source controls mapped|4 target controls covered

NIST SP 800-146

3 source controls mapped|4 target controls covered

ASD Information Security Manual (ISM)

3 source controls mapped|9 target controls covered

UK Defence Standard 05-138 - Cyber Security for Defence Suppliers

3 source controls mapped|4 target controls covered

IACS Unified Requirements E26/E27 - Cyber Resilience of Ships and On-Board Systems

3 source controls mapped|4 target controls covered

OWASP DevSecOps Maturity Model (DSOMM)

3 source controls mapped|5 target controls covered

NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements

3 source controls mapped|5 target controls covered

FedRAMP Rev 5

3 source controls mapped|10 target controls covered

CNCF Security Technical Advisory Group (TAG)

3 source controls mapped|4 target controls covered

South Korea ISMS-P

3 source controls mapped|4 target controls covered

AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)

3 source controls mapped|6 target controls covered

OWASP Top 10:2025

3 source controls mapped|4 target controls covered

PCI DSS v4.0

3 source controls mapped|6 target controls covered

DISA Security Technical Implementation Guides (STIGs)

3 source controls mapped|7 target controls covered

FAA Cybersecurity Framework for Aviation

3 source controls mapped|4 target controls covered

SWIFT Customer Security Programme (CSP)

3 source controls mapped|4 target controls covered

IAEA Nuclear Security Series - Computer Security at Nuclear Facilities (NSS-17-T Rev 1)

3 source controls mapped|3 target controls covered

Proposal for a Regulation on Cyber Resilience Act (CRA)

2 source controls mapped|6 target controls covered

Notifiable Data Breaches Scheme (Australia)

2 source controls mapped|4 target controls covered

EU Digital Markets Act

2 source controls mapped|4 target controls covered

FTC Health Breach Notification Rule

2 source controls mapped|4 target controls covered

UK Product Security and Telecommunications Infrastructure Act (PSTI)

2 source controls mapped|4 target controls covered

EAR - Export Administration Regulations

2 source controls mapped|4 target controls covered

European Accessibility Act (Directive (EU) 2019/882)

2 source controls mapped|4 target controls covered

Regulation (EU) 2023/1115 on deforestation-free supply chains

2 source controls mapped|4 target controls covered

Ontario Accessibility for Ontarians with Disabilities Act (AODA) - IASR Web Standard

2 source controls mapped|4 target controls covered

NIS2 Directive (Directive (EU) 2022/2555)

2 source controls mapped|5 target controls covered

US SEC Digital Assets and Crypto Regulatory Framework

2 source controls mapped|4 target controls covered

Australia Consumer Data Right - Banking (CDR)

2 source controls mapped|5 target controls covered

Australia eSafety Commissioner - Online Safety Expectations for Industry

2 source controls mapped|4 target controls covered

GLI-33 - Gaming Laboratories International Event Wagering Systems

2 source controls mapped|5 target controls covered

ASIS SPC.1-2009 - Organizational Resilience Standard

2 source controls mapped|4 target controls covered

IEC 62351 - Power Systems Communication Security

2 source controls mapped|3 target controls covered

NATO AQAP 2110 - Quality Assurance Requirements for Design, Development, and Production

2 source controls mapped|2 target controls covered

Digital Economy Partnership Agreement (DEPA)

2 source controls mapped|2 target controls covered

Bermuda Monetary Authority (BMA) Cyber Risk Management Code of Conduct

2 source controls mapped|4 target controls covered

IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)

2 source controls mapped|2 target controls covered

India CERT-In Cyber Security Directions 2022

2 source controls mapped|2 target controls covered

COSO Internal Control - Integrated Framework (2013)

2 source controls mapped|2 target controls covered

ASEAN Data Management Framework

2 source controls mapped|2 target controls covered

Voluntary Principles on Security and Human Rights (VPs)

2 source controls mapped|2 target controls covered

O-RAN Alliance Security Specifications (O-RAN.WG11)

2 source controls mapped|2 target controls covered

ITU-T X.805 - Security Architecture for End-to-End Communications

2 source controls mapped|2 target controls covered

SASB Standards (ISSB Integrated)

2 source controls mapped|2 target controls covered

SASB Standards

2 source controls mapped|2 target controls covered

NIST Privacy Framework Version 1.0

2 source controls mapped|3 target controls covered

Nevada Gaming Control Board Cybersecurity Requirements

2 source controls mapped|4 target controls covered

Lloyd's Minimum Standards - Cyber Security

2 source controls mapped|4 target controls covered

Security of Critical Infrastructure Act 2018 (SOCI)

2 source controls mapped|5 target controls covered

TEFCA - Trusted Exchange Framework and Common Agreement

2 source controls mapped|2 target controls covered

UK Security and Emergency Measures Direction (SEMD) - Water Industry

2 source controls mapped|5 target controls covered

DAMA-DMBOK2 - Data Management Body of Knowledge (2nd Edition)

2 source controls mapped|3 target controls covered

UK Open Banking Standard

2 source controls mapped|3 target controls covered

MTCS - Multi-Tier Cloud Security (Singapore)

2 source controls mapped|1 target controls covered

IEC 62304:2015 Medical Device Software Lifecycle Processes

2 source controls mapped|4 target controls covered

ISO 26262:2018 - Functional Safety for Road Vehicles

2 source controls mapped|2 target controls covered

DO-178C / ED-12C - Software Considerations in Airborne Systems

2 source controls mapped|2 target controls covered

FBI CJIS Security Policy

2 source controls mapped|4 target controls covered

OWASP API Security Top 10:2023

2 source controls mapped|2 target controls covered

ISO/IEC 27400:2022

2 source controls mapped|2 target controls covered

HL7 FHIR Security Framework

2 source controls mapped|3 target controls covered

PropTech Security Standards - Smart Building Cybersecurity

2 source controls mapped|3 target controls covered

US NRC 10 CFR 73.54 - Cyber Security for Nuclear Power Plants

2 source controls mapped|2 target controls covered

Indonesia PDP Law

2 source controls mapped|3 target controls covered

APPI

2 source controls mapped|3 target controls covered

C-TPAT - Customs-Trade Partnership Against Terrorism

2 source controls mapped|4 target controls covered

CCPA/CPRA

2 source controls mapped|3 target controls covered

Law 1581 of 2012 - Statutory Framework for the Protection of Personal Data

2 source controls mapped|4 target controls covered

ISO 27701

2 source controls mapped|3 target controls covered

FERPA

2 source controls mapped|3 target controls covered

Iceland DPA

2 source controls mapped|3 target controls covered

CIS Controls v8

2 source controls mapped|2 target controls covered

Delaware Online Privacy and Protection Act (proposed)

2 source controls mapped|3 target controls covered

Indiana Consumer Data Protection Act

2 source controls mapped|3 target controls covered

Switzerland FADP

2 source controls mapped|3 target controls covered

Defence Industry Security Program (DISP)

2 source controls mapped|3 target controls covered

Customs-Trade Partnership Against Terrorism (C-TPAT)

2 source controls mapped|3 target controls covered

ISO 28001:2007 Supply Chain Security Management

2 source controls mapped|3 target controls covered

COPPA

2 source controls mapped|3 target controls covered

Law No. 172-13 on the Protection of Personal Data

2 source controls mapped|3 target controls covered

Argentina PDPA

2 source controls mapped|3 target controls covered

CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0

2 source controls mapped|4 target controls covered

India DPDP Act

2 source controls mapped|3 target controls covered

Chile DPL

2 source controls mapped|3 target controls covered

CTDPA (Connecticut Data Privacy Act)

2 source controls mapped|3 target controls covered

Iowa Consumer Data Protection Act

2 source controls mapped|3 target controls covered

LGPD

2 source controls mapped|4 target controls covered

BSI C5 - Cloud Computing Compliance Criteria Catalogue

2 source controls mapped|2 target controls covered

Bahrain PDPL

2 source controls mapped|3 target controls covered

CSA STAR (Security, Trust, Assurance, and Risk)

2 source controls mapped|2 target controls covered

Privacy Act 1988 (Australia)

2 source controls mapped|3 target controls covered

ISO/IEC 27010:2015

2 source controls mapped|3 target controls covered

Ley Orgánica de Protección de Datos Personales (LOPDP)

2 source controls mapped|3 target controls covered

Australian Information Security Manual

2 source controls mapped|2 target controls covered

HITECH Act

2 source controls mapped|2 target controls covered

Colorado Privacy Act

2 source controls mapped|3 target controls covered

Oregon Consumer Privacy Act

2 source controls mapped|3 target controls covered

Minnesota Consumer Data Privacy Act

2 source controls mapped|3 target controls covered

PIPEDA

2 source controls mapped|3 target controls covered

New Zealand Privacy Act

2 source controls mapped|3 target controls covered

Rwanda DPL

2 source controls mapped|3 target controls covered

Malaysia PDPA 2010

2 source controls mapped|3 target controls covered

UAE PDPL

2 source controls mapped|3 target controls covered

Qatar DPL

2 source controls mapped|3 target controls covered

Nigeria NDPR

2 source controls mapped|3 target controls covered

Kenya DPA

2 source controls mapped|3 target controls covered

Kenya Data Protection Act

2 source controls mapped|3 target controls covered

NIST SP 800-122

2 source controls mapped|3 target controls covered

NIS2 Directive Implementing Acts

2 source controls mapped|6 target controls covered

Uruguay DPL

2 source controls mapped|3 target controls covered

China PIPL

2 source controls mapped|3 target controls covered

POPIA

2 source controls mapped|3 target controls covered

Liechtenstein DPA

2 source controls mapped|3 target controls covered

Mauritius DPA

2 source controls mapped|3 target controls covered

CCSDS 350.0-G-3 - Space Communications Security (Consultative Committee for Space Data Systems)

2 source controls mapped|2 target controls covered

Nebraska Data Privacy Act

2 source controls mapped|3 target controls covered

Tennessee IPA

2 source controls mapped|3 target controls covered

RBI Cybersecurity Framework for Banks

2 source controls mapped|2 target controls covered

Vietnam PDPD

2 source controls mapped|3 target controls covered

Jamaica DPA

2 source controls mapped|3 target controls covered

Taiwan PDPA

2 source controls mapped|3 target controls covered

Philippines Data Privacy Act (RA 10173)

2 source controls mapped|4 target controls covered

UK Telecommunications (Security) Act 2021

2 source controls mapped|8 target controls covered

Kentucky Consumer Data Protection Act

2 source controls mapped|3 target controls covered

New Hampshire Privacy Act

2 source controls mapped|3 target controls covered

South Korea PIPA

2 source controls mapped|3 target controls covered

Bermuda Personal Information Protection Act 2016 (PIPA)

2 source controls mapped|3 target controls covered

TSA Pipeline Cybersecurity Directives

2 source controls mapped|2 target controls covered

Peru DPL

2 source controls mapped|3 target controls covered

Mexico LFPDPPP

2 source controls mapped|3 target controls covered

PDPA Thailand

2 source controls mapped|3 target controls covered

Turkey KVKK

2 source controls mapped|3 target controls covered

Turkey Personal Data Protection Law (KVKK - Law No. 6698)

2 source controls mapped|3 target controls covered

Texas Data Privacy Act

2 source controls mapped|3 target controls covered

UK Data Protection Act 2018

2 source controls mapped|3 target controls covered

Norway PDPA

2 source controls mapped|3 target controls covered

Saudi Arabia PDPL

2 source controls mapped|3 target controls covered

IRS Publication 1075 - Tax Information Security Guidelines

2 source controls mapped|2 target controls covered

Maryland Online Data Privacy Act

2 source controls mapped|3 target controls covered

PDPA Singapore

2 source controls mapped|3 target controls covered

Philippines DPA

2 source controls mapped|3 target controls covered

New Jersey Data Privacy Act

2 source controls mapped|3 target controls covered

Utah Consumer Privacy Act

2 source controls mapped|3 target controls covered

Virginia CDPA

2 source controls mapped|3 target controls covered

Montana Consumer Data Privacy Act

2 source controls mapped|3 target controls covered

ILO Nursing Personnel Convention C149 (1977)

1 source controls mapped|2 target controls covered

6th Anti-Money Laundering Directive (AMLD6, Directive (EU) 2018/1673) - superseded by AMLD7

1 source controls mapped|2 target controls covered

ISO 8000 - Data Quality

1 source controls mapped|2 target controls covered

FATF Recommendation 16 - Virtual Asset Travel Rule

1 source controls mapped|2 target controls covered

Privacy by Design (PbD) - Seven Foundational Principles

1 source controls mapped|2 target controls covered

BS 65000:2014 - Guidance on Organizational Resilience

1 source controls mapped|3 target controls covered

CDP Climate Change Questionnaire (Corporate Disclosure)

1 source controls mapped|2 target controls covered

ISO/IEC 38500:2024 - Governance of IT

1 source controls mapped|1 target controls covered

Critical Infrastructure Risk Management Program (CIRMP) Rules 2023

1 source controls mapped|2 target controls covered

COBIT 2019

1 source controls mapped|1 target controls covered

ISO/IEC 27007:2020

1 source controls mapped|1 target controls covered

EU AI Act

1 source controls mapped|1 target controls covered

ISO/IEC 27031:2011

1 source controls mapped|2 target controls covered

ISO/IEC 25012:2008 - Data Quality Model

1 source controls mapped|1 target controls covered

FDA Quality Management System Regulation (QMSR)

1 source controls mapped|1 target controls covered

ISO 42001

1 source controls mapped|1 target controls covered

EU Taxonomy Regulation (Regulation 2020/852)

1 source controls mapped|1 target controls covered

EU Taxonomy Regulation

1 source controls mapped|2 target controls covered

Australia AI Ethics Framework

1 source controls mapped|1 target controls covered

IRM Enterprise Risk Management Framework (Institute of Risk Management)

1 source controls mapped|3 target controls covered

TNFD Recommendations

1 source controls mapped|3 target controls covered

AASB S2 Climate-related Disclosures

1 source controls mapped|3 target controls covered

Administrative Measures for the Security Assessment of Generative AI Services (2023) and Algorithmic Recommendation Management Provisions (2022)

1 source controls mapped|1 target controls covered

Brazil AI Framework

1 source controls mapped|1 target controls covered

IEEE 7000

1 source controls mapped|1 target controls covered

US OFAC Sanctions Compliance Framework

1 source controls mapped|1 target controls covered

OECD AI Principles

1 source controls mapped|1 target controls covered

WELL Building Standard v2 (International WELL Building Institute)

1 source controls mapped|1 target controls covered

SEC Climate Disclosure Rule

1 source controls mapped|1 target controls covered

Right to Disconnect (Australia)

1 source controls mapped|1 target controls covered

UK FCA/PRA Operational Resilience Framework

1 source controls mapped|3 target controls covered

NATO Cyber Defence Standards and NCIRC (NATO Computer Incident Response Capability)

1 source controls mapped|1 target controls covered

Japan AI Guidelines

1 source controls mapped|1 target controls covered

UK AI Regulation Framework

1 source controls mapped|1 target controls covered

Singapore AI Governance Framework

1 source controls mapped|1 target controls covered

South Africa Promotion of Access to Information Act (PAIA)

1 source controls mapped|1 target controls covered

ECB TIBER-EU Framework

1 source controls mapped|1 target controls covered

EDM Council DCAM - Data Management Capability Assessment Model

1 source controls mapped|1 target controls covered

ISO 37301

1 source controls mapped|1 target controls covered

ISO 37001

1 source controls mapped|1 target controls covered

ISO 30401

1 source controls mapped|1 target controls covered

ISO 55001

1 source controls mapped|1 target controls covered

ISO 19011

1 source controls mapped|1 target controls covered

ISPE GAMP 5 - A Risk-Based Approach to Compliant GxP Computerised Systems

1 source controls mapped|1 target controls covered

ISO 9001

1 source controls mapped|1 target controls covered

ICH Q10 - Pharmaceutical Quality System

1 source controls mapped|1 target controls covered

GAMP 5 - Good Automated Manufacturing Practice

1 source controls mapped|1 target controls covered

ECSS-E-ST-40C: Space Engineering - Software

1 source controls mapped|2 target controls covered

ECSS‑E‑ST‑40C (Space engineering - Software) and ECSS‑Q‑ST‑80C (Product assurance - Software)

1 source controls mapped|2 target controls covered

AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence

1 source controls mapped|1 target controls covered

AS9100D - Aerospace Quality Management System

1 source controls mapped|1 target controls covered

ISO/IEC 27003:2017

1 source controls mapped|1 target controls covered

Secure by Design: A Guide for Manufacturers (CISA)

1 source controls mapped|1 target controls covered

Automotive SPICE (ASPICE) v4.0 - Process Assessment Model

1 source controls mapped|1 target controls covered

APRA CPS 230 Operational Risk Management

1 source controls mapped|1 target controls covered

ISO 22320:2018

1 source controls mapped|3 target controls covered

Switzerland New Federal Act on Data Protection (nFADP/nDSG, 2023)

1 source controls mapped|1 target controls covered

APRA Prudential Standard CPS 234 - Information Security (Australia)

1 source controls mapped|3 target controls covered

China Cybersecurity Law (CSL)

1 source controls mapped|2 target controls covered

NIST AI Risk Management Framework (AI RMF 1.0)

1 source controls mapped|2 target controls covered

NIST AI 600-1 Generative AI Profile

1 source controls mapped|2 target controls covered

FIRST CSIRT Services Framework and Standards

1 source controls mapped|3 target controls covered

CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act)

1 source controls mapped|1 target controls covered

Singapore Cybersecurity Act 2018

1 source controls mapped|1 target controls covered

Cyber Security Act 2024 (Australia)

1 source controls mapped|3 target controls covered

Kuwait Data Privacy Protection Regulation (KDPPR, 2021 - CMA Directive)

1 source controls mapped|1 target controls covered

Laos Law on Prevention and Combating Cybercrime (2015)

1 source controls mapped|2 target controls covered

Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL)

1 source controls mapped|1 target controls covered

GDPR

1 source controls mapped|1 target controls covered

Vietnam Law on Cybersecurity (No. 24/2018/QH14)

1 source controls mapped|1 target controls covered

Estonia Personal Data Protection Act (Isikuandmete kaitse seadus, 2019)

1 source controls mapped|1 target controls covered

EU Better Internet for Kids (BIK+) Strategy

1 source controls mapped|1 target controls covered

ISO/IEC 30111:2019

1 source controls mapped|2 target controls covered

ISO/IEC 29147:2018

1 source controls mapped|1 target controls covered

EU In Vitro Diagnostic Medical Devices Regulation (IVDR)

1 source controls mapped|1 target controls covered

EU Markets in Crypto-Assets Regulation (MiCA, Regulation 2023/1114)

1 source controls mapped|1 target controls covered

Rwanda Law No. 058/2021 Relating to the Protection of Personal Data

1 source controls mapped|1 target controls covered

Serbia Law on Personal Data Protection (2018)

1 source controls mapped|1 target controls covered

China Data Security Law (DSL)

1 source controls mapped|1 target controls covered

EASA Part-IS - Information Security in Aviation

1 source controls mapped|3 target controls covered

ASEAN Guide on AI Governance and Ethics

1 source controls mapped|1 target controls covered

Pakistan Personal Data Protection Bill 2023

1 source controls mapped|1 target controls covered

Chile Personal Data Protection Law (Law No. 21.719)

1 source controls mapped|1 target controls covered

US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements

1 source controls mapped|2 target controls covered

Barbados Data Protection Act 2019

1 source controls mapped|1 target controls covered

PCI DSS 4.0

1 source controls mapped|1 target controls covered

DFARS 252.204-7012 - Safeguarding Covered Defense Information

1 source controls mapped|1 target controls covered

SANS Incident Handler's Handbook and PICERL Methodology

1 source controls mapped|3 target controls covered

Singapore Payment Services Act (PSA) - Digital Payment Token Regulation

1 source controls mapped|2 target controls covered

Ghana Data Protection Act 2012 (Act 843)

1 source controls mapped|1 target controls covered

Czech Republic Act on the Protection of Personal Data (Act No. 110/2019 Coll.)

1 source controls mapped|1 target controls covered

Botswana Data Protection Act (2024)

1 source controls mapped|1 target controls covered

Zambia Data Protection Act (2021)

1 source controls mapped|2 target controls covered

BREEAM - Building Research Establishment Environmental Assessment Method

1 source controls mapped|1 target controls covered

AICPA Privacy Management Framework (PMF)

1 source controls mapped|1 target controls covered

NFPA 1600 - Standard on Continuity, Emergency, and Crisis Management

1 source controls mapped|1 target controls covered

French Sapin II Law (Law No. 2016-1691)

1 source controls mapped|1 target controls covered

Nigeria Open Banking Regulatory Framework (CBN, 2023)

1 source controls mapped|1 target controls covered

Japan FSA Cybersecurity Guidelines for Financial Institutions

1 source controls mapped|2 target controls covered

NIST SP 800-124 Rev 2 - Mobile Device Security

1 source controls mapped|1 target controls covered

Papua New Guinea National Cybersecurity Policy & Cybercrime Act (2016)

1 source controls mapped|1 target controls covered

Kuwait National Cybersecurity Framework

1 source controls mapped|1 target controls covered

RFC 2350 - Expectations for Computer Security Incident Response (BCP 21)

1 source controls mapped|3 target controls covered

US Executive Order 14028 - Improving the Nation's Cybersecurity

1 source controls mapped|1 target controls covered

Nigeria Data Protection Act 2023 (NDPA)

1 source controls mapped|1 target controls covered

UK Modern Slavery Act 2015

1 source controls mapped|1 target controls covered

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA)

1 source controls mapped|1 target controls covered

Philippines Cybercrime Prevention Act (RA 10175)

1 source controls mapped|1 target controls covered

Canada's Anti-Spam Legislation (CASL)

1 source controls mapped|1 target controls covered

Bank Secrecy Act / Anti-Money Laundering (BSA/AML)

1 source controls mapped|1 target controls covered

Tanzania Personal Data Protection Act (Draft)

1 source controls mapped|1 target controls covered

Trinidad and Tobago Data Protection Act 2011

1 source controls mapped|1 target controls covered

Cayman Islands Data Protection Act 2017 (DPA)

1 source controls mapped|1 target controls covered

Latvia Personal Data Processing Law (Fizisko personu datu apstrades likums, 2018)

1 source controls mapped|1 target controls covered

Brunei Personal Data Protection Order 2022 (PDPO)

1 source controls mapped|1 target controls covered

Zimbabwe Data Protection Act (2021)

1 source controls mapped|1 target controls covered

UK GDPR (UK General Data Protection Regulation)

1 source controls mapped|1 target controls covered

Sri Lanka Personal Data Protection Act (No. 9 of 2022)

1 source controls mapped|1 target controls covered

WCO Authorised Economic Operator (AEO) Framework

1 source controls mapped|3 target controls covered

WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)

1 source controls mapped|2 target controls covered

Critical Raw Materials Act (Proposed Regulation COM(2023) 192)

1 source controls mapped|2 target controls covered

EU Chips Act (Regulation (EU) 2023/1781)

1 source controls mapped|2 target controls covered

EU Cyber Solidarity Act (Regulation (EU) 2025/38)

1 source controls mapped|1 target controls covered

ETSI EN 303 645

1 source controls mapped|3 target controls covered

EDM Council CDMC - Cloud Data Management Capability Framework

1 source controls mapped|1 target controls covered

BSIMM

1 source controls mapped|3 target controls covered

California IoT Security Law

1 source controls mapped|3 target controls covered

MITRE D3FEND

1 source controls mapped|3 target controls covered

ISO 27043

1 source controls mapped|3 target controls covered

FDA 21 CFR Part 11

1 source controls mapped|3 target controls covered

OWASP ASVS

1 source controls mapped|3 target controls covered

ISO 27002:2022

1 source controls mapped|3 target controls covered

ISO 13485

1 source controls mapped|3 target controls covered

ISO 27799

1 source controls mapped|3 target controls covered

3GPP Security

1 source controls mapped|3 target controls covered

ISO/IEC 27011:2024

1 source controls mapped|2 target controls covered

ISO/SAE 21434

1 source controls mapped|3 target controls covered

ICAO Annex 17 - Aviation Security (AVSEC)

1 source controls mapped|1 target controls covered

EU Data Act

1 source controls mapped|1 target controls covered

US Consumer Product Safety Commission (CPSC) - Connected Product Safety

1 source controls mapped|1 target controls covered

OWASP SAMM

1 source controls mapped|3 target controls covered

UNECE WP.29 R155

1 source controls mapped|3 target controls covered

OWASP MASVS

1 source controls mapped|3 target controls covered

NIST SP 800-218

1 source controls mapped|3 target controls covered

NIST SP 800-150

1 source controls mapped|3 target controls covered

SSDF (NIST)

1 source controls mapped|3 target controls covered

NAIC Insurance Data Security Model Law (MDL-668)

1 source controls mapped|2 target controls covered

PTES

1 source controls mapped|3 target controls covered

SIG (Shared Assessments)

1 source controls mapped|3 target controls covered

Sigstore - Software Artifact Signing and Verification

1 source controls mapped|3 target controls covered

NIST SP 800-207

1 source controls mapped|3 target controls covered

NIST SP 800-128

1 source controls mapped|3 target controls covered

UNECE WP.29 R156

1 source controls mapped|3 target controls covered

NIST SP 800-63

1 source controls mapped|3 target controls covered

SLSA

1 source controls mapped|3 target controls covered

NIST SP 800-92

1 source controls mapped|3 target controls covered

NIST SP 800-137

1 source controls mapped|3 target controls covered

UK PSTI Act

1 source controls mapped|3 target controls covered

OpenSSF Scorecard

1 source controls mapped|3 target controls covered

MDS2 (Medical Device)

1 source controls mapped|3 target controls covered

NIST SP 800-66

1 source controls mapped|3 target controls covered

NIST SP 800-123

1 source controls mapped|3 target controls covered

NIST SP 800-187

1 source controls mapped|3 target controls covered

MITRE ATT&CK

1 source controls mapped|3 target controls covered

NIST SP 800-88

1 source controls mapped|3 target controls covered

NIST SP 800-160

1 source controls mapped|3 target controls covered

NIST SP 800-161

1 source controls mapped|3 target controls covered

NIST SP 800-183

1 source controls mapped|3 target controls covered

NIST SP 800-61

1 source controls mapped|3 target controls covered

MARS-E

1 source controls mapped|3 target controls covered

NIST SP 800-181

1 source controls mapped|3 target controls covered

NIST SP 800-115

1 source controls mapped|3 target controls covered

IATA Operational Safety Audit (IOSA) Standards Manual

1 source controls mapped|1 target controls covered

Australia My Health Records Act 2012

1 source controls mapped|1 target controls covered

Compare ITIL 4 with Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1

Frequently Asked Questions

What is ITIL 4?

ITIL 4 is a compliance framework from International with 38 domains and 53 controls. IT Infrastructure Library for IT service management best practices It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ITIL 4 have?

ITIL 4 has 53 controls organised across 38 domains. The largest domains are ITIL 4: Service Operation (5 controls), ITIL 4: Service Strategy & Design (5 controls), ITIL 4: Service Transition (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ITIL 4 map to?

ITIL 4 maps to 416 other compliance frameworks. The top mapping partners are Cloud Security Alliance Cloud Controls Matrix (CCM) v4.0.1 (9% coverage), South Korea Cloud Security Assurance Program (CSAP) (9% coverage), ISO 20000-1 (9% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with ITIL 4 compliance?

Start your ITIL 4 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ITIL 4 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 53 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required