Framework Mappings
OSA controls are mapped to major compliance and governance frameworks. Select a framework to see which controls apply, or start from a control to see its framework coverage.
10 CFR 73.54
US Nuclear Regulatory Commission mandatory cybersecurity regulation for nuclear power reactor licensees. Requires protection of Critical Digital Assets (CDAs) associated with safety-related, important-to-safety, security, and emergency preparedness functions from cyber attacks up to and including the Design Basis Threat. Implements defense-in-depth through a 5-level security architecture per NRC Regulatory Guide 5.71. Covers technical, operational, and management controls with NRC-approved Cyber Security Plans, ongoing assessment, and integration with physical protection programs.
ANSSI
French national cybersecurity guidelines from the Agence nationale de la sécurité des systèmes d'information (ANSSI). Includes the 42-measure Hygiene Guide (cyber hygiene essentials), the Référentiel Général de Sécurité (RGS, government IS security framework), and SecNumCloud 3.2 (cloud security qualification for trusted cloud providers).
API 1164
Industry standard for cybersecurity of pipeline SCADA and control systems in the oil and natural gas sector. 12 requirement areas covering risk management, security architecture, access control, system integrity, data protection, monitoring and detection, incident response, business continuity, supply chain security, personnel security, physical security, and compliance assessment. Aligned with NIST CSF and TSA Pipeline Security Directives. Used by pipeline operators for control system cybersecurity programs.
APRA CPS 234
Mandatory prudential standard for all APRA-regulated entities in Australia (banks, insurers, superannuation funds). Requires information security capability, policy frameworks, asset classification, control implementation, incident management, testing of control effectiveness, and 72-hour APRA breach notification.
ASD Essential Eight
Eight prioritised mitigation strategies from the Australian Signals Directorate, each assessed at four maturity levels (0-3). The eight strategies are application control, patching applications, patching operating systems, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups.
AWIA
Federal law requiring community water systems serving more than 3,300 people to conduct risk and resilience assessments and develop emergency response plans covering cybersecurity. Complemented by AWWA cybersecurity guidance covering governance, asset management, access control, network security, detection and monitoring, incident response, supply chain management, and workforce security. Overseen by EPA with 5-year reassessment cycles. Addresses unique water utility challenges including distributed infrastructure, small utility resource constraints, and treatment process safety.
Basel SCO60
Basel Committee standard for the prudential treatment of banks' cryptoasset exposures, effective January 2026. Covers classification of cryptoassets (Group 1a tokenised traditional assets, Group 1b stablecoins, Group 2 unbacked crypto), capital requirements, credit and market risk, operational risk including custody and key management requirements for DLT infrastructure, disclosure obligations, and exposure limits. Applies to all internationally active banks.
BCBS 239
Basel Committee principles establishing expectations for risk data aggregation and reporting capabilities at global systemically important banks (G-SIBs). 14 principles across 4 domains: overarching governance and infrastructure, risk data aggregation capabilities, risk reporting practices, and supervisory review. Focused on data quality, timeliness, and accuracy rather than cybersecurity controls per se.
BIO2
Mandatory information security baseline for all Dutch government organisations at all levels: central government, provinces, municipalities, and water authorities. Aligned with ISO/IEC 27002:2022 with 93 controls plus government-specific measures (overheidsmaatregelen). Integrates NIS2 Article 21 requirements and supports ENSIA audit compliance. Replaces BIO 1.04 with a risk-based approach.
BoG CISD
Comprehensive 131-page directive mandating cybersecurity requirements for all banks, specialised deposit-taking institutions, payment systems, and fintech companies in Ghana. 20 sections covering governance, risk management, audit, asset management, cyber defence, incident response, access control, electronic banking, cyber exercises, external connections, cloud services, physical security, HR management, contractual requirements, ISMS/ISO 27001 certification, business continuity, compliance, and secure development. Requires mandatory ISO 27001 certification.
BoM CTRM
Comprehensive technology risk management guideline for all banks and non-bank deposit-taking institutions licensed by the Bank of Mauritius. 5 parts (governance, identification, protection, detection, response and recovery) across 26 sections covering board oversight, CISO, technology strategy, risk framework, control functions, network and infrastructure security, logical security, encryption, physical security, change management, technology refresh, people, third-party management, data hosting, secure coding, threat intelligence, monitoring, vulnerability testing, incident management, BCP/DRP, and technology audit. Structured around NIST CSF five-function model.
BOT Cyber Resilience
Bank of Thailand mandatory cyber resilience guidelines for all BOT-regulated financial institutions. 26 requirements across governance and oversight, identification (asset management, risk assessment, threat intelligence), protection (access control, data security, network security, application security, change management), detection (monitoring, vulnerability assessment, penetration testing), and response and recovery (incident management, business continuity, crisis communication, lessons learned). Structured around NIST CSF five-function model with BOT-specific supervisory expectations.
BSI IT-Grundschutz
Comprehensive German cybersecurity methodology from the Federal Office for Information Security (BSI). Covers 111 modules across process, system, network, application, infrastructure, operations, and detection/response layers. Widely adopted across German government, critical infrastructure, and enterprise.
BSSC Standards
Industry-led security standards for blockchain infrastructure, published May 2025. Four complementary standards: Node Operation Standard (NOS) for blockchain node security and resilience, Token Integration Standard (TIS) for digital asset integration and governance, Key Management Standard (KMS) for cryptographic key handling and wallet custody, and General Security & Privacy Standard (GSP) for baseline risk management. Founded by Anchorage Digital, Coinbase, Kraken, Fireblocks, Halborn, and OpenZeppelin.
CBB TM
Mandatory technology governance and cybersecurity requirements for all CBB-licensed financial institutions in Bahrain. 16 sections covering board oversight, IT governance, information security, risk management, operations, access control, application and network security, data security, physical security, vulnerability management, SOC, incident response, BCM/DR, third-party management, and regulatory reporting.
CBE CSF
Mandatory cybersecurity framework for all banks, financial institutions, and payment service providers regulated by the Central Bank of Egypt. 5 functions (governance, risk management, technology and operations, cyber defence, outsourcing and vendor management) across 23 domains covering leadership, compliance, asset management, IAM, data protection, cryptography, application security, network security, SOC, incident management, and business resilience. Built on NIST CSF, ISO 27001, and SWIFT CSCF.
CBEST
Bank of England framework for intelligence-led penetration testing of UK financial infrastructure. Prescribes threat intelligence gathering, red team execution, blue team assessment, and remediation for systemically important financial institutions. Requires accredited threat intelligence providers (TIPs) and penetration testing providers (PTPs). Complementary to PRA operational resilience requirements.
CBN CSF
Central Bank of Nigeria mandatory risk-based cybersecurity framework for all deposit money banks and payment service banks. 10 parts covering governance, risk management, cyber resilience, threat intelligence, emerging technologies, metrics and reporting, compliance and enforcement, awareness and training, personnel security, and physical security. Requires annual self-assessment (CSAT) and participation in NigFinCERT. Effective July 2024.
CBUAE
Central Bank of the UAE mandatory framework for cyber risk governance, security operations, incident management, and operational resilience for all CBUAE-regulated financial institutions. 14 sections covering governance, risk management, SOC, identity and access management, data protection, application and infrastructure security, cryptography, incident management, security testing, awareness, third-party risk, operational resilience, and regulatory reporting.
CCSS v9.0
De facto industry standard for cryptocurrency exchange and custodian security. 47 control objectives across 10 security aspects covering key/seed generation, wallet creation, key storage, key usage, key compromise protocol, keyholder grant/revoke, third-party audits, data sanitization, proof of reserve, and log auditing. Three certification levels (Level 1-3) with increasing rigour. Published by the CryptoCurrency Certification Consortium (C4).
CIS Controls v8
Prioritized set of 18 controls, each broken into safeguards, to protect organizations and data from known cyber attack vectors. Safeguards are grouped into three Implementation Groups (IG1 to IG3) so that organizations can prioritize by size, resources, and risk, with IG1 defining essential cyber hygiene. Developed by a global community of IT experts.
CMMC 2.0
US Department of Defense cybersecurity certification framework for the defense industrial base. Level 2 aligns to NIST SP 800-171 Rev 2 (110 security requirements) across 14 domains: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Required for contractors handling Controlled Unclassified Information (CUI). Level 2 is assessed either by annual self-assessment or by a certified third-party assessment organisation (C3PAO) every three years, depending on the contract; Level 3 adds selected NIST SP 800-172 requirements and is assessed by the DoD (DIBCAC).
COBIT 2019
Framework for IT governance and management. Helps organizations develop, implement, and improve IT governance and management practices.
Common Criteria
International standard (ISO/IEC 15408) for IT security evaluation defining Security Functional Requirements (SFRs) across 11 classes and Security Assurance Requirements (SARs) at 7 Evaluation Assurance Levels (EAL 1-7). Used for product certification through Protection Profiles and Security Targets evaluated by licensed Common Criteria testing laboratories. Mutual recognition under the CCRA arrangement across 31 member nations, with the caveat that the CCRA only recognises evaluations against collaborative Protection Profiles (cPPs) or at EAL1 to EAL2 (plus ALC_FLR); higher EALs are not mutually recognised under the CCRA.
CPMI-IOSCO PFMI
24 international principles for the design and operation of financial market infrastructures including payment systems, CCPs, CSDs, SSSs, and trade repositories. Covers general organisation, credit and liquidity risk, settlement, default management, general business and operational risk, access, efficiency, and transparency. The foundational standard referenced by all national FMI regulators.
CSA AICM v1
AI security standard extending CSA CCM with 243 control objectives across 18 domains including the new Model Security (MDS) domain. Covers AI-specific risks including adversarial ML, training data governance, model integrity, and responsible AI. Used alongside CCM for cloud AI assessments.
CSA CCM v4
De facto cloud security standard with 197 control objectives across 17 domains. Used for STAR certification and cloud provider assessments. Maps to ISO 27001, NIST 800-53, PCI DSS, SOC 2, and CIS Controls.
DNB Good Practice
De Nederlandsche Bank's mandatory information security framework for Dutch financial institutions including banks, insurers, pension funds, and payment institutions. 58 controls across 7 elements (governance, organisation, people, processes, technology, facilities, testing) with COBIT 4.1 maturity model assessment. DORA supersedes for in-scope entities from January 2025, but continues for pension funds. Self-assessment tool available.
DOE C2M2 v2.1
Voluntary cybersecurity maturity model developed by the Department of Energy for the energy sector. 10 domains covering asset management, threat and vulnerability management, risk management, identity and access management, situational awareness, event and incident response, third-party risk management, workforce management, cybersecurity architecture, and program management. Each domain assessed across Maturity Indicator Levels (MIL 0-3) measuring organizational capability progression. Used by electric utilities, oil and gas companies, and other energy subsectors for self-assessment.
EBA ICT Guidelines
European Banking Authority guidelines on ICT and security risk management for credit institutions, investment firms, and payment service providers across the EU. 33 guidelines across ICT governance and strategy, ICT and security risk management framework, information security, ICT operations management, ICT project and change management, business continuity management, and payment service user relationship management. Being superseded by DORA for in-scope entities from January 2025.
ECB CROE
European Central Bank expectations for cyber resilience of euro area financial market infrastructures. 21 expectations across 3 pillars: governance (board oversight, risk appetite, cyber strategy), identification and protection (threat-led testing, situational awareness, learning and evolving), and detection and response (incident management, recovery, crisis communication). Builds on CPMI-IOSCO cyber resilience guidance with ECB-specific supervisory expectations.
EU CRA
EU regulation establishing horizontal cybersecurity requirements for products with digital elements. Applies to manufacturers, importers, and distributors of hardware and software sold in the EU. 22 essential cybersecurity requirements in Annex I covering secure-by-design, vulnerability handling, SBOM, coordinated disclosure, and secure update mechanisms. Penalties up to EUR 15M or 2.5% turnover. Reporting obligations from September 2026, full applicability December 2027. Complements NIS2 (which targets operators) with product-level security.
EU DORA
EU regulation establishing uniform requirements for ICT risk management, incident reporting, digital operational resilience testing, and ICT third-party risk management across financial entities. Covers banks, insurers, investment firms, crypto-asset service providers, and critical ICT third-party providers. Requires threat-led penetration testing (TLPT) and comprehensive ICT third-party oversight.
EU GDPR
The EU's comprehensive data protection and privacy regulation. Establishes principles for lawful processing, data subject rights, controller and processor obligations, breach notification to the supervisory authority (72 hours), data protection by design and by default, and cross-border transfer safeguards. Applies to organisations established in the EU and to any organisation, wherever established, that processes personal data of data subjects in the EU when offering them goods or services or monitoring their behaviour.
FCA SYSC 13
Financial Conduct Authority rules on operational risk systems and controls. SYSC 13 itself applies to insurers; common platform firms (banks, investment firms) are subject to the equivalent operational risk requirements in SYSC 4 to 7. Covers operational risk identification and assessment, systems and controls, business continuity planning, outsourcing, technology and cyber risk, change management, information security, access control, data integrity, incident management, insurance, record keeping, and board governance responsibilities. Part of the FCA Senior Management Arrangements, Systems and Controls (SYSC) sourcebook.
FDA 21 CFR Part 11
US federal regulation establishing criteria for acceptance of electronic records and electronic signatures by the FDA. 30 requirements across electronic records (validation, audit trails, system access controls, authority checks, device checks, education and training, documentation, open and closed system controls), electronic signatures (uniqueness, identity verification, signature manifestations, signature/record linking), and biometric and non-biometric authentication controls. Applies to all FDA-regulated industries including pharmaceuticals, medical devices, biologics, and food.
FDA Cybersecurity Guidance
FDA guidance establishing cybersecurity expectations for medical device manufacturers throughout the total product lifecycle. 42 requirements across secure product development framework (SPDF), threat modelling, security architecture, authentication and authorisation, cryptography and data protection, software bill of materials (SBOM), security testing and vulnerability management, postmarket monitoring and coordinated vulnerability disclosure, patch and update management, labelling and transparency, and interoperability security. Addresses both premarket submission requirements and postmarket management obligations. The premarket expectations are backed by Section 524B of the FD&C Act (added by the Consolidated Appropriations Act 2023), which makes cybersecurity information, including an SBOM, a statutory requirement for submissions of "cyber devices".
FERC CIP Orders
Federal Energy Regulatory Commission orders directing NERC to develop and modify Critical Infrastructure Protection reliability standards for the Bulk Electric System. Key orders include Order 706 (2008, approved the first mandatory CIP standards), Order 791 (2013, approved CIP version 5 and the BES Cyber System categorisation model), Order 829 (2016, directed a supply chain risk management standard) and Order 850 (2018, approved CIP-013 and directed its extension to EACMS), Order 887 (2023, directed internal network security monitoring, which became CIP-015), and Order 893 (2023, incentive-based rate treatment for voluntary cybersecurity investments). Represents the regulatory policy layer driving NERC CIP standard evolution.
FFIEC IS
US Federal Financial Institutions Examination Council handbook for examining information security at financial institutions. 51 examination objectives across governance, risk management, threat intelligence, security controls, network security, endpoint protection, access management, data security, resilience, incident response, and third-party security. Used by OCC, FDIC, Federal Reserve, NCUA, and state banking agencies for IT examinations.
FINMA Circular 2023/1
Swiss financial market supervisory authority circular covering technology infrastructure, cyber risk, critical data management, business continuity management, and outsourcing for banks and securities dealers. References use chapter and margin number format — e.g. IV.C(65) for cyber risk management margin 65 — across 114 margin numbers in 7 sections.
FINOS CCC
Open standard for consistent cloud security controls in financial services. Defines cybersecurity, resiliency, and compliance controls for common cloud services across major providers.
FIPS 140-3
Federal standard for cryptographic module validation derived from ISO/IEC 19790:2012 (with test requirements from ISO/IEC 24759). Defines four increasing security levels across 11 requirement areas: cryptographic module specification, interfaces, roles/services/authentication, software/firmware security, operational environment, physical security, non-invasive attack resistance, sensitive security parameter management, self-tests, life-cycle assurance, and mitigation of other attacks. Validated through the NIST Cryptographic Module Validation Program (CMVP) with NVLAP-accredited testing laboratories.
FISC Security Guidelines
Japan's de facto mandatory security standard for financial institutions, published by the Center for Financial Industry Information Systems (FISC). Covers technical standards (system design, access control, cryptography, network security), operational standards (IT governance, incident response, outsourcing, SDLC), and facility standards (data center physical security, environmental controls, disaster recovery). Referenced by the FSA and Bank of Japan for supervisory examinations.
HIPAA Security Rule
US federal regulation establishing national standards for protecting electronic protected health information (ePHI). 63 specifications across administrative safeguards (security management, workforce security, information access, awareness training, security incident procedures, contingency planning), physical safeguards (facility access, workstation use, device controls), and technical safeguards (access control, audit controls, integrity, authentication, transmission security). Covers all HIPAA covered entities and business associates.
HITRUST CSF v11
Comprehensive security framework widely adopted in healthcare, integrating requirements from HIPAA, NIST 800-53, ISO 27001, PCI DSS, and other standards. 14 control categories covering information security management, access control, human resources security, risk management, security policy, organisation of information security, compliance, asset management, physical and environmental security, communications and operations management, information systems development, incident management, business continuity, and privacy practices. Supports three assessment types: e1 (essential), i1 (implemented), and r2 (risk-based validated).
HKMA TM-E-1
Hong Kong Monetary Authority's comprehensive technology risk management guideline for all authorised institutions. Covers IT governance, project management, change management, operations, IT resilience, information security, access control, cryptography, internet and mobile banking, ATM security, and outsourcing of technology services. Complemented by the Cyber Fortification Initiative (CFI) including iCAST intelligence-led penetration testing and the Cyber Resilience Assessment Framework (C-RAF).
IAEA NSS 17-T
International guidance for computer security at nuclear facilities published by the International Atomic Energy Agency. 14 sections covering computer security management, risk management, defense-in-depth (5 security levels), identification and authentication, access control, system integrity, audit and monitoring, communication security, supply chain security, incident response, contingency planning, personnel security, physical security integration, and assessment and testing. Provides framework for protecting instrumentation and control (I&C) systems including safety-critical systems. Applied globally through national regulatory implementations.
IEC 62443
International series of standards for industrial automation and control system (IACS) cybersecurity. Part 3-3 defines system security requirements and Part 4-2 component requirements, both organised under 7 foundational requirements: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. Requirements are graded by Security Level (SL 1-4) according to the attacker capability they must withstand.
IEEE 1686-2022
International standard defining minimum cybersecurity capabilities required in Intelligent Electronic Devices (IEDs) used in power substations — protective relays, bay controllers, merging units, and phasor measurement units. 10 capability areas covering electronic access control, audit trail, firmware integrity, configuration management, communication security, network filtering, password management, session management, physical port security, and secure development practices. Used for procurement specifications and NERC CIP compliance.
IOSCO Cyber Resilience
International guidance establishing cybersecurity and operational resilience expectations for financial market infrastructures (FMIs) including CCPs, CSDs, payment systems, and trade repositories. 5 risk categories covering governance, identification, protection, detection, and response/recovery with 3 maturity levels (evolving, advancing, innovating). Builds on CPMI-IOSCO PFMI Principle 17 and complements national supervisory frameworks.
ISAE 3402
International assurance engagement standard for reporting on controls at service organisations relevant to user entities' financial reporting. Defines Type I (design suitability) and Type II (design and operating effectiveness) report structures covering management assertions, control objectives, control activities, subservice organisation management, and complementary user entity controls (CUECs). Widely used by cloud providers, data centres, payment processors, and outsourcing firms. Equivalent to SSAE 18 / SOC 1 in the US.
ISO 27001:2022
Information security management systems standard. Specifies requirements for establishing, implementing, maintaining and continually improving an ISMS.
ISO 27002:2022
Reference set of 93 information security controls (the 2022 edition dropped the "code of practice" title) organised into four themes: organizational, people, physical, and technological. Provides implementation guidance for the Annex A controls of ISO 27001:2022, with attributes (control type, security property, cybersecurity concept) for filtering and mapping.
ISO 27799
International standard providing implementation guidance for ISO 27002 controls in the health informatics context. 48 control areas addressing health-specific requirements including patient data confidentiality, clinical system availability, health information exchange security, consent management, audit trail requirements for clinical systems, mobile health device security, telemedicine security, medical device integration, health cloud security, and cross-border health data transfer. Applies to all organisations holding or processing health information regardless of size.
ISO 42001:2023
Artificial intelligence management system standard. Specifies requirements for establishing, implementing, maintaining and improving an AI management system, including responsible AI development, deployment and use.
LGPD + BCB 4893
Brazil's combined data protection and financial cybersecurity framework. LGPD (Law 13,709/2018) establishes comprehensive data protection principles, data subject rights, international transfer rules, and ANPD oversight. BCB Resolution 4893/2021 mandates cybersecurity policy, incident response and reporting, cloud governance, board accountability, and annual cybersecurity reporting for financial institutions regulated by the Banco Central do Brasil. Includes PIX instant payment security and Open Finance Brasil API requirements.
Lloyd's Minimum Standards
Mandatory minimum standards for all managing agents operating in the Lloyd's market. Covers IT governance and strategy, information security policy, risk assessment, access control, application security, change management, business continuity and disaster recovery, network security, data protection and classification, incident management, third-party and outsourcing risk, and security monitoring. Compliance assessed through Lloyd's annual oversight process.
MAS TRM
Mandatory technology risk management guidelines for financial institutions regulated by the Monetary Authority of Singapore. Covers 15 domains including technology risk governance, IT resilience, access control, cryptography, data and infrastructure security, cyber security operations, and IT audit.
MiCA
Comprehensive EU regulation for cryptoasset markets, fully applicable since December 2024. Covers cryptoasset service provider (CASP) authorisation, governance, safeguarding of client assets, ICT system requirements, operational resilience, AML/CFT, stablecoin issuance (asset-referenced and e-money tokens), reserve management, market abuse prevention, and regulatory reporting. Applies to all CASPs operating in the EU.
MLPS 2.0
China's mandatory cybersecurity classification and protection standard for information systems. Level 3 applies to government, finance, healthcare, energy, and critical infrastructure. Covers 10 security domains: physical environment, communication network, area boundary, computing environment, security management center, management system, management organization, personnel security, construction management, and operations management. Includes extension requirements for cloud computing, mobile internet, IoT, and industrial control systems. Enforced by the Ministry of Public Security through mandatory classification filing (备案) and periodic assessment by licensed testing organisations (等级测评).
NAIC Insurance Data Security
Model law adopted by 24+ US states requiring insurers, agents, and other licensed entities to develop comprehensive information security programs. 24 sections covering information security program requirements, risk assessment, board oversight, CISO designation, access controls, system and data safeguards, secure development practices, incident response, investigation and notification, third-party service provider oversight, and annual compliance certification to the commissioner.
NCA ECC
Saudi National Cybersecurity Authority mandatory controls for all government entities, government-affiliated organizations, and critical infrastructure operators. 5 domains: cybersecurity governance, defence, resilience, third-party and cloud computing, and ICS/OT cybersecurity. Designed referencing NIST CSF, NIST 800-53, and ISO 27001.
NERC CIP
Mandatory reliability standards for the Bulk Electric System (BES) in North America. 14 CIP standards (CIP-002 through CIP-015) covering BES Cyber System categorization, security management controls, personnel and training, electronic security perimeters, physical security, system security management, incident reporting, recovery plans, configuration and vulnerability management, information protection, control center communications, supply chain risk management, transmission station physical security, and internal network security monitoring (INSM). Enforced by NERC with mandatory compliance, violations, and penalties.
NHS DSPT
Mandatory annual self-assessment for all organisations that have access to NHS patient data and systems. 40 requirements across 10 National Data Guardian standards covering leadership, staff responsibilities, training, managing data access, process reviews, responding to incidents, continuity planning, unsupported systems, IT protection, and accountable suppliers. Aligned with the National Data Guardian's 10 data security standards and NCSC Cyber Essentials. Applies to all NHS trusts, integrated care boards (ICBs, which replaced CCGs in 2022), GP practices, social care providers, and third-party suppliers processing NHS data.
NIS2 Directive
EU-wide cybersecurity legislation requiring essential and important entities to implement risk-management measures, report significant incidents, and submit to supervisory oversight. Covers 10 mandatory security domains under Article 21 including incident handling, business continuity, supply chain security, and cryptography.
NIST CSF 2.0
Voluntary guidance for managing and reducing cybersecurity risk, published February 2024. Organized around six core functions: Govern, Identify, Protect, Detect, Respond, Recover. Govern is new in 2.0 and covers organizational context, risk management strategy, roles, policy, oversight, and supply chain risk management; the scope was also widened from critical infrastructure to all organizations.
NYDFS 500
New York Department of Financial Services mandatory cybersecurity regulation for all DFS-regulated entities including banks, insurers, and financial services companies. 18 sections covering cybersecurity program, policy, CISO, penetration testing, access privileges, application security, risk assessment, third-party service provider security, MFA, data retention, monitoring, incident response, 72-hour notification, and annual compliance certification. Enhanced requirements for Class A companies.
OSFI B-13
Canadian federal prudential guideline for technology and cyber risk management at federally regulated financial institutions, effective January 2024. Covers 3 domains: governance and risk management, technology operations and resilience, and cyber security (identify, defend, detect, respond and recover). Third-party technology risk, including cloud-specific considerations, is addressed in the companion Guideline B-10 on third-party risk management.
OWASP MASVS v2.1
Community-driven verification standard for mobile application security. 24 requirements across 8 groups: storage, cryptography, authentication, network communication, platform interaction, code quality, resilience, and privacy. Covers both iOS and Android with testable requirements mapped to the OWASP Mobile Application Security Testing Guide (MASTG). Widely adopted by mobile development teams, penetration testers, and security architects as the baseline for mobile app security assessments.
PCI DSS v4.0.1
Global security standard for organisations that store, process, or transmit cardholder data. Defines 12 requirements across 6 control objectives for protecting payment card data.
PCI HSM
PCI requirements for the secure management of PINs and cryptographic keys used in payment transactions. Covers Hardware Security Module (HSM) physical and logical security, key management lifecycle, PIN entry device validation, PIN transmission encryption (ISO 9564), key injection ceremonies, DUKPT key derivation, and certificate management. Mandatory for acquirers, processors, and their agents handling PIN-based transactions.
PCI PTS v6
PCI PIN Transaction Security requirements for Point of Interaction (POI) devices including PIN entry terminals, unattended payment terminals, and mobile payment acceptance devices. Covers physical tamper resistance, logical security, firmware integrity, secure boot, key management, and vendor qualification across 7 evaluation modules. Required for all POI device types seeking PCI approval.
POPIA
South Africa's comprehensive data protection law, closely modelled on EU GDPR principles. Establishes 8 conditions for lawful processing: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Covers responsible party obligations, information officers, data subject rights, transborder data flows, enforcement by the Information Regulator, and criminal offences. Mandatory for all public and private bodies processing personal information in South Africa.
PRA Operational Resilience
UK Prudential Regulation Authority requirements for operational resilience at PRA-regulated firms. PRA SS1/21 covers identification of important business services, impact tolerance setting, resource mapping, scenario testing, and self-assessment. PRA SS2/21 covers outsourcing governance, materiality assessment, due diligence, contractual requirements, sub-outsourcing chains, intra-group outsourcing, and exit strategies. Packaged under PRA Policy Statement PS6/21.
PRA SS1/23
UK Prudential Regulation Authority supervisory statement setting expectations for model risk management at banks, building societies, and PRA-designated investment firms. 5 principles covering model identification and classification, governance (board accountability, model risk committee, independent validation), model development and implementation (documentation, testing, performance monitoring), model use and ongoing monitoring, and risk mitigation and reporting. Effective 17 May 2024 with proportionate application.
Qatar NIA
Mandatory information assurance policy for all Qatar government entities and critical infrastructure operators. 11 security domains modeled on ISO 27001 and NIST 800-53 with a 3-tier classification system (Basic, Advanced, Critical). Covers governance, risk management, asset management, HR security, physical security, communications, operations, access control, systems development, incident management, and business continuity.
RBI CSF
India's mandatory cybersecurity framework for scheduled commercial banks, NBFCs, and financial institutions regulated by the Reserve Bank of India. Combines the 2016 Cyber Security Framework (24 baseline control areas covering SOC, network security, access control, incident reporting) with the 2023 Master Direction on IT Governance, Risk, Controls and Assurance Practices (ITGRCA) covering IT governance, infrastructure management, risk assessment, BCP/DR, and IS audit. Requires incident reporting to RBI within 2 to 6 hours, together with notification to CERT-In.
SA JS2
Mandatory cybersecurity and cyber resilience requirements for all South African financial institutions including banks, insurers, market infrastructure, pension funds, and fund managers. Issued jointly by FSCA and Prudential Authority. 21 requirements covering governance, strategy, asset classification, risk assessment, access control, network security, monitoring, incident response, resilience, threat intelligence, testing, MFA, data protection, cryptography, patching, personnel security, third-party management, and regulatory reporting. Effective June 2025.
SAMA CSF
Saudi Central Bank mandatory cybersecurity framework for all financial institutions regulated by SAMA. 4 domains covering cyber security leadership and governance, risk management and compliance, operations and technology, and third-party cyber security. Built on NIST CSF with augmentations from ISO 27001, NIST 800-53, PCI DSS, and SWIFT CSCF.
SEBI CSCRF
Securities and Exchange Board of India mandatory cybersecurity framework for all SEBI-regulated entities including stock exchanges, depositories, clearing corporations, mutual funds, brokers, and portfolio managers. 5 cyber resilience goals (anticipate, withstand, contain, recover, evolve) across 41 control areas covering governance, risk assessment, asset management, identity and access management, data protection, network security, application security, endpoint security, vulnerability management, security monitoring, incident management, business continuity, third-party risk, and cloud security. Entity classification into 5 categories with graded compliance requirements.
SEC Custody (Digital Assets)
SEC framework for custody of digital asset securities by broker-dealers and investment advisers. Covers qualified custodian requirements, exclusive control of private keys, multi-signature and threshold signature mandates, segregation of client assets, key management lifecycle, distributed ledger risk assessment, third-party custodian oversight, incident response, business continuity, transfer capability verification, independent examination, and safeguarding against theft, loss, and misuse.
SOC 2 TSC
Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. Used for SOC 2 attestation engagements.
Solvency II
EU prudential regulation for insurance and reinsurance undertakings. Pillar 2 governance and risk management requirements include ICT risk, operational resilience, outsourcing controls, and key function holder accountability. Supplemented by EIOPA Guidelines on ICT Security and Governance (EIOPA-BoS-20/600) covering information security policy, logical security, cryptography, operations security, security monitoring, business continuity, and third-party ICT risk management.
SWIFT CSCF
Mandatory security controls framework for all 11,000+ SWIFT-connected financial institutions globally. 32 controls (25 mandatory, 7 advisory) across 3 objectives: secure your environment, know and limit access, detect and respond. Annual independent assessment attestation required. Covers network segmentation, privileged access, system hardening, transaction business controls, malware protection, logging/monitoring, and incident response for SWIFT financial messaging infrastructure. Aligned with ISO 27002, NIST CSF, PCI DSS 4.0.
TIBER-EU
ECB framework for threat intelligence-based ethical red teaming of financial entities across the EU. Defines a structured approach covering generic threat landscape, targeted threat intelligence, red team testing on live production systems, and 360-degree closure. Adopted by 15+ EU member states with cross-border mutual recognition. Complementary to DORA Article 26 TLPT requirements.
TSA Pipeline SD
Mandatory cybersecurity requirements for owner/operators of hazardous liquid and natural gas pipelines designated as critical infrastructure by TSA. Security Directive Pipeline-2021-01 (SD-1) requires cybersecurity coordinator designation, 24-hour incident reporting to CISA, vulnerability assessment, and remediation. Security Directive Pipeline-2021-02 (SD-2) mandates network segmentation, access control, continuous monitoring, patch management, cybersecurity implementation plans, architecture design review, testing, and training. Issued following the Colonial Pipeline ransomware attack.
UAE IA
UAE mandatory information assurance standards for all government entities and critical national infrastructure operators. 12 security domains aligned to ISO 27001/27002 covering governance, risk management, asset management, HR security, physical security, operations, communications, access control, system development, incident management, and business continuity. Enforced by TDRA with compliance audits.
Mapping Methodology
Compliance framework mappings are professional judgement, not mechanical keyword matching. This section explains how OSA derives and maintains its cross-framework references so you can assess their applicability to your organisation.
Approach: Control-Objective Alignment
Each mapping is derived by comparing the security objective of a NIST 800-53 Rev 5 control against the intent of a framework requirement. When both address the same security outcome — even if the language, structure, or level of specificity differs — we create a reference. We do not map based on superficial keyword overlap (e.g., both mentioning "access") without confirming the underlying objectives align.
Many-to-Many Relationships
Security frameworks rarely have one-to-one correspondence. A single NIST control may map to multiple requirements in another framework, and a single framework requirement may be addressed by several NIST controls. OSA maps every meaningful relationship rather than forcing artificial one-to-one pairings. This means some controls have 10+ references to a framework while others have none — that reflects reality, not inconsistency.
Granularity
We cite the most specific reference available in each framework: article sub-paragraphs for NIS2 (e.g., Art.21(2)(e)), margin numbers for FINMA, paragraph numbers for MAS TRM and CPS 234, individual safeguards for CIS Controls. Broad section-level references are used only when the framework itself is principles-based and does not decompose further.
Prescriptive vs Principles-Based Frameworks
Frameworks vary significantly in specificity. Prescriptive frameworks like PCI DSS v4, ASD Essential Eight, and CIS Controls define precise technical requirements — these produce tight, high-confidence mappings. Principles-based frameworks like NIS2, PRA SS1/21, and APRA CPS 234 define outcomes and obligations at a higher level — these produce broader mappings where one article may legitimately map to dozens of technical controls. Both mapping styles are valid; they reflect the framework's design philosophy, not mapping imprecision.
Jurisdictional Coverage
OSA selects frameworks based on where our practitioners work. Our visitor data shows traffic from 100+ countries, with concentration in the United States, United Kingdom, Singapore, Germany, France, Australia, Switzerland, and Canada. We prioritise frameworks that serve these jurisdictions, with a focus on financial services regulation (where security architecture requirements are most mature) and broadly applicable standards (ISO, NIST, CIS) that cross borders.
Review and Maintenance
Framework versions are tracked in each mapping's metadata. When a framework publishes a new version (e.g., PCI DSS v4.0 to v4.0.1, CIS Controls v7 to v8), we review and update the mappings. The NIST 800-53 Rev 5 control catalogue is the stable anchor — it changes infrequently, so most updates are driven by framework revisions rather than control changes.
Limitations
Mappings represent OSA's professional assessment of control-objective alignment. They are not legal advice, regulatory guidance, or a substitute for your organisation's own compliance analysis. Specific regulatory obligations depend on your jurisdiction, sector, entity classification, and the specific services you provide. An auditor assessing your PCI DSS compliance will apply the PCI DSS requirements directly — our mapping helps you understand which NIST controls support that compliance, but the authoritative source is always the framework itself.
Data Format
All mappings are stored as structured JSON in the osa-data repository, versioned in Git, and validated automatically on every commit. Each NIST control's JSON file contains a compliance_mappings object with framework IDs as keys and arrays of specific references as values. This means mappings are machine-readable, auditable, diffable, and available for integration into your own tooling.
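As an added example of working with the format described above (this is not code from OSA or the osa-data repository), the following Python loads a few constructed per-control records in the stated shape, performs the kind of structural validation a commit hook might run, and builds the reverse index that turns the per-control view into a per-framework one, which is also the many-to-many relationship described under Mapping Methodology. The framework IDs (nis2, pci-dss-v4, cis-v8), the reference strings and the control-to-reference pairings are assumptions chosen for illustration, not OSA's actual mappings.

```python
"""Load OSA-style control mapping records and build a framework-side index.

Added example, not code from the OSA project. It assumes the layout the page
describes: one JSON document per NIST 800-53 Rev 5 control, holding a
`compliance_mappings` object whose keys are framework IDs and whose values
are arrays of reference strings. Everything in SAMPLE_FILES is constructed.
"""
import json
from collections import defaultdict

# Constructed stand-in for the per-control JSON files (assumed IDs and refs).
SAMPLE_FILES = {
    "AC-2.json": json.dumps({
        "id": "AC-2",
        "compliance_mappings": {
            "nis2": ["Art.21(2)(i)"],
            "pci-dss-v4": ["7.2.1", "8.2.1"],
            "cis-v8": ["5.1", "6.1"],
        },
    }),
    "AC-6.json": json.dumps({
        "id": "AC-6",
        "compliance_mappings": {
            "pci-dss-v4": ["7.2.1"],
            "cis-v8": ["5.4"],
        },
    }),
    "SI-4.json": json.dumps({
        "id": "SI-4",
        "compliance_mappings": {"nis2": ["Art.21(2)(b)"]},
    }),
}


def validate_mapping(control_id, mappings):
    """Structural checks only: an object of framework ID -> non-empty list of
    non-empty, non-duplicated strings. Returns a list of error messages."""
    errors = []
    if not isinstance(mappings, dict):
        return [f"{control_id}: compliance_mappings must be an object"]
    for fw, refs in mappings.items():
        if not fw or not fw.strip():
            errors.append(f"{control_id}: empty framework ID")
            continue
        if not isinstance(refs, list) or not refs:
            errors.append(f"{control_id}/{fw}: references must be a non-empty array")
            continue
        if any(not isinstance(r, str) or not r.strip() for r in refs):
            errors.append(f"{control_id}/{fw}: references must be non-empty strings")
        if len(set(refs)) != len(refs):
            errors.append(f"{control_id}/{fw}: duplicate references")
    return errors


def load_controls(files):
    """Parse every record, validate it, and return (controls, errors) where
    controls maps control ID -> compliance_mappings object."""
    controls, errors = {}, []
    for name, text in files.items():
        doc = json.loads(text)
        cid = doc.get("id") or name
        mappings = doc.get("compliance_mappings", {})
        errors.extend(validate_mapping(cid, mappings))
        controls[cid] = mappings
    return controls, errors


def reverse_index(controls):
    """framework ID -> reference -> sorted control IDs. One reference may
    collect several controls and one control appears under many references."""
    idx = defaultdict(lambda: defaultdict(set))
    for cid, mappings in controls.items():
        for fw, refs in mappings.items():
            for ref in refs:
                idx[fw][ref].add(cid)
    return {fw: {ref: sorted(cids) for ref, cids in refs.items()}
            for fw, refs in idx.items()}


def controls_for(index, framework, reference):
    """Controls supporting one framework requirement (empty list if none)."""
    return index.get(framework, {}).get(reference, [])


def frameworks_for(controls, control_id):
    """Frameworks a given control carries references to."""
    return sorted(controls.get(control_id, {}))


def coverage_gaps(controls, framework):
    """Controls with no reference to the framework. Per the methodology this
    is expected for many controls and is reported, not treated as an error."""
    return sorted(cid for cid, m in controls.items() if framework not in m)


if __name__ == "__main__":
    ctrls, errs = load_controls(SAMPLE_FILES)
    print("validation errors:", errs)
    idx = reverse_index(ctrls)
    print("pci-dss-v4 7.2.1 <-", controls_for(idx, "pci-dss-v4", "7.2.1"))
    print("AC-2 ->", frameworks_for(ctrls, "AC-2"))
    print("no nis2 reference:", coverage_gaps(ctrls, "nis2"))
```

The reverse index is the operation a practitioner most often wants from this data: start from a framework requirement an auditor has raised and list the controls that support it. The validation deliberately checks shape only; whether a reference is correct for a control is the professional judgement the methodology section describes, and no script can confirm it.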