14 frameworks, 127 controls
Framework crosswalk
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.

| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | | | 0.18 |
| EU CRA | | | | | | | | | | | | | | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | |

CIS v8 ↔ GDPR — 35 shared techniques

| Control A | Control B | Shared | Examples |
|---|---|---|---|
| CIS Control 16 Application Software Security | Art. 32 GDPR-Art32__Q2.2026 | 12 | T1133, T1068, T1027, T1036 |
| CIS Control 18 Penetration Testing | Art. 32 GDPR-Art32__Q2.2026 | 12 | T1059, T1068, T1547, T1027 |
| CIS Control 18 Penetration Testing | Art. 35 Data protection impact assessment | 12 | T1190, T1566, T1068, T1547 |
| CIS Control 13 Network Monitoring and Defense | Art. 32 GDPR-Art32__Q2.2026 | 11 | T1078, T1059, T1133, T1068 |
| CIS Control 16 Application Software Security | Art. 33 Notification of a personal data breach to the s… | 11 | T1190, T1133, T1068, T1027 |
| CIS Control 16 Application Software Security | Art. 35 Data protection impact assessment | 11 | T1190, T1068, T1027, T1003 |
| CIS Control 18 Penetration Testing | Art. 33 Notification of a personal data breach to the s… | 11 | T1190, T1566, T1068, T1547 |
| CIS Control 2 Inventory and Control of Software Assets | Art. 32 GDPR-Art32__Q2.2026 | 10 | T1078, T1021, T1059, T1027 |
| CIS Control 13 Network Monitoring and Defense | Art. 33 Notification of a personal data breach to the s… | 9 | T1190, T1133, T1068, T1027 |
| CIS Control 13 Network Monitoring and Defense | Art. 35 Data protection impact assessment | 9 | T1190, T1068, T1027, T1046 |
| CIS Control 1 Inventory and Control of Enterprise Assets | Art. 33 Notification of a personal data breach to the s… | 9 | T1133, T1190, T1547, T1068 |
| CIS Control 7 Continuous Vulnerability Management | Art. 35 Data protection impact assessment | 9 | T1190, T1068, T1003, T1027 |
| CIS Control 8 Audit Log Management | Art. 34 Communication of a personal data breach to the … | 9 | T1190, T1547.001, T1068, T1003.001 |
| CIS Control 8 Audit Log Management | Art. 5 Principles relating to processing of personal data | 9 | T1190, T1068, T1087.001, T1021.001 |
| CIS Control 1 Inventory and Control of Enterprise Assets | Art. 32 GDPR-Art32__Q2.2026 | 8 | T1046, T1133, T1547, T1068 |
| CIS Control 1 Inventory and Control of Enterprise Assets | Art. 35 Data protection impact assessment | 8 | T1046, T1190, T1547, T1068 |
| CIS Control 2 Inventory and Control of Software Assets | Art. 25 Data protection by design and by default | 8 | T1021, T1047, T1053, T1027 |
| CIS Control 4 Secure Configuration of Enterprise Assets and S… | Art. 5 Principles relating to processing of personal data | 8 | T1190, T1068, T1027, T1003 |
| CIS Control 5 Account Management | Art. 32 GDPR-Art32__Q2.2026 | 8 | T1078, T1133, T1003, T1046 |
| CIS Control 7 Continuous Vulnerability Management | Art. 32 GDPR-Art32__Q2.2026 | 8 | T1068, T1003, T1027, T1046 |
| CIS Control 7 Continuous Vulnerability Management | Art. 33 Notification of a personal data breach to the s… | 8 | T1190, T1068, T1003, T1027 |
| CIS Control 16 Application Software Security | Art. 25 Data protection by design and by default | 7 | T1027, T1036, T1003, T1021 |
| CIS Control 16 Application Software Security | Art. 34 Communication of a personal data breach to the … | 7 | T1190, T1547.001, T1068, T1083 |
| CIS Control 16 Application Software Security | Art. 5 Principles relating to processing of personal data | 7 | T1190, T1068, T1027, T1003 |
| CIS Control 18 Penetration Testing | Art. 5 Principles relating to processing of personal data | 7 | T1190, T1068, T1027, T1003 |
Showing top 25 of 66 control pairs.
CIS v8 techniques NOT covered by GDPR (25):
T1003.002, T1003.005, T1015, T1018, T1036.005, T1037, T1042, T1049, T1055, T1070.001, T1078.001, T1078.002, T1078.003, T1078.004, T1087, T1090, T1098, T1110, T1136, T1210, T1490, T1543.003, T1548.002, T1552.001, T1562
compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.