14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

EU AI Act ↔ ISO 27001 — 20 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
Art. 10 Data and data governance	A.5.7 Threat intelligence	10	T1190, T1566, T1547, T1068
Art. 15 Accuracy, robustness and cybersecurity	A.5.7 Threat intelligence	10	T1190, T1566, T1547, T1068
Art. 10 Data and data governance	A.8.8 Management of technical vulnerabilities	9	T1190, T1078, T1068, T1027
Art. 15 Accuracy, robustness and cybersecurity	A.8.16 Monitoring activities	9	T1078, T1547, T1068, T1070
Art. 10 Data and data governance	A.8.16 Monitoring activities	8	T1078, T1547, T1068, T1003
Art. 10 Data and data governance	A.8.26 Application security requirements	8	T1190, T1078, T1068, T1003
Art. 10 Data and data governance	A.8.29 Security testing in development and acceptance	8	T1190, T1078, T1547, T1068
Art. 15 Accuracy, robustness and cybersecurity	A.8.8 Management of technical vulnerabilities	8	T1190, T1078, T1068, T1027
Art. 10 Data and data governance	A.8.28 Secure coding	7	T1190, T1068, T1027, T1003
Art. 15 Accuracy, robustness and cybersecurity	A.8.26 Application security requirements	7	T1190, T1078, T1068, T1003
Art. 15 Accuracy, robustness and cybersecurity	A.8.29 Security testing in development and acceptance	7	T1190, T1078, T1547, T1068
Art. 15 Accuracy, robustness and cybersecurity	A.8.2 Privileged access rights	7	T1078, T1068, T1070, T1003
Art. 10 Data and data governance	A.8.21 Security of network services	6	T1190, T1078, T1068, T1027
Art. 10 Data and data governance	A.8.23 Web filtering	6	T1566, T1068, T1027, T1005
Art. 10 Data and data governance	A.8.25 Secure development life cycle	6	T1190, T1068, T1027, T1003
Art. 10 Data and data governance	A.8.2 Privileged access rights	6	T1078, T1068, T1003, T1005
Art. 10 Data and data governance	A.8.9 Configuration management	6	T1190, T1068, T1003, T1005
Art. 15 Accuracy, robustness and cybersecurity	A.8.21 Security of network services	6	T1190, T1078, T1068, T1027
Art. 15 Accuracy, robustness and cybersecurity	A.8.25 Secure development life cycle	6	T1190, T1068, T1027, T1003
Art. 15 Accuracy, robustness and cybersecurity	A.8.28 Secure coding	6	T1190, T1068, T1027, T1003
Art. 12 Record keeping	A.5.7 Threat intelligence	5	T1003, T1087, T1071, T1041
Art. 12 Record keeping	A.8.16 Monitoring activities	5	T1003, T1087, T1071, T1041
Art. 12 Record keeping	A.8.26 Application security requirements	5	T1070.004, T1562.001, T1003, T1041
Art. 12 Record keeping	A.8.28 Secure coding	5	T1070.004, T1490, T1003, T1547.001
Art. 12 Record keeping	A.8.8 Management of technical vulnerabilities	5	T1490, T1003, T1071, T1041

Showing top 25 of 42 control pairs.

Show non-overlap — EU AI Act techniques NOT covered by ISO 27001 (7)

T1070.001, T1070.002, T1070.003, T1074, T1136.001, T1561, T1562.004

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.