14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

GDPR ↔ ISO 27701 — 20 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
Art. 33 Notification of a personal data breach to the s…	A.7.5.1 Identify basis for PII transfer between jurisdi…	10	T1133, T1566, T1068, T1027
Art. 32 GDPR-Art32__Q2.2026	A.7.5.1 Identify basis for PII transfer between jurisdi…	9	T1078, T1133, T1068, T1027
Art. 35 Data protection impact assessment	A.7.4.1 Limit collection	9	T1190, T1566, T1068, T1003
Art. 35 Data protection impact assessment	A.7.5.1 Identify basis for PII transfer between jurisdi…	9	T1566, T1068, T1027, T1003
Art. 32 GDPR-Art32__Q2.2026	A.7.4.5 PII de-identification and deletion at the end o…	8	T1078, T1059, T1003, T1083
Art. 33 Notification of a personal data breach to the s…	A.7.4.1 Limit collection	8	T1190, T1566, T1068, T1003
Art. 5 Principles relating to processing of personal data	A.7.4.1 Limit collection	8	T1190, T1068, T1003, T1005
Art. 5 Principles relating to processing of personal data	A.7.5.1 Identify basis for PII transfer between jurisdi…	7	T1068, T1027, T1003, T1005
Art. 25 Data protection by design and by default	A.7.4.5 PII de-identification and deletion at the end o…	6	T1003, T1005, T1021, T1041
Art. 25 Data protection by design and by default	A.7.5.1 Identify basis for PII transfer between jurisdi…	6	T1003, T1005, T1027, T1041
Art. 32 GDPR-Art32__Q2.2026	A.7.4.1 Limit collection	6	T1068, T1003, T1083, T1005
Art. 33 Notification of a personal data breach to the s…	A.7.4.5 PII de-identification and deletion at the end o…	6	T1003, T1083, T1021, T1005
Art. 34 Communication of a personal data breach to the …	A.7.4.1 Limit collection	6	T1190, T1068, T1083, T1005
Art. 35 Data protection impact assessment	A.7.4.5 PII de-identification and deletion at the end o…	6	T1003, T1083, T1021, T1005
Art. 34 Communication of a personal data breach to the …	A.7.5.1 Identify basis for PII transfer between jurisdi…	4	T1068, T1005, T1041, T1486
Art. 5 Principles relating to processing of personal data	A.7.4.5 PII de-identification and deletion at the end o…	4	T1003, T1005, T1041, T1530
Art. 25 Data protection by design and by default	A.7.4.1 Limit collection	3	T1003, T1005, T1041
Art. 34 Communication of a personal data breach to the …	A.7.4.5 PII de-identification and deletion at the end o…	3	T1083, T1005, T1041

Show non-overlap — GDPR techniques NOT covered by ISO 27701 (23)

T1001, T1003.001, T1003.003, T1011, T1012, T1016, T1021.001, T1027.002, T1033, T1036, T1046, T1047, T1053.005, T1059.003, T1070, T1070.004, T1074, T1087.001, T1136.001, T1547, T1547.001, T1562.001, T1566.001

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.