Framework crosswalk
14 frameworks, 127 controls
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | | | 0.18 |
| EU CRA | | | | | | | | | | | | | | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | |
ISO 27001 ↔ ISO 27701 — 22 shared techniques
| Control A | Control B | Shared | Examples |
|---|---|---|---|
| A.5.7 Threat intelligence | A.7.5.1 Identify basis for PII transfer between jurisdi… | 8 | T1566, T1068, T1027, T1003 |
| A.8.16 Monitoring activities | A.7.5.1 Identify basis for PII transfer between jurisdi… | 8 | T1078, T1133, T1068, T1003 |
| A.8.26 Application security requirements | A.7.4.5 PII de-identification and deletion at the end o… | 8 | T1078, T1059, T1003, T1552 |
| A.8.2 Privileged access rights | A.7.4.5 PII de-identification and deletion at the end o… | 8 | T1078, T1003, T1021, T1059 |
| A.5.7 Threat intelligence | A.7.4.1 Limit collection | 7 | T1190, T1566, T1068, T1003 |
| A.8.16 Monitoring activities | A.7.4.5 PII de-identification and deletion at the end o… | 7 | T1078, T1059, T1003, T1021 |
| A.8.26 Application security requirements | A.7.4.1 Limit collection | 7 | T1190, T1068, T1003, T1083 |
| A.8.26 Application security requirements | A.7.5.1 Identify basis for PII transfer between jurisdi… | 7 | T1078, T1068, T1133, T1003 |
| A.8.2 Privileged access rights | A.7.5.1 Identify basis for PII transfer between jurisdi… | 7 | T1078, T1003, T1068, T1053 |
| A.8.8 Management of technical vulnerabilities | A.7.4.5 PII de-identification and deletion at the end o… | 7 | T1059, T1003, T1021, T1005 |
| A.8.8 Management of technical vulnerabilities | A.7.5.1 Identify basis for PII transfer between jurisdi… | 7 | T1068, T1027, T1003, T1005 |
| A.8.9 Configuration management | A.7.4.1 Limit collection | 7 | T1190, T1068, T1003, T1005 |
| A.5.7 Threat intelligence | A.7.4.5 PII de-identification and deletion at the end o… | 6 | T1059, T1003, T1021, T1005 |
| A.8.21 Security of network services | A.7.5.1 Identify basis for PII transfer between jurisdi… | 6 | T1133, T1078, T1068, T1027 |
| A.8.23 Web filtering | A.7.4.1 Limit collection | 6 | T1566, T1071.001, T1041, T1567 |
| A.8.25 Secure development life cycle | A.7.4.1 Limit collection | 6 | T1190, T1068, T1003, T1083 |
| A.8.28 Secure coding | A.7.4.1 Limit collection | 6 | T1190, T1068, T1003, T1083 |
| A.8.29 Security testing in development and acceptance | A.7.5.1 Identify basis for PII transfer between jurisdi… | 6 | T1068, T1133, T1078, T1053 |
| A.8.9 Configuration management | A.7.5.1 Identify basis for PII transfer between jurisdi… | 6 | T1133, T1068, T1003, T1005 |
| A.8.16 Monitoring activities | A.7.4.1 Limit collection | 5 | T1068, T1003, T1005, T1041 |
| A.8.21 Security of network services | A.7.4.1 Limit collection | 5 | T1190, T1068, T1003, T1071.001 |
| A.8.23 Web filtering | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1566, T1041, T1027, T1005 |
| A.8.24 Use of cryptography | A.7.4.5 PII de-identification and deletion at the end o… | 5 | T1005, T1041, T1071, T1078 |
| A.8.24 Use of cryptography | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1005, T1041, T1071, T1078 |
| A.8.25 Secure development life cycle | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1133, T1068, T1027, T1003 |
Showing top 25 of 42 control pairs.
Non-overlap: ISO 27001 techniques NOT covered by ISO 27701 (51)
T1003.001, T1003.002, T1003.003, T1003.005, T1012, T1016, T1021.001, T1021.002, T1021.003, T1027.011, T1033, T1036, T1036.001, T1040, T1046, T1048.001, T1049, T1055, T1070, T1070.004, T1071.004, T1078.002, T1078.003, T1078.004, T1087, T1087.001, T1087.004, T1090, T1098, T1098.001, T1110.002, T1136, T1136.003, T1189, T1203, T1204.001, T1490, T1526, T1535, T1537, T1543, T1543.003, T1547, T1547.001, T1548.001, T1548.002, T1552.001, T1553.004, T1562.001, T1573.001, T1574
Source: compliance_mappings (127 controls across 14 frameworks). Each framework's technique set is the union of applicable_techniques over its controls, and each cell is the Jaccard similarity of two such sets. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.
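To make the footer's method concrete, here is an added Python example (not the page's own code) that reproduces the three views above from a constructed compliance_mappings sample: the framework-level Jaccard matrix from the union of applicable_techniques per control, the control-pair table ranked by shared techniques, and the non-overlap list. Control names are taken from the page; the technique assignments and the empty EU CRA record are assumptions, and an empty technique set yields None, matching the blank EU CRA cells.

```python
from itertools import combinations

# Constructed sample in the shape of compliance_mappings: one record per control with the
# ATT&CK techniques it applies to. Assignments are illustrative, not the page's curated data.
MAPPINGS = [
    {"framework": "ISO 27001", "control": "A.5.7 Threat intelligence",
     "applicable_techniques": {"T1566", "T1068", "T1027", "T1003", "T1190"}},
    {"framework": "ISO 27001", "control": "A.8.16 Monitoring activities",
     "applicable_techniques": {"T1078", "T1133", "T1068", "T1003", "T1021"}},
    {"framework": "ISO 27701", "control": "A.7.4.1 Limit collection",
     "applicable_techniques": {"T1190", "T1566", "T1068", "T1003", "T1005"}},
    {"framework": "ISO 27701", "control": "A.7.5.1 Identify basis for PII transfer",
     "applicable_techniques": {"T1078", "T1133", "T1068", "T1003", "T1027"}},
    {"framework": "EU CRA", "control": "CRA placeholder (no techniques mapped yet)",
     "applicable_techniques": set()},
]

def framework_techniques(mappings, framework):
    """Union of applicable_techniques over every control of one framework."""
    return set().union(*(r["applicable_techniques"] for r in mappings if r["framework"] == framework))

def jaccard(a, b):
    """|A ∩ B| / |A ∪ B| rounded to 2 dp; None when either side is empty (a blank cell)."""
    if not a or not b:
        return None
    return round(len(a & b) / len(a | b), 2)

def crosswalk(mappings):
    """Symmetric framework-by-framework Jaccard matrix keyed by (A, B)."""
    frameworks = sorted({r["framework"] for r in mappings})
    sets = {f: framework_techniques(mappings, f) for f in frameworks}
    matrix = {}
    for fa, fb in combinations(frameworks, 2):
        matrix[(fa, fb)] = matrix[(fb, fa)] = jaccard(sets[fa], sets[fb])
    return matrix

def shared_control_pairs(mappings, fa, fb, top=25):
    """Control pairs across two frameworks ranked by shared technique count, with examples."""
    rows = []
    for ca in (r for r in mappings if r["framework"] == fa):
        for cb in (r for r in mappings if r["framework"] == fb):
            shared = sorted(ca["applicable_techniques"] & cb["applicable_techniques"])
            if shared:
                rows.append((ca["control"], cb["control"], len(shared), shared[:4]))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))[:top]

def non_overlap(mappings, fa, fb):
    """Techniques covered by fa that no control in fb covers."""
    return sorted(framework_techniques(mappings, fa) - framework_techniques(mappings, fb))
```

Swapping MAPPINGS for the real export yields the matrix, the per-cell control-pair table and the non-overlap list exactly as the page renders them.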