Framework crosswalk (14 frameworks, 127 controls)
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells coloured by Jaccard similarity of technique sets.
| Framework | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | – | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | – | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | – | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | – | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | – | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | – | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | – | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | – | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | – | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | – | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | – | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | – | | 0.18 |
| EU CRA | | | | | | | | | | | | | – | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | – |
NIS2 ↔ ISO 27701 — 21 shared techniques
| Control A | Control B | Shared | Examples |
|---|---|---|---|
| Art. 21(2)(a) Policies on risk analysis and information syste… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 9 | T1078, T1133, T1068, T1027 |
| Art. 21(2)(b) Incident handling | A.7.5.1 Identify basis for PII transfer between jurisdi… | 8 | T1078, T1133, T1053, T1027 |
| Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 8 | T1566, T1133, T1078, T1003 |
| Art. 21(2)(b) Incident handling | A.7.4.5 PII de-identification and deletion at the end o… | 7 | T1078, T1059, T1003, T1021 |
| Art. 21(2)(d) Supply chain security | A.7.5.1 Identify basis for PII transfer between jurisdi… | 7 | T1068, T1027, T1003, T1005 |
| Art. 21(2)(f) Policies and procedures to assess the effective… | A.7.4.1 Limit collection | 7 | T1190, T1566, T1068, T1003 |
| Art. 21(2)(f) Policies and procedures to assess the effective… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 7 | T1566, T1078, T1068, T1027 |
| Art. 21(2)(h) Policies and procedures regarding the use of cr… | A.7.4.5 PII de-identification and deletion at the end o… | 7 | T1003, T1005, T1021, T1041 |
| Art. 21(2)(a) Policies on risk analysis and information syste… | A.7.4.5 PII de-identification and deletion at the end o… | 6 | T1078, T1003, T1021, T1005 |
| Art. 21(2)(c) Business continuity and crisis management | A.7.5.1 Identify basis for PII transfer between jurisdi… | 6 | T1486, T1041, T1005, T1039 |
| Art. 21(2)(d) Supply chain security | A.7.4.5 PII de-identification and deletion at the end o… | 6 | T1003, T1018, T1021, T1005 |
| Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity… | A.7.4.5 PII de-identification and deletion at the end o… | 6 | T1078, T1003, T1021, T1005 |
| Art. 21(2)(i) Human resources security, access control polici… | A.7.4.5 PII de-identification and deletion at the end o… | 6 | T1003, T1005, T1018, T1021 |
| Art. 21(2)(j) The use of multi-factor authentication or conti… | A.7.4.5 PII de-identification and deletion at the end o… | 6 | T1078, T1003, T1552, T1021 |
| Art. 21(2)(a) Policies on risk analysis and information syste… | A.7.4.1 Limit collection | 5 | T1068, T1003, T1005, T1041 |
| Art. 21(2)(d) Supply chain security | A.7.4.1 Limit collection | 5 | T1068, T1003, T1005, T1041 |
| Art. 21(2)(e) Security in network and information systems acq… | A.7.4.5 PII de-identification and deletion at the end o… | 5 | T1078, T1003, T1021, T1041 |
| Art. 21(2)(e) Security in network and information systems acq… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1078, T1068, T1053, T1003 |
| Art. 21(2)(h) Policies and procedures regarding the use of cr… | A.7.4.1 Limit collection | 5 | T1003, T1005, T1041, T1071.001 |
| Art. 21(2)(h) Policies and procedures regarding the use of cr… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1003, T1005, T1027, T1041 |
| Art. 21(2)(i) Human resources security, access control polici… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1003, T1005, T1027, T1039 |
| Art. 21(2)(j) The use of multi-factor authentication or conti… | A.7.5.1 Identify basis for PII transfer between jurisdi… | 5 | T1078, T1133, T1003, T1071 |
| Art. 21(2)(c) Business continuity and crisis management | A.7.4.1 Limit collection | 4 | T1486, T1041, T1005, T1039 |
| Art. 21(2)(c) Business continuity and crisis management | A.7.4.5 PII de-identification and deletion at the end o… | 4 | T1041, T1005, T1078, T1018 |
| Art. 21(2)(e) Security in network and information systems acq… | A.7.4.1 Limit collection | 4 | T1190, T1068, T1003, T1041 |
Showing top 25 of 30 control pairs.
NIS2 techniques NOT covered by ISO 27701 (36):
T1003.001, T1003.002, T1012, T1015, T1016, T1021.001, T1033, T1036, T1037, T1040, T1046, T1047, T1048.001, T1049, T1053.005, T1055, T1056, T1070.004, T1071.002, T1078.003, T1078.004, T1087, T1098, T1105, T1110, T1114, T1195, T1490, T1498, T1529, T1539, T1547, T1547.001, T1588.006, T1592, T1595.002
Source: compliance_mappings (127 controls across 14 frameworks). Jaccard similarity is computed between frameworks, each represented by the union of the applicable_techniques of its controls. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.
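The computation behind the matrix, the per-cell control-pair table and the non-overlap list, as an added worked example (not the page's own code). The compliance_mappings structure and every technique list below are constructed for illustration; only the control names are taken from the page. Technique IDs are compared as exact strings, which is what the non-overlap list above implies (T1003.001 is listed as not covered although T1003 is shared).

```python
from itertools import combinations

# Constructed sample in the shape the page describes: framework -> control ->
# applicable_techniques (ATT&CK IDs). The technique lists are made up.
COMPLIANCE_MAPPINGS = {
    "NIS2": {
        "Art. 21(2)(b) Incident handling": ["T1078", "T1133", "T1053", "T1027", "T1003.001"],
        "Art. 21(2)(d) Supply chain security": ["T1068", "T1027", "T1003", "T1005", "T1195"],
    },
    "ISO 27701": {
        "A.7.4.1 Limit collection": ["T1068", "T1003", "T1005", "T1041"],
        "A.7.5.1 Identify basis for PII transfer between jurisdictions":
            ["T1078", "T1133", "T1068", "T1027", "T1003"],
    },
}


def framework_techniques(mappings, framework):
    """Union of applicable_techniques over every control in one framework.
    IDs are exact strings: a sub-technique such as T1003.001 is not folded into T1003."""
    return set().union(*mappings[framework].values())


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|, defined as 0.0 when both sets are empty (e.g. an unmapped framework)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def crosswalk(mappings):
    """Matrix cells: Jaccard similarity for every unordered framework pair, rounded to 2 dp."""
    sets = {f: framework_techniques(mappings, f) for f in mappings}
    return {frozenset((f, g)): round(jaccard(sets[f], sets[g]), 2)
            for f, g in combinations(mappings, 2)}


def control_pairs(mappings, fw_a, fw_b, examples=4):
    """Cell table rows: (control A, control B, shared count, first few shared IDs), most shared first."""
    rows = []
    for ctrl_a, techs_a in mappings[fw_a].items():
        for ctrl_b, techs_b in mappings[fw_b].items():
            shared = set(techs_a) & set(techs_b)
            if shared:
                rows.append((ctrl_a, ctrl_b, len(shared), sorted(shared)[:examples]))
    return sorted(rows, key=lambda r: -r[2])


def non_overlap(mappings, fw_a, fw_b):
    """Techniques mapped in fw_a that no control in fw_b covers (the 'NOT covered' list)."""
    return sorted(framework_techniques(mappings, fw_a) - framework_techniques(mappings, fw_b))
```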