14 frameworks · 127 controls
Framework crosswalk
14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.
Cells are coloured by the Jaccard similarity of each pair's technique sets. A framework's own cell is left blank, and the EU CRA row and column carry no values in the source data.
| | DORA | ISO 27001 | PCI DSS v4 | CIS v8 | NIS2 | OWASP API Top 10 | OWASP LLM Top 10 | OWASP Top 10 | ISO 27701 | EU AI Act | GDPR | NIST CSF | EU CRA | TIBER-EU |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DORA | – | 0.40 | 0.36 | 0.48 | 0.54 | 0.23 | 0.31 | 0.33 | 0.29 | 0.26 | 0.45 | 0.46 | | 0.19 |
| ISO 27001 | 0.40 | – | 0.33 | 0.53 | 0.44 | 0.30 | 0.29 | 0.34 | 0.28 | 0.25 | 0.40 | 0.36 | | 0.14 |
| PCI DSS v4 | 0.36 | 0.33 | – | 0.41 | 0.41 | 0.33 | 0.35 | 0.33 | 0.39 | 0.40 | 0.30 | 0.33 | | 0.29 |
| CIS v8 | 0.48 | 0.53 | 0.41 | – | 0.54 | 0.33 | 0.33 | 0.39 | 0.29 | 0.30 | 0.51 | 0.48 | | 0.19 |
| NIS2 | 0.54 | 0.44 | 0.41 | 0.54 | – | 0.33 | 0.36 | 0.32 | 0.32 | 0.27 | 0.45 | 0.47 | | 0.22 |
| OWASP API Top 10 | 0.23 | 0.30 | 0.33 | 0.33 | 0.33 | – | 0.36 | 0.35 | 0.26 | 0.20 | 0.25 | 0.31 | | 0.11 |
| OWASP LLM Top 10 | 0.31 | 0.29 | 0.35 | 0.33 | 0.36 | 0.36 | – | 0.39 | 0.39 | 0.31 | 0.37 | 0.39 | | 0.21 |
| OWASP Top 10 | 0.33 | 0.34 | 0.33 | 0.39 | 0.32 | 0.35 | 0.39 | – | 0.28 | 0.27 | 0.31 | 0.35 | | 0.17 |
| ISO 27701 | 0.29 | 0.28 | 0.39 | 0.29 | 0.32 | 0.26 | 0.39 | 0.28 | – | 0.30 | 0.38 | 0.26 | | 0.29 |
| EU AI Act | 0.26 | 0.25 | 0.40 | 0.30 | 0.27 | 0.20 | 0.31 | 0.27 | 0.30 | – | 0.40 | 0.31 | | 0.27 |
| GDPR | 0.45 | 0.40 | 0.30 | 0.51 | 0.45 | 0.25 | 0.37 | 0.31 | 0.38 | 0.40 | – | 0.44 | | 0.21 |
| NIST CSF | 0.46 | 0.36 | 0.33 | 0.48 | 0.47 | 0.31 | 0.39 | 0.35 | 0.26 | 0.31 | 0.44 | – | | 0.18 |
| EU CRA | | | | | | | | | | | | | – | |
| TIBER-EU | 0.19 | 0.14 | 0.29 | 0.19 | 0.22 | 0.11 | 0.21 | 0.17 | 0.29 | 0.27 | 0.21 | 0.18 | | – |
ISO 27001 ↔ NIS2 — 40 shared techniques
| Control A | Control B | Shared | Examples |
|---|---|---|---|
| A.8.16 Monitoring activities | Art. 21(2)(a) Policies on risk analysis and information syste… | 13 | T1078, T1133, T1547, T1068 |
| A.5.7 Threat intelligence | Art. 21(2)(a) Policies on risk analysis and information syste… | 11 | T1547, T1068, T1027, T1036 |
| A.8.16 Monitoring activities | Art. 21(2)(b) Incident handling | 11 | T1078, T1133, T1059, T1036 |
| A.5.7 Threat intelligence | Art. 21(2)(d) Supply chain security | 10 | T1547, T1068, T1027, T1003 |
| A.8.21 Security of network services | Art. 21(2)(f) Policies and procedures to assess the effective… | 10 | T1190, T1078, T1068, T1027 |
| A.8.25 Secure development life cycle | Art. 21(2)(f) Policies and procedures to assess the effective… | 10 | T1190, T1547.001, T1068, T1027 |
| A.8.8 Management of technical vulnerabilities | Art. 21(2)(b) Incident handling | 10 | T1059, T1055, T1027, T1003 |
| A.5.7 Threat intelligence | Art. 21(2)(b) Incident handling | 9 | T1059, T1027, T1036, T1003 |
| A.8.16 Monitoring activities | Art. 21(2)(d) Supply chain security | 9 | T1547, T1068, T1003, T1087 |
| A.8.28 Secure coding | Art. 21(2)(f) Policies and procedures to assess the effective… | 9 | T1190, T1547.001, T1068, T1027 |
| A.8.8 Management of technical vulnerabilities | Art. 21(2)(a) Policies on risk analysis and information syste… | 9 | T1068, T1027, T1003, T1046 |
| A.8.8 Management of technical vulnerabilities | Art. 21(2)(f) Policies and procedures to assess the effective… | 9 | T1190, T1068, T1055, T1027 |
| A.8.9 Configuration management | Art. 21(2)(f) Policies and procedures to assess the effective… | 9 | T1190, T1547.001, T1068, T1003 |
| A.5.7 Threat intelligence | Art. 21(2)(f) Policies and procedures to assess the effective… | 8 | T1190, T1566, T1068, T1027 |
| A.5.7 Threat intelligence | Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity… | 8 | T1566, T1059, T1027, T1003 |
| A.8.16 Monitoring activities | Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity… | 8 | T1078, T1133, T1059, T1003 |
| A.8.23 Web filtering | Art. 21(2)(f) Policies and procedures to assess the effective… | 8 | T1566, T1071.001, T1041, T1027 |
| A.8.26 Application security requirements | Art. 21(2)(a) Policies on risk analysis and information syste… | 8 | T1078, T1068, T1133, T1003 |
| A.8.26 Application security requirements | Art. 21(2)(b) Incident handling | 8 | T1078, T1059, T1055, T1133 |
| A.8.26 Application security requirements | Art. 21(2)(e) Security in network and information systems acq… | 8 | T1190, T1078, T1059, T1068 |
| A.8.26 Application security requirements | Art. 21(2)(f) Policies and procedures to assess the effective… | 8 | T1190, T1078, T1068, T1055 |
| A.8.2 Privileged access rights | Art. 21(2)(a) Policies on risk analysis and information syste… | 8 | T1078, T1003, T1068, T1021 |
| A.8.2 Privileged access rights | Art. 21(2)(b) Incident handling | 8 | T1078, T1003, T1053, T1021 |
| A.8.2 Privileged access rights | Art. 21(2)(d) Supply chain security | 8 | T1003, T1068, T1021, T1087 |
| A.8.2 Privileged access rights | Art. 21(2)(e) Security in network and information systems acq… | 8 | T1078, T1003, T1068, T1053 |
Showing top 25 of 138 control pairs.
Non-overlap: ISO 27001 techniques NOT covered by NIS2 (33)
T1003.003, T1003.005, T1021.002, T1021.003, T1027.011, T1036.001, T1070, T1071.004, T1078.002, T1087.001, T1087.004, T1090, T1098.001, T1110.002, T1136, T1136.003, T1189, T1203, T1204.001, T1526, T1530, T1535, T1537, T1543, T1543.003, T1548.001, T1548.002, T1552.001, T1553.004, T1562.001, T1567, T1573.001, T1574
Source: compliance_mappings (127 controls across 14 frameworks). Each framework's technique set is the union of applicable_techniques over all of its controls, and Jaccard similarity is computed on those sets at exact technique-ID granularity. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.
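The computation behind the matrix, the control-pair drill-down and the non-overlap list, as an added example rather than the crosswalk's own code. The mapping data is a constructed miniature of the compliance_mappings shape (the technique IDs are real ATT&CK IDs from the page, but their assignment to controls is illustrative), and it shows why a sub-technique such as T1003.003 appears as "not covered" even when the other framework maps the parent T1003.

```python
from itertools import combinations

# Constructed sample in the compliance_mappings shape: framework -> control -> applicable_techniques.
# Technique IDs are real ATT&CK IDs; the control-to-technique assignments are illustrative only.
MAPPINGS = {
    "ISO 27001": {
        "A.8.16 Monitoring activities": {"T1078", "T1133", "T1547", "T1068", "T1003.003"},
        "A.5.7 Threat intelligence": {"T1547", "T1068", "T1027", "T1036", "T1070"},
    },
    "NIS2": {
        "Art. 21(2)(a) Policies on risk analysis": {"T1078", "T1133", "T1547", "T1068", "T1003"},
        "Art. 21(2)(b) Incident handling": {"T1078", "T1133", "T1059", "T1036"},
    },
}

def framework_techniques(framework):
    """Union of applicable_techniques over every control of a framework (exact-ID granularity)."""
    return set().union(*MAPPINGS[framework].values())

def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|, rounded to two decimals as the matrix displays it; 0.0 for two empty sets."""
    union = a | b
    return round(len(a & b) / len(union), 2) if union else 0.0

def crosswalk_matrix():
    """Symmetric framework x framework similarity, keyed by the sorted pair of names."""
    return {tuple(sorted(pair)): jaccard(framework_techniques(pair[0]), framework_techniques(pair[1]))
            for pair in combinations(MAPPINGS, 2)}

def control_pairs(fw_a, fw_b, top=25):
    """Control pairs ranked by number of shared techniques, with up to four example IDs per row."""
    rows = []
    for ctrl_a, techs_a in MAPPINGS[fw_a].items():
        for ctrl_b, techs_b in MAPPINGS[fw_b].items():
            shared = techs_a & techs_b
            if shared:
                rows.append((ctrl_a, ctrl_b, len(shared), sorted(shared)[:4]))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows[:top]

def non_overlap(fw_a, fw_b):
    """Techniques in fw_a's set that no fw_b control maps. Matching is by exact ID, so a
    sub-technique (T1003.003) is reported as uncovered even when fw_b maps its parent (T1003)."""
    return sorted(framework_techniques(fw_a) - framework_techniques(fw_b))
```

Calling `non_overlap("ISO 27001", "NIS2")` on this sample returns T1003.003 alongside T1027 and T1070; whether that should count as a gap when the parent technique is covered is a decision the crosswalk's exact-ID rule makes for you.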