14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

NIST CSF ↔ NIS2 — 37 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(f) Policies and procedures to assess the effective…	12	T1078, T1547.001, T1068, T1055
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(a) Policies on risk analysis and information syste…	11	T1547, T1068, T1027, T1003
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(a) Policies on risk analysis and information syste…	9	T1078, T1133, T1068, T1027
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(b) Incident handling	9	T1078, T1133, T1055, T1027
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(d) Supply chain security	9	T1547, T1068, T1027, T1003
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(b) Incident handling	8	T1059, T1027, T1003, T1087
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(f) Policies and procedures to assess the effective…	8	T1190, T1566, T1068, T1027
RESPOND RESPOND (RS) — Take action regarding a detected…	Art. 21(2)(f) Policies and procedures to assess the effective…	8	T1190, T1068, T1070.004, T1021.001
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity…	7	T1078, T1133, T1027, T1003
IDENTIFY IDENTIFY (ID) — Understand organisational cyber…	Art. 21(2)(a) Policies on risk analysis and information syste…	7	T1046, T1087, T1003, T1036
IDENTIFY IDENTIFY (ID) — Understand organisational cyber…	Art. 21(2)(b) Incident handling	7	T1046, T1087, T1003, T1036
IDENTIFY IDENTIFY (ID) — Understand organisational cyber…	Art. 21(2)(d) Supply chain security	7	T1087, T1018, T1003, T1195
IDENTIFY IDENTIFY (ID) — Understand organisational cyber…	Art. 21(2)(i) Human resources security, access control polici…	7	T1046, T1018, T1033, T1003
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity…	7	T1566, T1059, T1027, T1003
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(c) Business continuity and crisis management	6	T1078, T1053.005, T1027, T1021.001
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(d) Supply chain security	6	T1068, T1027, T1003, T1087
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(e) Security in network and information systems acq…	6	T1078, T1068, T1070.004, T1003
IDENTIFY IDENTIFY (ID) — Understand organisational cyber…	Art. 21(2)(e) Security in network and information systems acq…	6	T1087, T1049, T1003, T1190
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(e) Security in network and information systems acq…	6	T1190, T1059, T1068, T1003
RECOVER RECOVER (RC) — Restore assets and operations af…	Art. 21(2)(c) Business continuity and crisis management	6	T1490, T1529, T1498, T1005
RESPOND RESPOND (RS) — Take action regarding a detected…	Art. 21(2)(c) Business continuity and crisis management	6	T1053.005, T1003.001, T1021.001, T1005
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(h) Policies and procedures regarding the use of cr…	5	T1078, T1027, T1003, T1005
GOVERN GOVERN (GV) — Establish and monitor the cyberse…	Art. 21(2)(i) Human resources security, access control polici…	5	T1027, T1003, T1046, T1005
IDENTIFY IDENTIFY (ID) — Understand organisational cyber…	Art. 21(2)(f) Policies and procedures to assess the effective…	5	T1046, T1087, T1003, T1190
PROTECT PROTECT (PR) — Use safeguards to manage cyberse…	Art. 21(2)(h) Policies and procedures regarding the use of cr…	5	T1027, T1003, T1056, T1021

Showing top 25 of 58 control pairs.

Show non-overlap — NIST CSF techniques NOT covered by NIS2 (21)

T1004, T1009, T1011.001, T1014, T1035, T1036.003, T1037.001, T1038, T1048.003, T1059.003, T1070, T1087.001, T1491, T1531, T1552.001, T1561.001, T1561.002, T1562.001, T1565.001, T1566.001, T1595

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.