14 frameworks127 controls

CROSSWALKFramework crosswalk

14 compliance frameworks mapped to ATT&CK. Click a cell to see overlapping controls and shared techniques. Authored by Adam Lundqvist.

Cells coloured by Jaccard similarity of technique sets.

01

	DORA	ISO 27001	PCI DSS v4	CIS v8	NIS2	OWASP API Top 10	OWASP LLM Top 10	OWASP Top 10	ISO 27701	EU AI Act	GDPR	NIST CSF	TIBER-EU
DORA		0.40	0.36	0.48	0.54	0.23	0.31	0.33	0.29	0.26	0.45	0.46	0.19
ISO 27001	0.40		0.33	0.53	0.44	0.30	0.29	0.34	0.28	0.25	0.40	0.36	0.14
PCI DSS v4	0.36	0.33		0.41	0.41	0.33	0.35	0.33	0.39	0.40	0.30	0.33	0.29
CIS v8	0.48	0.53	0.41		0.54	0.33	0.33	0.39	0.29	0.30	0.51	0.48	0.19
NIS2	0.54	0.44	0.41	0.54		0.33	0.36	0.32	0.32	0.27	0.45	0.47	0.22
OWASP API Top 10	0.23	0.30	0.33	0.33	0.33		0.36	0.35	0.26	0.20	0.25	0.31	0.11
OWASP LLM Top 10	0.31	0.29	0.35	0.33	0.36	0.36		0.39	0.39	0.31	0.37	0.39	0.21
OWASP Top 10	0.33	0.34	0.33	0.39	0.32	0.35	0.39		0.28	0.27	0.31	0.35	0.17
ISO 27701	0.29	0.28	0.39	0.29	0.32	0.26	0.39	0.28		0.30	0.38	0.26	0.29
EU AI Act	0.26	0.25	0.40	0.30	0.27	0.20	0.31	0.27	0.30		0.40	0.31	0.27
GDPR	0.45	0.40	0.30	0.51	0.45	0.25	0.37	0.31	0.38	0.40		0.44	0.21
NIST CSF	0.46	0.36	0.33	0.48	0.47	0.31	0.39	0.35	0.26	0.31	0.44		0.18
EU CRA
TIBER-EU	0.19	0.14	0.29	0.19	0.22	0.11	0.21	0.17	0.29	0.27	0.21	0.18

NIS2 ↔ PCI DSS v4 — 28 shared techniques

Clear ✕

Control A	Control B	Shared	Examples
Art. 21(2)(a) Policies on risk analysis and information syste…	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	10	T1078, T1133, T1068, T1003
Art. 21(2)(d) Supply chain security	Requirement 11 Test Security of Systems and Networks Regularly	10	T1547, T1068, T1003, T1087
Art. 21(2)(a) Policies on risk analysis and information syste…	Requirement 11 Test Security of Systems and Networks Regularly	9	T1547, T1068, T1003, T1046
Art. 21(2)(f) Policies and procedures to assess the effective…	Requirement 3 Protect Stored Account Data	9	T1190, T1566, T1547.001, T1068
Art. 21(2)(a) Policies on risk analysis and information syste…	Requirement 10 Log and Monitor All Access to System Components…	8	T1078, T1003, T1087, T1021
Art. 21(2)(b) Incident handling	Requirement 10 Log and Monitor All Access to System Components…	8	T1078, T1055, T1003, T1087
Art. 21(2)(b) Incident handling	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	8	T1078, T1133, T1003, T1046
Art. 21(2)(f) Policies and procedures to assess the effective…	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	8	T1190, T1566, T1078, T1068
Art. 21(2)(j) The use of multi-factor authentication or conti…	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	8	T1078, T1133, T1003, T1056
Art. 21(2)(j) The use of multi-factor authentication or conti…	Requirement 8 Identify Users and Authenticate Access to Syste…	8	T1078, T1133, T1003, T1021
Art. 21(2)(b) Incident handling	Requirement 11 Test Security of Systems and Networks Regularly	7	T1003, T1087, T1046, T1021
Art. 21(2)(d) Supply chain security	Requirement 10 Log and Monitor All Access to System Components…	7	T1003, T1087, T1021, T1005
Art. 21(2)(e) Security in network and information systems acq…	Requirement 11 Test Security of Systems and Networks Regularly	7	T1190, T1068, T1003, T1087
Art. 21(2)(f) Policies and procedures to assess the effective…	Requirement 10 Log and Monitor All Access to System Components…	7	T1190, T1078, T1055, T1003
Art. 21(2)(f) Policies and procedures to assess the effective…	Requirement 11 Test Security of Systems and Networks Regularly	7	T1190, T1068, T1003, T1087
Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity…	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	7	T1566, T1133, T1078, T1003
Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity…	Requirement 8 Identify Users and Authenticate Access to Syste…	7	T1133, T1078, T1098, T1110
Art. 21(2)(a) Policies on risk analysis and information syste…	Requirement 3 Protect Stored Account Data	6	T1068, T1027, T1003, T1005
Art. 21(2)(a) Policies on risk analysis and information syste…	Requirement 8 Identify Users and Authenticate Access to Syste…	6	T1078, T1133, T1003, T1087
Art. 21(2)(b) Incident handling	Requirement 8 Identify Users and Authenticate Access to Syste…	6	T1078, T1133, T1003, T1087
Art. 21(2)(d) Supply chain security	Requirement 3 Protect Stored Account Data	6	T1068, T1027, T1003, T1005
Art. 21(2)(d) Supply chain security	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	6	T1068, T1003, T1021, T1005
Art. 21(2)(e) Security in network and information systems acq…	Requirement 10 Log and Monitor All Access to System Components…	6	T1190, T1078, T1003, T1087
Art. 21(2)(e) Security in network and information systems acq…	Requirement 4 Protect Cardholder Data with Strong Cryptograph…	6	T1190, T1078, T1068, T1003
Art. 21(2)(g) Basic cyber hygiene practices and cybersecurity…	Requirement 10 Log and Monitor All Access to System Components…	6	T1078, T1003, T1087, T1021

Showing top 25 of 50 control pairs.

Show non-overlap — NIS2 techniques NOT covered by PCI DSS v4 (29)

T1003.001, T1003.002, T1012, T1015, T1016, T1021.001, T1033, T1036, T1037, T1047, T1048, T1048.001, T1049, T1053, T1053.005, T1059, T1071.001, T1071.002, T1078.003, T1078.004, T1105, T1114, T1195, T1498, T1529, T1539, T1588.006, T1592, T1595.002

Sourced from cs-graph compliance_mappings (127 controls across 14 frameworks). Jaccard computed from the union of applicable_techniques per control. Refreshed hourly via ISR. Curated by Adam Lundqvist, Founder at SQUR.