Compliance controls

127 controls across 14 compliance frameworks, grouped by framework. For cross-framework Jaccard overlap see /explore/crosswalk. Authored by Adam Lundqvist.

Each table lists the control ID, its title, the catalogue's pentest tag (high, medium or low; blank where a control carries none) and the opening of its summary. Summaries are truncated as on the source page.
DORA (14)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| DORA-Art5 | Governance and organisation | | Financial entities must have an internal governance and control framework that ensures effective and prudent mana… |
| DORA-Art6 | ICT risk management framework | | Financial entities must have a sound, comprehensive and well-documented ICT risk-management framework. The fram… |
| DORA-Art7 | ICT systems, protocols and tools | | Financial entities must use and maintain updated ICT systems, protocols and tools that are appropriate to th… |
| DORA-Art8 | Identification | | Financial entities must identify, classify and adequately document all ICT-supported business functions, roles and responsibil… |
| DORA-Art9 | Protection and prevention | | Financial entities must continuously monitor and control the security and functioning of ICT systems and tools and … |
| DORA-Art10 | Detection | | Financial entities must have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues… |
| DORA-Art11 | Response and recovery | high | Financial entities must put in place a comprehensive ICT business continuity policy, implemented through dedicated, appropriate, and documented arrangements, p… |
| DORA-Art12 | Backup policies and recovery methods | medium | Financial entities must develop and document backup policies and procedures specifying the scope of data subject to backup and the minimum frequency of backups… |
| DORA-Art13 | Learning and evolving | high | Financial entities must have capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-atta… |
| DORA-Art14 | Communication | low | Financial entities must implement communication policies for clients, counterparts and the public regarding ICT-related incidents or vulnerabilities. The polic… |
| DORA-Art17 | ICT-related incident management process | high | Financial entities must establish, document, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents. They… |
| DORA-Art24 | Annual penetration testing | | Financial entities must conduct, at least annually, comprehensive, independent penetration testing of ICT systems… |
| DORA-Art25 | Advanced testing of ICT tools, systems and processes based on TLPT | high | Financial entities, other than microenterprises, that are identified as significant must carry out at least every three years advanced testing by means of TLPT… |
| DORA-Art28 | General principles for ICT third-party risk | medium | Financial entities must manage ICT third-party risk as an integral component of ICT risk within their ICT risk-management framework. They must adopt and regula… |
ISO 27001 (14)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| ISO27001-A.5.7 | Threat intelligence | high | Information relating to information security threats shall be collected and analysed to produce threat intelligence. Theme: Organisational controls. (Full guid… |
| ISO27001-A.5.23 | Information security for use of cloud services | high | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organisation's information security require… |
| ISO27001-A.8.2 | Privileged access rights | high | The allocation and use of privileged access rights shall be restricted and managed. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.2.) |
| ISO27001-A.8.5 | Secure authentication | high | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control… |
| ISO27001-A.8.8 | Management of technical vulnerabilities | high | Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evalu… |
| ISO27001-A.8.9 | Configuration management | high | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and re… |
| ISO27001-A.8.16 | Monitoring activities | high | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incident… |
| ISO27001-A.8.21 | Security of network services | high | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. Theme: Technological controls.… |
| ISO27001-A.8.23 | Web filtering | medium | Access to external websites shall be managed to reduce exposure to malicious content. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.23.) |
| ISO27001-A.8.24 | Use of cryptography | high | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. Theme: Technological controls. (Full gui… |
| ISO27001-A.8.25 | Secure development life cycle | high | Rules for the secure development of software and systems shall be established and applied. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8… |
| ISO27001-A.8.26 | Application security requirements | high | Information security requirements shall be identified, specified and approved when developing or acquiring applications. Theme: Technological controls. (Full g… |
| ISO27001-A.8.28 | Secure coding | high | Secure coding principles shall be applied to software development. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.28.) |
| ISO27001-A.8.29 | Security testing in development and acceptance | high | Security testing processes shall be defined and implemented in the development life cycle. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8… |
PCI DSS v4 (12)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| PCI_DSS_v4-R1 | Install and Maintain Network Security Controls | high | Network security controls (NSCs), such as firewalls and other network security technologies, are network policy enforcement points that typically control netwo… |
| PCI_DSS_v4-R2 | Apply Secure Configurations to All System Components | high | Malicious individuals (external and internal) often use default passwords and other vendor default settings to compromise systems. Apply secure configurations … |
| PCI_DSS_v4-R3 | Protect Stored Account Data | high | Protection methods such as encryption, truncation, masking, and hashing are critical components of account data protection. If an intruder circumvents other se… |
| PCI_DSS_v4-R4 | Protect Cardholder Data with Strong Cryptography During Transmission | high | Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks an… |
| PCI_DSS_v4-R5 | Protect All Systems and Networks from Malicious Software | medium | Malicious software (malware) is software designed to infiltrate or damage a computer system without the owner's knowledge or consent. Anti-malware mechanisms m… |
| PCI_DSS_v4-R6 | Develop and Maintain Secure Systems and Software | high | Bespoke and custom software used in the cardholder data environment must be developed securely. Software-development processes shall incorporate security consi… |
| PCI_DSS_v4-R7 | Restrict Access to System Components and Cardholder Data by Business Need to Know | high | To ensure critical data can only be accessed by authorised personnel, systems and processes must be in place to limit access based on need to know and accordin… |
| PCI_DSS_v4-R8 | Identify Users and Authenticate Access to System Components | high | Two fundamental principles of identifying and authenticating users are to (1) establish the identity of an individual or process and (2) verify the user or pro… |
| PCI_DSS_v4-R9 | Restrict Physical Access to Cardholder Data | low | Any physical access to data or systems that store, process, or transmit cardholder data provides the opportunity for individuals to access devices or data, and… |
| PCI_DSS_v4-R10 | Log and Monitor All Access to System Components and Cardholder Data | high | Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimising the impact of a data compromise. The presence … |
| PCI_DSS_v4-R11 | Test Security of Systems and Networks Regularly | high | Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, … |
| PCI_DSS_v4-R12 | Support Information Security with Organizational Policies and Programs | medium | A strong security policy sets the security tone for the whole entity and lets personnel know what is expected of them. All personnel should be aware of the sen… |
CIS v8 (11)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| CIS_v8-1 | Inventory and Control of Enterprise Assets | medium | Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devi… |
| CIS_v8-2 | Inventory and Control of Software Assets | medium | Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorised software is installed … |
| CIS_v8-3 | Data Protection | high | Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. |
| CIS_v8-4 | Secure Configuration of Enterprise Assets and Software | high | Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devic… |
| CIS_v8-5 | Account Management | high | Use processes and tools to assign and manage authorisation to credentials for user accounts, including administrator accounts, as well as service accounts, to … |
| CIS_v8-6 | Access Control Management | high | Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise as… |
| CIS_v8-7 | Continuous Vulnerability Management | high | Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and min… |
| CIS_v8-8 | Audit Log Management | medium | Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. |
| CIS_v8-13 | Network Monitoring and Defense | high | Operate processes and tooling to establish and maintain comprehensive network monitoring and defence against security threats across the enterprise's network i… |
| CIS_v8-16 | Application Software Security | high | Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact… |
| CIS_v8-18 | Penetration Testing | high | Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and s… |
NIS2 (10)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| NIS2-Art21a | Policies on risk analysis and information system security | high | Essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the se… |
| NIS2-Art21b | Incident handling | high | Essential and important entities must implement incident handling measures, covering detection, analysis, containment, eradication, recovery, and post-incident… |
| NIS2-Art21c | Business continuity and crisis management | medium | Essential and important entities must implement business continuity measures, such as backup management and disaster recovery, and crisis management arrangemen… |
| NIS2-Art21d | Supply chain security | high | Essential and important entities must implement supply chain security measures, including security-related aspects concerning the relationships between each en… |
| NIS2-Art21e | Security in network and information systems acquisition, development and maintenance | high | Essential and important entities must implement security in the acquisition, development, and maintenance of network and information systems, including vulnera… |
| NIS2-Art21f | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | high | Essential and important entities must establish policies and procedures to assess the effectiveness of cybersecurity risk-management measures. This includes re… |
| NIS2-Art21g | Basic cyber hygiene practices and cybersecurity training | medium | Essential and important entities must implement basic cyber hygiene practices and cybersecurity training. This includes user awareness programs, secure passwor… |
| NIS2-Art21h | Policies and procedures regarding the use of cryptography | high | Essential and important entities must implement policies and procedures regarding the use of cryptography and, where appropriate, encryption. This includes key… |
| NIS2-Art21i | Human resources security, access control policies and asset management | high | Essential and important entities must implement human resources security measures, access control policies, and asset management. This covers identity and acce… |
| NIS2-Art21j | The use of multi-factor authentication or continuous authentication solutions | high | Essential and important entities must implement the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text co… |
OWASP API Top 10 (10)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| OWASP_API_TOP10-API01 | Broken Object Level Authorization (BOLA) | high | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for Object Level Access Control issues. Object-level authorisation… |
| OWASP_API_TOP10-API02 | Broken Authentication | high | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assum… |
| OWASP_API_TOP10-API03 | Broken Object Property Level Authorization (BOPLA) | high | Lack of or improper authorisation validation at the object property level. Leads to information exposure or manipulation by unauthorised parties (excessive dat… |
| OWASP_API_TOP10-API04 | Unrestricted Resource Consumption | high | Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources, such as emails/SMS/phone calls or biometrics v… |
| OWASP_API_TOP10-API05 | Broken Function Level Authorization (BFLA) | high | Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to … |
| OWASP_API_TOP10-API06 | Unrestricted Access to Sensitive Business Flows | high | APIs vulnerable to this risk expose a business flow, such as buying a ticket or posting a comment, without compensating for how the functionality could harm th… |
| OWASP_API_TOP10-API07 | Server-Side Request Forgery (SSRF) | high | SSRF flaws occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send… |
| OWASP_API_TOP10-API08 | Security Misconfiguration | high | APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customisable. Software and DevOps engineers can miss… |
| OWASP_API_TOP10-API09 | Improper Inventory Management | high | APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and… |
| OWASP_API_TOP10-API10 | Unsafe Consumption of APIs | high | Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. To compromise APIs, attacker… |
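The API01 and API05 rows above name the two authorisation failures a tester walks first: an object ID the server never ties to its owner, and an administrative function guarded only by its URL. The Python below is an added example written for this page, not code from OWASP or from any product the catalogue covers; the invoice store, the `Principal` type, the handler names and the ID range are all constructed for illustration. It puts the BOLA handler beside its fix and includes the enumeration loop a pentester would run against both.

```python
"""Object- and function-level authorisation (OWASP API01 / API05).

Added example, not code from OWASP or from the catalogue's source. The
invoice store, the Principal type and the handler names are constructed.
"""
from dataclasses import dataclass, replace


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: str
    amount_cents: int
    voided: bool = False


# Constructed sample data: sequential IDs make the object space trivial to walk.
INVOICES = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 45_000),
    1003: Invoice(1003, "alice", 3_000),
}


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated, but ownership is never checked, so
    any session can read every tenant's invoices by incrementing the ID."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice(caller: Principal, invoice_id: int) -> Invoice:
    """Fixed: the decision is made on the stored object's owner, not on
    anything the client sent. Foreign and missing objects both answer
    NotFound, so the response does not reveal which IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller.user_id:
        raise NotFound(invoice_id)
    return inv


def void_invoice(caller: Principal, invoice_id: int) -> Invoice:
    """Administrative action: function-level check first (API05), then the
    object lookup, then the state change. A plain user holding a valid ID
    is still refused."""
    if "finance_admin" not in caller.roles:
        raise Forbidden("void_invoice requires the finance_admin role")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    INVOICES[invoice_id] = replace(inv, voided=True)
    return INVOICES[invoice_id]


def enumerate_ids(handler, caller: Principal, id_range) -> list:
    """What a tester does with one low-privilege session: walk an ID range
    and record which objects come back. Against the vulnerable handler this
    returns every invoice; against the fixed one only the caller's own."""
    found = []
    for invoice_id in id_range:
        try:
            handler(caller, invoice_id)
        except (NotFound, Forbidden):
            continue
        found.append(invoice_id)
    return found


if __name__ == "__main__":
    bob = Principal("bob")
    print("vulnerable:", enumerate_ids(get_invoice_vulnerable, bob, range(1000, 1010)))
    print("fixed:     ", enumerate_ids(get_invoice, bob, range(1000, 1010)))
```

Two details in the fixed handler matter in practice: the ownership check reads `owner_id` from the stored object, never from the request, and a foreign object returns the same `NotFound` as a missing one, because a distinct 403 would tell the tester exactly which IDs exist. For list endpoints the same rule belongs in the query (`WHERE owner_id = ?`) rather than in a post-filter over rows the database already returned.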
OWASP LLM Top 10 (10)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| OWASP_LLM_TOP10-LLM01 | Prompt Injection | high | Prompt injection vulnerabilities occur when user prompts alter the LLM's behaviour or output in unintended ways. These inputs can affect the model even if they… |
| OWASP_LLM_TOP10-LLM02 | Sensitive Information Disclosure | high | LLMs can expose sensitive information through their outputs, including personally identifiable information (PII), proprietary algorithms, confidential business… |
| OWASP_LLM_TOP10-LLM03 | Supply Chain | high | LLM supply chains are vulnerable to integrity failures, particularly in training data, models, and deployment platforms. Risks include compromised pretrained m… |
| OWASP_LLM_TOP10-LLM04 | Data and Model Poisoning | high | Data and model poisoning attacks occur when an attacker manipulates the pretraining, fine-tuning, or embedding data of the LLM to introduce vulnerabilities, ba… |
| OWASP_LLM_TOP10-LLM05 | Improper Output Handling | high | Improper output handling occurs when LLM-generated output is passed downstream to other systems without validation, sanitisation, or context-aware escaping. Th… |
| OWASP_LLM_TOP10-LLM06 | Excessive Agency | high | Excessive agency arises when LLM-based systems are granted excessive functionality, permissions, or autonomy. Damaging actions can occur in response to unexpec… |
| OWASP_LLM_TOP10-LLM07 | System Prompt Leakage | high | System prompts contain configuration, instructions, and sometimes sensitive data (credentials, internal endpoints, business logic) that should not be exposed. … |
| OWASP_LLM_TOP10-LLM08 | Vector and Embedding Weaknesses | high | Vulnerabilities in vector databases and embedding stores used by RAG applications. Includes unauthorised access to embedding stores, cross-tenant data leakage … |
| OWASP_LLM_TOP10-LLM09 | Misinformation | medium | LLMs can generate plausible-but-false outputs (hallucinations) that downstream consumers rely upon. The risk increases when the LLM is used for high-stakes dec… |
| OWASP_LLM_TOP10-LLM10 | Unbounded Consumption | high | Unbounded consumption refers to model invocations that consume excessive resources, such as compute, memory, tokens, or external API quota, leading to denial of serv… |
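LLM05 and LLM06 above share one root cause: text the model produced is handed to a downstream system as if it were trusted. The gate below is an added example written for this page, not code from OWASP or from the catalogue's source; the tool registry, the JSON tool-call shape, the `granted` set and the sample outputs are constructed for illustration. It treats a model-emitted tool call exactly like any other untrusted request (strict parse, allow-list, schema check, permission check, human confirmation for side effects) and escapes model text before it reaches a browser.

```python
"""Gate for LLM-produced tool calls (OWASP LLM05 / LLM06).

Added example, not code from OWASP or from the catalogue's source. The tool
registry, the JSON tool-call shape and the sample outputs are constructed.
"""
import html
import json
from dataclasses import dataclass


class Rejected(Exception):
    """Raised for any model output the application refuses to act on."""


@dataclass(frozen=True)
class Tool:
    name: str
    params: dict            # parameter name -> required Python type
    needs_confirmation: bool = False


# Constructed registry: the model can only name tools that exist here.
TOOLS = {
    "search_docs": Tool("search_docs", {"query": str}),
    "send_email": Tool("send_email", {"to": str, "body": str}, needs_confirmation=True),
}


def parse_tool_call(raw: str) -> dict:
    """Model output is untrusted input: parse it strictly, never eval/exec it,
    and refuse anything but one JSON object with exactly 'tool' and 'args'."""
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise Rejected(f"not JSON: {exc.msg}")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise Rejected("expected an object with exactly 'tool' and 'args'")
    if not isinstance(call["tool"], str) or not isinstance(call["args"], dict):
        raise Rejected("'tool' must be a string and 'args' an object")
    return call


def authorise_tool_call(call: dict, granted: frozenset, confirmed: bool = False) -> Tool:
    """Least agency: the tool must exist, must be in the set granted to this
    user and task, its arguments must match the schema exactly (no extra
    keys the model invented), and side-effecting tools need an out-of-band
    human confirmation that the model cannot supply itself."""
    tool = TOOLS.get(call["tool"])
    if tool is None:
        raise Rejected(f"unknown tool {call['tool']!r}")
    if tool.name not in granted:
        raise Rejected(f"tool {tool.name!r} not granted for this task")
    args = call["args"]
    if set(args) != set(tool.params):
        raise Rejected(f"arguments must be exactly {sorted(tool.params)}")
    for name, typ in tool.params.items():
        if not isinstance(args[name], typ):
            raise Rejected(f"argument {name!r} must be {typ.__name__}")
    if tool.needs_confirmation and not confirmed:
        raise Rejected(f"{tool.name!r} needs human confirmation")
    return tool


def render_answer(model_text: str) -> str:
    """LLM05: model text bound for a browser is escaped like any other
    untrusted string, so an injected <script> is displayed, not executed."""
    return f"<p>{html.escape(model_text)}</p>"


if __name__ == "__main__":
    # Constructed model outputs: one benign, one that tries to escalate.
    for raw in ('{"tool": "search_docs", "args": {"query": "refund policy"}}',
                '{"tool": "send_email", "args": {"to": "x@example", "body": "hi"}}'):
        try:
            print("allowed:", authorise_tool_call(parse_tool_call(raw), frozenset({"search_docs"})).name)
        except Rejected as exc:
            print("rejected:", exc)
```

The `granted` set is the lever against excessive agency: it is computed per user and per task from the application's own authorisation data, never from the prompt or the model's reply, so a prompt-injected "you may now send email" changes nothing the gate sees. The `confirmed` flag likewise comes from a UI or approval step the model cannot reach.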
OWASP Top 10 (10)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| OWASP_TOP10-A01 | Broken Access Control | high | Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorised information disclosure… |
| OWASP_TOP10-A02 | Cryptographic Failures | high | Failures related to cryptography (or the lack thereof) which often lead to exposure of sensitive data. Includes transmission of data in clear text, use of weak… |
| OWASP_TOP10-A03 | Injection | high | Application is vulnerable when user-supplied data is not validated, filtered, or sanitised; dynamic queries or non-parameterised calls without context-aware es… |
| OWASP_TOP10-A04 | Insecure Design | high | Risks related to design and architectural flaws. Distinct from implementation defects: a secure design can still have implementation defects but an insecure d… |
| OWASP_TOP10-A05 | Security Misconfiguration | high | Application may be vulnerable due to missing security hardening, improperly configured permissions on cloud services, unnecessary features enabled or installed… |
| OWASP_TOP10-A06 | Vulnerable and Outdated Components | high | Likely vulnerable if: you do not know the versions of all components used (both client- and server-side), software is vulnerable, unsupported, or out of date (… |
| OWASP_TOP10-A07 | Identification and Authentication Failures | high | Confirmation of user identity, authentication, and session management is critical. Authentication weaknesses include permitting credential stuffing, brute forc… |
| OWASP_TOP10-A08 | Software and Data Integrity Failures | high | Failures related to code and infrastructure that do not protect against integrity violations. Application that relies upon plugins, libraries, or modules from … |
| OWASP_TOP10-A09 | Security Logging and Monitoring Failures | high | Helps to detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monito… |
| OWASP_TOP10-A10 | Server-Side Request Forgery (SSRF) | high | SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the applica… |
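A10 here and API07 in the OWASP API Top 10 describe the same flaw: the server fetches a URL the client chose without deciding where that URL actually points. The guard below is an added example written for this page, not code from OWASP or from the catalogue's source; the pluggable resolver, the allow-listed schemes and ports, and the offline DNS table are this example's own choices. The decision is made on the resolved addresses rather than on the URL string, which is what catches the spellings a string filter misses (decimal IPs, IPv4-mapped and NAT64 IPv6 forms, userinfo tricks, and hostnames that resolve to RFC 1918 space or to the cloud metadata address).

```python
"""Guard for fetching user-supplied URLs (OWASP A10 / API07).

Added example, not code from OWASP or from the catalogue's source. The
resolver injection, the allow-listed schemes and ports, and the constructed
DNS table are this example's own choices.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
NAT64 = ipaddress.ip_network("64:ff9b::/96")


class UnsafeURL(ValueError):
    """Raised for any URL the fetcher must refuse."""


def system_resolver(host):
    """Every A/AAAA answer from the OS resolver, so a name that mixes public
    and internal records can be refused outright."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Strip a link-local scope id such as "%eth0" before parsing the address.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]


# Constructed DNS answers so the example runs offline; these are not real hosts.
EXAMPLE_DNS = {
    "cdn.example": ["1.1.1.1"],
    "internal.corp": ["10.0.0.5"],
    "rebind.example": ["8.8.8.8", "127.0.0.1"],  # one public and one loopback answer
}


def table_resolver(host):
    return [ipaddress.ip_address(a) for a in EXAMPLE_DNS.get(host, [])]


def is_public(addr) -> bool:
    """Judge the address the socket would really reach: unwrap IPv4-mapped
    (::ffff:a.b.c.d) and NAT64 (64:ff9b::a.b.c.d) forms first. is_global
    already refuses RFC 1918, loopback, link-local (which covers the
    169.254.169.254 metadata endpoint), CGNAT and documentation ranges."""
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        elif addr in NAT64:
            addr = ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)
    return addr.is_global


def vet_url(url: str, resolver=system_resolver):
    """Return (hostname, port, pinned_ip) for a URL that is safe to fetch, or
    raise UnsafeURL. The caller connects to pinned_ip, not to the name, so a
    second lookup at connect time cannot be rebound to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL (the http://trusted@evil/ trick)")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")
    try:
        addrs = [ipaddress.ip_address(host)]   # literal address: no lookup needed
    except ValueError:
        addrs = resolver(host)                 # name: judge what it resolves to
    if not addrs:
        raise UnsafeURL(f"{host!r} does not resolve")
    for addr in addrs:
        if not is_public(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    return host, port, str(addrs[0])


def is_safe_url(url: str, resolver=system_resolver) -> bool:
    try:
        vet_url(url, resolver)
        return True
    except UnsafeURL:
        return False
```

Two things the check cannot do on its own: the HTTP client must actually connect to the returned `pinned_ip` while sending the hostname in the Host header and SNI (otherwise a short-TTL record can be rebound between check and connect), and automatic redirect-following must be off so that `vet_url` is re-run on every hop, since a 302 to `http://169.254.169.254/` is the usual way past a check that only looked at the first URL.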
ISO 27701 (8)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| ISO27701-A.7.2.1 | Identify and document the purpose | medium | The organisation should identify and document the specific purposes for which the PII will be processed. The legal basis for the processing should be documente… |
| ISO27701-A.7.2.2 | Identify lawful basis | medium | The organisation should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes. For each processin… |
| ISO27701-A.7.3.1 | Determining and fulfilling obligations to PII principals | medium | The organisation should determine and document its legal, regulatory and contractual obligations to PII principals related to the processing of their PII and p… |
| ISO27701-A.7.3.6 | Access, correction and/or erasure | high | The organisation should implement policies, procedures and mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII. Th… |
| ISO27701-A.7.4.1 | Limit collection | high | The organisation should limit the collection of PII to the minimum necessary for the identified purposes. Data minimisation must be enforced at the application… |
| ISO27701-A.7.4.5 | PII de-identification and deletion at the end of processing | high | The organisation should either delete PII or render it in a form which does not permit identification or re-identification of PII principals, as soon as the or… |
| ISO27701-A.7.5.1 | Identify basis for PII transfer between jurisdictions | medium | The organisation should identify and document the relevant basis for transfers of PII between jurisdictions. Where applicable transfer mechanisms (adequacy dec… |
| ISO27701-A.8.2.1 | Customer agreement (processor) | low | The organisation should ensure, where relevant, that a contract or other documented agreement with the customer addresses the protection of PII. The agreement … |
AI Act (7)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| AI_ACT-Art9 | Risk management system | high | A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems. It shall consist of a continuous ite… |
| AI_ACT-Art10 | Data and data governance | medium | High-risk AI systems making use of techniques involving training of models with data shall be developed on the basis of training, validation and testing data s… |
| AI_ACT-Art12 | Record keeping | high | High-risk AI systems shall technically allow for the automatic recording of events (logs) over the duration of the lifetime of the system. The logging capabili… |
| AI_ACT-Art14 | Human oversight | medium | High-risk AI systems shall be designed and developed in such a way that they can be effectively overseen by natural persons during the period in which they are… |
| AI_ACT-Art15 | Accuracy, robustness and cybersecurity | high | High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and perfo… |
| AI_ACT-Art72 | Post-market monitoring by providers | medium | Providers shall establish and document a post-market monitoring system. The post-market monitoring system shall actively and systematically collect, document a… |
| AI_ACT-Art73 | Reporting of serious incidents | high | Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States wher… |
GDPR (6)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| GDPR-Art5 | Principles relating to processing of personal data | high | Personal data shall be: (a) processed lawfully, fairly and in a transparent manner; (b) collected for specified, explicit and legitimate purposes; (c) adequate… |
| GDPR-Art25 | Data protection by design and by default | high | The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technic… |
| GDPR-Art32 | Security of processing | | Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of … |
| GDPR-Art33 | Notification of a personal data breach to the supervisory authority | medium | In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, n… |
| GDPR-Art34 | Communication of a personal data breach to the data subject | medium | When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal d… |
| GDPR-Art35 | Data protection impact assessment | medium | Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, car… |
NIST CSF (6)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| NIST_CSF-GV | GOVERN (GV): Establish and monitor the cybersecurity risk management strategy | low | The organisation's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored. GOVERN provides outcomes to i… |
| NIST_CSF-ID | IDENTIFY (ID): Understand organisational cybersecurity risk | medium | The organisation's current cybersecurity risks are understood. Identifying assets, suppliers, and related cybersecurity risks enables an organisation to focus … |
| NIST_CSF-PR | PROTECT (PR): Use safeguards to manage cybersecurity risks | high | Safeguards to manage the organisation's cybersecurity risks are used. Once assets and risks are identified and prioritised, PROTECT supports the ability to sec… |
| NIST_CSF-DE | DETECT (DE): Find and analyse possible cybersecurity attacks and compromises | high | Possible cybersecurity attacks and compromises are found and analysed. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise,… |
| NIST_CSF-RS | RESPOND (RS): Take action regarding a detected cybersecurity incident | high | Actions regarding a detected cybersecurity incident are taken. RESPOND supports the ability to contain the effects of cybersecurity incidents. |
| NIST_CSF-RC | RECOVER (RC): Restore assets and operations affected by a cybersecurity incident | medium | Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the timely restoration of normal operations to reduce the effects of … |
CRA (5)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| CRA-AnnexI-1 | Essential cybersecurity properties: Confidentiality | high | Products with digital elements must protect the confidentiality of stored, transmitted, or otherwise processed data, personal or other, by encrypting relevant … |
| CRA-AnnexI-2 | Essential cybersecurity properties: Integrity | high | Products with digital elements must protect the integrity of stored, transmitted, or otherwise processed data, commands, programs and configuration against any… |
| CRA-AnnexI-3 | Essential cybersecurity properties: Vulnerability handling | high | Manufacturers must identify and document vulnerabilities and components contained in products, including by drawing up an SBOM, address and remediate vulnerabi… |
| CRA-Art13 | Essential cybersecurity requirements for products with digital elements | high | Products with digital elements must be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks… |
| CRA-Art14 | Reporting obligations of manufacturers | high | Manufacturers must notify ENISA and the competent CSIRT designated as coordinator without undue delay and in any event within 24 hours of becoming aware of any… |
TIBER-EU (4)
| ID | Title | Pentest | Summary |
|---|---|---|---|
| TIBER_EU-Generic | Threat Intelligence-based Ethical Red Teaming | high | TIBER-EU is the European framework for threat intelligence-based ethical red-teaming. It enables financial sector entities to test their cyber resilience by si… |
| TIBER_EU-Preparation | TIBER-EU Preparation Phase | high | The preparation phase establishes the test foundation: scoping the critical functions and supporting infrastructure to be tested, identifying the test manager … |
| TIBER_EU-Testing | TIBER-EU Testing Phase | high | The testing phase comprises threat intelligence (TI) and red team (RT) work. TI providers produce a Targeted Threat Intelligence Report scoping plausible adver… |
| TIBER_EU-Closure | TIBER-EU Closure Phase | high | The closure phase documents findings, develops a remediation plan, validates implementation, and produces the TIBER-EU Test Summary Report submitted to compete… |