Security & compliance frameworks mapped to SecPortal
A practical reference for every major standard, from OWASP and ISO 27001 to PCI DSS, NIST, GDPR, and beyond. Each guide explains the framework and how SecPortal helps you meet it.
No credit card required. Free plan available forever.
OWASP Top 10
Map your security findings to the OWASP Top 10 categories. Track which vulnerabilities have been found, remediated, and verified. Generate compliance reports for stakeholders.
ISO 27001
Run ISO 27001 audits with pre-built Annex A control templates. Mark controls as compliant, non-compliant, or partial. Generate AI-powered compliance summaries and export audit evidence.
ISO 27002
ISO 27002:2022 is the implementation companion to ISO 27001. It describes 93 information security controls across organisational, people, physical, and technological themes, and the attributes that classify each control. This page covers how to read the catalogue, how it maps to ISO 27001 Annex A, and how to evidence control operation in a workspace.
ISO 27017
ISO/IEC 27017:2015 is the cloud-specific extension to ISO 27002. It restates the ISO 27002 controls with cloud-specific implementation guidance and adds seven controls that only exist when an information service is delivered through a cloud relationship. This page covers the structure, the customer and provider responsibility split, and how a workspace records the evidence ISO 27017 expects.
ISO 27018
ISO/IEC 27018:2019 sets out the obligations a public cloud service provider takes on when it processes personally identifiable information on behalf of customers. It layers on top of ISO 27002 and ISO 27017, adding privacy-specific implementation guidance and an annex of additional PII processor controls. This page covers the structure, the controller and processor responsibility split, and how a workspace records the evidence ISO 27018 expects.
ISO 27701
ISO/IEC 27701:2019 is the certifiable extension that turns an ISO 27001 information security management system into a privacy information management system (PIMS). It adds privacy-specific requirements, additional controls, and a controller and processor obligation split that the ISMS does not carry on its own. This page covers the structure, the GDPR cross-walk, and how a workspace records the evidence the PIMS audit expects.
Cyber Essentials
Manage Cyber Essentials and Cyber Essentials Plus assessments with pre-built control templates covering all five technical areas. Track compliance status and generate reports.
Cyber Essentials Plus
Run hands-on Cyber Essentials Plus audits with structured templates aligned to the IASME test specification. Coordinate external vulnerability scans, authenticated workstation tests, malware checks, and remediation tracking from a single platform.
PCI DSS assessment
Run PCI DSS assessments, gap analysis, and risk assessments across all 12 requirements. Map vulnerability findings to specific controls, track remediation with SLAs, and generate compliance reports for QSAs, all from one platform.
NIST SP 800-53
Run NIST 800-53 Rev. 5 assessments against the Low, Moderate, and High baselines. Map vulnerability findings to control families, track remediation against POA&M deadlines, and produce assessor-ready evidence packs from one platform.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is the US federal cloud authorisation programme. Run FedRAMP assessments aligned to NIST SP 800-53 Rev. 5, manage the SSP, SAP, and SAR documents, track POA&M items, run monthly vulnerability scans, and produce evidence packs that 3PAOs and agency reviewers can act on.
NIST Cybersecurity Framework
Map your security controls to the NIST Cybersecurity Framework. Track maturity across the five core functions and generate compliance reports for executive stakeholders.
NIST CSF 2.0
NIST Cybersecurity Framework 2.0 is the February 2024 revision of the NIST CSF. It promotes governance to a first-class core function, restructures the categories and subcategories, replaces the legacy NIST CSF 1.1 critical-infrastructure framing with a sector-agnostic posture, and ships a Profile model and Implementation Examples designed for direct use by AppSec, vulnerability management, GRC, and security leadership functions. This page covers the six functions, the new GOVERN function in operating practice, the four Tiers, the Current and Target Profile model, the Implementation Examples, the Informative References, and the evidence pack a workspace-driven programme keeps in one place.
MITRE ATT&CK
Tag every penetration testing and red team finding with the MITRE ATT&CK tactics and techniques the attacker would use. Track coverage across the kill chain, plan adversary emulation engagements, and produce reports defenders can act on.
DORA
The Digital Operational Resilience Act (Regulation EU 2022/2554) applies to banks, insurers, investment firms, crypto-asset providers, and their critical ICT third parties. Run DORA assessments, coordinate threat-led penetration testing, log major ICT incidents, and produce supervisory-ready evidence from one platform.
NIS2
The NIS2 Directive (EU 2022/2555) raises the cyber baseline across essential and important entities in 18 sectors. Run NIS2 risk assessments, log significant incidents on the 24-hour and 72-hour clocks, manage supply chain security, and produce competent authority evidence from one platform.
CIS Critical Security Controls v8.1
The CIS Critical Security Controls are a prioritised set of defensive actions published by the Center for Internet Security. Run CIS Controls v8.1 assessments across all 18 controls and 153 safeguards, scope by Implementation Group (IG1, IG2, IG3), and produce evidence packs that hold up alongside ISO 27001, NIST CSF, and PCI DSS.
PTES
The Penetration Testing Execution Standard (PTES) defines a complete penetration test from pre-engagement through reporting across seven sections. Run PTES-aligned engagements with pre-engagement records, intelligence gathering tracking, threat modelling notes, exploitation evidence, and final reporting from one platform.
HIPAA Security Rule
Run HIPAA Security Rule risk analysis end-to-end. Map vulnerability findings to Administrative, Physical, and Technical Safeguards under 45 CFR Part 164 Subpart C, track remediation against documented timelines, and produce evidence packs that hold up under an OCR investigation or a HITECH audit.
GDPR
The General Data Protection Regulation (Regulation EU 2016/679) and the UK GDPR set the security baseline for any organisation processing personal data of EU or UK individuals. Run Article 32 security control assessments, coordinate vulnerability assessments and penetration tests, manage Data Protection Impact Assessments, log personal data breaches against the 72-hour clock, and produce supervisory authority evidence from one platform.
Essential Eight
The Essential Eight is the Australian Cyber Security Centre (ACSC) prioritised set of mitigation strategies for protecting internet-connected information technology networks. Run Essential Eight maturity assessments across all eight strategies and Maturity Levels 1, 2, and 3, map vulnerability findings to each strategy, and produce assessor-ready evidence packs from one platform.
SOC 2
Manage SOC 2 assessments with pre-built Trust Services Criteria controls. Track compliance across security, availability, processing integrity, confidentiality, and privacy.
CREST penetration testing
CREST is the international not-for-profit body that accredits cybersecurity service providers and the individuals who work for them. Run CREST-aligned engagements across CHECK, OVS, STAR, and STAR FS scopes with structured scoping, technical execution, peer-reviewed reporting, retests, and assessor-ready evidence from one platform.
TIBER-EU
TIBER-EU is the European Central Bank framework for threat intelligence-based ethical red teaming. It is the methodology national competent authorities and the ECB use to standardise threat-led penetration testing across the European financial system, and it is the reference framework for TLPT under DORA. Run a defensible TIBER-EU test from preparation through closure, with the white team, control team, threat intelligence provider, red team, and supervisor record on a single workflow.
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense compliance regime for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Run CMMC scoping, control implementation, evidence collection, vulnerability scanning, POA&M tracking, and assessor-ready evidence packs aligned to NIST SP 800-171 Rev. 2, NIST SP 800-172, and 32 CFR Part 170 from one workflow.
OWASP ASVS
The OWASP Application Security Verification Standard (ASVS) is the open standard that defines what a verified secure web application looks like, requirement by requirement. Pick a verification level (L1 opportunistic, L2 standard, L3 advanced), test against the named requirements, and produce a verification report that maps findings to ASVS rather than to a generic vulnerability list. SecPortal runs ASVS engagements as structured records with requirement-level traceability from kickoff to verified close.
OWASP MASVS
The OWASP Mobile Application Security Verification Standard (MASVS) is the open standard that defines what a verified secure mobile application looks like, control by control. Pick a verification level (MASVS-L1 standard, MASVS-L2 defence in depth) and the optional resilience set (MASVS-R), test against the named controls, and produce a verification report that maps findings to MASVS rather than to a generic vulnerability list. SecPortal runs MASVS engagements as structured records with control-level traceability across the iOS app, the Android app, and the backend they call.
OSSTMM
The Open Source Security Testing Methodology Manual (OSSTMM), maintained by ISECOM, defines a measurable security test across four channels and ten modules, with an explicit Risk Assessment Values (RAV) calculation that produces a numeric attack surface metric. Run OSSTMM-aligned engagements with structured rules of engagement, channel and module coverage, RAV inputs, and reporting tracked on one record.
NIST SP 800-115
NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, is the United States government reference for how to plan, execute, and report on technical security testing. Run NIST SP 800-115 aligned engagements with structured planning, review evidence, target analysis, validation, exploitation, and reporting tracked on one record.
OWASP SAMM
OWASP SAMM (Software Assurance Maturity Model) is the open framework that measures software security maturity across five business functions and fifteen security practices, on a three-level scale. Run SAMM assessments as structured records, score each practice, build an improvement roadmap, and re-score over time so the maturity claim is a record rather than a one-off slide.
CBEST
CBEST is the Bank of England framework for intelligence-led penetration testing of UK financial entities, run jointly with the Prudential Regulation Authority and the Financial Conduct Authority. The framework uses bespoke threat intelligence and accredited red team providers to test the resilience of systems supporting important business services, then walks the attack path with the defenders during the replay phase. Run a defensible CBEST engagement from scope through joint debrief and closure on a single record, with the white team, control group, threat intelligence provider, and red team provider tracked as one workflow rather than a folder of PDFs.
IEC 62443
IEC 62443 is the international standard for cybersecurity in industrial automation and control systems. Run IEC 62443 assessments across the asset owner, the system integrator, and the product supplier roles: scope zones and conduits, set target security levels, evidence the seven foundational requirements, track manual and authenticated test findings, and produce assessor-ready evidence packs from one workflow.
NIST SP 800-171
NIST Special Publication 800-171 is the US federal control set for protecting Controlled Unclassified Information (CUI) in non-federal systems. Run NIST 800-171 self-assessments and assessor-led assessments end-to-end: scope the boundary, implement the 110 security requirements, capture evidence, manage POA&M items, score against the DoD Assessment Methodology, and submit to the Supplier Performance Risk System (SPRS) from one workflow.
HITRUST CSF
Run HITRUST CSF programmes end-to-end. Build the factor profile, complete readiness against the tailored requirement set, score evidence across the PRISMA maturity model, manage the External Assessor engagement, and produce the MyCSF submission and post-certification evidence pack from one workflow.
SWIFT Customer Security Programme
The SWIFT Customer Security Programme (CSP) requires every SWIFT user to attest annually against the Customer Security Controls Framework. Most user types must back the attestation with an independent assessment. Run CSCF assessments, coordinate independent assessor work, track mandatory and advisory controls, and produce KYC-SA-ready evidence from one platform.
EU Cyber Resilience Act
Regulation (EU) 2024/2847 raises the cybersecurity baseline for products with digital elements placed on the EU market. Run CRA conformity work, manage essential cybersecurity requirements, handle vulnerabilities across the support period, and produce ENISA-ready incident reports from one workspace.
NCSC CAF
The NCSC Cyber Assessment Framework (CAF) is the UK National Cyber Security Centre framework used to assess organisations responsible for essential services and digital infrastructure. The CAF is structured around four objectives, fourteen principles, and thirty-nine contributing outcomes, each evaluated against indicators of good practice. Run a defensible CAF assessment from scoping through evidence, gap analysis, and remediation tracking on one workspace, with the assessor, the cyber regulator, and the in-scope service operator working from the same engagement record rather than parallel spreadsheets.
OWASP API Security Top 10
The OWASP API Security Top 10 is the open list of the most critical risks specific to APIs, maintained by the Open Worldwide Application Security Project. The 2023 edition replaces the 2019 list and shifts the centre of gravity towards authorisation, business logic abuse, and API consumption risk. SecPortal runs API security testing engagements as structured records, with findings mapped to API1 through API10 alongside CVSS 3.1 vectors and CWE identifiers.
SEC Cybersecurity Disclosure
The SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules require US-listed registrants to file Form 8-K Item 1.05 within four business days of determining a cybersecurity incident is material, and to disclose risk management processes and board oversight in Form 10-K Item 106. Run the materiality determination, the disclosure narrative, and the supporting audit trail from one workspace.
APRA CPS 234
Prudential Standard CPS 234 obligates APRA-regulated entities to maintain information security capability commensurate with the size and extent of threats, identify and classify information assets, implement controls (including against third-party-managed assets), and notify APRA of material information security incidents within 72 hours. This page covers the structure of CPS 234, the obligations under each section, the evidence APRA expects, and how a workspace records it.
HKMA C-RAF
The Hong Kong Monetary Authority Cyber Resilience Assessment Framework, currently at version 2.0, sets the cyber resilience expectation for Authorised Institutions in Hong Kong. C-RAF runs in three sequential phases (inherent risk, maturity, and intelligence-led testing) under the wider Cyber Fortification Initiative, with iCAST applied to the highest-tier institutions. This page covers the structure, the maturity domains, the iCAST profile, and the evidence pack a workspace-driven cycle keeps in one place.
MAS TRM
The Monetary Authority of Singapore Technology Risk Management Guidelines set the technology and cyber risk expectations for MAS-regulated financial institutions, with the Notice on Cyber Hygiene providing the legally binding baseline. This page covers the four pillars, the cyber security control areas, the testing and adversarial exercise cadence, and the evidence pack a workspace-driven programme keeps in one place.
FFIEC
The Federal Financial Institutions Examination Council coordinates examination policy across the OCC, the Federal Reserve, the FDIC, the NCUA, and the CFPB. The FFIEC IT Examination Handbook and the Cybersecurity Assessment Tool (CAT) are the working framework federal banking examiners use to read the cybersecurity programme. This page covers the booklets, the CAT inherent risk and maturity model, the testing and adversarial exercise cadence, the Computer Security Incident Notification Rule, and the evidence pack a workspace-driven programme keeps in one place.
RBI Cyber Security Framework
The Reserve Bank of India sets cyber security expectations across the regulated financial population through the 2016 Cyber Security Framework in Banks circular, the Master Direction on IT Governance, Risk, Controls and Assurance Practices effective 1 April 2024, and the Master Direction on Information Technology Governance and Information Risk Management for NBFCs. This page covers the tier classification, the cyber security policy, the Cyber Crisis Management Plan, VAPT cadence, CSITE examination, the CERT-In incident reporting timeline, and the evidence pack a workspace-driven programme keeps in one place.
CISA Secure by Design
CISA Secure by Design is the principles-based framework the Cybersecurity and Infrastructure Security Agency uses to shift the burden of cyber risk from software customers to software manufacturers. This page covers the three principles, the seven goals of the public Secure by Design Pledge, the manufacturer and customer responsibility split, the relationship to NIST SSDF, and how a workspace records the evidence the framework expects.
NIST AI Risk Management Framework
The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) is the voluntary, sector-agnostic framework US federal agencies, regulated buyers, and enterprise AI programmes read against when they need to evidence trustworthy AI. This page covers the four core functions (GOVERN, MAP, MEASURE, MANAGE), the seven characteristics of trustworthy AI, the Generative AI Profile (NIST AI 600-1), the Playbook companion, the Profile model, and the audit evidence a workspace-driven AI risk programme is expected to produce.
Continuous Threat Exposure Management (CTEM)
CTEM is the programme model Gartner uses to describe how mature security organisations move from a backlog of vulnerabilities to a continuous, business-aligned exposure reduction programme. This page covers the five stages (Scoping, Discovery, Prioritisation, Validation, Mobilisation), how CTEM differs from risk-based vulnerability management, attack surface management, and threat and vulnerability management, the operating cadence, the evidence pack a CTEM cycle keeps, and how a workspace-driven approach turns the model into a programme rather than a slide deck.
CISA Cybersecurity Performance Goals
The CISA Cybersecurity Performance Goals (CPGs) are a voluntary, prioritised subset of cybersecurity practices CISA publishes for owners and operators across the sixteen critical infrastructure sectors and any organisation that wants a defensible baseline. CPGs v2.0 reorganises the goals against the NIST CSF 2.0 functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) and rates each goal on cost, complexity, and impact. This page covers the goal set, the NIST CSF 2.0 mapping, the cross-sector versus sector-specific split, the audit evidence each goal expects, and where CPGs sit alongside NIST CSF 2.0, CIS Controls, and the wider cybersecurity baseline regime.
COSO ERM
COSO Enterprise Risk Management (Integrating with Strategy and Performance, 2017) is the enterprise risk framework boards, audit committees, and senior leadership read against. This page covers the five components, the twenty principles, how cyber risk and information security work map into the framework, the operating cadence, the audit evidence the framework expects, and where COSO ERM sits alongside ISO 31000, NIST CSF 2.0, FAIR, and the wider risk regime.
NIST SP 800-161r1
NIST Special Publication 800-161 Revision 1 (May 2022, with the 2024 IPD update on AI considerations) is the federal cybersecurity supply chain risk management framework. It defines the C-SCRM strategy, the C-SCRM plan, the supplier risk management policy, the integration of supply chain risk with NIST SP 800-39 enterprise risk management and NIST SP 800-37 risk management framework, and the security controls in NIST SP 800-53 Rev. 5 that carry the supply chain risk implications. This page covers the three operating tiers, the C-SCRM artefact set, the SR control family in 800-53, the evidence the framework expects, and where 800-161r1 sits alongside SLSA, SSDF, SBOM, EU CRA, and the wider supply chain risk regime.
ISO/IEC 29147
ISO/IEC 29147:2018 (Information technology, Security techniques, Vulnerability disclosure) is the international standard for the external-facing half of vulnerability disclosure. It describes how a vendor receives reports from finders, communicates through the case lifecycle, coordinates where relevant, and publishes the advisory. The standard pairs with ISO/IEC 30111 (Vulnerability handling processes), and is the international anchor that the EU Cyber Resilience Act, the CISA Coordinated Vulnerability Disclosure model, the FIRST PSIRT Services Framework, and the US federal disclosure mandates inherit from. This page covers the five-phase disclosure lifecycle, the policy artefact set, the failure modes the standard surfaces, the relationship with adjacent regimes, and the audit-grade evidence pack the programme produces.
ISO/IEC 30111
ISO/IEC 30111:2019 (Information technology, Security techniques, Vulnerability handling processes) is the international standard for the internal-handling half of vulnerability disclosure. It describes how a vendor that has received a vulnerability report (or surfaced one through internal discovery) operates the internal triage, the root-cause analysis, the fix development, the regression testing, and the release-readiness sign-off that produce the remediation the disclosure record commits to. The standard pairs with ISO/IEC 29147 (Vulnerability disclosure), which covers the externally facing half. It is the operating reference the EU Cyber Resilience Act, the CISA Coordinated Vulnerability Disclosure model, the FIRST PSIRT Services Framework, and the ISO/IEC 27001 Annex A control set read against. This page covers the four-phase handling cycle, the policy and operating-record set, the failure modes the standard surfaces, the relationship with adjacent regimes, and the audit-grade evidence pack the programme produces.
ISO/IEC 27035
ISO/IEC 27035 (Information technology, Security techniques, Information security incident management) is the international standard for the discipline of security incident management as operated inside an information security management system. It is published in three parts: Part 1 names the principles and the five-phase cycle, Part 2 covers planning and preparation, and Part 3 covers ICT incident response operations once an incident is in flight. The standard pairs with ISO/IEC 30111 (vulnerability handling) and ISO/IEC 29147 (vulnerability disclosure) to form the international incident-and-disclosure trio, and it is the operating reference behind the policy and control discipline that ISO/IEC 27001 Annex A 5.24 through 5.30 names. This page covers the five-phase cycle, the operating-record artefact set, the failure modes the standard surfaces, the relationship with NIS2, DORA, SOC 2, PCI DSS, HIPAA, the SEC rule, and NIST SP 800-61, and the audit-grade evidence pack the programme produces.
Track compliance from one workspace
Map findings to your frameworks, generate audit-ready evidence, and ship reports clients trust.