Frameworks

Security & compliance frameworks
mapped to SecPortal

A practical reference for every major standard, from OWASP and ISO 27001 to PCI DSS, NIST, GDPR, and beyond. Each guide explains the framework and how SecPortal helps you meet it.

No credit card required. Free plan available forever.

OWASP Top 10

Map your security findings to the OWASP Top 10 categories. Track which vulnerabilities have been found, remediated, and verified. Generate compliance reports for stakeholders.

ISO 27001

Run ISO 27001 audits with pre-built Annex A control templates. Mark controls as compliant, non-compliant, or partial. Generate AI-powered compliance summaries and export audit evidence.

ISO 27002

ISO 27002:2022 is the implementation companion to ISO 27001. It describes 93 information security controls across organisational, people, physical, and technological themes, and the attributes that classify each control. This page covers how to read the catalogue, how it maps to ISO 27001 Annex A, and how to evidence control operation in a workspace.

ISO 27017

ISO/IEC 27017:2015 is the cloud-specific extension to ISO 27002. It restates the ISO 27002 controls with cloud-specific implementation guidance and adds seven controls that only exist when an information service is delivered through a cloud relationship. This page covers the structure, the customer and provider responsibility split, and how a workspace records the evidence ISO 27017 expects.

ISO 27018

ISO/IEC 27018:2019 sets out the obligations a public cloud service provider takes on when it processes personally identifiable information on behalf of customers. It layers on top of ISO 27002 and ISO 27017, adding privacy-specific implementation guidance and an annex of additional PII processor controls. This page covers the structure, the controller and processor responsibility split, and how a workspace records the evidence ISO 27018 expects.

ISO 27701

ISO/IEC 27701:2019 is the certifiable extension that turns an ISO 27001 information security management system into a privacy information management system (PIMS). It adds privacy-specific requirements, additional controls, and a controller and processor obligation split that the ISMS does not carry on its own. This page covers the structure, the GDPR cross-walk, and how a workspace records the evidence the PIMS audit expects.

Cyber Essentials

Manage Cyber Essentials and Cyber Essentials Plus assessments with pre-built control templates covering all five technical areas. Track compliance status and generate reports.

Cyber Essentials Plus

Run hands-on Cyber Essentials Plus audits with structured templates aligned to the IASME test specification. Coordinate external vulnerability scans, authenticated workstation tests, malware checks, and remediation tracking from a single platform.

PCI DSS assessment

Run PCI DSS assessments, gap analysis, and risk assessments across all 12 requirements. Map vulnerability findings to specific controls, track remediation with SLAs, and generate compliance reports for QSAs, all from one platform.

NIST SP 800-53

Run NIST 800-53 Rev. 5 assessments against the Low, Moderate, and High baselines. Map vulnerability findings to control families, track remediation against POA&M deadlines, and produce assessor-ready evidence packs from one platform.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is the US federal cloud authorisation programme. Run FedRAMP assessments aligned to NIST SP 800-53 Rev. 5, manage the SSP, SAP, and SAR documents, track POA&M items, run monthly vulnerability scans, and produce evidence packs that 3PAOs and agency reviewers can act on.

NIST Cybersecurity Framework

Map your security controls to the NIST Cybersecurity Framework. Track maturity across the five core functions and generate compliance reports for executive stakeholders.

NIST CSF 2.0

NIST Cybersecurity Framework 2.0 is the February 2024 revision of the NIST CSF. It promotes governance to a first-class core function, restructures the categories and subcategories, replaces the legacy NIST CSF 1.1 critical-infrastructure framing with a sector-agnostic posture, and ships a Profile model and Implementation Examples designed for direct use by AppSec, vulnerability management, GRC, and security leadership functions. This page covers the six functions, the new GOVERN function in operating practice, the four Tiers, the Current and Target Profile model, the Implementation Examples, the Informative References, and the evidence pack a workspace-driven programme keeps in one place.

MITRE ATT&CK

Tag every penetration testing and red team finding with the MITRE ATT&CK tactics and techniques the attacker would use. Track coverage across the kill chain, plan adversary emulation engagements, and produce reports defenders can act on.

DORA

The Digital Operational Resilience Act (Regulation EU 2022/2554) applies to banks, insurers, investment firms, crypto-asset providers, and their critical ICT third parties. Run DORA assessments, coordinate threat-led penetration testing, log major ICT incidents, and produce supervisory-ready evidence from one platform.

NIS2

The NIS2 Directive (EU 2022/2555) raises the cyber baseline across essential and important entities in 18 sectors. Run NIS2 risk assessments, log significant incidents on the 24-hour and 72-hour clocks, manage supply chain security, and produce competent authority evidence from one platform.

CIS Critical Security Controls v8.1

The CIS Critical Security Controls are a prioritised set of defensive actions published by the Center for Internet Security. Run CIS Controls v8.1 assessments across all 18 controls and 153 safeguards, scope by Implementation Group (IG1, IG2, IG3), and produce evidence packs that hold up alongside ISO 27001, NIST CSF, and PCI DSS.

PTES

The Penetration Testing Execution Standard (PTES) defines a complete penetration test from pre-engagement through reporting across seven sections. Run PTES-aligned engagements with pre-engagement records, intelligence gathering tracking, threat modelling notes, exploitation evidence, and final reporting from one platform.

HIPAA Security Rule

Run HIPAA Security Rule risk analysis end-to-end. Map vulnerability findings to Administrative, Physical, and Technical Safeguards under 45 CFR Part 164 Subpart C, track remediation against documented timelines, and produce evidence packs that hold up under an OCR investigation or a HITECH audit.

GDPR

The General Data Protection Regulation (Regulation EU 2016/679) and the UK GDPR set the security baseline for any organisation processing personal data of EU or UK individuals. Run Article 32 security control assessments, coordinate vulnerability assessments and penetration tests, manage Data Protection Impact Assessments, log personal data breaches against the 72-hour clock, and produce supervisory authority evidence from one platform.

Essential Eight

The Essential Eight is the Australian Cyber Security Centre's (ACSC) prioritised set of mitigation strategies for protecting internet-connected information technology networks. Run Essential Eight maturity assessments across all eight strategies and Maturity Levels 1, 2, and 3, map vulnerability findings to each strategy, and produce assessor-ready evidence packs from one platform.

SOC 2

Manage SOC 2 assessments with pre-built Trust Services Criteria controls. Track compliance across security, availability, processing integrity, confidentiality, and privacy.

CREST penetration testing

CREST is the international not-for-profit body that accredits cybersecurity service providers and the individuals who work for them. Run CREST-aligned engagements across CHECK, OVS, STAR, and STAR-FS scopes with structured scoping, technical execution, peer-reviewed reporting, retests, and assessor-ready evidence from one platform.

TIBER-EU

TIBER-EU is the European Central Bank framework for threat intelligence-based ethical red teaming. It is the methodology national competent authorities and the ECB use to standardise threat-led penetration testing across the European financial system, and it is the reference framework for TLPT under DORA. Run a defensible TIBER-EU test from preparation through closure, with the white team, control team, threat intelligence provider, red team, and supervisor record on a single workflow.

CMMC 2.0

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the US Department of Defense compliance regime for contractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Run CMMC scoping, control implementation, evidence collection, vulnerability scanning, POA&M tracking, and assessor-ready evidence packs aligned to NIST SP 800-171 Rev. 2, NIST SP 800-172, and 32 CFR Part 170 from one workflow.

OWASP ASVS

The OWASP Application Security Verification Standard (ASVS) is the open standard that defines what a verified secure web application looks like, requirement by requirement. Pick a verification level (L1 opportunistic, L2 standard, L3 advanced), test against the named requirements, and produce a verification report that maps findings to ASVS rather than to a generic vulnerability list. SecPortal runs ASVS engagements as structured records with requirement-level traceability from kickoff to verified close.

OWASP MASVS

The OWASP Mobile Application Security Verification Standard (MASVS) is the open standard that defines what a verified secure mobile application looks like, control by control. Pick a verification level (MASVS-L1 standard, MASVS-L2 defence in depth) and the optional resilience set (MASVS-R), test against the named controls, and produce a verification report that maps findings to MASVS rather than to a generic vulnerability list. SecPortal runs MASVS engagements as structured records with control-level traceability across the iOS app, the Android app, and the backend they call.

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM), maintained by ISECOM, defines a measurable security test across four channels and ten modules, with an explicit Risk Assessment Values (RAV) calculation that produces a numeric attack surface metric. Run OSSTMM-aligned engagements with structured rules of engagement, channel and module coverage, RAV inputs, and reporting tracked on one record.

NIST SP 800-115

NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, is the United States government reference for how to plan, execute, and report on technical security testing. Run NIST SP 800-115 aligned engagements with structured planning, review evidence, target analysis, validation, exploitation, and reporting tracked on one record.

OWASP SAMM

OWASP SAMM (Software Assurance Maturity Model) is the open framework that measures software security maturity across five business functions and fifteen security practices, on a three-level scale. Run SAMM assessments as structured records, score each practice, build an improvement roadmap, and re-score over time so the maturity claim is a record rather than a one-off slide.

BSIMM

BSIMM (Building Security In Maturity Model) is the long-running descriptive study of the activities that software security programmes actually run across a pool of participating organisations. Run BSIMM measurement cycles as structured records: catalogue the activities, capture the evidence per activity, score per-practice prevalence, compare against the study average, plan activity additions, and re-measure on annual cadence so the comparative position is a record rather than a one-off slide.

OWASP DSOMM

OWASP DSOMM (DevSecOps Maturity Model) measures the maturity of a DevSecOps programme across four dimensions and sixteen sub-dimensions, on a four-level scale. Run DSOMM assessments as structured records, score each sub-dimension, build the pipeline improvement roadmap, and re-score over time so the maturity claim is a record rather than a one-off slide.

CBEST

CBEST is the Bank of England framework for intelligence-led penetration testing of UK financial entities, run jointly with the Prudential Regulation Authority and the Financial Conduct Authority. The framework uses bespoke threat intelligence and accredited red team providers to test the resilience of systems supporting important business services, then walks the attack path with the defenders during the replay phase. Run a defensible CBEST engagement from scope through joint debrief and closure on a single record, with the white team, control group, threat intelligence provider, and red team provider tracked as one workflow rather than a folder of PDFs.

IEC 62443

IEC 62443 is the international standard for cybersecurity in industrial automation and control systems. Run IEC 62443 assessments across the asset owner, the system integrator, and the product supplier roles: scope zones and conduits, set target security levels, evidence the seven foundational requirements, track manual and authenticated test findings, and produce assessor-ready evidence packs from one workflow.

NIST SP 800-171

NIST Special Publication 800-171 is the US federal control set for protecting Controlled Unclassified Information (CUI) in non-federal systems. Run NIST 800-171 self-assessments and assessor-led assessments end-to-end: scope the boundary, implement the 110 security requirements, capture evidence, manage POA&M items, score against the DoD Assessment Methodology, and submit to the Supplier Performance Risk System (SPRS) from one workflow.

HITRUST CSF

Run HITRUST CSF programmes end-to-end. Build the factor profile, complete readiness against the tailored requirement set, score evidence across the PRISMA maturity model, manage the External Assessor engagement, and produce the MyCSF submission and post-certification evidence pack from one workflow.

SWIFT Customer Security Programme

The SWIFT Customer Security Programme (CSP) requires every SWIFT user to attest annually against the Customer Security Controls Framework. Most user types must back the attestation with an independent assessment. Run CSCF assessments, coordinate independent assessor work, track mandatory and advisory controls, and produce KYC-SA-ready evidence from one platform.

EU Cyber Resilience Act

Regulation (EU) 2024/2847 raises the cybersecurity baseline for products with digital elements placed on the EU market. Run CRA conformity work, manage essential cybersecurity requirements, handle vulnerabilities across the support period, and produce ENISA-ready incident reports from one workspace.

NCSC CAF

The NCSC Cyber Assessment Framework (CAF) is the UK National Cyber Security Centre framework used to assess organisations responsible for essential services and digital infrastructure. The CAF is structured around four objectives, fourteen principles, and thirty-nine contributing outcomes, each evaluated against indicators of good practice. Run a defensible CAF assessment from scoping through evidence, gap analysis, and remediation tracking on one workspace, with the assessor, the cyber regulator, and the in-scope service operator working from the same engagement record rather than parallel spreadsheets.

OWASP API Security Top 10

The OWASP API Security Top 10 is the open list of the most critical risks specific to APIs, maintained by the Open Worldwide Application Security Project. The 2023 edition replaces the 2019 list and shifts the centre of gravity towards authorisation, business logic abuse, and API consumption risk. SecPortal runs API security testing engagements as structured records, with findings mapped to API1 through API10 alongside CVSS 3.1 vectors and CWE identifiers.

SEC Cybersecurity Disclosure

The SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules require US-listed registrants to file Form 8-K Item 1.05 within four business days of determining a cybersecurity incident is material, and to disclose risk management processes and board oversight in Form 10-K Item 106. Run the materiality determination, the disclosure narrative, and the supporting audit trail from one workspace.

APRA CPS 234

Prudential Standard CPS 234 obligates APRA-regulated entities to maintain information security capability commensurate with the size and extent of threats, identify and classify information assets, implement controls (including against third-party-managed assets), and notify APRA of material information security incidents within 72 hours. This page covers the structure of CPS 234, the obligations under each section, the evidence APRA expects, and how a workspace records it.

HKMA C-RAF

The Hong Kong Monetary Authority Cyber Resilience Assessment Framework, currently at version 2.0, sets the cyber resilience expectation for Authorised Institutions in Hong Kong. C-RAF runs in three sequential phases (inherent risk, maturity, and intelligence-led testing) under the wider Cyber Fortification Initiative, with iCAST applied to the highest-tier institutions. This page covers the structure, the maturity domains, the iCAST profile, and the evidence pack a workspace-driven cycle keeps in one place.

MAS TRM

The Monetary Authority of Singapore Technology Risk Management Guidelines set the technology and cyber risk expectations for MAS-regulated financial institutions, with the Notice on Cyber Hygiene providing the legally binding baseline. This page covers the four pillars, the cyber security control areas, the testing and adversarial exercise cadence, and the evidence pack a workspace-driven programme keeps in one place.

FFIEC

The Federal Financial Institutions Examination Council coordinates examination policy across the OCC, the Federal Reserve, the FDIC, the NCUA, and the CFPB. The FFIEC IT Examination Handbook and the Cybersecurity Assessment Tool (CAT) are the working framework federal banking examiners use to read the cybersecurity programme. This page covers the booklets, the CAT inherent risk and maturity model, the testing and adversarial exercise cadence, the Computer Security Incident Notification Rule, and the evidence pack a workspace-driven programme keeps in one place.

RBI Cyber Security Framework

The Reserve Bank of India sets cyber security expectations across the regulated financial population through the 2016 Cyber Security Framework in Banks circular, the Master Direction on IT Governance, Risk, Controls and Assurance Practices effective 1 April 2024, and the Master Direction on Information Technology Governance and Information Risk Management for NBFCs. This page covers the tier classification, the cyber security policy, the Cyber Crisis Management Plan, VAPT cadence, CSITE examination, the CERT-In incident reporting timeline, and the evidence pack a workspace-driven programme keeps in one place.

CISA Secure by Design

CISA Secure by Design is the principles-based framework the Cybersecurity and Infrastructure Security Agency uses to shift the burden of cyber risk from software customers to software manufacturers. This page covers the three principles, the seven goals of the public Secure by Design Pledge, the manufacturer and customer responsibility split, the relationship to NIST SSDF, and how a workspace records the evidence the framework expects.

NIST AI Risk Management Framework

The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) is the voluntary, sector-agnostic framework US federal agencies, regulated buyers, and enterprise AI programmes read against when they need to evidence trustworthy AI. This page covers the four core functions (GOVERN, MAP, MEASURE, MANAGE), the seven characteristics of trustworthy AI, the Generative AI Profile (NIST AI 600-1), the Playbook companion, the Profile model, and the audit evidence a workspace-driven AI risk programme is expected to produce.

Continuous Threat Exposure Management (CTEM)

CTEM is the programme model Gartner uses to describe how mature security organisations move from a backlog of vulnerabilities to a continuous, business-aligned exposure reduction programme. This page covers the five stages (Scoping, Discovery, Prioritisation, Validation, Mobilisation), how CTEM differs from risk-based vulnerability management, attack surface management, and threat and vulnerability management, the operating cadence, the evidence pack a CTEM cycle keeps, and how a workspace-driven approach turns the model into a programme rather than a slide deck.

CISA Cybersecurity Performance Goals

The CISA Cybersecurity Performance Goals (CPGs) are a voluntary, prioritised subset of cybersecurity practices CISA publishes for owners and operators across the sixteen critical infrastructure sectors and any organisation that wants a defensible baseline. CPGs v2.0 reorganises the goals against the NIST CSF 2.0 functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) and rates each goal on cost, complexity, and impact. This page covers the goal set, the NIST CSF 2.0 mapping, the cross-sector versus sector-specific split, the audit evidence each goal expects, and where CPGs sit alongside NIST CSF 2.0, CIS Controls, and the wider cybersecurity baseline regime.

COSO ERM

COSO Enterprise Risk Management (Integrating with Strategy and Performance, 2017) is the enterprise risk framework boards, audit committees, and senior leadership read against. This page covers the five components, the twenty principles, how cyber risk and information security work map into the framework, the operating cadence, the audit evidence the framework expects, and where COSO ERM sits alongside ISO 31000, NIST CSF 2.0, FAIR, and the wider risk regime.

NIST SP 800-161r1

NIST Special Publication 800-161 Revision 1 (May 2022, with the 2024 IPD update on AI considerations) is the federal cybersecurity supply chain risk management framework. It defines the C-SCRM strategy, the C-SCRM plan, the supplier risk management policy, the integration of supply chain risk with NIST SP 800-39 enterprise risk management and NIST SP 800-37 risk management framework, and the security controls in NIST SP 800-53 Rev. 5 that carry the supply chain risk implications. This page covers the three operating tiers, the C-SCRM artefact set, the SR control family in 800-53, the evidence the framework expects, and where 800-161r1 sits alongside SLSA, SSDF, SBOM, EU CRA, and the wider supply chain risk regime.

ISO/IEC 29147

ISO/IEC 29147:2018 (Information technology, Security techniques, Vulnerability disclosure) is the international standard for the external-facing half of vulnerability disclosure. It describes how a vendor receives reports from finders, communicates through the case lifecycle, coordinates where relevant, and publishes the advisory. The standard pairs with ISO/IEC 30111 (Vulnerability handling processes), and is the international anchor that the EU Cyber Resilience Act, the CISA Coordinated Vulnerability Disclosure model, the FIRST PSIRT Services Framework, and the US federal disclosure mandates inherit from. This page covers the five-phase disclosure lifecycle, the policy artefact set, the failure modes the standard surfaces, the relationship with adjacent regimes, and the audit-grade evidence pack the programme produces.

ISO/IEC 30111

ISO/IEC 30111:2019 (Information technology, Security techniques, Vulnerability handling processes) is the international standard for the internal-handling half of vulnerability disclosure. It describes how a vendor that has received a vulnerability report (or surfaced one through internal discovery) operates the internal triage, the root-cause analysis, the fix development, the regression testing, and the release-readiness sign-off that produce the remediation the disclosure record commits to. The standard pairs with ISO/IEC 29147 (Vulnerability disclosure), which covers the externally facing half. It is the operating reference the EU Cyber Resilience Act, the CISA Coordinated Vulnerability Disclosure model, the FIRST PSIRT Services Framework, and the ISO/IEC 27001 Annex A control set read against. This page covers the four-phase handling cycle, the policy and operating-record set, the failure modes the standard surfaces, the relationship with adjacent regimes, and the audit-grade evidence pack the programme produces.

ISO/IEC 27035

ISO/IEC 27035 (Information technology, Security techniques, Information security incident management) is the international standard for the discipline of security incident management as operated inside an information security management system. It is published in three parts: Part 1 names the principles and the five-phase cycle, Part 2 covers planning and preparation, and Part 3 covers ICT incident response operations once an incident is in flight. The standard pairs with ISO/IEC 30111 (vulnerability handling) and ISO/IEC 29147 (vulnerability disclosure) to form the international incident-and-disclosure trio, and it is the operating reference behind the policy and control discipline that ISO/IEC 27001 Annex A 5.24 through 5.30 names. This page covers the five-phase cycle, the operating-record artefact set, the failure modes the standard surfaces, the relationship with NIS2, DORA, SOC 2, PCI DSS, HIPAA, the SEC rule, and NIST SP 800-61, and the audit-grade evidence pack the programme produces.

ISO/IEC 42001

ISO/IEC 42001:2023 (Information technology, Artificial intelligence, Management system) is the international management system standard for AI. Published December 2023, it specifies the requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) inside an organisation that uses, develops, or provides AI systems. The standard is certifiable, in the same shape as ISO/IEC 27001 for information security. This page covers the seven management-system clauses, the Annex A controls (A.2 through A.10), the AI roles the standard names, the failure modes recurring across early adoptions, the relationship with adjacent regimes (NIST AI RMF, ISO/IEC 23894, EU AI Act, ISO/IEC 27001, SOC 2, OWASP AI security lists), and the audit-grade evidence the certification body reads against.

NIST SP 800-207

NIST SP 800-207 (Zero Trust Architecture) is the authoritative reference standard for Zero Trust, published by NIST in August 2020. It defines Zero Trust as a set of design principles for an enterprise cybersecurity architecture that moves the defensive perimeter away from network locations and onto users, assets, and resources. This page covers the seven tenets, the three logical components (Policy Engine, Policy Administrator, Policy Enforcement Point), the trust algorithm inputs, the three core deployment approaches, the variations (Device Agent/Gateway, Enclave Gateway, Resource Portal, Application Sandboxing), the threats specific to ZTA, the relationship with the CISA Zero Trust Maturity Model and OMB M-22-09, and the audit-grade evidence a Zero Trust programme keeps in one operating record.

CSA Cloud Controls Matrix

The Cloud Security Alliance Cloud Controls Matrix (CCM) is the cloud-native control framework most enterprise security programmes converge on for cloud security. CCM v4 organises around 200 control specifications across 17 domains, paired with the CAIQ v4 assessment questionnaire and the CSA STAR registry. This page covers the 17 domains, the shared responsibility model, the assessment and registry mechanics, adoption signals and pitfalls, cross-walks to ISO 27001 / 27017 / 27018, SOC 2, NIST SP 800-53, FedRAMP, and PCI DSS, and the audit-grade evidence a CCM programme keeps in one operating record.

OWASP WSTG

The OWASP Web Security Testing Guide (WSTG) is the consensus-driven manual for testing web applications. WSTG v4.2 is organised into 11 testing categories with hundreds of individual WSTG-IDs, each describing how to test for a specific class of weakness, what evidence to collect, and how to interpret the result. WSTG is the technique reference that pairs with ASVS as the verification standard, CVSS as the severity language, and OWASP Top 10 as the risk taxonomy. This page covers the 11 categories, the WSTG-ID structure, how WSTG sits next to ASVS, OWASP Top 10, PTES, NIST SP 800-115, and OSSTMM, the buyer-side reporting expectations, and the audit-grade evidence a WSTG-aligned engagement keeps in one operating record.

NIST SSDF

The NIST Secure Software Development Framework (SSDF), published as NIST SP 800-218 v1.1, is the consensus reference for what a software producer is expected to do across the development lifecycle. SSDF is the framework behind EO 14028 federal software supply chain expectations, the CISA Secure Software Development Attestation form (CISA SSDA), and the procurement reads buyers run against vendors. This page covers the four practice groups (PO, PS, PW, RV), the 19 practices and 42 tasks they decompose into, how SSDF sits next to OWASP SAMM, BSIMM, SLSA, SBOM, and ISO 27001, the audit evidence the framework expects, and how a workspace-driven approach turns SSDF into a defensible operating record rather than a one-off questionnaire.

NIST SP 800-218A

NIST SP 800-218A, published April 2024, extends the NIST Secure Software Development Framework (SP 800-218) to generative AI and dual-use foundation models. The Community Profile preserves the PO, PS, PW, RV practice-group structure of the baseline SSDF and adds AI-specific tasks underneath each group, so producers of generative AI software operate the baseline SSDF and SP 800-218A together on the same operating record. This page covers the practice-group extensions, the evidence the profile expects, where SP 800-218A sits next to ISO/IEC 42001, NIST AI RMF, OWASP AISVS, the OWASP LLM Top 10, the EU AI Act, and the CISA SSDA, the recurring adoption pitfalls, the procurement read, and how a workspace-driven approach turns SP 800-218A into a defensible record rather than a marketing claim.

NIST SP 800-37

NIST Special Publication 800-37 Revision 2 (December 2018) is the seven-step Risk Management Framework (RMF) federal agencies, FedRAMP cloud service providers, defence contractors, and regulated enterprises operate against. This page covers the seven steps (Prepare, Categorise, Select, Implement, Assess, Authorise, Monitor), the FIPS 199 impact categorisation, the named roles and artefacts (SSP, SAR, POA&M, ADD), how RMF sits next to NIST CSF 2.0, NIST SP 800-53, FedRAMP, and CMMC, the recurring failure modes, the audit evidence the framework expects, and how a workspace-driven approach turns RMF into a defensible operating record rather than a stack of disconnected documents.

FAIR (Factor Analysis of Information Risk)

Factor Analysis of Information Risk (FAIR) is the most widely adopted quantitative cyber risk methodology and the model most enterprise programmes converge on when they need to express cyber risk in financial terms. FAIR is maintained by the FAIR Institute and the Open Group (Open FAIR, the certified analyst stream), is referenced by NIST and ISO, and is methodology-only: it works in spreadsheets, commercial CRQ platforms, and open-source Monte Carlo libraries. This page covers the FAIR ontology, the FAIR Lite variant, the inputs a programme has to feed the model, the audit and board evidence the methodology produces, how FAIR sits next to ISO 31000, NIST SP 800-30, COSO ERM, and NIST AI RMF, and how to run FAIR against an operating security record rather than against a snapshot.

ISO 31000

ISO 31000:2018 (Risk management: Guidelines) is the international standard for enterprise risk management. It is not a certifiable standard, and it does not prescribe a quantification method. Instead, it sets the principles, the framework, and the process every mature enterprise risk programme reads against, and it is the umbrella that ISO 27005, NIST SP 800-30, COSO ERM, NIST AI RMF, and FAIR all reference. This page covers the eight ISO 31000 principles, the seven framework components, the six process steps, the named artefacts, how ISO 31000 sits next to ISO 27005, NIST 800-30, COSO ERM, and FAIR, and how to run an ISO 31000 risk programme on the same operating record the rest of the security programme produces.

NIST SP 800-30

NIST Special Publication 800-30 Revision 1 is the federal guide to conducting risk assessments for information systems and the organisations that operate them. This page covers the four-step assessment process (Prepare, Conduct, Communicate, Maintain), the threat source taxonomy (adversarial, accidental, structural, environmental), the risk factor decomposition, the qualitative, semi-quantitative, and quantitative analytical approaches, how 800-30 sits next to NIST SP 800-39, NIST SP 800-37 (RMF), NIST SP 800-53, ISO 27001, ISO 27005, ISO 31000, FAIR, and COSO ERM, the recurring failure modes, the audit evidence the methodology expects, and how a workspace-driven approach turns 800-30 into a defensible operating record rather than a stack of disconnected assessments.

ISO/IEC 27005

ISO/IEC 27005:2022 (Information security, cybersecurity and privacy protection: Guidance on managing information security risks) is the dedicated ISO standard for information security risk management. It is not a certifiable standard. Instead, it supplies the methodology that satisfies the ISO 27001 clauses 6.1.2 and 6.1.3 risk assessment and risk treatment requirements. This page covers the 27005:2022 process (context establishment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance, communication and consultation, recording, monitoring and review), the event-based and asset-based identification methods, the risk criteria the standard expects, the audit evidence ISO 27001 certifiers read against, where 27005 sits next to ISO 27001, ISO 31000, NIST SP 800-30, FAIR, and COSO ERM, and how a workspace-driven approach turns 27005 into a defensible operating record rather than a stack of disconnected assessments.

OWASP MASTG

The OWASP Mobile Application Security Testing Guide (MASTG) is the consensus-driven manual for testing iOS and Android applications. MASTG is the procedure reference that pairs with MASVS as the verification standard, with the OWASP Mobile Top 10 as the risk taxonomy, with the OWASP API Security Top 10 for the backend the mobile app calls, and with CVSS as the severity language. This page covers the MASVS-aligned chapter map (STORAGE, CRYPTO, AUTH, NETWORK, PLATFORM, CODE, RESILIENCE, PRIVACY), the MASTG-TEST identifier structure, the static, dynamic, network, and resilience profiles, how MASTG sits next to MASVS, WSTG, the Mobile Top 10, the API Security Top 10, PTES, and NIST SP 800-115, the buyer-side reporting expectations, and the audit-grade evidence a MASTG-aligned mobile engagement holds in one operating record.

CIS Benchmarks

CIS Benchmarks are 100+ prescriptive configuration hardening guides published by the Center for Internet Security. Each benchmark names the exact settings, registry keys, configuration values, and audit commands an operator can run to evidence a defensible baseline against a specific operating system, cloud account, container platform, network device, mobile platform, or database. This page covers what the CIS Benchmarks are, how they differ from the CIS Critical Security Controls, how Level 1 and Level 2 profiles work, how the benchmark catalogue maps to the standard scanner stack, the evidence layout auditors expect, and how a workspace-driven approach turns benchmark assessment into a continuous record rather than a once-a-year snapshot.

NIST SP 800-66 Revision 2

NIST Special Publication 800-66 Revision 2 (February 2024) is the implementation companion to the HIPAA Security Rule. The guide replaces SP 800-66 Rev. 1 (October 2008) and maps the Administrative, Physical, and Technical Safeguards under 45 CFR Part 164 Subpart C to NIST SP 800-53 Revision 5 control families. This page covers the five implementation steps the guide expects (risk assessment, identifying reasonable and appropriate measures, implementing measures, documenting implementation, maintaining continuous security assurance), the safeguard-to-control mapping per 164.308, 164.310, 164.312, 164.314, and 164.316, the recurring failure modes covered entities and business associates hit during the OCR audit protocol, the audit evidence the implementation produces, and how a workspace-driven approach turns SP 800-66 into a defensible operating record rather than a static document the OCR investigator cannot reconcile with the live posture.

COBIT 2019

COBIT 2019 is the ISACA enterprise framework for the governance and management of information and technology. The 2018 to 2019 update replaced COBIT 5 with a modular, tailored model built around 40 governance and management objectives, eleven design factors, and a performance management scheme based on capability and maturity levels. This page covers the five domains (EDM, APO, BAI, DSS, MEA), the 40 objectives with the security-specific objectives called out, the design factor analysis used to tailor the governance system, the performance management scheme, the audit evidence the framework produces, and how COBIT 2019 sits alongside NIST CSF 2.0, ISO 27001, COSO ERM, ITIL 4, and SOC 2 in an enterprise governance stack.

CSA STAR

CSA STAR (Security, Trust, Assurance, and Risk) is the Cloud Security Alliance assurance programme against which cloud providers publish their security posture, and which enterprise buyers consult when screening a provider longlist during procurement. STAR sits on top of the CSA Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ). It ships three levels (Level 1 self-assessment, Level 2 third-party certification or attestation, Level 3 continuous self-assessment) that map onto progressively higher assurance commitments and that buyers, regulators, and audit committees read against critical-vendor relationships. This page covers the three levels, the registry mechanics, the dimensions that separate one level from the next, the buyer-side and provider-side operating shape, the failure modes that erode registry trust, the evidence pack STAR Level 2 reads against, the operating cadence from scope to a Level 2 entry, and the cross-walk to ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2, NIST SP 800-53, FedRAMP, PCI DSS, and the regulator-aligned cloud regimes.

ISO/IEC 27036

ISO/IEC 27036 (Cybersecurity for supplier relationships) is the international standard for information security in supplier relationships. The four parts cover the supplier-relationship vocabulary, the normative requirements across the lifecycle (planning, supplier selection, agreement establishment, agreement management, agreement termination, post-agreement disposal), the ICT supply chain extension, and the cloud-services extension. This page covers the four parts, the six lifecycle phases, the supplier categorisation patterns, the minimum agreement clause set, the acquirer-side evidence pack, the operating cadence, the failure modes, and the cross-walk to NIST SP 800-161, DORA Article 28, NIS2 Article 21(2)(d), SOC 2 CC9.2, HIPAA BAA, the EU Cyber Resilience Act, CSA STAR, ISO/IEC 27017, and ISO/IEC 27001 Annex A 5.19 to 5.23.

ISO/IEC 27031

ISO/IEC 27031 (Guidelines for information and communication technology readiness for business continuity) is the international standard that defines what ICT readiness for business continuity (IRBC) looks like inside a broader business continuity programme. It sits beneath ISO 22301 as the ICT-specific operating companion, names the ten guiding principles IRBC reads against, organises the PIRBC operating model (plan, implement and operate, monitor and review, maintain and improve), and connects RTO, RPO, and MTPD across the business impact analysis and the ICT recovery design. This page covers the standard scope, the ten principles, the PIRBC phases, the alignment of RTO, RPO, and MTPD, the failure scenarios IRBC is designed for, the exercise cadence, the evidence pack, the failure modes, and the cross-walk to ISO 22301, NIST SP 800-34, NIST CSF 2.0 RC.RP, DORA Articles 11 and 12, NIS2 Article 21(2)(c), ISO/IEC 27001 Annex A 5.29 and 5.30, and SOC 2 A1.2 and A1.3.

OWASP AISVS

The OWASP Artificial Intelligence Security Verification Standard (AISVS) is the open standard that defines what a verified secure AI application looks like, control by control. Pick a verification level (AISVS-L1 essential, AISVS-L2 defence in depth, AISVS-L3 high assurance), test against the named controls across training data, model lineage, input handling, output handling, authentication, retrieval-augmented generation, agent action boundaries, memory, monitoring, privacy, supply chain, testing, resilience, and governance, and produce a verification report that maps findings to AISVS rather than to a generic LLM risk list. SecPortal runs AISVS engagements as structured records with control-level traceability across the AI application, the backend it sits inside, the inference surface, and the model supply chain.

OWASP MAS Checklist

The OWASP Mobile Application Security (MAS) Checklist is the third deliverable of the OWASP MAS project alongside MASVS (the verification standard) and MASTG (the testing guide). It is the per-control, per-test row matrix that turns the standard and the testing guide into an auditable artefact: one row per applicable MASVS control, paired to the MASTG tests that exercised it, recorded per platform with a named result, a finding reference, and a coverage and exclusion note. SecPortal operates a MAS Checklist engagement as one structured record across iOS, Android, and the backend the mobile applications call.

NIST SP 800-40

NIST Special Publication 800-40 Revision 4 is the National Institute of Standards and Technology guide for enterprise patch management planning. It frames patching as a planned, measured, and improving operating discipline rather than an opportunistic IT operations task. The publication names five enterprise patching objectives, a seven-step patching cycle (prepare, discover, plan, test, deploy, verify, improve), a severity-to-SLA mapping, an expedited and emergency patching path that handles actively exploited vulnerabilities, an exception discipline that keeps deferred patches governed, and a per-cycle deliverable set that feeds the audit evidence read against ISO 27001 Annex A 8.8, SOC 2 CC7.1, PCI DSS Requirement 6.3.3, NIST SP 800-53 SI-2, NIST CSF 2.0 PR.PS, HIPAA, DORA Article 16, NIS2 Article 21, and CIS Control 7. SecPortal operates an SP 800-40 patching cycle as one structured engagement record across the in-scope asset cohort, the maintenance windows, the per-vulnerability, per-asset findings, and the verification evidence.

OWASP Top 10 for LLM Applications

The OWASP Top 10 for Large Language Model Applications is the OWASP-published ranked list of the most consequential risks for applications that build on large language models. The list is community-curated by the OWASP GenAI Security Project and refreshed on a regular cadence; the 2025 release covers LLM01 prompt injection, LLM02 sensitive information disclosure, LLM03 supply chain, LLM04 data and model poisoning, LLM05 improper output handling, LLM06 excessive agency, LLM07 system prompt leakage, LLM08 vector and embedding weaknesses, LLM09 misinformation, and LLM10 unbounded consumption. SecPortal operates an LLM Top 10 verification engagement as one structured record across the AI application codebase, the model and version under test, the inference endpoint, the retrieval index, the tool catalogue, the backend the AI feature sits inside, and the verification deliverable.

NIST SP 800-61

NIST Special Publication 800-61 (Computer Security Incident Handling Guide) is the United States federal reference for how organisations build and operate an incident response capability. Revision 2 names a four-phase cycle (preparation, detection and analysis, containment-eradication-recovery, post-incident activity), the organisational structures incident response is built into, the data sources incident handlers read against, the recommended practices for handling specific incident categories, and the communication and coordination expectations across the response. Revision 3 (currently in update) layers the framework against NIST CSF 2.0, the Cybersecurity Performance Goals, and the post-2020 landscape of cloud-native incidents, ransomware, supply-chain compromise, and AI-system incidents. SecPortal operates an SP 800-61 cycle as one structured engagement record per incident, with the detection signal, the analysis decision, the containment-eradication-recovery actions, the communications log, the evidence custody trail, and the post-incident review on the same case record that feeds the audit pack across NIST CSF 2.0, the NIST SP 800-53 IR family, ISO/IEC 27001 Annex A 5.24 through 5.30, ISO/IEC 27035, NIS2 Articles 21 and 23, DORA Articles 19 and 20, SOC 2 CC7.3 through CC7.5, PCI DSS Requirement 12.10, HIPAA 45 CFR 164.308(a)(6), and the SEC cybersecurity disclosure rule.

ISO 22301

ISO 22301 (Security and resilience, Business continuity management systems, Requirements) is the international certifiable standard that defines what a business continuity management system (BCMS) is, what it produces, and how it is audited. ISO 22301:2019 sits alongside ISO 22313 (guidance), ISO 22317 (BIA guidelines), and ISO/IEC 27031 (ICT readiness) as the wider continuity standards family. This page covers the standard scope, the eight load-bearing principles, the PDCA operating model, the business impact analysis discipline, the continuity strategies and solutions, the evidence pack, the failure modes, and the cross-walks to ISO/IEC 27031, ISO/IEC 27001 Annex A 5.29 and 5.30, ISO/IEC 27035, NIST SP 800-61, NIST CSF 2.0 Recover and Respond, DORA Articles 11 to 14, NIS2 Article 21(2)(c), SOC 2 A1.1 to A1.3, and PCI DSS 12.10.

NIST SP 800-63

NIST Special Publication 800-63 is the United States federal reference for digital identity. The current edition (NIST SP 800-63-3) is a four-volume suite covering the overall framework (800-63-3), enrolment and identity proofing (800-63A), authentication and lifecycle management (800-63B), and federation and assertions (800-63C). NIST SP 800-63-4 has been published in draft form and is moving through public review. The framework names three independent assurance dimensions: identity assurance level (IAL) for how confidently a real-world identity is bound to an account, authenticator assurance level (AAL) for how robustly an authentication event proves the claimant controls the authenticator, and federation assurance level (FAL) for how trustworthy the federated assertion carrying the identity between systems is. SecPortal operates an 800-63 evidence pack as one structured engagement record carrying the policy, the Digital Identity Acceptance Statement, the authenticator inventory per AAL, the proofing record per IAL, the federation assertion record per FAL, the lifecycle event trail, and the audit-grade evidence the rest of the identity and access programmes read against.

NYDFS Part 500

23 NYCRR Part 500 is the New York Department of Financial Services cybersecurity regulation for banks, insurers, mortgage servicers, money transmitters, and BitLicense holders. This page covers the seventeen operative sections, the November 2023 Second Amendment, the Class A company obligations, the 72-hour and 24-hour notification clocks, and the annual certification.

OWASP Top 10 CI/CD Security Risks

The OWASP Top 10 CI/CD Security Risks (the OWASP CI/CD Top 10) is the open risk-class catalogue for the CI/CD pipeline itself, maintained by the OWASP CI/CD Security project. The ten CICD-SEC categories name the pipeline-specific risk classes that show up across pipeline-as-code definitions, runner infrastructure, package registries, identity and access management, and observability layers. SecPortal operates a CI/CD Top 10 engagement as one structured record across the in-scope pipeline platforms, repositories, runner environments, and third-party action allowlists.

MITRE D3FEND

MITRE D3FEND is an open knowledge graph of defensive countermeasure techniques, organised as a directed graph anchored on Digital Artefacts the offensive and defensive sides both operate on. Where ATT&CK is the offensive technique catalogue, D3FEND is the defensive technique catalogue paired with ATT&CK at the artefact level. SecPortal operates a D3FEND-aligned engagement as one structured record across the in-scope offensive technique set, the in-scope defensive technique set, the in-scope Digital Artefact inventory, and the per-finding ATT&CK-and-D3FEND pairing.

CISA Zero Trust Maturity Model

The CISA Zero Trust Maturity Model (ZTMM) is the maturity inventory the Cybersecurity and Infrastructure Security Agency publishes for federal civilian agencies and any organisation that wants a published, scorecard-shaped read on Zero Trust progress. ZTMM v2.0, released April 2023, organises Zero Trust across five pillars (Identity, Devices, Networks, Applications and Workloads, Data) plus three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, Governance), with four maturity stages per pillar (Traditional, Initial, Advanced, Optimal). It pairs with NIST SP 800-207 as the architectural reference: ZTMM tracks where the programme is, and SP 800-207 describes what the architecture is.

ISO/IEC 27034 application security

ISO/IEC 27034 is the international standard for application security governance. It structures application security across the organisation-wide Organization Normative Framework, the per-application Application Normative Framework, the Application Security Controls library, the Application Security Lifecycle Reference Model, and the closed-loop Application Security Verification process. It is the operating framework the verification standard (OWASP ASVS) runs inside and the maturity models (OWASP SAMM, BSIMM) measure against.

MITRE Engage

MITRE Engage is the adversary engagement, deception, and denial planning framework, organised around three goals (Expose, Affect, Elicit) and five activity classes (Prepare, Collect, Detect, Prevent, Direct). Where MITRE ATT&CK catalogues offensive techniques and MITRE D3FEND catalogues defensive countermeasures, Engage sits on the strategy layer above both and gives adversary engagement a per-engagement, per-adversary operating shape. SecPortal operates a MITRE Engage engagement as one structured record across the threat model, the operating environment, the Direct-stage operating posture, and the engagement-time interactions.

NIST SP 800-82 Rev. 3

NIST Special Publication 800-82 Revision 3 (September 2023) is the US federal guide to securing Operational Technology. It covers Industrial Control Systems, SCADA, distributed control systems, programmable logic controllers, building automation, transport systems, physical access control systems, and the safety, reliability, and performance constraints that make OT cybersecurity different from IT cybersecurity. Run an 800-82 programme end to end: scope the OT environment, tier assets by impact, apply the NIST SP 800-53 Rev. 5 OT overlay, schedule safe scans where allowed, track manual and authenticated test findings, manage compensating controls, and produce assessor-ready evidence packs from one workflow.

ISO/IEC 29134

ISO/IEC 29134:2017 (Information technology, Security techniques, Guidelines for privacy impact assessment) is the international methodology standard for the privacy impact assessment (PIA). It is the method GDPR Article 35 DPIAs, ISO/IEC 27701 PIA records, UK ICO DPIA guidance, and many sector privacy regimes read against. The standard names a nine-step process from threshold screening through residual risk decision and follow-up, with a defined consultation discipline, an audit-grade artefact set, and a material-change trigger that keeps the assessment register current rather than launch-date frozen. This page covers the scope, the nine-step process, the operating-record artefacts, the failure modes the standard surfaces, the relationship with GDPR, UK GDPR, ISO/IEC 27701, ISO/IEC 27001, the NIST Privacy Framework, SOC 2, HIPAA, and PCI DSS, and the audit-grade evidence pack the programme produces.

IEC 62443-4-1

IEC 62443-4-1 (Security for industrial automation and control systems, Part 4-1: Secure product development lifecycle requirements) is the international standard that defines how a product supplier develops, ships, and maintains industrial automation and control system components securely. It names eight practices (Security Management, Specification of Security Requirements, Secure by Design, Secure Implementation, Security Verification and Validation Testing, Management of Security-Related Issues, Security Update Management, Security Guidelines), four maturity levels (initial, managed, defined, improving), the per-practice activities, and the per-product evidence the supplier needs to demonstrate the SDL was applied to a given product. This page covers the practices, the maturity model, the certification surface (ISASecure SDLA and equivalent assessor schemes), the relationship with IEC 62443-4-2, the wider IEC 62443 family, NIST SSDF, OWASP SAMM, BSIMM, the EU Cyber Resilience Act, and the audit-grade evidence pack a 62443-4-1 programme runs on.

IEC 62443-4-2

IEC 62443-4-2 (Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components) is the international standard that defines the per-component technical security capability industrial automation and control system components must offer at each Security Level. It elaborates the seven foundational requirements (Identification and Authentication Control, Use Control, System Integrity, Data Confidentiality, Restricted Data Flow, Timely Response to Events, Resource Availability) into per-component requirements (CRs) and Requirement Enhancements (REs), tailored across four component types (embedded device, network device, host device, software application) and four Security Levels (SL 1 to SL 4). This page covers the FR and CR set, the Security Levels and REs, the per-component evidence pack the assessment produces, the relationship with IEC 62443-4-1, IEC 62443-3-3, the wider 62443 family, the EU Cyber Resilience Act, Common Criteria, and the audit-grade evidence pack a 62443-4-2 programme runs on.

CISA KEV Catalog

The CISA Known Exploited Vulnerabilities (KEV) Catalog is the authoritative public list of CVEs the Cybersecurity and Infrastructure Security Agency has observed in real-world attack activity. Established under Binding Operational Directive 22-01 in November 2021, the catalog publishes inclusion criteria, mitigation timelines, and a continuously updated entry feed that federal civilian executive branch agencies are mandated to remediate and that the broader security community uses as a curated exploitation signal. This page covers the BOD 22-01 mandate, the inclusion criteria, the catalog structure, the cross-walk to NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS, NIS2, DORA, and CIS Controls, the audit evidence an internal KEV programme runs against, and where the KEV catalog sits next to CVSS, EPSS, NVD, and the wider vulnerability intelligence regime.

Track compliance from one workspace

Map findings to your frameworks, generate audit-ready evidence, and ship reports clients trust.