{"total_controls":158,"frameworks":["soc2","iso27001","iso27017","iso27018","iso27701","iso27036","iso42001","eu_ai_act","gdpr","eidas2","nis2","dora"],"leverage_ratio":2.323,"explanation":"Each Hive control implementation satisfies an average of 2.32 framework requirements. One implementation, many standards.","entries":[{"control_id":"CC1.1","primary_framework":"soc2","title":"Demonstrates commitment to integrity and ethical values","family":"CC1","satisfies":["iso27001","iso42001"],"auditor":"policy_published"},{"control_id":"CC1.2","primary_framework":"soc2","title":"Board demonstrates independence and oversight","family":"CC1","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC1.3","primary_framework":"soc2","title":"Establishes structures, reporting lines, authorities, and responsibilities","family":"CC1","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC1.4","primary_framework":"soc2","title":"Demonstrates commitment to competence","family":"CC1","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC1.5","primary_framework":"soc2","title":"Enforces accountability","family":"CC1","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC2.1","primary_framework":"soc2","title":"Obtains or generates relevant quality information","family":"CC2","satisfies":["iso27001","iso27701"],"auditor":"log_pipeline_live"},{"control_id":"CC2.2","primary_framework":"soc2","title":"Internal communication of information","family":"CC2","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC2.3","primary_framework":"soc2","title":"External communication of information","family":"CC2","satisfies":["iso27001"],"auditor":"security_txt_present"},{"control_id":"CC3.1","primary_framework":"soc2","title":"Specifies relevant objectives","family":"CC3","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC3.2","primary_framework":"soc2","title":"Identifies and analyzes risk","family":"CC3","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC3.3","primary_framework":"soc2","title":"Considers fraud potential","family":"CC3","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC3.4","primary_framework":"soc2","title":"Identifies and assesses changes","family":"CC3","satisfies":["iso27001"],"auditor":"git_commit_chain"},{"control_id":"CC4.1","primary_framework":"soc2","title":"Selects, develops, performs ongoing evaluations","family":"CC4","satisfies":["iso27001"],"auditor":"uptime_probe"},{"control_id":"CC4.2","primary_framework":"soc2","title":"Communicates deficiencies","family":"CC4","satisfies":["iso27001"],"auditor":"incident_log"},{"control_id":"CC5.1","primary_framework":"soc2","title":"Selects/develops controls that mitigate risks","family":"CC5","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC5.2","primary_framework":"soc2","title":"Selects/develops technology controls","family":"CC5","satisfies":["iso27001"],"auditor":"tls_grade"},{"control_id":"CC5.3","primary_framework":"soc2","title":"Deploys through policies and procedures","family":"CC5","satisfies":["iso27001"],"auditor":"policy_published"},{"control_id":"CC6.1","primary_framework":"soc2","title":"Implements logical access security software","family":"CC6","satisfies":["iso27001","iso27017"],"auditor":"tls_grade"},{"control_id":"CC6.2","primary_framework":"soc2","title":"Registers and authorizes new internal/external users","family":"CC6","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC6.3","primary_framework":"soc2","title":"Authorizes/modifies/removes access","family":"CC6","satisfies":["iso27001"],"auditor":"rbac_probe"},{"control_id":"CC6.4","primary_framework":"soc2","title":"Restricts physical access","family":"CC6","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC6.5","primary_framework":"soc2","title":"Discontinues logical/physical asset protections","family":"CC6","satisfies":["iso27001","gdpr"],"auditor":"deletion_proof"},{"control_id":"CC6.6","primary_framework":"soc2","title":"Protects against threats from outside system boundaries","family":"CC6","satisfies":["iso27001"],"auditor":"tls_grade"},{"control_id":"CC6.7","primary_framework":"soc2","title":"Restricts transmission/movement of information","family":"CC6","satisfies":["iso27001"],"auditor":"tls_grade"},{"control_id":"CC6.8","primary_framework":"soc2","title":"Implements controls to prevent/detect malicious software","family":"CC6","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC7.1","primary_framework":"soc2","title":"Detection and monitoring of new vulnerabilities","family":"CC7","satisfies":["iso27001"],"auditor":"vuln_disclosure"},{"control_id":"CC7.2","primary_framework":"soc2","title":"Monitors components and operation","family":"CC7","satisfies":["iso27001"],"auditor":"uptime_probe"},{"control_id":"CC7.3","primary_framework":"soc2","title":"Evaluates security events","family":"CC7","satisfies":["iso27001"],"auditor":"incident_log"},{"control_id":"CC7.4","primary_framework":"soc2","title":"Responds to identified security incidents","family":"CC7","satisfies":["iso27001","nis2"],"auditor":"incident_log"},{"control_id":"CC7.5","primary_framework":"soc2","title":"Recovery from identified security incidents","family":"CC7","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC8.1","primary_framework":"soc2","title":"Authorizes/designs/develops/implements/configures changes","family":"CC8","satisfies":["iso27001"],"auditor":"git_commit_chain"},{"control_id":"CC9.1","primary_framework":"soc2","title":"Identifies/selects/develops risk mitigation activities","family":"CC9","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"CC9.2","primary_framework":"soc2","title":"Manages vendors and business partners","family":"CC9","satisfies":["iso27001","iso27036","dora"],"auditor":"subprocessor_table"},{"control_id":"A1.1","primary_framework":"soc2","title":"Maintains current processing capacity and usage","family":"A","satisfies":["iso27001"],"auditor":"uptime_probe"},{"control_id":"A1.2","primary_framework":"soc2","title":"Authorizes/designs/implements environmental protections","family":"A","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"A1.3","primary_framework":"soc2","title":"Tests recovery plan procedures","family":"A","satisfies":["iso27001","dora"],"auditor":"self_attest"},{"control_id":"PI1.1","primary_framework":"soc2","title":"Definitions of data inputs/outputs maintained","family":"PI","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"PI1.2","primary_framework":"soc2","title":"System inputs are complete and accurate","family":"PI","satisfies":["iso27001"],"auditor":"input_validation"},{"control_id":"PI1.3","primary_framework":"soc2","title":"System processing is complete/valid/accurate/timely","family":"PI","satisfies":["iso27001"],"auditor":"uptime_probe"},{"control_id":"PI1.4","primary_framework":"soc2","title":"Outputs are complete and accurate","family":"PI","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"PI1.5","primary_framework":"soc2","title":"Stores inputs/items in process/outputs completely","family":"PI","satisfies":["iso27001"],"auditor":"self_attest"},{"control_id":"C1.1","primary_framework":"soc2","title":"Identifies and maintains confidential information","family":"C","satisfies":["iso27001","iso27018"],"auditor":"self_attest"},{"control_id":"C1.2","primary_framework":"soc2","title":"Disposes of confidential information","family":"C","satisfies":["iso27001","gdpr"],"auditor":"deletion_proof"},{"control_id":"P1.1","primary_framework":"soc2","title":"Privacy criterion P1.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P2.1","primary_framework":"soc2","title":"Privacy criterion P2.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P3.1","primary_framework":"soc2","title":"Privacy criterion P3.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P3.2","primary_framework":"soc2","title":"Privacy criterion P3.2","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P4.1","primary_framework":"soc2","title":"Privacy criterion P4.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P4.2","primary_framework":"soc2","title":"Privacy criterion P4.2","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P4.3","primary_framework":"soc2","title":"Privacy criterion P4.3","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P5.1","primary_framework":"soc2","title":"Privacy criterion P5.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P5.2","primary_framework":"soc2","title":"Privacy criterion P5.2","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.1","primary_framework":"soc2","title":"Privacy criterion P6.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.2","primary_framework":"soc2","title":"Privacy criterion P6.2","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.3","primary_framework":"soc2","title":"Privacy criterion P6.3","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.4","primary_framework":"soc2","title":"Privacy criterion P6.4","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.5","primary_framework":"soc2","title":"Privacy criterion P6.5","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.6","primary_framework":"soc2","title":"Privacy criterion P6.6","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.7","primary_framework":"soc2","title":"Privacy criterion P6.7","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P7.1","primary_framework":"soc2","title":"Privacy criterion P7.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P8.1","primary_framework":"soc2","title":"Privacy criterion P8.1","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P5.3","primary_framework":"soc2","title":"Privacy retention controls","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P6.8","primary_framework":"soc2","title":"Privacy breach notification","family":"P","satisfies":["iso27701","gdpr","nis2"],"auditor":"incident_log"},{"control_id":"P7.2","primary_framework":"soc2","title":"Privacy quality assurance","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"P8.2","primary_framework":"soc2","title":"Privacy disclosure tracking","family":"P","satisfies":["iso27701","gdpr"],"auditor":"self_attest"},{"control_id":"A.5.1","primary_framework":"iso27001","title":"Policies for information security","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.2","primary_framework":"iso27001","title":"Information security roles and responsibilities","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.3","primary_framework":"iso27001","title":"Segregation of duties","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.4","primary_framework":"iso27001","title":"Management responsibilities","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.5","primary_framework":"iso27001","title":"Contact with authorities","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.6","primary_framework":"iso27001","title":"Contact with special interest groups","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.7","primary_framework":"iso27001","title":"Threat intelligence","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.8","primary_framework":"iso27001","title":"Information security in project management","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.9","primary_framework":"iso27001","title":"Inventory of information and other associated assets","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.10","primary_framework":"iso27001","title":"Acceptable use of information and other associated assets","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.11","primary_framework":"iso27001","title":"Return of assets","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.12","primary_framework":"iso27001","title":"Classification of information","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.13","primary_framework":"iso27001","title":"Labelling of information","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.14","primary_framework":"iso27001","title":"Information transfer","family":"A.5","satisfies":["gdpr","iso27701","soc2"],"auditor":"self_attest"},{"control_id":"A.5.15","primary_framework":"iso27001","title":"Access control","family":"A.5","satisfies":["soc2"],"auditor":"rbac_probe"},{"control_id":"A.5.16","primary_framework":"iso27001","title":"Identity management","family":"A.5","satisfies":["soc2"],"auditor":"rbac_probe"},{"control_id":"A.5.17","primary_framework":"iso27001","title":"Authentication information","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.18","primary_framework":"iso27001","title":"Access rights","family":"A.5","satisfies":["soc2"],"auditor":"rbac_probe"},{"control_id":"A.5.19","primary_framework":"iso27001","title":"Information security in supplier relationships","family":"A.5","satisfies":["dora","iso27036","soc2"],"auditor":"subprocessor_table"},{"control_id":"A.5.20","primary_framework":"iso27001","title":"Addressing information security within supplier agreements","family":"A.5","satisfies":["dora","iso27036","soc2"],"auditor":"subprocessor_table"},{"control_id":"A.5.21","primary_framework":"iso27001","title":"Managing information security in the ICT supply chain","family":"A.5","satisfies":["dora","iso27036","soc2"],"auditor":"subprocessor_table"},{"control_id":"A.5.22","primary_framework":"iso27001","title":"Monitoring, review and change management of supplier services","family":"A.5","satisfies":["dora","iso27036","soc2"],"auditor":"subprocessor_table"},{"control_id":"A.5.23","primary_framework":"iso27001","title":"Information security for use of cloud services","family":"A.5","satisfies":["iso27017","iso27018","soc2"],"auditor":"subprocessor_table"},{"control_id":"A.5.24","primary_framework":"iso27001","title":"Information security incident management planning and preparation","family":"A.5","satisfies":["nis2","soc2"],"auditor":"incident_log"},{"control_id":"A.5.25","primary_framework":"iso27001","title":"Assessment and decision on information security events","family":"A.5","satisfies":["nis2","soc2"],"auditor":"incident_log"},{"control_id":"A.5.26","primary_framework":"iso27001","title":"Response to information security incidents","family":"A.5","satisfies":["nis2","soc2"],"auditor":"incident_log"},{"control_id":"A.5.27","primary_framework":"iso27001","title":"Learning from information security incidents","family":"A.5","satisfies":["soc2"],"auditor":"incident_log"},{"control_id":"A.5.28","primary_framework":"iso27001","title":"Collection of evidence","family":"A.5","satisfies":["soc2"],"auditor":"incident_log"},{"control_id":"A.5.29","primary_framework":"iso27001","title":"Information security during disruption","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.30","primary_framework":"iso27001","title":"ICT readiness for business continuity","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.31","primary_framework":"iso27001","title":"Legal, statutory, regulatory and contractual requirements","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.32","primary_framework":"iso27001","title":"Intellectual property rights","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.33","primary_framework":"iso27001","title":"Protection of records","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.34","primary_framework":"iso27001","title":"Privacy and protection of PII","family":"A.5","satisfies":["gdpr","iso27701","soc2"],"auditor":"deletion_proof"},{"control_id":"A.5.35","primary_framework":"iso27001","title":"Independent review of information security","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.36","primary_framework":"iso27001","title":"Compliance with policies, rules and standards for information security","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.5.37","primary_framework":"iso27001","title":"Documented operating procedures","family":"A.5","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.1","primary_framework":"iso27001","title":"Screening","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.2","primary_framework":"iso27001","title":"Terms and conditions of employment","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.3","primary_framework":"iso27001","title":"Information security awareness, education and training","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.4","primary_framework":"iso27001","title":"Disciplinary process","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.5","primary_framework":"iso27001","title":"Responsibilities after termination or change of employment","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.6","primary_framework":"iso27001","title":"Confidentiality or non-disclosure agreements","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.7","primary_framework":"iso27001","title":"Remote working","family":"A.6","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.6.8","primary_framework":"iso27001","title":"Information security event reporting","family":"A.6","satisfies":["soc2"],"auditor":"incident_log"},{"control_id":"A.7.1","primary_framework":"iso27001","title":"Physical security perimeters","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.2","primary_framework":"iso27001","title":"Physical entry","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.3","primary_framework":"iso27001","title":"Securing offices, rooms and facilities","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.4","primary_framework":"iso27001","title":"Physical security monitoring","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.5","primary_framework":"iso27001","title":"Protecting against physical and environmental threats","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.6","primary_framework":"iso27001","title":"Working in secure areas","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.7","primary_framework":"iso27001","title":"Clear desk and clear screen","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.8","primary_framework":"iso27001","title":"Equipment siting and protection","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.9","primary_framework":"iso27001","title":"Security of assets off-premises","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.10","primary_framework":"iso27001","title":"Storage media","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.11","primary_framework":"iso27001","title":"Supporting utilities","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.12","primary_framework":"iso27001","title":"Cabling security","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.13","primary_framework":"iso27001","title":"Equipment maintenance","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.7.14","primary_framework":"iso27001","title":"Secure disposal or re-use of equipment","family":"A.7","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.1","primary_framework":"iso27001","title":"User end point devices","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.2","primary_framework":"iso27001","title":"Privileged access rights","family":"A.8","satisfies":["soc2"],"auditor":"rbac_probe"},{"control_id":"A.8.3","primary_framework":"iso27001","title":"Information access restriction","family":"A.8","satisfies":["soc2"],"auditor":"rbac_probe"},{"control_id":"A.8.4","primary_framework":"iso27001","title":"Access to source code","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.5","primary_framework":"iso27001","title":"Secure authentication","family":"A.8","satisfies":["soc2"],"auditor":"tls_grade"},{"control_id":"A.8.6","primary_framework":"iso27001","title":"Capacity management","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.7","primary_framework":"iso27001","title":"Protection against malware","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.8","primary_framework":"iso27001","title":"Management of technical vulnerabilities","family":"A.8","satisfies":["soc2"],"auditor":"vuln_disclosure"},{"control_id":"A.8.9","primary_framework":"iso27001","title":"Configuration management","family":"A.8","satisfies":["soc2"],"auditor":"git_commit_chain"},{"control_id":"A.8.10","primary_framework":"iso27001","title":"Information deletion","family":"A.8","satisfies":["soc2"],"auditor":"deletion_proof"},{"control_id":"A.8.11","primary_framework":"iso27001","title":"Data masking","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.12","primary_framework":"iso27001","title":"Data leakage prevention","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.13","primary_framework":"iso27001","title":"Information backup","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.14","primary_framework":"iso27001","title":"Redundancy of information processing facilities","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.15","primary_framework":"iso27001","title":"Logging","family":"A.8","satisfies":["soc2"],"auditor":"log_pipeline_live"},{"control_id":"A.8.16","primary_framework":"iso27001","title":"Monitoring activities","family":"A.8","satisfies":["soc2"],"auditor":"uptime_probe"},{"control_id":"A.8.17","primary_framework":"iso27001","title":"Clock synchronization","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.18","primary_framework":"iso27001","title":"Use of privileged utility programs","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.19","primary_framework":"iso27001","title":"Installation of software on operational systems","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.20","primary_framework":"iso27001","title":"Networks security","family":"A.8","satisfies":["soc2"],"auditor":"tls_grade"},{"control_id":"A.8.21","primary_framework":"iso27001","title":"Security of network services","family":"A.8","satisfies":["soc2"],"auditor":"tls_grade"},{"control_id":"A.8.22","primary_framework":"iso27001","title":"Segregation of networks","family":"A.8","satisfies":["soc2"],"auditor":"tls_grade"},{"control_id":"A.8.23","primary_framework":"iso27001","title":"Web filtering","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.24","primary_framework":"iso27001","title":"Use of cryptography","family":"A.8","satisfies":["eidas2","soc2"],"auditor":"tls_grade"},{"control_id":"A.8.25","primary_framework":"iso27001","title":"Secure development life cycle","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.26","primary_framework":"iso27001","title":"Application security requirements","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.27","primary_framework":"iso27001","title":"Secure system architecture and engineering principles","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.28","primary_framework":"iso27001","title":"Secure coding","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.29","primary_framework":"iso27001","title":"Security testing in development and acceptance","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.30","primary_framework":"iso27001","title":"Outsourced development","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.31","primary_framework":"iso27001","title":"Separation of development, test and production environments","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.32","primary_framework":"iso27001","title":"Change management","family":"A.8","satisfies":["soc2"],"auditor":"git_commit_chain"},{"control_id":"A.8.33","primary_framework":"iso27001","title":"Test information","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"},{"control_id":"A.8.34","primary_framework":"iso27001","title":"Protection of information systems during audit testing","family":"A.8","satisfies":["soc2"],"auditor":"self_attest"}]}