{"framework_count":11,"frameworks":{"SOC2":{"name":"SOC 2 Type II","version":"2017","domain":"Trust Services Criteria","controls":{"CC1.1":{"name":"Control Environment — COSO Principle 1","category":"Control Environment"},"CC1.2":{"name":"Control Environment — Board Independence","category":"Control Environment"},"CC2.1":{"name":"Communication of Quality Objectives","category":"Communication & Information"},"CC3.1":{"name":"Risk Assessment — Specify Objectives","category":"Risk Assessment"},"CC5.1":{"name":"Control Activities — Risk Mitigation","category":"Control Activities"},"CC6.1":{"name":"Logical and Physical Access Controls","category":"Logical Access"},"CC6.2":{"name":"Prior to Issuance of System Credentials","category":"Logical Access"},"CC6.3":{"name":"Access Removal","category":"Logical Access"},"CC7.1":{"name":"Configuration Management","category":"System Operations"},"CC7.2":{"name":"Monitoring of System Components","category":"System Operations"}}},"ISO27001":{"name":"ISO/IEC 27001:2022","version":"2022","domain":"Information Security Management","controls":{"A.5.1":{"name":"Policies for Information Security","category":"Organizational Controls"},"A.5.15":{"name":"Access Control","category":"Organizational Controls"},"A.8.2":{"name":"Privileged Access Rights","category":"Technology Controls"},"A.8.5":{"name":"Secure Authentication","category":"Technology Controls"},"A.8.15":{"name":"Logging","category":"Technology Controls"},"A.8.16":{"name":"Monitoring Activities","category":"Technology Controls"},"A.8.24":{"name":"Use of Cryptography","category":"Technology Controls"},"A.9.4.1":{"name":"Information Access Restriction","category":"Access Control"},"A.12.4.1":{"name":"Event Logging","category":"Operations Security"},"A.18.1.3":{"name":"Protection of Records","category":"Compliance"}}},"EU_AI_ACT":{"name":"EU Artificial Intelligence Act","version":"2024","domain":"AI System Governance","controls":{"ART6":{"name":"Classification of High-Risk AI Systems","category":"Risk Classification"},"ART9":{"name":"Risk Management System","category":"Risk Management"},"ART10":{"name":"Data and Data Governance","category":"Data Governance"},"ART11":{"name":"Technical Documentation","category":"Transparency"},"ART12":{"name":"Record-Keeping","category":"Record Keeping"},"ART13":{"name":"Transparency and Information Provision","category":"Transparency"},"ART14":{"name":"Human Oversight","category":"Human Oversight"},"ART15":{"name":"Accuracy, Robustness and Cybersecurity","category":"Technical Robustness"},"ART16":{"name":"Obligations of Providers","category":"Provider Obligations"},"ART72":{"name":"Confidentiality","category":"Confidentiality"}}},"GDPR":{"name":"General Data Protection Regulation","version":"2018","domain":"Data Privacy","controls":{"ART5":{"name":"Principles Relating to Processing of Personal Data","category":"Data Processing"},"ART6":{"name":"Lawfulness of Processing","category":"Legal Basis"},"ART13":{"name":"Information to Be Provided — Data Collected Directly","category":"Transparency"},"ART17":{"name":"Right to Erasure","category":"Data Subject Rights"},"ART25":{"name":"Data Protection by Design and by Default","category":"Privacy by Design"},"ART30":{"name":"Records of Processing Activities","category":"Record Keeping"},"ART32":{"name":"Security of Processing","category":"Security"},"ART33":{"name":"Notification of Personal Data Breach","category":"Breach Notification"},"ART35":{"name":"Data Protection Impact Assessment","category":"DPIA"},"ART44":{"name":"General Principle for Transfers","category":"Data Transfers"}}},"HIPAA":{"name":"Health Insurance Portability and Accountability Act","version":"2013 (Omnibus)","domain":"Healthcare Data Privacy and Security","controls":{"164.308a1":{"name":"Security Management Process","category":"Administrative Safeguards"},"164.308a3":{"name":"Workforce Security","category":"Administrative Safeguards"},"164.308a4":{"name":"Information Access Management","category":"Administrative Safeguards"},"164.310a1":{"name":"Facility Access Controls","category":"Physical Safeguards"},"164.312a1":{"name":"Access Control","category":"Technical Safeguards"},"164.312a2i":{"name":"Unique User Identification","category":"Technical Safeguards"},"164.312b":{"name":"Audit Controls","category":"Technical Safeguards"},"164.312c1":{"name":"Integrity Controls","category":"Technical Safeguards"},"164.312e1":{"name":"Transmission Security","category":"Technical Safeguards"},"164.316b1":{"name":"Documentation — Time Limit","category":"Policies and Procedures"}}},"PCI4":{"name":"PCI DSS v4.0","version":"4.0","domain":"Payment Card Industry Data Security","controls":{"1.2.1":{"name":"Network Security Controls — Configuration","category":"Network Security"},"2.2.1":{"name":"System Components Configuration Standards","category":"System Configuration"},"3.3.1":{"name":"SAD Not Retained After Authorization","category":"Account Data Protection"},"4.2.1":{"name":"Strong Cryptography for Transmission","category":"Cryptography"},"6.3.3":{"name":"Security Patches and Updates","category":"Vulnerability Management"},"7.2.1":{"name":"Access Control Model","category":"Access Control"},"8.2.1":{"name":"User Account Management","category":"Identity Management"},"10.2.1":{"name":"Audit Log Events","category":"Logging & Monitoring"},"10.3.1":{"name":"Audit Log Protection","category":"Logging & Monitoring"},"12.3.1":{"name":"Risk Assessment Process","category":"Risk Management"}}},"SOX404":{"name":"Sarbanes-Oxley Act Section 404","version":"2002","domain":"Financial Reporting Controls","controls":{"ITGC.AC":{"name":"IT General Controls — Access Control","category":"IT General Controls"},"ITGC.CM":{"name":"IT General Controls — Change Management","category":"IT General Controls"},"ITGC.OP":{"name":"IT General Controls — Computer Operations","category":"IT General Controls"},"ITGC.SD":{"name":"IT General Controls — System Development","category":"IT General Controls"},"FINRPT.01":{"name":"Financial Statement Completeness","category":"Financial Reporting"},"FINRPT.02":{"name":"Financial Statement Accuracy","category":"Financial Reporting"},"FINRPT.03":{"name":"Disclosure Controls","category":"Disclosure"},"MGMT.01":{"name":"Management Assessment of ICFR","category":"Management Assessment"},"AUDIT.01":{"name":"External Auditor Attestation","category":"Auditor"},"AUDIT.02":{"name":"Audit Trail Completeness","category":"Audit Trail"}}},"DORA":{"name":"Digital Operational Resilience Act","version":"2025","domain":"Financial Sector Digital Resilience","controls":{"ART5":{"name":"ICT Risk Management Framework","category":"ICT Risk Management"},"ART8":{"name":"Identification of ICT Assets","category":"Asset Management"},"ART9":{"name":"Protection and Prevention","category":"Protection"},"ART10":{"name":"Detection","category":"Detection"},"ART11":{"name":"Response and Recovery","category":"Incident Response"},"ART17":{"name":"ICT-Related Incident Classification","category":"Incident Management"},"ART19":{"name":"Major ICT-Related Incident Reporting","category":"Incident Reporting"},"ART24":{"name":"Digital Operational Resilience Testing","category":"Testing"},"ART28":{"name":"ICT Third-Party Risk Management","category":"Third-Party Risk"},"ART45":{"name":"Information Sharing Arrangements","category":"Threat Intelligence"}}},"NIST_CSF_2_0":{"name":"NIST Cybersecurity Framework 2.0","version":"2.0","domain":"Cybersecurity Risk Management","controls":{"GV.OC-01":{"name":"Organizational Context — Mission","category":"GOVERN"},"GV.RM-01":{"name":"Risk Management Strategy","category":"GOVERN"},"ID.AM-01":{"name":"Asset Inventory — Hardware","category":"IDENTIFY"},"ID.RA-01":{"name":"Vulnerabilities Are Identified and Documented","category":"IDENTIFY"},"PR.AA-01":{"name":"Identities and Credentials Are Managed","category":"PROTECT"},"PR.DS-01":{"name":"Data-at-Rest Protection","category":"PROTECT"},"DE.CM-01":{"name":"Networks Are Monitored","category":"DETECT"},"DE.AE-02":{"name":"Potentially Adverse Events Are Analyzed","category":"DETECT"},"RS.CO-02":{"name":"Incidents Are Reported","category":"RESPOND"},"RC.RP-01":{"name":"Recovery Plan Is Executed","category":"RECOVER"}}},"FEDRAMP":{"name":"Federal Risk and Authorization Management Program","version":"Rev 5","domain":"US Federal Cloud Security","controls":{"AC-1":{"name":"Access Control Policy and Procedures","category":"Access Control"},"AC-2":{"name":"Account Management","category":"Access Control"},"AU-2":{"name":"Event Logging","category":"Audit and Accountability"},"AU-3":{"name":"Content of Audit Records","category":"Audit and Accountability"},"CM-2":{"name":"Baseline Configuration","category":"Configuration Management"},"IA-2":{"name":"Identification and Authentication — Organizational Users","category":"Identification and Authentication"},"IR-4":{"name":"Incident Handling","category":"Incident Response"},"RA-3":{"name":"Risk Assessment","category":"Risk Assessment"},"SC-8":{"name":"Transmission Confidentiality and Integrity","category":"System and Communications Protection"},"SI-2":{"name":"Flaw Remediation","category":"System and Information Integrity"}}},"ISO_42001":{"name":"ISO/IEC 42001:2023","version":"2023","domain":"Artificial Intelligence Management System","controls":{"4.1":{"name":"Understanding the Organization and Its Context","category":"Context"},"5.2":{"name":"AI Policy","category":"Leadership"},"6.1.2":{"name":"AI Risk Assessment","category":"Planning"},"6.1.3":{"name":"AI Risk Treatment","category":"Planning"},"8.4":{"name":"AI System Impact Assessment","category":"Operations"},"8.6":{"name":"AI System Documentation","category":"Operations"},"9.1":{"name":"Monitoring, Measurement, Analysis and Evaluation","category":"Performance Evaluation"},"9.3":{"name":"Management Review","category":"Performance Evaluation"},"10.2":{"name":"Continual Improvement","category":"Improvement"},"A.6.1":{"name":"AI System Objectives and Planning","category":"Annex A Controls"}}}}}