The Global Compliance Crosswalk

One matrix mapping every control domain across ISO 27001, SOC 2, NIST CSF, CIS Controls, GDPR, NIS2, DORA, HIPAA, PCI DSS and CCPA — see equivalents and gaps at a glance.

EquivalentPartialRelated—No direct requirement (gap)

Control domain	ISO 27001	SOC 2	NIST CSF 2.0	CIS Controls v8	NIST 800-53	NIST 800-171	Essential Eight	Cyber Essentials	PCI DSS	GDPR	NIS2	DORA	HIPAA	CCPA / CPRA	LGPD	GLBA
Access control & identity	A.5.15 A.5.16	CC6.1	PR.AA-01 PR.AA-05	6.1	AC-2	3.1.1	E8-3 E8-4	CE-3	Req. 7 Req. 8	—	Art. 21(2)(i)	Art. 9	§164.312(a)(1)	—	—	§314.4(c)(1)
Asset & data inventory	A.5.9	—	ID.AM-01	1.1	CM-8	—	—	—	—	Art. 30	—	—	—	§1798.130	Art. 37	—
Vulnerability management	A.8.8	CC7.1	ID.RA-01	7.1	RA-5	3.11.2	E8-1 E8-2	CE-5	Req. 11	—	—	—	—	—	—	§314.4(d)
Logging, monitoring & detection	A.8.16 A.8.15	CC7.2	DE.CM-01 PR.PS-04	8.1	AU-2	3.3.1	—	—	Req. 10	—	—	Art. 10	§164.312(b)	—	—	§314.4(c)(8)
Cryptography & data protection	A.8.24	CC6.7	PR.DS-01 PR.DS-02	3.11	SC-8 SC-28	3.13.11	—	—	Req. 3 Req. 4	Art. 32	Art. 21(2)(h)	Art. 9	§164.312(e)(1)	—	Art. 46	§314.4(c)(3)
Secure configuration & hardening	A.8.9	—	PR.PS-01	4.1	CM-6	3.4.2	E8-5 E8-6 E8-7	CE-2 CE-1	Req. 2	—	—	—	—	—	—	—
Backup & recovery	A.8.13	—	PR.DS-11	11.1	CP-9	—	E8-8	—	—	Art. 32	—	Art. 12	—	—	—	—
Incident response & breach notification	A.5.24 A.5.26	—	—	—	IR-4 IR-6	3.6.1	—	—	—	Art. 33	Art. 21(2)(b)Art. 23	Art. 17 Art. 19	§164.308(a)(6)§164.404	—	Art. 48	§314.4(h)
Governance & security policy	A.5.1	CC1.1	GV.OC-01	—	PM-1	—	—	—	Req. 12	Art. 25	Art. 21(2)(a)	Art. 6	—	§1798.100	Art. 50	§314.4(a)
Risk assessment & management	—	—	ID.RA-01	—	RA-3	3.11.1	—	—	—	—	Art. 21(2)(a)	Art. 6	§164.308(a)(1)	§1798.150	Art. 46	—

Two-framework crosswalks

Prefer a side-by-side view? Jump straight to any pair.