Compliance Package Database
We call PCI, ISO, NIST, etc. compliance packages. Some packages are available for free or you can create your own.
Introduction
Compliance Packages are simple CSV templates that contain regulations, contracts, standards, etc. Example packages include PCI, SOX, SOC2, ISO, etc.
We keep a free and open repository of the most common compliance packages used around the world that you can access anytime.
You can also create your own compliance packages. If you cannot find a template from us, simply create one. In most cases you can copy & paste the content from the documentation for the standard or regulation into any spreadsheet software.
In this guide we will explain how to create your own compliance packages and also discuss the repository of compliance packages available to the public.
Copyright
While most compliance packages and regulations are free to download in their original form from the author's website, some are not freely available (ISO is a good example). For that reason we cannot make some packages public unless you can provide evidence to us that you have purchased them (by emailing support@eramba.org).
Creating your own Compliance Packages
If you want to upload your own compliance packages you need to create a CSV file and ensure it is formatted in such a way that eramba can understand the contents. We organise compliance packages (CSV files) into “chapters” and “items”:
Chapters are made of three fields:
- ID
- name
- description
Items are made of four fields:
- ID
- name
- description
- Questions
The following example shows the column entries for PCI-DSS requirement 2:
In the image above you see the chapter row (composed of three fields) and the item row (composed of four fields). The PCI requirement is translated into a CSV-formatted file with the chapter and the item all on one row.
To successfully create a CSV file follow these guidelines:
- Make sure there are entries in all 7 columns (the three chapter fields followed by the four item fields)
- There should be no empty cells. If you don't know what to put, simply put “N/A”.
- If you are using Microsoft Excel, save the spreadsheet as “Windows CSV” (not DOS CSV).
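The guidelines above are easy to get wrong by hand, so here is an added example (not eramba's own code) of a small Python helper that builds and checks a package CSV: it enforces the 7-column layout (three chapter fields, four item fields), replaces empty cells with “N/A”, and writes CRLF line endings, which is what Excel's “Windows CSV” produces. The header names and the sample rows are my own assumptions and constructed placeholders; eramba's importer may expect different header text.

```python
import csv
import io

# Column layout taken from the guide: three chapter fields followed by four
# item fields on one row. The header labels themselves are an assumption.
COLUMNS = [
    "chapter_id", "chapter_name", "chapter_description",
    "item_id", "item_name", "item_description", "item_questions",
]
EMPTY_PLACEHOLDER = "N/A"


def normalise_row(row):
    """Return a 7-cell row with whitespace trimmed and empty cells set to N/A."""
    cells = [str(c).strip() for c in row]
    if len(cells) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(cells)}: {cells!r}")
    return [c if c else EMPTY_PLACEHOLDER for c in cells]


def build_package_csv(rows):
    """Render rows as CSV text with CRLF line endings (Excel's 'Windows CSV')."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n", quoting=csv.QUOTE_MINIMAL)
    writer.writerow(COLUMNS)
    for row in rows:
        writer.writerow(normalise_row(row))
    return buf.getvalue()


def validate_package_csv(text):
    """Check CSV text against the guide's rules and return a list of problems."""
    problems = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(row) != len(COLUMNS):
            problems.append(f"line {lineno}: {len(row)} columns, expected {len(COLUMNS)}")
        for col, cell in enumerate(row, start=1):
            if not cell.strip():
                problems.append(f"line {lineno}: column {col} is empty")
    if "\r\n" not in text:
        problems.append("file does not use CRLF (Windows CSV) line endings")
    return problems


# Constructed sample data: one chapter row with one item, using placeholder text
# rather than the wording of any real standard.
SAMPLE_ROWS = [
    ["2", "Requirement 2", "", "2.1", "Change vendor defaults",
     "Constructed description text", ""],
]

if __name__ == "__main__":
    content = build_package_csv(SAMPLE_ROWS)
    print(validate_package_csv(content) or "package CSV looks valid")
    # newline="" keeps the CRLF terminators intact on every platform
    with open("compliance_package.csv", "w", newline="", encoding="utf-8") as fh:
        fh.write(content)
```

Run it once on your own rows before uploading; an empty list from `validate_package_csv` means every row has seven non-empty cells and the file uses Windows line endings.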
Compliance Package Repository
The following table contains the list of Compliance Packages ready to import into eramba.
(Package names that were not preserved in this copy of the table are left blank.)

| Package | Publisher | Version | Notes |
|---|---|---|---|
| | SCF | 2022.2 | https://www.securecontrolsframework.com/ Thanks to Derek Price |
| | PCI Council | 3.1 | |
| | PCI Council | 3.2 | |
| | PCI Council | 3.2.1 | |
| | PCI Council | 4 | |
| | PCI Council | 2 | |
| | PCI Council | 2 | |
| CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES (NEW YORK STATE 500 of Title 23) | | March 1st, 2017 - 500 of Title 23 | |
| 201 CMR 17.00 | | | https://malegislature.gov/laws/generallaws/parti/titlexv/chapter93h |
| | ISO | 2015 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2013 | You need to provide evidence you purchased the standard to get a copy. |
| ISO 27001:2022 | ISO | 2022 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2013 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2022 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2019 | You need to provide evidence you purchased the standard to get a copy. |
| | CIS | 8 | https://www.cisecurity.org/controls/ |
| | CIS | 7.1 | https://www.cisecurity.org/controls/ |
| | SANS | 3 | |
| | NIST | 2.0 | https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |
| | NIST | 2021 | https://csrc.nist.gov/publications/detail/sp/800-172/final Thanks to Derek Price |
| | NIST | Revision 4 | |
| | NIST | Revision 5 | |
| | NIST | 1.0 | |
| | NIST | 1.1 | |
| | NIST | 1.0 | |
| | | Jan 2013 | https://www.hhs.gov/hipaa/for-professionals/security/index.html |
| | | 8 | |
| | | 9.3.1 | |
| | CSA | 3.0.1 | https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/ |
| | | | https://cloudsecurityalliance.org/blog/2019/03/01/introducing-caiq-lite/ Thanks to Mick Otoole |
| SOC2 Report (Confidentiality, Security and Availability Principles) | | 2016 | |
| SOC2 Report (Confidentiality, Security and Availability Principles) | | 2021 | Thanks Mr. David Davis |
| | | 1.0 | https://www.swift.com/myswift/customer-security-programme-csp |
| | European Union | | |
| | | | Thanks to Roshan Fernandes |
| | | | Thanks to Roshan Fernandes |
| | Office of the Under Secretary of Defence for Acquisition & Sustainment | 1.0 | |
| Publicly Available Specification 1296: 2018 | | 2018 | You need to provide evidence you purchased the standard to get a copy. Thanks to David Davis |
| Proof of Age Standards Scheme: Requirements for Identity and Age Verification - PASS-1: 2020 | | 2020 | Thanks to David Davis |
| TDIF - Trusted Digital Identity - 04 - Functional Requirements | | v1.3 | Thanks to David Davis |
| | | v3.1 | Ref: https://www.ncsc.gov.uk/collection/caf , Ref: https://discussions.eramba.org/t/compliance-ncsc-cyber-assessment-framework-v3-1/2115 |
| | | 2022 | https://www.qatar2022.qa/sites/default/files/Qatar2022Framework.pdf |
| | | v2.0 | https://www.cmmc-compliance.com/ Thanks to Derek Price |
| | | 4 | Thanks to Derek Price |
| AESCSF-SP1 | | | Thanks to Bret Watson |
| AESCSF-SP2 | | | Thanks to Bret Watson |
| AESCSF-SP3 | | | Thanks to Bret Watson |