Server Error
Server Error
Server Error
Server Error
Server Error

Compliance Management

Learn how to do ISO 27001, PCI-DSS, NIST, SOC2 or any other compliance requirement with eramba

  • Episodes9
  • Duration38m 5s
  • LanguagesEN
Episode 5

Compliance Package Database

We call PCI, ISO, NIST, etc. compliance packages. Some packages are available for free or you can create your own.

Introduction

Compliance Packages are simple CSV templates that contain regulations, contracts, standards, etc.  Example packages include PCI, SOX, SOC2, ISO, etc.

We keep a free and open repository of the most common compliance packages used around the world that you can access anytime.

You can also create your own compliance packages.  If you can not find a template from us simply create one.  In most cases you can copy & past the content from the documentation for the standard or regulartion into any spreadsheet software.

In this guide we will explain how to create your own compliance packages and also discuss the repository of compliance packages available to the public.

Copyright

While most compliance packages and regulations are free to download in their original form from the author website some are not freely availabe (ISO is a good example). For that reason we can not make some packages public unless you can provide evidence to us that you have purchased them (by emailing support@eramba.org).

Creating your own Compliance Packages

If you want to upload your own compliance packages you need to create a CSV file and ensure it’s formatted in such a way that eramba can understand the contents. We organise compliance packages (CSV files) into “chapters” and “items”:

Chapters are made of three fields:

  • ID
  • name
  • description

Items are made of four fields:

  • ID
  • name
  • description
  • Questions

The following example shows the column entries for PCI-DSS requirement 2 :

In the image above you see the chapter row (composed of three fields) and the item row (composed of four fields).   The PCI requirement is translated into a CSV formatted file with the chapter and item all in one straight row.

To successfully create a CSV file follow these guidelines:

  • Make sure there are entries in all 7 columns
  • There should be no empty cells. If you don't know what to put simply put “N/A”.
  • If you are using Microsoft Excel you need to save the spreadsheet as “Windows CSV” (not DOS CSV);

Compliance Package Repository

The following table contains the list of Compliance Packages ready to import into eramba.

Package

Publisher

Version

Notes

Secure Control Framework

SCF

2022.2

https://www.securecontrolsframework.com/

 

Thanks to Derek Price

PCI-DSS V3.1

PCI Council

3.1

https://www.pcisecuritystandards.org/

PCI-DSS V3.2

PCI Council

3.2

https://www.pcisecuritystandards.org/

PCI-DSS V3.2.1

PCI Council

3.2.1

https://www.pcisecuritystandards.org/

PCI-DSS V4

PCI Council

4

https://www.pcisecuritystandards.org/

PCI-Card Production-Logical Security Requirements V2

PCI Council

2

https://www.pcisecuritystandards.org/

PCI-Card Production-Physical Security Requirements V2

PCI Council

2

https://www.pcisecuritystandards.org/

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES (NEW YORK STATE 500 of Title 23)

 

March 1st, 2017 - 500 of Title 23

See the official law codification

Massachusetts General Law Chapter 93H

 

201 CMR 17.00

https://malegislature.gov/laws/generallaws/parti/titlexv/chapter93h

ISO 9001:2015

ISO

2015

You need to provide evidence you purchased the standard to get a copy.

ISO 27001:2013

ISO

2013

You need to provide evidence you purchased the standard to get a copy.

ISO 27001:2022 ISO 2022 You need to provide evidence you purchased the standard to get a copy.

ISO 27002:2013

ISO

2013

You need to provide evidence you purchased the standard to get a copy.

ISO 27002:2022

ISO

2022

You need to provide evidence you purchased the standard to get a copy.

ISO/IEC 27701

ISO

2019

You need to provide evidence you purchased the standard to get a copy.

CIS Controls

CIS

8

https://www.cisecurity.org/controls/

CIS Controls

CIS

7.1

https://www.cisecurity.org/controls/

SANS – Critical Security Controls Top 20

SANS

3

 

NIST 800-171

 

2.0

NIST https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST 800-172

NIST

2021

https://csrc.nist.gov/publications/detail/sp/800-172/final

Thanks to Derek Price

NIST 800-53 v4

NIST

Revision 4

https://nvd.nist.gov/800-53

NIST 800-53 v5

NIST

Revision 5

https://nvd.nist.gov/800-53

NIST CyberSecurity Framework v1

NIST

1.0

https://www.nist.gov/cyberframework

NIST CyberSecurity Framework v1.1

NIST

1.1

https://www.nist.gov/cyberframework

NIST CyberSecurity Framework v2 NIST 2 https://www.nist.gov/cyberframework

NIST Privacy Framework

NIST

1.0

https://www.nist.gov/privacy-framework

HIPAA Security Rule

  Jan 2013 https://www.hhs.gov/hipaa/for-professionals/security/index.html

HITRUST v8

 

8

https://hitrustalliance.net/

HITRUST CSF v9.3.1

 

9.3.1

https://hitrustalliance.net/

Cloud Security Alliance

CSA

3.0.1

https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/

CSA CAIQ-Lite

   

https://cloudsecurityalliance.org/blog/2019/03/01/introducing-caiq-lite/

Thanks to Mick Otoole

SOC2 Report (Confidentiality, Security and Availability Principles)   2022  

SWIFT CSP v1.0

 

1.0

https://www.swift.com/myswift/customer-security-programme-csp

Cyber Essentials - UK

   

https://www.cyberessentials.ncsc.gov.uk/

GDPR (2016/679)

   

European Union

Australian NSW Cyber Security Framework

   

Thanks to Roshan Fernandes

Australian Government ISM

    Thanks to Roshan Fernandes

Cybersecurity Maturity Model Certification

 

1.0

Office of the Under Secretary of Defence for Acquisition & Sustainment

Publicly Available Specification 1296: 2018

 

2018

You need to provide evidence you purchased the standard to get a copy.

 

Thanks to David Davis

Proof of Age Standards Scheme: Requirements for Identity and Age Verification - PASS-1: 2020 

 

2020

Thanks to David Davis

TDIF - Trusted Digital Identity - 04 - Functional Requirements

 

v1.3

Thanks to David Davis

NCSC Cyber Assessment Framework

 

v3.1

Ref: https://www.ncsc.gov.uk/collection/caf , Ref: https://discussions.eramba.org/t/compliance-ncsc-cyber-assessment-framework-v3-1/2115

Qatar 2022 Cyber Security Framework

 

2022

https://www.qatar2022.qa/sites/default/files/Qatar2022Framework.pdf

CMMC v2.0

 

v2.0

https://www.cmmc-compliance.com/

Thanks to Derek Price

FedRAMP Rev. 4

 

4

https://www.fedramp.gov/

Thanks to Derek Price

AESCSF-SP1    

https://aemo.com.au

Thanks to Bret Watson

AESCSF-SP2    

https://aemo.com.au

Thanks to Bret Watson

AESCSF-SP3    

https://aemo.com.au

Thanks to Bret Watson

Saudi Arabian Monetary Authority - BCM

 

v1

https://www.sama.gov.sa/

Saudi Arabian Monetary Authority - CTI

  v1 https://www.sama.gov.sa/

Saudi Arabian Monetary Authority - CSF

  v1 https://www.sama.gov.sa/
EU Digital Operational Resilience Act (DORA)     https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en

Thanks to Martin Freeman
UK Government - National Security Cyber Centre (NCSC)     Thanks to Martin Freeman
Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)   v4.0.6 Thanks to Martin Freeman
Prudential Standard CPS 230 Operational Risk Management   DRAFT Thanks to Martin Freeman