Compliance Frameworks

Overview

Cloud security audits and customer questionnaires rarely arrive in a single framework dialect. A finance customer asks about ISO/IEC 27001:2022 Annex A; a U.S. federal program asks about NIST SP 800-53 rev5 control families; a board reports against NIST CSF 2.0 Govern/Identify/Protect/Detect/Respond/Recover functions; an engineering team configures hardened defaults from a CIS Benchmark. Each framework describes overlapping security outcomes in incompatible vocabularies. This page documents what each framework is for, which exact version this corpus pins, and where the cross-framework mapping lives.

Mapping between frameworks is rarely one-to-one. A single CIS Benchmark recommendation often satisfies one full NIST 800-53 control plus part of another, while an ISO/IEC 27001:2022 Annex A control may correspond to a family of CIS rules and a CSF 2.0 subcategory. NIST publishes the authoritative NIST 800-53 rev5 to ISO/IEC 27001 crosswalk in Appendix B of SP 800-53; CIS publishes Cloud Companion guides that reference both. This guide leans on those primary mappings rather than reinventing them.

Pinned versions matter. CIS bumps benchmarks regularly (CIS GCP moved to v4.0.0 in May 2025; CIS AWS and Azure Foundations are both at v3.0.0); ISO/IEC 27001 was substantially restructured in the 2022 revision (the 2013 four-level Annex A numbering does not match the 2022 three-level numbering). Citing "CIS AWS" or "ISO 27001" without a version is ambiguous, and an ambiguous citation is treated as wrong in this corpus. The methodology page explains how this corpus enforces pinned versions in every control-box compliance table.

Framework summaries

Five framework families inform this corpus. Each summary below states what the framework is, what it is used for, the exact version pinned by this guide, and where the primary source lives.

CIS Benchmarks

The Center for Internet Security publishes prescriptive, configuration-level hardening benchmarks for individual cloud platforms. Each benchmark enumerates concrete recommendations ("Ensure MFA is enabled for the root user account") tied to specific console toggles, API parameters, and CLI invocations, scored Level 1 (broadly safe to apply) or Level 2 (defense-in-depth, may break legitimate workflows). CIS releases the PDF benchmarks free and sells pre-hardened machine images and CIS-CAT assessment tooling against the same recommendations.

This corpus pins the four cloud-provider Foundations Benchmarks at the following versions, drawn verbatim from docs/control-template.md §Pinned framework versions: CIS AWS Foundations Benchmark v3.0.0 (released January 2024); CIS Microsoft Azure Foundations Benchmark v3.0.0 (released September 2024); CIS Google Cloud Platform Foundation Benchmark v4.0.0 (released May 2025); CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0. Every compliance-table row that cites a CIS recommendation prefixes the version exactly as listed; abbreviations such as "CIS AWS 3" or "CIS GCP v4" fail the STD-02 validation grep. See CIS Center for Internet Security — CIS Benchmarks portal (accessed 2026-05) for downloads and the published change logs.

NIST SP 800-53 rev5

NIST Special Publication 800-53, revision 5, update 1 (January 2022) is the United States federal catalog of security and privacy controls. It organizes roughly one thousand controls into twenty families (AC Access Control, AU Audit and Accountability, CM Configuration Management, IA Identification and Authentication, SC System and Communications Protection, and so on), each with optional control enhancements. SP 800-53 is not cloud-specific, but it is the spine that FedRAMP, DoD SRG, CMMC 2.0, and most U.S. federal cloud authorizations consume directly.

Appendix B of SP 800-53 rev5 contains the authoritative crosswalk between NIST control families and ISO/IEC 27001:2013 Annex A. NIST has not yet published a fully revised crosswalk against ISO/IEC 27001:2022; the 2013→2022 transition mapping (published by ISO and BSI) bridges that gap. This corpus cites the controls by their rev5 identifiers (for example IA-2(1) for multifactor authentication to privileged accounts) and uses Appendix B as the primary mapping authority. See NIST SP 800-53 rev5 (upd1, Jan 2022) — Security and Privacy Controls for Information Systems and Organizations (accessed 2026-05).

NIST CSF 2.0

The NIST Cybersecurity Framework 2.0 (February 2024) is an outcome-based framework, not a control catalog. CSF 2.0 organizes security outcomes into six Functions — Govern, Identify, Protect, Detect, Respond, Recover — each subdivided into Categories and Subcategories. The Govern Function was added in CSF 2.0 (CSF 1.1 had five Functions); it covers risk management strategy, organizational context, supply chain, and policy. CSF 2.0 is useful for executive reporting, program maturity assessments, and as a vocabulary bridge between technical control catalogs (SP 800-53 rev5) and business risk discussions.

This corpus references CSF 2.0 in the methodology page and in select control entries where the Subcategory ID adds executive-reporting value (for example PR.AA-01 identity and credential management). CSF 2.0 does not appear as a column in compliance-table rows because the column count budget is already exhausted by the four CIS benchmarks plus NIST 800-53 plus the two ISO/IEC documents. See NIST Cybersecurity Framework 2.0 — Feb 2024 release (accessed 2026-05) for the framework documents, informative references, and the official CSF 2.0 Reference Tool.

ISO/IEC 27001:2022

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). The standard itself specifies the management-system requirements (clauses 4-10 covering context, leadership, planning, support, operation, performance evaluation, and improvement); Annex A enumerates 93 reference controls organized into four themes: Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8). The 2022 revision consolidated and restructured the 114 controls of the 2013 edition; numbering changed from four-level (e.g., A.9.4.2) to three-level (e.g., A.8.5).

This corpus cites ISO/IEC 27001:2022 controls by their 2022 three-level identifiers exclusively. Citations to ISO/IEC 27001:2013 (four-level) are not used; a mixed-revision corpus would silently misalign with audit evidence. ISO documents are paywalled and are cited by document number plus accessed date, not by URL: ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — ISMS requirements (accessed 2026-05).

ISO/IEC 27017:2015

ISO/IEC 27017:2015 is the cloud-specific guidance companion to ISO/IEC 27002. It augments the ISO/IEC 27002 control set with seven cloud-specific controls prefixed CLD. (CLD.6.3.1 shared roles and responsibilities within a cloud computing environment; CLD.8.1.5 removal of cloud service customer assets; CLD.9.5.1 segregation in virtual computing environments; CLD.9.5.2 virtual machine hardening; CLD.12.1.5 administrator's operational security; CLD.12.4.5 monitoring of cloud services; CLD.13.1.4 alignment of security management for virtual and physical networks). ISO/IEC 27017 also adds cloud-specific implementation guidance to many existing ISO/IEC 27002 controls.

This corpus cites ISO/IEC 27017:2015 in compliance-table rows whenever a control has a meaningful cloud-shared-responsibility dimension that ISO/IEC 27002 alone does not fully capture (for example multitenancy isolation, customer-supplied keys, log delivery from the cloud service provider). The 2015 revision remains current; no superseding revision has been published as of the accessed date. See ISO/IEC 27017:2015 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (accessed 2026-05).

Crosswalk overview

The table below illustrates how a handful of high-level control areas map across the seven pinned columns. It is intentionally short — six rows of common controls, not the full corpus mapping. The complete control-by-control matrix lives in compliance-matrix.html (Phase 10 deliverable; that page is not yet authored, and this section therefore references it as plaintext, not as a hyperlink, to avoid a broken link during the build-up). Reviewers who want exhaustive mapping today can read each domain principle page — every control on iam.html, network.html, data.html, logging.html, workloads.html, and ir.html already carries a populated compliance-table footer.

The crosswalk uses the standard .compliance-table class with seven framework columns. Cells contain the most specific framework identifier this corpus would emit when authoring a real control entry. Where a framework does not address a control area directly (for example ISO/IEC 27017:2015 has no dedicated incident-response control because it inherits from ISO/IEC 27002), the cell carries an em-dash. A "—" is a deliberate mapping signal, not an authoring gap.

Control area | CIS AWS Foundations v3.0.0 | CIS Microsoft Azure Foundations v3.0.0 | CIS GCP Foundation v4.0.0 | CIS OCI Foundation v2.0.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015
Multi-factor authentication on privileged identities | 1.5, 1.10 | 1.1.1, 1.1.2 | 1.2 | 1.7 | IA-2(1), IA-2(2) | A.5.17, A.8.5 | CLD.6.3.1
Encryption of data at rest with managed keys | 2.1.1, 3.6 | 3.1, 3.2 | 3.1, 4.6 | 4.1 | SC-13, SC-28 | A.8.24 | CLD.10.1.1
Centralized audit logging (control plane) | 3.1, 3.2 | 5.1.1, 5.1.2 | 2.1, 2.2 | 3.1, 3.2 | AU-2, AU-6, AU-12 | A.8.15, A.8.16 | CLD.12.4.5
Network segmentation and default-deny ingress | 5.2, 5.3 | 6.1, 6.2 | 3.6, 3.7 | 2.1, 2.2 | SC-7, SC-7(5) | A.8.20, A.8.22 | CLD.13.1.4
Vulnerability management and configuration baseline | 4.1, 4.2 | 5.3, 7.6 | 4.8, 4.9 | 4.6, 4.13 | RA-5, CM-6 | A.8.8, A.8.9 | —
Incident response readiness | 3.14 (org-level) | 2.1.21 | 2.16 | — | IR-4, IR-8 | A.5.24, A.5.26 | —

This table is illustrative. The complete compliance-matrix.html will list every control authored across the corpus, group them by framework, and provide bidirectional navigation (jump from a CIS recommendation to every domain page that implements it, or from an ISO/IEC 27001:2022 Annex A control to its NIST 800-53 rev5 peers). Until Phase 10 ships that page, the per-control compliance-table footers on each domain page are the authoritative source. The methodology page §Compliance mapping methodology documents how each cell value is verified against the framework primary source rather than transcribed from a blog.
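The bidirectional navigation described above, as an added example that is not part of the corpus or of compliance-matrix.html: it indexes rows from this page's illustrative crosswalk (the domain-page assignment per row is constructed) so that a CIS recommendation resolves to the pages citing it and an ISO/IEC 27001:2022 control resolves to its NIST SP 800-53 rev5 peers.

```python
from collections import defaultdict

# The seven pinned framework columns, in compliance-table order.
COLUMNS = (
    "CIS AWS Foundations v3.0.0",
    "CIS Microsoft Azure Foundations v3.0.0",
    "CIS GCP Foundation v4.0.0",
    "CIS OCI Foundation v2.0.0",
    "NIST SP 800-53 rev5 (upd1, Jan 2022)",
    "ISO/IEC 27001:2022",
    "ISO/IEC 27017:2015",
)

# (domain page, control area, seven cells). Cells come from this page's
# illustrative crosswalk; the page names are constructed for the example.
# "—" is the deliberate no-mapping signal and is never indexed.
ROWS = [
    ("iam.html", "Multi-factor authentication on privileged identities",
     ["1.5, 1.10", "1.1.1, 1.1.2", "1.2", "1.7",
      "IA-2(1), IA-2(2)", "A.5.17, A.8.5", "CLD.6.3.1"]),
    ("logging.html", "Centralized audit logging (control plane)",
     ["3.1, 3.2", "5.1.1, 5.1.2", "2.1, 2.2", "3.1, 3.2",
      "AU-2, AU-6, AU-12", "A.8.15, A.8.16", "CLD.12.4.5"]),
    ("workloads.html", "Vulnerability management and configuration baseline",
     ["4.1, 4.2", "5.3, 7.6", "4.8, 4.9", "4.6, 4.13",
      "RA-5, CM-6", "A.8.8, A.8.9", "—"]),
]

def _idents(cell):
    """Split a cell such as 'IA-2(1), IA-2(2)' into its identifiers."""
    return [] if cell.strip() == "—" else [c.strip() for c in cell.split(",")]

def build_index(rows):
    """Map (framework, identifier) -> [(page, control area), ...]."""
    index = defaultdict(list)
    for page, area, cells in rows:
        if len(cells) != len(COLUMNS):
            raise ValueError(f"{area!r}: {len(cells)} cells for {len(COLUMNS)} columns")
        for framework, cell in zip(COLUMNS, cells):
            for ident in _idents(cell):
                index[(framework, ident)].append((page, area))
    return index

def peers(rows, framework, ident, target):
    """Identifiers in the target framework sharing a row with (framework, ident)."""
    src, dst = COLUMNS.index(framework), COLUMNS.index(target)
    out = set()
    for _, _, cells in rows:
        if ident in _idents(cells[src]):
            out.update(_idents(cells[dst]))
    return sorted(out)
```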

Pinned version contract

The seven version strings below are the single source of truth for every compliance-table header in this corpus. They are reproduced verbatim from docs/control-template.md §Pinned framework versions; any divergence between the two documents is a corpus bug. The STD-02 validation grep matches the exact version suffix; abbreviations fail the build.

Framework family | Pinned version (verbatim) | Release
CIS Amazon Web Services Foundations | CIS AWS Foundations v3.0.0 | January 2024
CIS Microsoft Azure Foundations | CIS Microsoft Azure Foundations v3.0.0 | September 2024
CIS Google Cloud Platform Foundation | CIS GCP Foundation v4.0.0 | May 2025
CIS Oracle Cloud Infrastructure Foundations | CIS OCI Foundation v2.0.0 |
NIST Special Publication 800-53 | NIST SP 800-53 rev5 (upd1, Jan 2022) | January 2022
ISO/IEC 27001 (ISMS) | ISO/IEC 27001:2022 | October 2022
ISO/IEC 27017 (cloud guidance) | ISO/IEC 27017:2015 | December 2015

The corpus-bump policy is strict: when any framework releases a new version mid-project, the entire corpus is updated in one operation during Phase 12 polish, never piecemeal. A mixed-version corpus (some pages citing CIS AWS v3.0.0 and others citing CIS AWS v4.0.0, for example) silently breaks the Phase 10 compliance matrix and the Phase 11 search index. The pinned-version table here, in docs/control-template.md, and in every per-control compliance-table header must agree. See the methodology page §Compliance mapping methodology for the verification procedure.
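An STD-02-style check as an added example, not the corpus's actual validation grep: it holds the seven pinned strings verbatim, rejects any compliance-table header cell that deviates from them (the "CIS AWS 3" and "CIS GCP v4" abbreviations fail), and additionally flags 2013-style four-level Annex A identifiers in the ISO/IEC 27001:2022 column, the mixed-revision case the page rules out. The header and row samples used to exercise it are constructed.

```python
import re

# The seven pinned version strings from this page, verbatim.
PINNED = {
    "CIS AWS Foundations v3.0.0",
    "CIS Microsoft Azure Foundations v3.0.0",
    "CIS GCP Foundation v4.0.0",
    "CIS OCI Foundation v2.0.0",
    "NIST SP 800-53 rev5 (upd1, Jan 2022)",
    "ISO/IEC 27001:2022",
    "ISO/IEC 27017:2015",
}
ISO_COLUMN = "ISO/IEC 27001:2022"

# ISO/IEC 27001:2013 Annex A used four-level ids (A.9.4.2); the 2022 revision
# uses three-level ids (A.8.5). A four-level id in the 2022 column is a
# mixed-revision citation, which this corpus does not allow.
ISO_2013_ID = re.compile(r"\bA\.\d+\.\d+\.\d+\b")

def check_headers(headers):
    """Header cells (after the leading 'Control area' label) that are not a
    verbatim pinned string; 'CIS AWS 3' and 'CIS GCP v4' fail here."""
    return [h for h in headers[1:] if h not in PINNED]

def check_iso_cell(cell):
    """2013-style four-level identifiers found in an ISO/IEC 27001:2022 cell."""
    return ISO_2013_ID.findall(cell)

def validate_table(headers, rows):
    """Every problem in one compliance table, as human-readable strings."""
    problems = [f"header not pinned verbatim: {h!r}" for h in check_headers(headers)]
    iso_col = headers.index(ISO_COLUMN) if ISO_COLUMN in headers else None
    for row in rows:
        if len(row) != len(headers):
            problems.append(f"{row[0]!r}: {len(row)} cells for {len(headers)} columns")
            continue
        if iso_col is not None:
            for bad in check_iso_cell(row[iso_col]):
                problems.append(f"{row[0]!r}: 2013-style id {bad} in {ISO_COLUMN} column")
    return problems
```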