Compliance Frameworks
Overview
Cloud security audits and customer questionnaires rarely arrive in a single framework dialect. A finance customer asks about ISO/IEC 27001:2022 Annex A. A U.S. federal program asks about NIST SP 800-53 rev5 control families. A board reports against the NIST CSF 2.0 Govern/Identify/Protect/Detect/Respond/Recover functions, and an engineering team configures hardened defaults from a CIS Benchmark. Each framework describes the same security outcomes in a vocabulary the others do not share. This page documents what each framework is for, which exact version this corpus pins, and where the cross-framework mapping lives.
Mapping between frameworks is rarely one-to-one. A single CIS Benchmark recommendation often satisfies one full NIST 800-53 control plus part of another, while an ISO/IEC 27001:2022 Annex A control may correspond to a family of CIS rules and a CSF 2.0 subcategory. NIST publishes the authoritative NIST 800-53 rev5 to ISO/IEC 27001 crosswalk in Appendix B of SP 800-53, and CIS publishes Cloud Companion guides that reference both. This guide relies on those primary mappings rather than reinventing them.
Pinned versions matter. CIS bumps benchmarks regularly (CIS GCP moved to v5.0.0 in 2026, with CIS AWS Foundations at v7.0.0 and Azure Foundations at v6.0.0), and ISO/IEC 27001 was substantially restructured in the 2022 revision: the 2013 four-level Annex A numbering does not match the 2022 three-level numbering. Citing "CIS AWS" or "ISO 27001" without a version is ambiguous, and the ambiguity produces wrong answers every time. The methodology page explains how this corpus enforces pinned versions in every control-box compliance table.
Framework summaries
Five framework families inform this corpus. Each summary below states what the framework is, what it is used for, the exact version this guide pins, and where the primary source lives.
CIS Benchmarks
The Center for Internet Security publishes prescriptive, configuration-level hardening benchmarks for individual cloud platforms. Each benchmark enumerates concrete recommendations ("Ensure MFA is enabled for the root user account") tied to specific console toggles, API parameters, and CLI invocations, scored Level 1 (broadly safe to apply) or Level 2 (defense-in-depth, which may break legitimate workflows). CIS releases the PDF benchmarks free and sells pre-hardened machine images and CIS-CAT assessment tooling that check against the same recommendations.
This corpus pins the four cloud-provider Foundations Benchmarks at the following versions: CIS AWS Foundations Benchmark v7.0.0; CIS Microsoft Azure Foundations Benchmark v6.0.0; CIS Google Cloud Platform Foundation Benchmark v5.0.0; CIS Oracle Cloud Infrastructure Foundations Benchmark v3.1.0. CIS Kubernetes Benchmark v2.0.0 is the pinned generic Kubernetes benchmark version. Every compliance-table row that cites a CIS recommendation prefixes the version exactly as listed; abbreviations such as "CIS AWS 7" or "CIS GCP v5" fail the STD-02 validation grep. See CIS Center for Internet Security — CIS Benchmarks portal (accessed 2026-05) for downloads and the published change logs.
NIST SP 800-53 rev5
NIST Special Publication 800-53, revision 5, update 1 (January 2022) is the United States federal catalog of security and privacy controls. It organizes roughly one thousand controls into twenty families (AC Access Control, AU Audit and Accountability, CM Configuration Management, IA Identification and Authentication, SC System and Communications Protection, and so on), each with optional control enhancements. SP 800-53 is not cloud-specific, but FedRAMP, DoD SRG, CMMC 2.0, and most U.S. federal cloud authorizations consume it directly.
Appendix B of SP 800-53 rev5 contains the authoritative crosswalk between NIST control families and ISO/IEC 27001:2013 Annex A. NIST has not yet published a fully revised crosswalk against ISO/IEC 27001:2022, so the 2013-to-2022 transition mapping (published by ISO and BSI) bridges that gap. This corpus cites the controls by their rev5 identifiers (for example IA-2(1) for multifactor authentication to privileged accounts) and uses Appendix B as the primary mapping authority. See NIST SP 800-53 rev5 (upd1, Jan 2022) — Security and Privacy Controls for Information Systems and Organizations (accessed 2026-05). NIST released Revision 5.2.0 on August 27, 2025, introducing 3 new controls. The underlying Revision 5 baseline (upd1, Jan 2022) remains authoritative for citation purposes, and the existing /r5/upd1/final URL remains stable.
NIST CSF 2.0
The NIST Cybersecurity Framework 2.0 (February 2024) is an outcome-based framework, not a control catalog. CSF 2.0 organizes security outcomes into six Functions (Govern, Identify, Protect, Detect, Respond, Recover), each subdivided into Categories and Subcategories. The Govern Function was added in CSF 2.0; CSF 1.1 had five Functions. Govern covers risk management strategy, organizational context, supply chain, and policy. CSF 2.0 is useful for executive reporting, program maturity assessments, and as a vocabulary bridge between technical control catalogs (SP 800-53 rev5) and business risk discussions.
This corpus references CSF 2.0 in the methodology page and in select control entries where the Subcategory ID adds executive-reporting value (for example PR.AA-01 identity and credential management). CSF 2.0 does not appear as a column in compliance-table rows because the four CIS benchmarks, NIST 800-53, and the two ISO/IEC documents already use up the column budget. See NIST Cybersecurity Framework 2.0 — Feb 2024 release (accessed 2026-05) for the framework documents, informative references, and the official CSF 2.0 Reference Tool.
ISO/IEC 27001:2022
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). The standard itself specifies the management-system requirements (clauses 4-10 covering context, leadership, planning, support, operation, performance evaluation, and improvement); Annex A enumerates 93 reference controls organized into four themes: Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8). The 2022 revision consolidated and restructured the 114 controls of the 2013 edition; numbering changed from four-level (e.g., A.9.4.2) to three-level (e.g., A.8.5).
This corpus cites ISO/IEC 27001:2022 controls by their 2022 three-level identifiers exclusively. It does not use citations to ISO/IEC 27001:2013 (four-level), because a mixed-revision corpus would silently misalign with audit evidence. ISO documents are paywalled, so they are cited by document number plus accessed date rather than by URL: ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — ISMS requirements (accessed 2026-05).
ISO/IEC 27017:2015
ISO/IEC 27017:2015 is the cloud-specific guidance companion to ISO/IEC 27002. It augments the ISO/IEC 27002 control set with seven cloud-specific controls prefixed CLD. (CLD.6.3.1 shared roles and responsibilities within a cloud computing environment; CLD.8.1.5 removal of cloud service customer assets; CLD.9.5.1 segregation in virtual computing environments; CLD.9.5.2 virtual machine hardening; CLD.12.1.5 administrator's operational security; CLD.12.4.5 monitoring of cloud services; CLD.13.1.4 alignment of security management for virtual and physical networks). ISO/IEC 27017 also adds cloud-specific implementation guidance to many existing ISO/IEC 27002 controls.
This corpus cites ISO/IEC 27017:2015 in compliance-table rows whenever a control has a meaningful cloud-shared-responsibility dimension that ISO/IEC 27002 alone does not fully capture (for example multitenancy isolation, customer-supplied keys, log delivery from the cloud service provider). The 2015 revision remains current, and no superseding revision has been published as of the accessed date. See ISO/IEC 27017:2015 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (accessed 2026-05).
Crosswalk overview
The table below illustrates how a handful of high-level control areas map across the seven pinned columns. It is intentionally short: six rows of common controls, not the full corpus mapping. The complete control-by-control matrix lives in compliance-matrix.html (a Phase 10 deliverable). That page is not yet authored, so this section references it as plain text rather than as a hyperlink, to avoid a broken link while the corpus is still being built. Reviewers who want exhaustive mapping today can read each domain principle page. Every control on iam.html, network.html, data.html, logging.html, workloads.html, and ir.html already carries a populated compliance-table footer.
The crosswalk uses the standard .compliance-table class with seven framework columns. Cells contain the most specific framework identifier this corpus would emit when authoring a real control entry. Where a framework does not address a control area directly (for example ISO/IEC 27017:2015 has no dedicated incident-response control because it inherits from ISO/IEC 27002), the cell carries an em-dash. The "—" is a deliberate mapping signal, not an authoring gap.
| Control area | CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 |
|---|---|---|---|---|---|---|---|
| Multi-factor authentication on privileged identities | 1.5, 1.10 | 1.1.1, 1.1.2 | 1.2 | 1.7 | IA-2(1), IA-2(2) | A.5.17, A.8.5 | CLD.6.3.1 |
| Encryption of data at rest with managed keys | 2.1.1, 3.6 | 3.1, 3.2 | 3.1, 4.6 | 4.1 | SC-13, SC-28 | A.8.24 | CLD.10.1.1 |
| Centralized audit logging (control plane) | 3.1, 3.2 | 5.1.1, 5.1.2 | 2.1, 2.2 | 3.1, 3.2 | AU-2, AU-6, AU-12 | A.8.15, A.8.16 | CLD.12.4.5 |
| Network segmentation and default-deny ingress | 5.2, 5.3 | 6.1, 6.2 | 3.6, 3.7 | 2.1, 2.2 | SC-7, SC-7(5) | A.8.20, A.8.22 | CLD.13.1.4 |
| Vulnerability management and configuration baseline | 4.1, 4.2 | 5.3, 7.6 | 4.8, 4.9 | 4.6, 4.13 | RA-5, CM-6 | A.8.8, A.8.9 | — |
| Incident response readiness | 3.14 (org-level) | 2.1.21 | 2.16 | — | IR-4, IR-8 | A.5.24, A.5.26 | — |
This table is illustrative. The complete compliance-matrix.html will list every control authored across the corpus, group them by framework, and provide bidirectional navigation (jump from a CIS recommendation to every domain page that implements it, or from an ISO/IEC 27001:2022 Annex A control to its NIST 800-53 rev5 peers). Until Phase 10 ships that page, the per-control compliance-table footers on each domain page are the authoritative source. The methodology page §Compliance mapping methodology documents how each cell value is verified against the framework's primary source rather than transcribed from a blog.
Pinned version contract
The seven version strings below are the single source of truth for every compliance-table header in this corpus. They are reproduced verbatim from docs/control-template.md §Pinned framework versions, and any divergence between the two documents is a corpus bug. The STD-02 validation grep matches the exact version suffix, so abbreviations fail the build.
| Framework family | Pinned version (verbatim) | Release |
|---|---|---|
| CIS Amazon Web Services Foundations | CIS AWS Foundations v7.0.0 | 2026 |
| CIS Microsoft Azure Foundations | CIS Microsoft Azure Foundations v6.0.0 | 2026 |
| CIS Google Cloud Platform Foundation | CIS GCP Foundation v5.0.0 | 2026 |
| CIS Oracle Cloud Infrastructure Foundations | CIS OCI Foundation v3.1.0 | 2025 |
| NIST Special Publication 800-53 | NIST SP 800-53 rev5 (upd1, Jan 2022) | January 2022 |
| ISO/IEC 27001 (ISMS) | ISO/IEC 27001:2022 | October 2022 |
| ISO/IEC 27017 (cloud guidance) | ISO/IEC 27017:2015 | December 2015 |
The corpus-bump policy is strict: when any framework releases a new version mid-project, the entire corpus is updated in one operation during the Polish phase, never piecemeal. A mixed-version corpus (some pages citing CIS AWS v7.0.0 and others citing an older version, for example) silently breaks the compliance matrix and the search index. The pinned-version table here, the table in docs/control-template.md, and every per-control compliance-table header must agree. See the methodology page §Compliance mapping methodology for the verification procedure.
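The STD-02 grep itself is not reproduced on this page. The check below is an added example, not the corpus's own tooling, that implements the two contracts stated above: every framework header cell of a compliance-table footer must equal one of the seven pinned version strings verbatim (so "CIS AWS 7" or "ISO 27001" fail), and the ISO/IEC 27001:2022 column must not carry 2013-edition four-level identifiers such as A.9.4.2. The markdown pipe-table shape, the function names, and the two sample footers are assumptions made for the example.

```python
import re
from typing import List

# Pinned version strings, copied verbatim from the table above; framework header cells must match exactly.
PINNED_VERSIONS = {
    "CIS AWS Foundations v7.0.0", "CIS Microsoft Azure Foundations v6.0.0",
    "CIS GCP Foundation v5.0.0", "CIS OCI Foundation v3.1.0",
    "NIST SP 800-53 rev5 (upd1, Jan 2022)", "ISO/IEC 27001:2022", "ISO/IEC 27017:2015",
}
FRAMEWORK_PREFIXES = ("CIS ", "NIST ", "ISO")  # header cells that name a framework family
# 2013-edition Annex A identifiers have four levels (A.9.4.2); the 2022 edition uses three (A.8.5).
ISO_2013_ID = re.compile(r"\bA\.\d+\.\d+\.\d+\b")


def split_row(line: str) -> List[str]:
    """Split one markdown table row into stripped cell strings."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def check_compliance_table(markdown: str) -> List[str]:
    """Return one finding per violation; an empty list means the footer passes."""
    findings: List[str] = []
    rows = [ln for ln in markdown.splitlines() if ln.strip().startswith("|")]
    if not rows:
        return ["no compliance table found"]
    header = split_row(rows[0])
    iso_cols = [i for i, cell in enumerate(header) if cell == "ISO/IEC 27001:2022"]
    for idx, cell in enumerate(header):
        if cell.startswith(FRAMEWORK_PREFIXES) and cell not in PINNED_VERSIONS:
            findings.append(f"header column {idx}: '{cell}' is not a pinned version string")
    for line_no, row in enumerate(rows[2:], start=3):  # rows[1] is the |---| separator
        cells = split_row(row)
        if len(cells) != len(header):
            findings.append(f"row {line_no}: {len(cells)} cells but header has {len(header)}")
            continue
        for idx in iso_cols:
            for bad in ISO_2013_ID.findall(cells[idx]):
                findings.append(f"row {line_no}: '{bad}' is a 2013 four-level ID in an ISO/IEC 27001:2022 column")
    return findings


# Constructed sample footers (not from any corpus page): one compliant, one that fails both checks.
GOOD_TABLE = """\
| Control | CIS AWS Foundations v7.0.0 | NIST SP 800-53 rev5 (upd1, Jan 2022) | ISO/IEC 27001:2022 |
|---|---|---|---|
| MFA on root | 1.5 | IA-2(1) | A.5.17, A.8.5 |
"""
BAD_TABLE = """\
| Control | CIS AWS 7 | NIST SP 800-53 rev5 (upd1, Jan 2022) | ISO/IEC 27001:2022 |
|---|---|---|---|
| MFA on root | 1.5 | IA-2(1) | A.9.4.2 |
"""
```

Running check_compliance_table over each domain page's footer before the build, and failing on a non-empty list, enforces the pinned-version table and the 2022-only ISO citation rule at the same point the corpus-bump policy requires them to agree.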