Compliance Package Database
We call PCI, ISO, NIST, etc. compliance packages. Some packages are available for free or you can create your own.
Introduction
Compliance Packages are simple CSV templates that contain regulations, contracts, standards, etc. Example packages include PCI, SOX, SOC2, ISO, etc.
We keep a free and open repository of the most common compliance packages used around the world that you can access anytime.
You can also create your own compliance packages. If you cannot find a template from us, simply create one. In most cases you can copy and paste the content from the documentation for the standard or regulation into any spreadsheet software.
In this guide we will explain how to create your own compliance packages and also discuss the repository of compliance packages available to the public.
Copyright
While most compliance packages and regulations are free to download in their original form from the author's website, some are not freely available (ISO is a good example). For that reason we cannot make some packages public unless you can provide evidence to us that you have purchased them (by emailing support@eramba.org).
Creating your own Compliance Packages
If you want to upload your own compliance packages you need to create a CSV file and ensure it’s formatted in such a way that eramba can understand the contents. We organise compliance packages (CSV files) into “chapters” and “items”:
Chapters are made of three fields:
- ID
- name
- description
Items are made of four fields:
- ID
- name
- description
- Questions
The following example shows the column entries for PCI-DSS requirement 2:
In the image above you see the chapter fields (three) and the item fields (four). The PCI requirement is translated into a CSV file in which the chapter and the item sit together in one row.
To successfully create a CSV file follow these guidelines:
- Make sure there are entries in all 7 columns
- There should be no empty cells. If you don't know what to put simply put “N/A”.
- If you are using Microsoft Excel you need to save the spreadsheet as “Windows CSV” (not DOS CSV).
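As an added illustration (not from the eramba documentation or code base), the Python script below builds a package CSV that follows the rules above and then checks a CSV file against them: seven cells per row, no empty cells, blanks written as "N/A". The column names, the sample requirement text and the CRLF line ending (what Excel's "CSV (Windows)" export writes) are assumptions; this page does not say whether eramba expects a header row, so the script writes none.

```python
import csv
import io

# Column layout described in the guide: three chapter fields followed by four
# item fields, one chapter + item per row. The names are assumptions used only
# to index the sample data; no header row is written to the file.
COLUMNS = [
    "chapter_id", "chapter_name", "chapter_description",
    "item_id", "item_name", "item_description", "item_questions",
]

# Constructed sample data (not real standard text): two items under one chapter.
SAMPLE_ROWS = [
    {
        "chapter_id": "2",
        "chapter_name": "Secure configurations",
        "chapter_description": "Apply secure configurations to all system components.",
        "item_id": "2.1",
        "item_name": "Change vendor defaults",
        "item_description": "Vendor-supplied defaults are changed before deployment.",
        "item_questions": "Is there a documented process for changing vendor defaults?",
    },
    {
        "chapter_id": "2",
        "chapter_name": "Secure configurations",
        "chapter_description": "",  # blank cell: must be written as N/A
        "item_id": "2.2",
        "item_name": "Hardening standards",
        "item_description": "Configuration standards exist for every component type.",
        "item_questions": "   ",  # whitespace-only cell: also N/A
    },
]


def normalise_row(row):
    """Return the seven cells in column order, replacing blanks with 'N/A'
    so the guideline 'no empty cells' always holds."""
    cells = []
    for col in COLUMNS:
        value = str(row.get(col, "")).strip()
        cells.append(value if value else "N/A")
    return cells


def build_package_csv(rows):
    """Render rows to CSV text without a header row. CRLF line endings are
    used because that is what Excel's 'CSV (Windows)' export produces
    (assumption; the guide only names the export option)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    for row in rows:
        writer.writerow(normalise_row(row))
    return buf.getvalue()


def validate_package_csv(text):
    """Apply the guide's checks to CSV text: exactly 7 columns per row and
    no empty cell. Returns a list of problems; an empty list means it passes."""
    problems = []
    for lineno, cells in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(cells) != len(COLUMNS):
            problems.append(
                f"row {lineno}: expected {len(COLUMNS)} columns, found {len(cells)}"
            )
            continue
        for col, cell in zip(COLUMNS, cells):
            if not cell.strip():
                problems.append(f"row {lineno}: empty cell in column '{col}'")
    return problems


if __name__ == "__main__":
    text = build_package_csv(SAMPLE_ROWS)
    print(text)
    print("problems:", validate_package_csv(text) or "none")
```

Run the validator over a file exported from a spreadsheet before uploading it; a non-empty problem list points at the exact row and column that would make the import fail.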
Compliance Package Repository
The following table contains the list of Compliance Packages ready to import into eramba.
| Package | Publisher | Version | Notes |
| --- | --- | --- | --- |
| SCF | | 2022.2 | https://www.securecontrolsframework.com/ Thanks to Derek Price |
| | PCI Council | 3.1 | |
| | PCI Council | 3.2 | |
| | PCI Council | 3.2.1 | |
| | PCI Council | 4 | |
| | PCI Council | 2 | |
| | PCI Council | 2 | |
| CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES (NEW YORK STATE 500 of Title 23) | | March 1st, 2017 - 500 of Title 23 | |
| 201 CMR 17.00 | | | https://malegislature.gov/laws/generallaws/parti/titlexv/chapter93h |
| ISO 22301 | ISO | 2019 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2015 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2013 | You need to provide evidence you purchased the standard to get a copy. |
| ISO 27001 | ISO | 2022 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2013 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2022 | You need to provide evidence you purchased the standard to get a copy. |
| | ISO | 2019 | You need to provide evidence you purchased the standard to get a copy. |
| ISO 42001 | ISO | 2023 | You need to provide evidence you purchased the standard to get a copy. |
| | CIS | 8.1 | https://www.cisecurity.org/controls/ |
| | CIS | 8 | https://www.cisecurity.org/controls/ |
| | CIS | 7.1 | https://www.cisecurity.org/controls/ |
| | SANS | 3 | |
| | NIST | 2.0 | NIST https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |
| NIST SP 800-171 r3 | NIST | 3.0 | NIST https://csrc.nist.gov/pubs/sp/800/171/r3/final |
| | NIST | 2021 | https://csrc.nist.gov/publications/detail/sp/800-172/final Thanks to Derek Price |
| | NIST | Revision 4 | |
| | NIST | Revision 5 | |
| | NIST | 1.0 | |
| | NIST | 1.1 | |
| NIST CyberSecurity Framework v2 | NIST | 2 | https://www.nist.gov/cyberframework |
| | NIST | 1.0 | |
| | | Jan 2013 | https://www.hhs.gov/hipaa/for-professionals/security/index.html |
| | | 8 | |
| | | 9.3.1 | |
| | CSA | 3.0.1 | https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/ |
| | | | https://cloudsecurityalliance.org/blog/2019/03/01/introducing-caiq-lite/ Thanks to Mick Otoole |
| SOC2 Report (Confidentiality, Security and Availability Principles) | | 2022 | |
| | | 1.0 | https://www.swift.com/myswift/customer-security-programme-csp |
| SWIFT CSF | | 2024 | Thanks to Sonia Azeem |
| Cyber Essentials v14 | | | https://www.cyberessentials.ncsc.gov.uk/ |
| | European Union | | |
| | | | Thanks to Roshan Fernandes |
| | | | Thanks to Roshan Fernandes |
| | Office of the Under Secretary of Defence for Acquisition & Sustainment | 1.0 | |
| Publicly Available Specification 1296: 2018 | | 2018 | You need to provide evidence you purchased the standard to get a copy. Thanks to David Davis |
| Proof of Age Standards Scheme: Requirements for Identity and Age Verification - PASS-1: 2020 | | 2020 | Thanks to David Davis |
| TDIF - Trusted Digital Identity - 04 - Functional Requirements | | v1.3 | Thanks to David Davis |
| | | v3.1 | Ref: https://www.ncsc.gov.uk/collection/caf , Ref: https://discussions.eramba.org/t/compliance-ncsc-cyber-assessment-framework-v3-1/2115 |
| | | 2022 | https://www.qatar2022.qa/sites/default/files/Qatar2022Framework.pdf |
| | | v2.0 | https://www.cmmc-compliance.com/ Thanks to Derek Price |
| | | 4 | Thanks to Derek Price |
| AESCSF-SP1 | | | Thanks to Bret Watson |
| AESCSF-SP2 | | | Thanks to Bret Watson |
| AESCSF-SP3 | | | Thanks to Bret Watson |
| | | v1 | https://www.sama.gov.sa/ |
| | | v1 | https://www.sama.gov.sa/ |
| | | v1 | https://www.sama.gov.sa/ |
| EU Digital Operational Resilience Act (DORA) | European Union | | https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en |
| UK Government - National Security Cyber Centre (NCSC) | | | Thanks to Martin Freeman |
| Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) | | v4.0.6 | Thanks to Martin Freeman |
| Prudential Standard CPS 230 Operational Risk Management | | DRAFT | Thanks to Martin Freeman |
| NIS2 Directive | European Union | 2 | https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs |
| TISAX | Trusted Information Security Assessment Exchange | 6.0.2 | https://portal.enx.com/ |
| PKI Maturity Model | PKI Consortium | v1 | https://pkic.org/pkimm/model/ |
| Cloud Computing Compliance Control Catalog (C5) | BSI | C5:2020 | Thanks to Tobias Gurtzick |