This is a digital download of the current Excel spreadsheet versions of the Set Theory Relationship Mapping (STRM) used to crosswalk the Secure Controls Framework (SCF).
Access to the STRM download lasts one (1) month from the date of purchase. The 2025.3 STRM mappings in Excel format include the following:
- Universal - AICPA Trust Services Criteria (TSC) (with 2022 points of focus)
- Universal - Critical Security Controls (CSC) version 8.1
- Universal - IEC TR 60601-4-5:2021
- Universal - ISO/IEC 27001:2022
- Universal - ISO/IEC 27002:2022
- Universal - ISO/IEC 42001:2023
- Universal - Insurance Data Security Model Law (MDL-668)
- Universal - NIST AI 100-1 (Artificial Intelligence Risk Management Framework 1.0)
- Universal - NIST AI 600-1 (AI RMF Generative Artificial Intelligence Profile)
- Universal - NIST SP 800-53 R5.2
- Universal - NIST SP 800-161 R1
- Universal - NIST SP 800-171 R2
- Universal - NIST SP 800-171 R3
- Universal - NIST SP 800-171A
- Universal - NIST SP 800-171A R3
- Universal - NIST SP 800-207
- Universal - NIST SP 800-218
- Universal - NIST Cybersecurity Framework (CSF) v2.0
- Universal - Payment Card Industry Data Security Standard (PCI DSS) v4.01
- Universal - Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
- Universal - Trusted Information Security Assessment Exchange (TISAX) ISA 6.0.3
- US - CISA Cross-Sector Cybersecurity Performance Goals (CPG)
- US - Criminal Justice Information Services (CJIS) Security Policy v5.9.3
- US - Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1
- US - Data Privacy Framework (DPF)
- US - DoD Zero Trust Execution Roadmap
- US - DoD Zero Trust Reference Architecture v2
- US - CISA Secure Software Development Attestation Form (SSDAF)
- US - CISA Trusted Internet Connections 3.0 Security Capabilities Catalog
- US - Executive Order 14028 (EO 14028)
- US - Farm Credit Administration (FCA) Cyber Risk Management
- US - Gramm Leach Bliley Act (GLBA) - CFR 314 (Dec 2023)
- US - HIPAA Security Rule (includes mapping to NIST SP 800-66 R2)
- US - NERC CIP
- US - SEC Cybersecurity Final Rule
- US - California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
- US - NY DFS 23 NYCRR500
- US - OR Consumer Privacy Act (SB 619)
- US - TN Information Protection Act
- US - TX Consumer Data Protection Act (CDPA)
- US - TX SB 2610 (Safe Harbor Law)
- US - TX SB2610
- EMEA - EU Artificial Intelligence Act
- EMEA - EU Cyber Resilience Act
- EMEA - EU Cyber Resilience Act - Annexes
- EMEA - Digital Operational Resilience Act (DORA)
- EMEA - EU General Data Protection Regulation (GDPR)
- EMEA - ENISA NIS2 (Directive (EU)
- EMEA - ENISA NIS2 Annex
- EMEA - Saudi Arabia IoT CGIoT-1:2024
- EMEA - Saudi Arabia Personal Data Protection Law (PDPL)
- EMEA - Spain BOE-A-2022-7191
- EMEA - UAE National Information Assurance Framework (NIAF)
- EMEA - UK Cyber Assessment Framework (CAF) v4.0
- EMEA - UK Ministry of Defence Standard 05-138
- APAC - Australia Essential Eight
- APAC - Australian Government Information Security Manual (ISM)
- APAC - China Cybersecurity Law
- APAC - India Digital Personal Data Protection Act
- APAC - NZ Health Information Security Framework
- APAC - NZ Health Information Security Framework Guidance for Suppliers
- Americas - Canada ITSP.10.171
- Americas - Canada B-13
2 Reviews
- STRM
You will save a lot of time trying to map these controls out yourself if all you do is purchase the material for your latest NIS2 project. There are no doubt many ways that this can be applied, and if we have this material to show an auditor how the material was organized, I am sure without a doubt that the material will pay off in a big way. The Secure Controls Framework is amazing, and I am happy to support the project in any small way that we can.
- Excellent value and huge time saver!
We use SCF to map product features to multiple compliance frameworks using control cross-walking. Adding the STRM information, especially the actual requirement text, allows us to tailor our answers specifically to the framework. And for the price, it's a real bargain! Even if you only need to copy and paste requirement descriptions manually, you'll end up paying more in lost work time than buying the whole package. Plus, you'll miss out on the STRM weights, which help to prioritize controls.