| Control | Requirement | Satisfies (collect evidence once) |
| --- | --- | --- |
| Access control | Restrict access on least privilege and need-to-know. | ISO/IEC 27001:2022, SOC 2, PCI DSS 4.0, NIST CSF 2.0 |
| Multi-factor authentication | Require MFA for access to key systems. | PCI DSS 4.0, SOC 2 |
| Encryption and key management | Protect data with cryptography in transit and at rest. | ISO/IEC 27001:2022, PCI DSS 4.0, SOC 2 |
| Risk assessment | Operate a documented risk assessment and treatment process. | ISO/IEC 27001:2022, SOC 2, NIST CSF 2.0 |
| Incident response | Detect, respond to and report security and privacy incidents. | ISO/IEC 27001:2022, SOC 2, NIST CSF 2.0, DPDP Act 2023, GDPR |
| Business continuity | Maintain and recover critical operations within objectives. | ISO/IEC 27001:2022, SOC 2, NIST CSF 2.0 |
| Security policy and governance | Maintain an approved security policy and leadership oversight. | ISO/IEC 27001:2022, PCI DSS 4.0, SOC 2, NIST CSF 2.0 |
| Asset management | Maintain an inventory of assets and acceptable use. | ISO/IEC 27001:2022, NIST CSF 2.0 |
| Supplier and third-party security | Manage security in supplier relationships. | ISO/IEC 27001:2022 |
| Awareness and training | Provide security and privacy awareness training. | ISO/IEC 27001:2022, NIST CSF 2.0, POSH Act 2013 |
| Monitoring and logging | Log and monitor access and detect anomalies. | PCI DSS 4.0, SOC 2, NIST CSF 2.0 |
| Change management | Authorise, test and approve changes. | SOC 2 |
| Data-subject and principal rights | Enable access, correction, erasure and objection. | DPDP Act 2023, GDPR, ISO/IEC 27701:2019, CCPA / CPRA |
| Consent and choice | Obtain and record consent and offer withdrawal. | DPDP Act 2023, GDPR, ISO/IEC 27701:2019 |
| Retention and minimisation | Limit data to what is necessary and erase when done. | DPDP Act 2023, GDPR, ISO/IEC 27701:2019 |
| Harassment policy and committee | Adopt a workplace harassment policy and constitute a complaints committee. | POSH Act 2013 |
| Grievance, timelines and annual reporting | Run a time-bound complaint process and file the statutory annual report. | POSH Act 2013 |