
compliance guide

One scan. 25 frameworks. Citations included.

Abhra maps every finding to the specific clause or requirement of each framework. The frameworks below are grouped as: global baseline (ISO 27001, SOC 2, PCI DSS, GDPR, HIPAA), cloud-native (CIS, NIST, AWS Well-Architected, FedRAMP), and India BFSI (SEBI, RBI, CERT-In, DPDPA, MeitY). Industry- and country-specific frameworks (NESA UAE, SAMA Saudi, MAS TRM Singapore, NIS2, DORA, CMMC, ISO 27017 / 27018) are included in the Professional and Enterprise tiers.

Global frameworks

SOC 2 Type II

45 controls

System and Organization Controls (SOC) 2 report against the AICPA Trust Services Criteria: Security (the common criteria), Availability, Confidentiality, Processing Integrity, Privacy. A Type II report attests to operating effectiveness over a review period, not at a single point in time, so findings need to stay resolved between scans.

Example controls

  • CC6.1 — Logical access security over protected information assets (includes encryption of data at rest)
  • CC6.6 — Logical access protection against threats from outside the system boundary
  • CC7.1 — Detection and monitoring of configuration changes and newly discovered vulnerabilities
  • CC8.1 — Change management procedures

ISO 27001:2022

52 controls

International standard for an information security management system (ISMS). The Annex A controls of the 2022 edition (93 controls in four themes) are mapped to cloud-infrastructure findings.

Example controls

  • A.8.5 — Secure authentication
  • A.8.9 — Configuration management
  • A.8.15 / A.8.16 — Logging and monitoring activities
  • A.8.24 — Use of cryptography

PCI DSS 4.0

40 controls

Payment Card Industry Data Security Standard v4.0 (current revision v4.0.1), required for any entity that stores, processes, or transmits cardholder data.

Example controls

  • Req 1 — Network security controls (firewalls, segmentation)
  • Req 3 — Protect stored account data
  • Req 8 — Identify users + authenticate access
  • Req 10 — Log and monitor all access

HIPAA

35 controls

Health Insurance Portability and Accountability Act. The Security Rule (45 CFR Part 164, Subpart C) applies to covered entities and business associates that create, receive, maintain, or transmit electronic protected health information (ePHI).

Example controls

  • §164.312(a) — Access control
  • §164.312(c) — Integrity of ePHI
  • §164.312(d) — Person or entity authentication
  • §164.312(e) — Transmission security

GDPR

28 controls

General Data Protection Regulation, applicable when processing personal data of individuals in the EU/EEA, including by controllers and processors established outside the EU that offer goods or services to, or monitor the behaviour of, those individuals (Art 3).

Example controls

  • Art 25 — Data protection by design and by default
  • Art 30 — Records of processing activities
  • Art 32 — Security of processing
  • Art 33 — Breach notification to the supervisory authority within 72 hours of becoming aware

Cloud-native benchmarks

CIS Controls v8 · CIS Benchmarks

38 controls

Center for Internet Security's prioritized safeguards (CIS Controls v8), with the cloud-specific configuration checks taken from the CIS Foundations Benchmarks for AWS, Azure and GCP.

Example controls

  • CIS 1 — Inventory and control of enterprise assets
  • CIS 3 — Data protection
  • CIS 4 — Secure configuration of enterprise assets and software
  • CIS 6 — Access control management

NIST CSF 1.1

40 controls

NIST Cybersecurity Framework v1.1, organized into the five functions Identify · Protect · Detect · Respond · Recover. The subcategory IDs below are CSF 1.1 identifiers; CSF 2.0 adds a Govern function and renumbers some categories (for example PR.AC becomes PR.AA).

Example controls

  • ID.AM-2 — Software platform inventory
  • PR.AC-1 — Identity and access management
  • PR.DS-1 — Data-at-rest protection
  • DE.CM-1 — Network monitoring

AWS Well-Architected · Security Pillar

18 controls

AWS's own architectural guidance for the Security Pillar, organized by best-practice question: security foundations, identity and access management, detection, infrastructure protection, data protection, incident response, application security.

Example controls

  • SEC02 — Manage identities for people and machines
  • SEC04 — Detect and investigate security events
  • SEC08 — Protect data at rest
  • SEC10 — Anticipate, respond to, and recover from incidents

India BFSI frameworks

SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)

38 controls

Securities and Exchange Board of India's cybersecurity and cyber resilience framework, applicable to its regulated entities: brokers, depositories, AMCs, and other regulated financial entities.

Example controls

  • Inventory of cryptographic and key-management assets
  • Network segmentation between production and operations
  • Encryption of data at rest and in transit
  • Incident reporting, including escalation to CERT-In within 6 hours of detection

RBI IT Framework

42 controls

Reserve Bank of India's IT framework for banks and NBFCs — application security, network controls, BCP/DR, third-party risk.

Example controls

  • Application-layer access controls
  • Endpoint protection on all administrative workstations
  • Vendor / third-party risk assessment
  • Data localization for payment-system operators

CERT-In Cybersecurity Directions 2022

30 controls

Directions issued by the Indian Computer Emergency Response Team on 28 April 2022 under Section 70B(6) of the IT Act 2000: incident reporting, log retention, clock synchronization, point-of-contact designation.

Example controls

  • Incident reporting to CERT-In within 6 hours of noticing the incident
  • Log retention for 180 days minimum, with logs kept within Indian jurisdiction
  • Designated point of contact for correspondence with CERT-In
  • NTP synchronization to the NIC / NPL national time servers

DPDPA 2023

27 controls

Digital Personal Data Protection Act — consent, purpose limitation, data principal rights, breach notification.

Example controls

  • Lawful basis + consent capture for personal-data processing
  • Data Principal access / erasure rights workflow
  • Cross-border transfers only to countries not restricted by Central Government notification (Section 16)
  • Breach notification to the Data Protection Board of India and to each affected Data Principal

MeitY Guidelines

22 controls

Ministry of Electronics & IT empanelment guidelines for cloud service providers serving government workloads.

Example controls

  • Data residency within India, in MeitY-empanelled cloud regions
  • ISO 27001 + ISO 27017 + ISO 27018 baseline
  • Audit trail retention
  • Encryption controls for government workloads

How compliance mapping works

  1. Scan execution — Abhra inventories cloud resources and runs its plugin engine against them to identify misconfigurations.
  2. Control mapping — each finding is bound to one or more controls in our unified control library.
  3. Framework mapping — each unified control is mapped to the specific clauses / requirements it satisfies in each framework, so one finding can affect several frameworks at once.
  4. Coverage calculation — (passed controls / total applicable controls) × 100%, computed per framework; controls with no in-scope resources are not counted as applicable.
  5. Report generation — framework-specific PDF + Excel reports for auditor handover.
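The five steps above as an added worked example in Python (not Abhra's code). The plugin check names, the UC-* unified control IDs, and the check-to-control and clause-to-control bindings are constructed for the example; only the clause IDs (CC6.1, A.8.24, ...) are real framework identifiers. It assumes that a unified control passes only when every finding bound to it passed, that a clause none of whose controls were assessed is excluded from the denominator, and that a clause with evidence for only some of its controls counts as applicable but not passed.

```python
"""Compliance-mapping pipeline: findings -> unified controls -> framework clauses -> coverage %.
All check names, UC-* control IDs and bindings below are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str   # plugin check that produced the result
    resource: str   # cloud resource the check ran against
    status: str     # "PASS" or "FAIL"
    severity: str   # "CRITICAL", "HIGH", "MEDIUM", "LOW"


# Step 2: unified control library. One plugin check can feed several controls. (constructed)
CHECK_TO_CONTROLS = {
    "s3-bucket-encryption": {"UC-ENC-REST"},
    "rds-storage-encrypted": {"UC-ENC-REST"},
    "cloudtrail-enabled": {"UC-LOGGING", "UC-MONITORING"},
    "iam-root-mfa": {"UC-AUTHN"},
    "sg-open-ssh": {"UC-NET-BOUNDARY"},
    "config-recorder-enabled": {"UC-CONFIG"},
}

# Step 3: framework mapping. A clause is satisfied by all of its unified controls. (bindings constructed)
FRAMEWORKS = {
    "SOC2": {
        "CC6.1": {"UC-AUTHN", "UC-ENC-REST"},
        "CC6.6": {"UC-NET-BOUNDARY", "UC-MONITORING"},
        "CC7.1": {"UC-MONITORING"},
    },
    "ISO27001": {
        "A.8.5": {"UC-AUTHN"},
        "A.8.9": {"UC-CONFIG"},
        "A.8.15": {"UC-LOGGING"},
        "A.8.16": {"UC-MONITORING"},
        "A.8.24": {"UC-ENC-REST"},
    },
}

# Step 1 output: constructed scan results. sg-open-ssh and config-recorder-enabled did not run,
# so UC-NET-BOUNDARY and UC-CONFIG have no evidence at all.
SAMPLE_FINDINGS = [
    Finding("s3-bucket-encryption", "s3://invoices", "PASS", "HIGH"),
    Finding("s3-bucket-encryption", "s3://backups", "FAIL", "HIGH"),
    Finding("rds-storage-encrypted", "rds/prod-db", "PASS", "HIGH"),
    Finding("cloudtrail-enabled", "account/123456789012", "PASS", "MEDIUM"),
    Finding("iam-root-mfa", "account/123456789012", "FAIL", "CRITICAL"),
]


def control_results(findings):
    """Fold findings onto controls: control -> list of open (FAIL) findings.
    A control present with an empty list passed; a control absent from the dict was never assessed."""
    results = {}
    for f in findings:
        for ctrl in CHECK_TO_CONTROLS.get(f.check_id, ()):
            results.setdefault(ctrl, [])
            if f.status == "FAIL":
                results[ctrl].append(f)
    return results


def clause_report(framework, findings):
    """Evaluate every clause of one framework: PASS, FAIL, PARTIAL (some controls lack evidence) or N/A."""
    controls = control_results(findings)
    report = {}
    for clause, required in FRAMEWORKS[framework].items():
        assessed = [c for c in required if c in controls]
        open_findings = [f for c in assessed for f in controls[c]]
        if not assessed:
            status = "N/A"            # nothing in scope touched this clause
        elif open_findings:
            status = "FAIL"           # one open finding fails the whole clause
        elif len(assessed) < len(required):
            status = "PARTIAL"        # no failures, but missing evidence: applicable, not passed
        else:
            status = "PASS"
        report[clause] = {"status": status, "open_findings": open_findings}
    return report


def coverage(framework, findings):
    """Step 4: passed / applicable * 100, where applicable = PASS + FAIL + PARTIAL."""
    statuses = [r["status"] for r in clause_report(framework, findings).values()]
    applicable = sum(s != "N/A" for s in statuses)
    if applicable == 0:
        return None  # nothing assessed: do not report a misleading 0 %
    return round(100.0 * statuses.count("PASS") / applicable, 1)


def remediation_order(findings):
    """Step 5 input: open findings by severity, each with every clause it blocks across all frameworks."""
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    blocked = defaultdict(set)
    for fw, clauses in FRAMEWORKS.items():
        for clause, required in clauses.items():
            for check, ctrls in CHECK_TO_CONTROLS.items():
                if ctrls & required:
                    blocked[check].add(f"{fw} {clause}")
    open_ = sorted((f for f in findings if f.status == "FAIL"), key=lambda f: rank.get(f.severity, 99))
    return [(f.check_id, f.resource, f.severity, sorted(blocked[f.check_id])) for f in open_]


if __name__ == "__main__":
    for fw in FRAMEWORKS:
        print(fw, coverage(fw, SAMPLE_FINDINGS), {c: r["status"] for c, r in clause_report(fw, SAMPLE_FINDINGS).items()})
    for row in remediation_order(SAMPLE_FINDINGS):
        print(row)
```

Two points the numbers alone do not show: the single unencrypted backup bucket fails CC6.1 and A.8.24 at the same time, so the remediation list is the right place to look for the cheapest coverage gain, and the SOC 2 figure is lower than the ISO one only because CC6.6 has missing evidence rather than a failure, which is why the report prints PARTIAL instead of silently passing it.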

Audit-prep tips

  • Run a full scan weekly — auditors expect current data, not a snapshot from six weeks ago.
  • Address Critical and High findings first — these are what get raised in the opening conversation.
  • Export per-framework PDF reports — they include control mappings, evidence, and remediation status in a format the auditor expects.
  • Use the Compliance drift view to track posture between scans.
  • Share the CycloneDX CBOM (Cryptography Bill of Materials) with third-party assessors — it lists the cryptographic assets in scope in a standardized, machine-readable form.