Control Mapping across multiple frameworks like SOX vs. PCI DSS vs. ISO 27001 - alishahbaz/ITGRC GitHub Wiki

ITGRC Control Mapping Table

Here’s a control mapping across key ITGRC frameworks: SOX, PCI DSS, ISO 27001, NIST CSF, and GDPR.

| Control Category | SOX (Sarbanes-Oxley) | PCI DSS (Payment Security) | ISO 27001 (Information Security) | NIST CSF (Cyber Framework) | GDPR (Data Privacy) |
|---|---|---|---|---|---|
| Access Control | User access review, Segregation of duties (SoD) | Strong authentication, Role-based access (RBAC) | A.9 - Access control, A.11 - User security | Protect (PR.AC) | Data access policies (Article 32) |
| Privileged Access Mgmt (PAM) | SOX 404 controls on privileged user access | Req. 7 - Restrict admin access | A.9.4 - Privileged access control | Protect (PR.AC-6) | Access minimization (Article 25) |
| Change Management | IT change control, Approval workflow | Req. 6 - Secure software development | A.14 - Secure development lifecycle (SDLC) | Protect (PR.IP-3) | Data processing security (Article 5) |
| Logging & Monitoring (SIEM) | SOX audit log retention | Req. 10 - Log tracking & SIEM | A.12.4 - Event logging | Detect (DE.AE-3) | Security monitoring (Article 30) |
| Encryption & Data Security | Financial data encryption | Req. 3 - Encrypt cardholder data | A.10 - Cryptography | Protect (PR.DS-1) | Encryption requirement (Article 32) |
| Incident Response | IT incident reporting | Req. 12 - Incident response planning | A.16 - Security incident management | Respond (RS) | Breach notification (Article 33) |
| Risk Management | Financial IT risk assessment | Req. 12 - Risk assessment for PCI | A.6 - Risk management framework | Identify (ID.RM) | DPIA (Article 35) |
| Vendor & Third-Party Risk | SOX vendor controls | Req. 12.8 - Vendor management | A.15 - Supplier security | Identify (ID.SC) | Third-party data processing (Article 28) |
| Backup & Disaster Recovery | Financial record retention | Req. 12.10 - Business continuity | A.17 - Business continuity planning | Recover (RC) | Availability requirement (Article 32) |

Key Takeaways from This Mapping

  • SOX & PCI DSS focus heavily on financial integrity and cardholder security, respectively.
  • ISO 27001 & NIST CSF provide a broader security framework applicable across industries.
  • GDPR is unique in that it emphasizes data privacy, consent, and breach notification requirements.