Compliance Mapping Matrix
From Overview to Action
A reference chapter only has value when teams can use it directly to plan, design and deliver.
For the Compliance Mapping Matrix the goal is demonstrability: translating standards into ownership, planning and verification.
This keeps the chapter from being theory and makes it a usable compass for consistent execution.
Immediate measures (15 minutes)
Why this matters
The core of the Compliance Mapping Matrix is risk reduction in practice. Technical context supports the selection of measures, but implementation and assurance are central.
Matrix: Chapters x Frameworks
Web Security
| # | Chapter | NIS2 | ISO 27001 | CIS v8 | GDPR | BIO |
|---|---|---|---|---|---|---|
| Web 01 | SQL Injection Prevention | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 02 | XSS Prevention | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 03 | Command Injection Prevention | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 04 | Path Traversal Prevention | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 05 | SSTI Prevention | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 06 | XXE Prevention | Art. 21.2e | A.8.9, A.8.26 | CIS 4, 16 | Art. 32.1b | BIO 14.2.1 |
| Web 07 | SSRF Prevention | Art. 21.2e | A.8.22, A.8.26 | CIS 12, 16 | Art. 25.2 | BIO 13.1.3, 14.2.1 |
| Web 08 | Deserialization Prevention | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 09 | Client-side Security | Art. 21.2e | A.8.26 | CIS 9, 16 | Art. 32.1b | BIO 14.1.2 |
| Web 10 | Authentication Hardening | Art. 21.2i, 21.2j | A.5.17, A.8.3, A.8.5 | CIS 5, 6 | Art. 32.1b | BIO 9.4.1, 9.4.2 |
| Web 11 | Security Headers | Art. 21.2e | A.8.26 | CIS 9, 16 | Art. 32.1b | BIO 14.1.2 |
| Web 12 | Input-Output Validation | Art. 21.2e | A.8.26, A.8.28 | CIS 16 | Art. 25.1, 32.1b | BIO 14.2.1 |
| Web 13 | TLS Configuration | Art. 21.2h | A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1 |
| Web 14 | API Security | Art. 21.2e, 21.2i | A.8.3, A.8.26 | CIS 6, 16 | Art. 25.2, 32.1b | BIO 9.4.1, 14.1.2 |
| Web 15 | File Upload Hardening | Art. 21.2e | A.8.26 | CIS 16 | Art. 32.1b | BIO 14.2.1 |
| Web 16 | OAuth & OpenID Connect | Art. 21.2i, 21.2j | A.5.16, A.8.5 | CIS 5, 6 | Art. 32.1b | BIO 9.4.1 |
Network & AD Hardening
| # | Chapter | NIS2 | ISO 27001 | CIS v8 | GDPR | BIO |
|---|---|---|---|---|---|---|
| Network 01 | Preventing Initial Access | Art. 21.2a, 21.2g, 21.2j | A.8.5, A.8.7 | CIS 9, 14 | Art. 32.1b | BIO 9.4.2, 12.2.1 |
| Network 02 | Detection & Stopping Evasion | Art. 21.2b, 21.2f | A.8.7, A.8.15, A.8.16 | CIS 8, 10, 13 | Art. 32.1d | BIO 12.2.1, 12.4.1 |
| Network 03 | Preventing Privilege Escalation | Art. 21.2a, 21.2i | A.8.2, A.8.18 | CIS 5, 6 | Art. 32.1b | BIO 9.2.3 |
| Network 04 | Active Directory Hardening | Art. 21.2i | A.5.15, A.5.16, A.8.2, A.8.3 | CIS 1, 5, 6 | Art. 32.1b | BIO 9.2.3, 9.4.1 |
| Network 05 | Kerberos Hardening | Art. 21.2h, 21.2i | A.8.5, A.8.24 | CIS 3, 5 | Art. 32.1a | BIO 10.1.1 |
| Network 06 | Stopping Lateral Movement | Art. 21.2a | A.8.20, A.8.22 | CIS 12, 13 | Art. 32.1b | BIO 13.1.1, 13.1.3 |
| Network 07 | Credential Protection | Art. 21.2h | A.5.17, A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1, 10.1.2 |
| Network 08 | ADCS Hardening | Art. 21.2h | A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1, 10.1.2 |
| Network 09 | Detecting Persistence | Art. 21.2b, 21.2c | A.8.13, A.8.15, A.8.16 | CIS 8, 11 | Art. 32.1c | BIO 12.4.1, 16.1.2 |
| Network 10 | Preventing Tunneling | Art. 21.2a | A.8.20, A.8.23 | CIS 12, 13 | Art. 32.1b | BIO 13.1.1 |
| Network 11 | Linux Hardening | Art. 21.2e | A.8.1, A.8.9 | CIS 4 | Art. 32.1b | BIO 12.6.1 |
| Network 12 | Windows Hardening | Art. 21.2e | A.8.1, A.8.7, A.8.9, A.8.19 | CIS 2, 4, 10 | Art. 32.1b | BIO 12.2.1, 12.6.1 |
| Network 13 | Email & DNS Hardening | Art. 21.2a | A.8.21 | CIS 9 | Art. 32.1b | BIO 13.1.1 |
| Network 14 | MSSQL Hardening | Art. 21.2e | A.8.9, A.8.26 | CIS 4, 16 | Art. 32.1b | BIO 14.1.2 |
| Network 15 | Network Segmentation & Firewall | Art. 21.2a | A.8.20, A.8.22 | CIS 12, 13 | Art. 32.1b | BIO 6.1.1, 13.1.3 |
Cloud Hardening
| # | Chapter | NIS2 | ISO 27001 | CIS v8 | GDPR | BIO |
|---|---|---|---|---|---|---|
| Cloud 01 | Preventing Cloud Reconnaissance | Art. 21.2a | A.5.23, A.8.8 | CIS 1, 15 | Art. 32.1b | BIO 12.6.1 |
| Cloud 02 | AWS Hardening | Art. 21.2d, 21.2i | A.5.23, A.8.2 | CIS 5, 6, 15 | Art. 32.1b | BIO 9.2.3 |
| Cloud 03 | Azure / Entra ID Hardening | Art. 21.2d, 21.2i | A.5.23, A.8.2, A.8.5 | CIS 5, 6, 15 | Art. 32.1b | BIO 9.2.3 |
| Cloud 04 | GCP Hardening | Art. 21.2d, 21.2i | A.5.23, A.8.2 | CIS 5, 6, 15 | Art. 32.1b | BIO 9.2.3 |
| Cloud 05 | Container Hardening | Art. 21.2e | A.5.23, A.8.9, A.8.19 | CIS 2, 4 | Art. 32.1b | BIO 12.6.1 |
| Cloud 06 | CI/CD Pipeline Hardening | Art. 21.2d, 21.2e | A.5.23, A.8.4, A.8.25 | CIS 15, 16 | Art. 32.1b | BIO 14.2.1 |
| Cloud 07 | Serverless Hardening | Art. 21.2e | A.5.23, A.8.6, A.8.26 | CIS 16 | Art. 32.1b | BIO 14.1.2 |
| Cloud 08 | Stopping Cloud Lateral Movement | Art. 21.2a | A.5.23, A.8.12, A.8.22 | CIS 12, 13 | Art. 32.1b | BIO 13.1.3 |
| Cloud 09 | Preventing Cloud Persistence | Art. 21.2b, 21.2c | A.5.23, A.8.13, A.8.15 | CIS 8, 11 | Art. 32.1c | BIO 12.4.1 |
| Cloud 10 | Cloud Detection & Logging | Art. 21.2b, 21.2f | A.5.23, A.8.15, A.8.16 | CIS 8, 13 | Art. 32.1d, 33 | BIO 12.4.1, 16.1.2 |
| Cloud 11 | Kubernetes Hardening | Art. 21.2e | A.5.23, A.8.9, A.8.19 | CIS 2, 4 | Art. 32.1b | BIO 12.6.1 |
| Cloud 12 | Infrastructure as Code Security | Art. 21.2d, 21.2e | A.5.23, A.8.9, A.8.25, A.8.32 | CIS 4, 16 | Art. 32.1b | BIO 14.2.1 |
| Cloud 13 | Secrets Management | Art. 21.2h | A.5.23, A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1 |
Reference Pages
| # | Reference Page | NIS2 | ISO 27001 | CIS v8 | GDPR | BIO |
|---|---|---|---|---|---|---|
| Ref 01 | Attack-Defense Mapping | Art. 21.2a, 21.2f | A.5.7, A.8.8 | CIS 7, 18 | Art. 35 | BIO 12.6.1 |
| Ref 02 | Implementation Priorities | Art. 21.2a | A.8.8, A.8.27 | CIS 7 | Art. 35 | BIO 12.6.1, 14.2.5 |
| Ref 03 | Incident Response | Art. 21.2b, Art. 23 | A.5.24-A.5.28 | CIS 17 | Art. 33, 34 | BIO 16.1.2 |
| Ref 04 | Compliance & Governance | Art. 21 (full) | A.5 (organizational) | CIS 1-18 | Art. 5, 25, 32 | BIO (full) |
| Ref 05 | Hardening Checklists | Art. 21.2e, 21.2f | A.8.9 | CIS 4 | Art. 32.1b | BIO 12.6.1, 18.2.3 |
| Ref 06 | Compliance Mapping Matrix | Art. 21 (full) | A.5/A.8 mapping | CIS 1-18 mapping | Art. 5, 25, 32 mapping | BIO mapping |
| Ref 07 | Secret Management and API Key Rotation | Art. 21.2h, 21.2b | A.8.24, A.5.24-A.5.28 | CIS 3, 17 | Art. 32.1a, 33 | BIO 10.1.1, 16.1.2 |
Quick Reference per Framework
NIS2 Articles
| NIS2 Obligation | Relevant Chapters |
|---|---|
| Art. 21.2a – Risk management measures | Network 01, 03, 06, 10, 15, Cloud 01, 08, Ref 01, Ref 02 |
| Art. 21.2b – Incident handling | Network 02, 09, Cloud 09, 10, Ref 03, Ref 07 |
| Art. 21.2c – Business continuity | Network 09, Cloud 09, 10 |
| Art. 21.2d – Supply chain security | Cloud 02, 03, 04, 06, 12 |
| Art. 21.2e – Security in acquisition/development | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Network 11, 12, 14, Cloud 05, 06, 07, 11, 12, Ref 05 |
| Art. 21.2f – Effectiveness assessment | Network 02, Cloud 10, Ref 01, Ref 05 |
| Art. 21.2g – Cyber hygiene and training | Network 01, 07, Web 10 |
| Art. 21.2h – Cryptography policy | Web 13, Network 05, 07, 08, Cloud 13, Ref 07 |
| Art. 21.2i – Access management | Web 10, 14, 16, Network 03, 04, Cloud 02, 03, 04 |
| Art. 21.2j – Multi-factor authentication | Web 10, 16, Network 01, Cloud 02, 03, 04 |
| Art. 23 – Incident notification (24/72 hours) | Ref 03 |
CIS Controls Top 18
| CIS Control | Relevant Chapters |
|---|---|
| CIS 1 – Inventory of Enterprise Assets | Network 04, Cloud 01 |
| CIS 2 – Inventory of Software Assets | Network 02, 12, Cloud 05, 11 |
| CIS 3 – Data Protection | Web 13, Network 05, 07, 08, Cloud 13, Ref 07 |
| CIS 4 – Secure Configuration | Network 11, 12, 14, Cloud 05, 06, 11, 12, Ref 05 |
| CIS 5 – Account Management | Web 10, 16, Network 03, 04, 05, Cloud 02, 03, 04 |
| CIS 6 – Access Control Management | Web 10, 14, 16, Network 03, 04, Cloud 02, 03, 04 |
| CIS 7 – Continuous Vulnerability Management | Network 03, Ref 01, Ref 02 |
| CIS 8 – Audit Log Management | Network 02, 09, Cloud 09, 10 |
| CIS 9 – Email & Web Browser Protections | Web 09, 11, Network 01, 13 |
| CIS 10 – Malware Defenses | Network 02, 12 |
| CIS 11 – Data Recovery | Network 09, Cloud 09 |
| CIS 12 – Network Infrastructure Management | Network 06, 10, 15, Cloud 08 |
| CIS 13 – Network Monitoring and Defense | Network 02, 10, 15, Cloud 08, 10 |
| CIS 14 – Security Awareness Training | Network 01 |
| CIS 15 – Service Provider Management | Cloud 01, 02, 03, 04, 06 |
| CIS 16 – Application Software Security | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 06, 07, 12, Network 14 |
| CIS 17 – Incident Response | Ref 03, Ref 07 |
| CIS 18 – Penetration Testing | Ref 01 |
OWASP Top 10 (2021)
| # | OWASP Item | Relevant Web Chapters | Other Chapters |
|---|---|---|---|
| A01 | Broken Access Control | Web 10, 14, 16 | Cloud 02, Cloud 03, Cloud 04 |
| A02 | Cryptographic Failures | Web 13 | Cloud 13, Network 07 |
| A03 | Injection | Web 01, 02, 03, 05, 12 | Network 14 |
| A04 | Insecure Design | Web 12, 14, 15 | Ref 02 |
| A05 | Security Misconfiguration | Web 06, 11 | Network 11, 12, Ref 05 |
| A06 | Vulnerable and Outdated Components | – | Cloud 06, 12, Ref 02 |
| A07 | Identification and Authentication Failures | Web 10, 16 | Network 01, 05 |
| A08 | Software and Data Integrity Failures | Web 08 | Cloud 06, 12 |
| A09 | Security Logging and Monitoring Failures | – | Cloud 10, Network 02 |
| A10 | Server-Side Request Forgery | Web 07 | Cloud 01 |
ISO 27001:2022 Technological Controls (A.8)
| ISO Control | Description | Relevant Chapters |
|---|---|---|
| A.8.1 | User endpoint devices | Network 11, 12 |
| A.8.2 | Privileged access rights | Network 03, 04, Cloud 02, 03, 04 |
| A.8.3 | Information access restriction | Web 10, 14, Network 04 |
| A.8.4 | Access to source code | Cloud 06, 12 |
| A.8.5 | Secure authentication | Web 10, 16, Network 01, 05, Cloud 03 |
| A.8.6 | Capacity management | Cloud 02, 03, 04, 07 |
| A.8.7 | Protection against malware | Network 02, 12 |
| A.8.8 | Management of technical vulnerabilities | Network 03, Ref 01, Ref 02 |
| A.8.9 | Configuration management | Network 11, 12, 14, Cloud 05, 11, 12, Ref 05 |
| A.8.10 | Information deletion | Cloud 13, Network 07 |
| A.8.11 | Data masking | Web 12, 14, Cloud 13 |
| A.8.12 | Data leakage prevention | Network 10, 15, Cloud 08 |
| A.8.13 | Information backup | Network 09, Cloud 09 |
| A.8.14 | Redundancy | Cloud 02, 03, 04, 11 |
| A.8.15 | Logging | Network 02, 09, Cloud 09, 10 |
| A.8.16 | Monitoring | Network 02, 09, Cloud 10 |
| A.8.17 | Clock synchronization | Cloud 10, Network 02 |
| A.8.18 | Use of privileged utility programs | Network 02, 03, 12 |
| A.8.19 | Installation of software on operational systems | Network 02, 12, Cloud 05, 11 |
| A.8.20 | Network security | Network 06, 10, 15 |
| A.8.21 | Security of network services | Network 13, 15, Web 13 |
| A.8.22 | Segregation of networks | Network 15, Cloud 08 |
| A.8.23 | Web filtering | Network 10, 15 |
| A.8.24 | Use of cryptography | Web 13, Network 05, 07, 08, Cloud 13, Ref 07 |
| A.8.25 | Secure development lifecycle | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 06, 12 |
| A.8.26 | Application security requirements | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16, Cloud 07, Network 14 |
| A.8.27 | Secure system architecture | Network 15, Cloud 08, Ref 02 |
| A.8.28 | Secure coding | Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, 12 |
| A.8.29 | Security testing in development | Cloud 06, Ref 01, Web 01, Web 02, Web 03, Web 04, Web 05, Web 06, Web 07, Web 08, Web 09, Web 10, Web 11, Web 12, Web 13, Web 14, Web 15, Web 16 |
| A.8.30 | Outsourced development | Cloud 06, 12 |
| A.8.31 | Separation of environments | Cloud 06, 02, 03, 04 |
| A.8.32 | Change management | Cloud 06, 12 |
| A.8.33 | Test information | Cloud 06, Web 14 |
| A.8.34 | Protection during audit tests | Cloud 10, Ref 01 |
GDPR Articles
| GDPR Article | Subject | Relevant Chapters |
|---|---|---|
| Art. 5.1f | Integrity and confidentiality | Web 13, Network 07, 15, Cloud 13 |
| Art. 25.1 | Privacy by design | Web 12, 13, 14, Cloud 13 |
| Art. 25.2 | Privacy by default | Web 07, 12, 14 |
| Art. 28 | Processor requirements | Cloud 02, 03, 04, 06 |
| Art. 32.1a | Pseudonymization and encryption | Web 13, Network 05, 07, 08, Cloud 13, Ref 07 |
| Art. 32.1b | Confidentiality, integrity, availability | All chapters (technical security measures) |
| Art. 32.1c | Recovery after incidents | Network 09, Cloud 09, Ref 03 |
| Art. 32.1d | Regular assessment | Network 02, Cloud 10, Ref 01, Ref 05 |
| Art. 33 | Data breach notification to supervisory authority | Cloud 10, Ref 03, Ref 07 |
| Art. 34 | Data breach notification to data subjects | Ref 03 |
| Art. 35 | DPIA | Ref 01, Ref 02 |
Coverage Overview
The table below shows, per framework, how many of the required controls are addressed by the Securitymaatregelen.nl chapters.
| Framework | Total controls | Addressed (technical) | Not addressed (organizational/legal) |
|---|---|---|---|
| NIS2 Art. 21.2 | 10 obligations | 10 (complete) | Governance aspects out of scope |
| ISO 27001:2022 Annex A | 93 controls | 34 (A.8 complete) + 13 (A.5 selection) | A.5 (partial), A.6, A.7 |
| CIS Controls v8 | 18 controls | 18 (complete) | Implementation depth varies per IG |
| GDPR | 11 relevant articles | 9 technical | Art. 6, 9 (legal basis) |
| BIO | 18 key controls | 18 (complete) | BBN3 requirements partially out of scope |
Summary
This matrix is a living document. When chapters are added to Securitymaatregelen.nl or when frameworks are updated, this mapping should be updated accordingly.
Use this matrix for:
- Audit preparation – look up the framework in the column header and identify, row by row, every chapter you need to be able to present as evidence. Print the relevant section and use it as a checklist.
- Gap analysis – go through the rows and check whether each chapter is addressed in your security program. Chapters your organization has not implemented are potential compliance gaps.
- Prioritization – combine this mapping with Reference 02 (Implementation Priorities) to determine which compliance gaps should be closed first. Focus on controls that appear in multiple frameworks – those deliver the most compliance value per invested hour.
- Management reporting – use the coverage table and the matrix to show at a glance which compliance frameworks are covered by which measures. Managers love tables. Give them tables.
- Cross-framework analysis – look for patterns in the matrix. Chapters that appear in many columns (e.g. Web 10, Network 15, Cloud 13) are universal building blocks that address virtually every framework. Prioritize these.
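The gap analysis, prioritization and cross-framework analysis steps above can be run against the matrix itself rather than by eye. The Python script below is an added example, not tooling from Securitymaatregelen.nl: it parses the markdown table layout used on this page (chapter id, title, then one column per framework), ranks chapters by how many distinct framework controls they satisfy, inverts the matrix into a per-framework quick reference, and lists which controls are left uncovered by a constructed set of implemented chapters. The four embedded rows are a constructed sample copied from the matrix above; the set of implemented chapters is an assumption for illustration.

```python
"""Cross-framework analysis over a compliance mapping matrix.

Added example (not Securitymaatregelen.nl's own code). Assumes the markdown
layout used on this page: '| <id> | <title> | <fw1> | <fw2> | ... |'.
"""
import re
from collections import defaultdict

# Constructed sample input: four rows copied from the matrix above.
MATRIX_MD = """
| # | Chapter | NIS2 | ISO 27001 | CIS v8 | GDPR | BIO |
|---|---|---|---|---|---|---|
| Web 10 | Authentication Hardening | Art. 21.2i, 21.2j | A.5.17, A.8.3, A.8.5 | CIS 5, 6 | Art. 32.1b | BIO 9.4.1, 9.4.2 |
| Web 13 | TLS Configuration | Art. 21.2h | A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1 |
| Network 15 | Network Segmentation & Firewall | Art. 21.2a | A.8.20, A.8.22 | CIS 12, 13 | Art. 32.1b | BIO 6.1.1, 13.1.3 |
| Cloud 13 | Secrets Management | Art. 21.2h | A.5.23, A.8.24 | CIS 3 | Art. 32.1a | BIO 10.1.1 |
"""


def split_refs(cell):
    """Expand a cell into full control ids, carrying the prefix of the first
    token onto bare numbers: 'Art. 21.2i, 21.2j' -> ['Art. 21.2i', 'Art. 21.2j'],
    'CIS 5, 6' -> ['CIS 5', 'CIS 6'], 'A.5.17, A.8.3' stays as-is."""
    if not cell or cell in {"–", "-"}:  # empty / dash cell means no mapping
        return []
    tokens = [t.strip() for t in cell.split(",") if t.strip()]
    m = re.match(r"^([A-Za-z.]+)\s+\d", tokens[0])
    prefix = m.group(1) if m else None
    return [f"{prefix} {t}" if prefix and t[0].isdigit() else t for t in tokens]


def parse_matrix(md):
    """Return {chapter_id: {'title': str, 'controls': {framework: [ids]}}}."""
    rows = [ln.strip() for ln in md.strip().splitlines() if ln.strip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    matrix = {}
    for line in rows[1:]:
        cells = [c.strip() for c in line.strip("|").split("|")]
        if all(set(c) <= {"-", ":"} for c in cells):  # skip the |---| separator row
            continue
        controls = {fw: split_refs(cell) for fw, cell in zip(header[2:], cells[2:])}
        matrix[cells[0]] = {"title": cells[1], "controls": controls}
    return matrix


def rank_chapters(matrix):
    """Cross-framework analysis: chapters sorted by the number of distinct
    (framework, control) pairs they map to. The top entries are the
    'universal building blocks' worth implementing first."""
    scores = {ch: len({(fw, c) for fw, refs in row["controls"].items() for c in refs})
              for ch, row in matrix.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def quick_reference(matrix, framework):
    """Invert the matrix for one framework: control id -> sorted chapter ids,
    i.e. the per-framework quick reference tables."""
    inv = defaultdict(list)
    for ch, row in matrix.items():
        for c in row["controls"].get(framework, []):
            inv[c].append(ch)
    return {c: sorted(chs) for c, chs in sorted(inv.items())}


def gap_analysis(matrix, implemented):
    """Controls for which no implemented chapter provides coverage, mapped to
    the chapters that would close the gap. 'implemented' is a set of chapter ids."""
    covered = {(fw, c) for ch in implemented if ch in matrix
               for fw, refs in matrix[ch]["controls"].items() for c in refs}
    gaps = defaultdict(list)
    for ch, row in matrix.items():
        if ch in implemented:
            continue
        for fw, refs in row["controls"].items():
            for c in refs:
                if (fw, c) not in covered:
                    gaps[(fw, c)].append(ch)
    return {k: sorted(v) for k, v in gaps.items()}


if __name__ == "__main__":
    matrix = parse_matrix(MATRIX_MD)
    for ch, n in rank_chapters(matrix):
        print(f"{ch:11} {matrix[ch]['title']:32} {n} controls")
    for control, chapters in quick_reference(matrix, "CIS v8").items():
        print(f"{control:8} -> {', '.join(chapters)}")
    # Assumed for illustration: only these two chapters are implemented.
    for (fw, control), chapters in gap_analysis(matrix, {"Web 10", "Web 13"}).items():
        print(f"GAP {fw} {control}: closed by {', '.join(chapters)}")
```

Paste the full tables from this page into `MATRIX_MD` to run the same analysis over all chapters; cells such as "Art. 21 (full)" or "A.5/A.8 mapping" are kept as a single opaque id, which is adequate for counting and inversion but should be expanded by hand if you need control-level precision for those rows.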
Further reading in the knowledge base
These articles in the portal give you more background and practical context:
- Incident Response — when things go wrong
- Compliance — following rules without losing your mind
- Least Privilege — give people only what they need
- Patch management — the most boring thing that can save your life
- Backups — the most boring topic that can save your life