| AIG-001 | | AI Policy | T1 | 7 |
| AIG-002 | | AI Roles and Responsibilities | T1 | 5 |
| AIG-003 | | AI System Inventory | T1 | 3 |
| AIG-004 | | AI Risk Tolerance and Governance Objectives | T2 | 3 |
| AIG-005 | | AI Risk Management Process | T2 | 9 |
| AIG-006 | | AI Impact Assessment | T2 | 9 |
| AIG-007 | | AI System Requirements and Design Documentation | T2 | 7 |
| AIG-008 | | AI System Verification, Validation and Testing | T2 | 9 |
| AIG-009 | | AI System Deployment and Change Management | T2 | 4 |
| AIG-010 | | AI Model Registry and Versioning | T2 | 3 |
| AIG-011 | | AI System Decommissioning | T2 | 2 |
| AIG-012 | | Training Data Management and Quality | T2 | 8 |
| AIG-013 | | Training Data Provenance | T2 | 4 |
| AIG-014 | | Special Category Data in AI Training | T2 | 3 |
| AIG-015 | | AI System Technical Documentation | T2 | 6 |
| AIG-016 | | AI Interaction and Output Disclosure | T2 | 5 |
| AIG-017 | | AI Model Explainability | T2 | 4 |
| AIG-018 | | AI System Operational Monitoring | T2 | 5 |
| AIG-019 | | AI Model Performance and Drift Detection | T2 | 5 |
| AIG-020 | | AI System Event Logging | T2 | 5 |
| AIG-021 | | AI Incident Response and Error Communication | T2 | 6 |
| AIG-022 | | Human Oversight of AI Outputs | T2 | 6 |
| AIG-023 | | AI System Override and Safe-State Mechanisms | T2 | 3 |
| AIG-024 | | Prohibited AI Practices | T2 | 8 |
| AIG-025 | | AI Fairness and Bias Controls | T3 | 5 |
| AIG-026 | | AI Security and Adversarial Robustness | T2 | 4 |
| AIG-027 | | AI Output Validation and Confidence Controls | T2 | 3 |
| AIG-028 | | Hallucination and Factual Accuracy Controls | T2 | 3 |
| AIG-029 | | Prompt Injection Protection | T2 | 2 |
| AIG-030 | | AI Prompt and Input Audit Logging | T2 | 3 |
| AIG-031 | | AI Misuse, Jailbreak and Abuse Detection | T2 | 3 |
| AIG-032 | | Third-Party AI Risk Management | T2 | 7 |
| AIG-033 | | AI Supply Chain Responsibility Allocation | T2 | 4 |
| AIG-034 | | Customer and Deployer Obligations Communication | T2 | 7 |
| AIG-035 | | Training Data Memorisation and Extraction Controls | T2 | 3 |
| APP-001 | | Secure Development Lifecycle Policy | T2 | 5 |
| APP-002 | | Security Requirements in Design | T2 | 4 |
| APP-003 | | Secure Coding Standards | T2 | 4 |
| APP-004 | | Security Testing in the Development Pipeline | T2 | 4 |
| APP-005 | | Penetration Testing | T2 | 2 |
| APP-006 | | Vulnerability Management | T2 | 6 |
| APP-007 | | Patch and Dependency Management | T2 | 5 |
| APP-008 | | Secrets Management | T2 | 4 |
| APP-009 | | Change Management | T2 | 6 |
| APP-010 | | Environment Separation | T2 | 5 |
| APP-011 | | API Security | T2 | 4 |
| APP-012 | | Software Integrity Verification | T3 | 4 |
| APP-013 | | Secure System Architecture and Design Principles | T2 | 3 |
| APP-014 | | Vulnerability Disclosure Programme | T2 | 3 |
| BCM-001 | | Business Continuity Plan | T2 | 5 |
| BCM-002 | | Disaster Recovery Plan | T2 | 4 |
| BCM-003 | | RTO and RPO Definitions | T2 | 4 |
| BCM-004 | | Backup Policy and Implementation | T1 | 5 |
| BCM-005 | | Backup Restoration Testing | T2 | 4 |
| BCM-006 | | BCM and DR Testing | T2 | 5 |
| BCM-007 | | Alternate Processing and Communications | T2 | 4 |
| DAT-001 | | Data Classification Scheme | T2 | 6 |
| DAT-002 | | Information Labelling | T2 | 3 |
| DAT-003 | | Encryption at Rest | T2 | 8 |
| DAT-004 | | Encryption in Transit | T1 | 8 |
| DAT-005 | | Cryptographic Key Management | T2 | 6 |
| DAT-006 | | Data Inventory and Records of Processing | T2 | 7 |
| DAT-007 | | Data Minimisation and Purpose Limitation | T2 | 6 |
| DAT-008 | | Data Retention and Deletion | T2 | 7 |
| DAT-009 | | Privacy Notice and Transparency | T2 | 6 |
| DAT-010 | | Consent Management | T2 | 5 |
| DAT-011 | | Data Subject Rights Fulfilment | T2 | 7 |
| DAT-012 | | Data Protection by Design and Default | T2 | 6 |
| DAT-013 | | Data Protection Impact Assessment | T3 | 7 |
| DAT-014 | | Personal Data Breach Notification | T2 | 7 |
| DAT-015 | | Data Transfer Controls | T3 | 7 |
| DAT-016 | | Data Masking and Pseudonymisation | T2 | 4 |
| DAT-017 | | Data Leakage Prevention | T2 | 4 |
| DAT-018 | | Data Protection Officer | T3 | 5 |
| DAT-019 | | Lawful Basis for Processing | T2 | 4 |
| DAT-020 | | Accuracy of Personal Data | T2 | 3 |
| GOV-001 | | Information Security Policy | T2 | 6 |
| GOV-002 | | Information Security Roles and Responsibilities | T2 | 6 |
| GOV-003 | | Management Commitment and Accountability | T2 | 5 |
| GOV-004 | | Information Security Program | T2 | 4 |
| GOV-005 | | Risk Assessment | T2 | 6 |
| GOV-006 | | Risk Management Program | T2 | 6 |
| GOV-007 | | Risk Treatment and Remediation Tracking | T2 | 5 |
| GOV-008 | | Fraud Risk Assessment | T2 | 3 |
| GOV-009 | | Segregation of Duties | T2 | 4 |
| GOV-010 | | Legal, Regulatory, and Contractual Compliance Inventory | T2 | 4 |
| GOV-011 | | Compliance Monitoring and Internal Audit | T2 | 7 |
| GOV-012 | | Continuous Monitoring Strategy | T2 | 3 |
| GOV-013 | | Policy Exception Management | T2 | 3 |
| GOV-014 | | Asset Inventory | T1 | 3 |
| GOV-015 | | Intellectual Property Rights Management | T2 | 3 |
| GOV-016 | | Records and Information Governance | T2 | 5 |
| GOV-017 | | Contact with Authorities and Special Interest Groups | T2 | 4 |
| GOV-018 | | Threat Intelligence Program | T2 | 4 |
| GOV-019 | | Information Security in Project Management | T2 | 3 |
| GOV-020 | | Independent Security Review | T2 | 4 |
| GOV-021 | | Audit and Assurance Policy | T2 | 3 |
| GOV-022 | | Privacy Program and Data Protection Policy | T2 | 5 |
| GOV-023 | | Security Measures Performance Measurement | T2 | 3 |
| GOV-024 | | Documented Operating Procedures | T2 | 3 |
| GOV-025 | | Acceptable Use of Information Assets | T1 | 5 |
| GOV-026 | | Return of Assets on Termination | T1 | 3 |
| GOV-027 | | Insider Threat Program | T2 | 3 |
| HRS-001 | | Personnel Security Policy | T2 | 3 |
| HRS-002 | | Pre-Employment Background Screening | T2 | 5 |
| HRS-003 | | Employment Agreements and Security Obligations | T1 | 6 |
| HRS-004 | | Security Awareness Training | T1 | 7 |
| HRS-005 | | Role-Based Security Training | T2 | 5 |
| HRS-006 | | Disciplinary Process for Security Violations | T2 | 4 |
| HRS-007 | | Termination and Access Revocation | T1 | 7 |
| HRS-008 | | Remote Working Security | T2 | 4 |
| HRS-009 | | Security Event Reporting by Personnel | T1 | 3 |
| HRS-010 | | Personnel Roles and Security Responsibilities | T2 | 3 |
| IAM-001 | | Access Control Policy | T1 | 5 |
| IAM-002 | | Identity Inventory and Unique Identifiers | T1 | 5 |
| IAM-003 | | User Account Lifecycle Management | T1 | 5 |
| IAM-004 | | Access Review and Recertification | T2 | 3 |
| IAM-005 | | Least Privilege and Need-to-Know Enforcement | T1 | 5 |
| IAM-006 | | Role-Based Access Control and Separation of Duties | T2 | 5 |
| IAM-007 | | Privileged Access Management | T2 | 4 |
| IAM-008 | | Multi-Factor Authentication | T1 | 4 |
| IAM-009 | | Authentication Information Management | T1 | 4 |
| IAM-010 | | Service Account and Non-Human Identity Management | T2 | 4 |
| IAM-011 | | Remote Access Controls | T2 | 3 |
| IAM-012 | | Session Management | T2 | 4 |
| IAM-013 | | Logon Failure and Account Lockout | T1 | 3 |
| IAM-014 | | Access to Source Code and Development Assets | T2 | 4 |
| INC-001 | | Incident Response Plan | T1 | 5 |
| INC-002 | | Incident Detection and Triage | T2 | 5 |
| INC-003 | | Incident Classification and Escalation | T2 | 3 |
| INC-004 | | Incident Containment and Eradication | T2 | 5 |
| INC-005 | | Incident Reporting and Regulatory Notification | T2 | 7 |
| INC-006 | | Customer Breach Notification | T2 | 4 |
| INC-007 | | Evidence Collection and Preservation | T2 | 4 |
| INC-008 | | Post-Incident Review | T2 | 4 |
| INC-009 | | Incident Response Training and Testing | T2 | 4 |
| INC-010 | | External Contact and Communication Points | T2 | 3 |
| INF-001 | | Cloud Security Configuration and Governance | T2 | 6 |
| INF-002 | | Configuration Baseline and Hardening | T1 | 7 |
| INF-003 | | System Component Inventory | T1 | 3 |
| INF-004 | | Network Segmentation | T2 | 5 |
| INF-005 | | Secure Network Architecture and Defence | T2 | 7 |
| INF-006 | | Transmission Encryption | T1 | 4 |
| INF-007 | | Vulnerability Management | T2 | 6 |
| INF-008 | | Patch Management | T1 | 4 |
| INF-009 | | Malware and Endpoint Protection | T2 | 7 |
| INF-010 | | Web Filtering and Egress Controls | T2 | 3 |
| INF-011 | | Penetration Testing | T2 | 3 |
| INF-012 | | Capacity and Performance Management | T2 | 4 |
| INF-013 | | Infrastructure Redundancy | T2 | 3 |
| INF-014 | | Clock Synchronisation | T1 | 4 |
| MON-001 | | Audit Log Scope and Generation | T1 | 9 |
| MON-002 | | Log Integrity and Protection | T2 | 5 |
| MON-003 | | Log Retention | T2 | 4 |
| MON-004 | | Centralised Log Management | T2 | 5 |
| MON-005 | | Security Monitoring and Alerting | T2 | 7 |
| MON-006 | | Log Storage Capacity Management | T2 | 3 |
| MON-007 | | Continuous Monitoring Programme | T3 | 4 |
| VND-001 | | Vendor Risk Assessment and Due Diligence | T2 | 8 |
| VND-002 | | Security Requirements in Vendor Contracts | T2 | 7 |
| VND-003 | | Sub-Processor Management | T2 | 5 |
| VND-004 | | Cloud Service Provider Security Management | T2 | 5 |
| VND-005 | | ICT Supply Chain Risk Management | T2 | 7 |
| VND-006 | | Vendor Monitoring and Performance Review | T2 | 8 |
| VND-007 | | Vendor Access Controls | T2 | 6 |
| VND-008 | | Vendor Offboarding | T2 | 5 |
| VND-009 | | AI Supply Chain and Third-Party AI Risk | T2 | 7 |
| VND-010 | | Third-Party Data Disclosure Controls | T2 | 5 |