| AIG-001 | AI Policy | — | — | — | GOVERN 1.1, GOVERN 1.2, GOVERN 1.4 | EU-AI-Art.17.1 | A.2.2, A.2.4, A.2.3 | — | — |
| AIG-002 | AI Roles and Responsibilities | — | — | — | GOVERN 2.1, GOVERN 2.3, GOVERN 3.2 | EU-AI-Art.26.2 | A.3.2 | — | — |
| AIG-003 | AI System Inventory | — | — | — | GOVERN 1.6, MAP 1.4 | — | A.4.2 | — | — |
| AIG-004 | AI Risk Tolerance and Governance Objectives | — | — | — | GOVERN 1.3, MAP 1.5 | — | A.6.1.2 | — | — |
| AIG-005 | AI Risk Management Process | — | — | — | GOVERN 1.5, MANAGE 1.1, MANAGE 1.2, MANAGE 1.3, MANAGE 1.4 | EU-AI-Art.9.1, EU-AI-Art.9.2, EU-AI-Art.9.4 | A.6.1.3 | — | — |
| AIG-006 | AI Impact Assessment | — | — | — | MAP 5.1, MAP 3.2, MEASURE 2.12 | EU-AI-Art.9.6, EU-AI-Art.26.8 | A.5.2, A.5.3, A.5.4, A.5.5 | — | — |
| AIG-007 | AI System Requirements and Design Documentation | — | — | — | MAP 1.1, MAP 1.6, MAP 2.1, MAP 3.3 | EU-AI-Art.11.1 | A.6.2.2, A.6.2.3 | — | — |
| AIG-008 | AI System Verification, Validation and Testing | — | — | — | MEASURE 2.1, MEASURE 2.3, MEASURE 2.5, MEASURE 2.6, MEASURE 1.3, MEASURE 2.11 | EU-AI-Art.9.5, EU-AI-Art.15.1 | A.6.2.4 | — | — |
| AIG-009 | AI System Deployment and Change Management | — | — | — | MANAGE 1.1, MANAGE 4.1 | EU-AI-Art.43.3 | A.6.2.5 | — | — |
| AIG-010 | AI Model Registry and Versioning | — | — | — | GOVERN 1.6 | EU-AI-Art.11.1 | A.4.3 | — | — |
| AIG-011 | AI System Decommissioning | — | — | — | GOVERN 1.7, MANAGE 4.1 | — | — | — | — |
| AIG-012 | Training Data Management and Quality | — | — | — | MAP 2.3 | EU-AI-Art.10.1, EU-AI-Art.10.2, EU-AI-Art.10.3 | A.7.2, A.7.3, A.7.4, A.7.6 | — | — |
| AIG-013 | Training Data Provenance | — | — | — | GOVERN 6.1 | EU-AI-Art.10.2, EU-AI-Art.53.3 | A.7.5 | — | — |
| AIG-014 | Special Category Data in AI Training | — | — | — | MEASURE 2.10 | EU-AI-Art.10.4 | — | — | GDPR-Art.5.1a |
| AIG-015 | AI System Technical Documentation | — | — | — | MEASURE 2.8 | EU-AI-Art.11.1, EU-AI-Art.18.1, EU-AI-Art.53.1, EU-AI-Art.53.4 | A.6.2.7 | — | — |
| AIG-016 | AI Interaction and Output Disclosure | — | — | — | MEASURE 2.8 | EU-AI-Art.50.1, EU-AI-Art.50.2, EU-AI-Art.50.4 | A.8.2 | — | — |
| AIG-017 | AI Model Explainability | — | — | — | MEASURE 2.9, MAP 2.2 | EU-AI-Art.13.3 | — | — | GDPR-Art.22 |
| AIG-018 | AI System Operational Monitoring | — | — | — | MEASURE 2.4, MANAGE 4.1, MEASURE 3.1 | EU-AI-Art.26.4 | A.6.2.6 | — | — |
| AIG-019 | AI Model Performance and Drift Detection | — | — | — | MEASURE 4.3, MANAGE 2.2, MANAGE 3.2, MEASURE 1.2 | EU-AI-Art.15.2 | — | — | — |
| AIG-020 | AI System Event Logging | — | — | — | MANAGE 4.3 | EU-AI-Art.12.1, EU-AI-Art.16.4, EU-AI-Art.26.5 | A.6.2.8 | — | — |
| AIG-021 | AI Incident Response and Error Communication | — | — | — | MANAGE 4.3, MANAGE 2.3 | EU-AI-Art.26.4, EU-AI-Art.55.3 | A.8.4, A.3.3 | — | — |
| AIG-022 | Human Oversight of AI Outputs | — | — | — | MAP 3.5, GOVERN 3.2, MAP 3.4 | EU-AI-Art.14.1, EU-AI-Art.14.2, EU-AI-Art.26.2 | — | — | — |
| AIG-023 | AI System Override and Safe-State Mechanisms | — | — | — | MANAGE 2.4 | EU-AI-Art.14.2, EU-AI-Art.15.2 | — | — | — |
| AIG-024 | Prohibited AI Practices | — | — | — | — | EU-AI-Art.5.1a, EU-AI-Art.5.1b, EU-AI-Art.5.1c, EU-AI-Art.5.1d, EU-AI-Art.5.1e, EU-AI-Art.5.1f, EU-AI-Art.5.1g, EU-AI-Art.5.1h | — | — | — |
| AIG-025 | AI Fairness and Bias Controls | — | — | — | MEASURE 2.11, GOVERN 3.1 | EU-AI-Art.10.2, EU-AI-Art.15.1 | — | — | GDPR-Art.5.1a |
| AIG-026 | AI Security and Adversarial Robustness | — | — | — | MEASURE 2.7, MEASURE 2.6 | EU-AI-Art.15.3, EU-AI-Art.55.1 | — | — | — |
| AIG-027 | AI Output Validation and Confidence Controls | — | — | — | MEASURE 2.3, MANAGE 2.4 | EU-AI-Art.13.3 | — | — | — |
| AIG-028 | Hallucination and Factual Accuracy Controls | — | — | — | MEASURE 2.5, MAP 2.2 | EU-AI-Art.15.1 | — | — | — |
| AIG-029 | Prompt Injection Protection | — | — | — | MEASURE 2.7 | EU-AI-Art.15.3 | — | — | — |
| AIG-030 | AI Prompt and Input Audit Logging | — | — | — | MEASURE 2.4 | EU-AI-Art.12.1 | A.6.2.8 | — | — |
| AIG-031 | AI Misuse, Jailbreak and Abuse Detection | — | — | — | MANAGE 4.1, MEASURE 3.3 | EU-AI-Art.15.3 | — | — | — |
| AIG-032 | Third-Party AI Risk Management | — | — | — | GOVERN 6.1, GOVERN 6.2, MANAGE 3.1, MANAGE 3.2, MAP 4.1 | EU-AI-Art.25.1 | A.10.3 | — | — |
| AIG-033 | AI Supply Chain Responsibility Allocation | — | — | — | MAP 4.2 | EU-AI-Art.25.2, EU-AI-Art.53.2 | A.10.2 | — | — |
| AIG-034 | Customer and Deployer Obligations Communication | — | — | — | — | EU-AI-Art.13.2, EU-AI-Art.13.3, EU-AI-Art.26.1, EU-AI-Art.26.8 | A.10.4, A.8.2, A.8.5 | — | — |
| AIG-035 | Training Data Memorisation and Extraction Controls | — | — | — | MEASURE 2.7, MEASURE 2.10 | EU-AI-Art.15.3 | — | — | — |
| APP-001 | Secure Development Lifecycle Policy | — | 8.25 | SA-3, SA-15 | — | — | — | AIS-01, AIS-04 | — |
| APP-002 | Security Requirements in Design | — | 8.26 | SA-4, SA-8 | — | — | — | AIS-02 | — |
| APP-003 | Secure Coding Standards | CC8.1 | 8.28 | SA-15 | — | — | — | AIS-02 | — |
| APP-004 | Security Testing in the Development Pipeline | CC8.1 | 8.29 | SA-11 | — | — | — | AIS-05 | — |
| APP-005 | Penetration Testing | — | — | CA-8 | — | — | — | TVM-07 | — |
| APP-006 | Vulnerability Management | — | — | RA-5, SI-2 | — | — | — | TVM-01, TVM-03, TVM-08, TVM-09 | — |
| APP-007 | Patch and Dependency Management | CC6.8 | 8.19 | SI-2, SA-22 | — | — | — | AIS-07 | — |
| APP-008 | Secrets Management | CC6.1 | 5.17 | IA-5 | — | — | — | IAM-14 | — |
| APP-009 | Change Management | CC8.1 | 8.32 | CM-3, CM-4 | — | — | — | CCC-01, CCC-03 | — |
| APP-010 | Environment Separation | — | 8.31, 8.33 | CM-5 | — | — | — | CCC-06, AIS-06 | — |
| APP-011 | API Security | CC6.6 | 8.26 | SI-10 | — | — | — | AIS-08 | — |
| APP-012 | Software Integrity Verification | CC6.8 | 8.29 | SI-7, SA-10 | — | — | — | — | — |
| APP-013 | Secure System Architecture and Design Principles | — | 8.27 | SA-8 | — | — | — | AIS-04 | — |
| APP-014 | Vulnerability Disclosure Programme | — | 8.29 | SI-5 | — | — | — | TVM-01 | — |
| BCM-001 | Business Continuity Plan | — | — | CP-2 | — | — | — | BCR-01, BCR-03, BCR-04, BCR-05 | — |
| BCM-002 | Disaster Recovery Plan | A1.2 | 5.30 | CP-10 | — | — | — | BCR-09 | — |
| BCM-003 | RTO and RPO Definitions | — | 5.30 | CP-2 | — | — | — | BCR-02, BCR-03 | — |
| BCM-004 | Backup Policy and Implementation | A1.2 | 8.13 | CP-6, CP-9 | — | — | — | BCR-08 | — |
| BCM-005 | Backup Restoration Testing | A1.3 | 8.13 | CP-4 | — | — | — | BCR-08 | — |
| BCM-006 | BCM and DR Testing | A1.3 | 5.30 | CP-4 | — | — | — | BCR-06, BCR-10 | — |
| BCM-007 | Alternate Processing and Communications | — | 5.30 | CP-7, CP-8 | — | — | — | BCR-07 | — |
| DAT-001 | Data Classification Scheme | — | 5.12, 5.13 | RA-2 | — | — | — | DSP-04, DSP-01 | GDPR-Art.5.1c |
| DAT-002 | Information Labelling | — | 5.13 | AC-16 | — | — | — | DSP-04 | — |
| DAT-003 | Encryption at Rest | CC6.1 | 8.24 | SC-28, SC-13 | — | — | — | CEK-03, CEK-04, UEM-08 | GDPR-Art.32.1 |
| DAT-004 | Encryption in Transit | CC6.7 | 5.14, 8.24 | SC-8, SC-13 | — | — | — | CEK-03, DSP-10 | GDPR-Art.32.1 |
| DAT-005 | Cryptographic Key Management | — | 8.24 | SC-12, SC-13 | — | — | — | CEK-01, CEK-04, CEK-09 | — |
| DAT-006 | Data Inventory and Records of Processing | — | — | PM-18 | — | — | — | DSP-03, DSP-05, DSP-06 | GDPR-Art.30.1, GDPR-Art.30.2, GDPR-Art.5.2 |
| DAT-007 | Data Minimisation and Purpose Limitation | — | — | PT-3, PT-2 | — | — | — | DSP-12, DSP-07 | GDPR-Art.5.1b, GDPR-Art.5.1c |
| DAT-008 | Data Retention and Deletion | P4.2 | 8.10 | SI-12 | — | — | — | DSP-16, DSP-02 | GDPR-Art.5.1e, GDPR-Art.17 |
| DAT-009 | Privacy Notice and Transparency | P1.1 | — | PT-5 | — | — | — | — | GDPR-Art.13.1, GDPR-Art.13.2, GDPR-Art.14.1, GDPR-Art.5.1a |
| DAT-010 | Consent Management | P2.1, P3.2 | — | PT-4 | — | — | — | DSP-08 | GDPR-Art.5.1a |
| DAT-011 | Data Subject Rights Fulfilment | — | — | — | — | — | — | DSP-11 | GDPR-Art.15, GDPR-Art.17, GDPR-Art.20, GDPR-Art.16, GDPR-Art.18, GDPR-Art.21.1 |
| DAT-012 | Data Protection by Design and Default | — | — | SA-8, SA-17 | — | — | — | DSP-07, DSP-08 | GDPR-Art.25.1, GDPR-Art.25.2 |
| DAT-013 | Data Protection Impact Assessment | — | — | RA-8 | MEASURE 2.10 | EU-AI-Art.26.8 | — | DSP-09 | GDPR-Art.35.1, GDPR-Art.35.7, GDPR-Art.35.9 |
| DAT-014 | Personal Data Breach Notification | P6.5, P6.6 | — | — | — | — | — | — | GDPR-Art.33.1, GDPR-Art.33.3, GDPR-Art.33.5, GDPR-Art.34.1, GDPR-Art.34.3 |
| DAT-015 | Data Transfer Controls | — | 5.14 | — | — | — | — | DSP-10, DSP-13 | GDPR-Art.44, GDPR-Art.45, GDPR-Art.46, GDPR-Art.49 |
| DAT-016 | Data Masking and Pseudonymisation | — | 8.11 | — | — | — | — | DSP-17, DSP-15 | GDPR-Art.32.1 |
| DAT-017 | Data Leakage Prevention | — | 8.12 | PM-17 | — | — | — | DSP-17 | GDPR-Art.32.1 |
| DAT-018 | Data Protection Officer | P8.1 | — | PM-19 | — | — | — | — | GDPR-Art.37, GDPR-Art.38, GDPR-Art.39 |
| DAT-019 | Lawful Basis for Processing | — | — | PT-2 | — | — | — | DSP-12 | GDPR-Art.5.1a, GDPR-Art.24 |
| DAT-020 | Accuracy of Personal Data | — | — | SI-12 | — | — | — | — | GDPR-Art.5.1d, GDPR-Art.16 |
| GOV-001 | Information Security Policy | CC5.3 | 5.1 | PL-1 | — | — | — | GRC-01, GRC-03 | GDPR-Art.24 |
| GOV-002 | Information Security Roles and Responsibilities | CC1.3 | 5.2 | PM-2, PM-29 | GOVERN 2.1 | — | — | GRC-06 | — |
| GOV-003 | Management Commitment and Accountability | CC1.2, CC1.5 | 5.4 | PM-1 | GOVERN 2.3 | — | — | — | — |
| GOV-004 | Information Security Program | CC1.3 | 5.1 | PM-1 | — | — | — | GRC-05 | — |
| GOV-005 | Risk Assessment | CC3.2, CC3.4 | 5.1 | RA-3 | — | — | — | GRC-02 | GDPR-Art.32.2 |
| GOV-006 | Risk Management Program | CC9.1 | — | PM-9, PM-28 | GOVERN 1.3, MAP 1.5 | — | — | GRC-02 | — |
| GOV-007 | Risk Treatment and Remediation Tracking | CC4.2 | — | PM-4, CA-5, RA-7 | — | — | — | A&A-06 | — |
| GOV-008 | Fraud Risk Assessment | CC3.3 | 5.3 | PM-12 | — | — | — | — | — |
| GOV-009 | Segregation of Duties | CC6.3 | 5.3 | AC-5 | — | — | — | IAM-04 | — |
| GOV-010 | Legal, Regulatory, and Contractual Compliance Inventory | — | 5.31 | PL-1 | — | — | — | GRC-07, A&A-04 | — |
| GOV-011 | Compliance Monitoring and Internal Audit | CC4.1, CC4.2 | 5.35, 5.36 | CA-7 | — | — | — | A&A-03, A&A-05 | — |
| GOV-012 | Continuous Monitoring Strategy | — | — | PM-31, CA-7 | — | — | — | A&A-03 | — |
| GOV-013 | Policy Exception Management | — | 5.1 | PM-9 | — | — | — | GRC-04 | — |
| GOV-014 | Asset Inventory | — | 5.9 | PM-5 | — | — | — | GRC-05 | — |
| GOV-015 | Intellectual Property Rights Management | — | 5.32 | — | GOVERN 6.1 | EU-AI-Art.53.3 | — | — | — |
| GOV-016 | Records and Information Governance | — | 5.33 | AU-11 | — | — | — | SEF-09 | GDPR-Art.30.1, GDPR-Art.30.2 |
| GOV-017 | Contact with Authorities and Special Interest Groups | — | 5.5, 5.6 | PM-15 | — | — | — | GRC-08 | — |
| GOV-018 | Threat Intelligence Program | CC3.4 | 5.7 | PM-16 | — | — | — | GRC-08 | — |
| GOV-019 | Information Security in Project Management | CC5.1 | 5.8 | PL-2 | — | — | — | — | — |
| GOV-020 | Independent Security Review | — | 5.35 | CA-1 | MEASURE 1.3 | — | — | A&A-03 | — |
| GOV-021 | Audit and Assurance Policy | — | 8.34 | CA-1 | — | — | — | A&A-01 | — |
| GOV-022 | Privacy Program and Data Protection Policy | — | 5.34 | PM-18, PM-19 | — | — | — | DSP-01 | GDPR-Art.24 |
| GOV-023 | Security Measures Performance Measurement | CC4.1 | — | PM-6 | — | — | — | GRC-02 | — |
| GOV-024 | Documented Operating Procedures | — | 5.37 | PL-2 | — | — | — | GRC-03 | — |
| GOV-025 | Acceptable Use of Information Assets | CC1.1 | 5.10 | PL-4 | — | — | — | HRS-02, HRS-13 | — |
| GOV-026 | Return of Assets on Termination | — | 5.11 | PS-4 | — | — | — | HRS-05 | — |
| GOV-027 | Insider Threat Program | CC3.3 | 5.3 | PM-12 | — | — | — | — | — |
| HRS-001 | Personnel Security Policy | — | 6.2 | PS-1 | — | — | — | HRS-09 | — |
| HRS-002 | Pre-Employment Background Screening | — | 6.1 | PS-3, PS-2, SA-21 | — | — | — | HRS-01 | — |
| HRS-003 | Employment Agreements and Security Obligations | — | 6.2, 6.6 | PL-4 | — | — | — | HRS-07, HRS-08, HRS-10 | — |
| HRS-004 | Security Awareness Training | — | 6.3 | AT-2, AT-4 | GOVERN 2.2 | — | — | HRS-11, HRS-12, HRS-13 | — |
| HRS-005 | Role-Based Security Training | — | 6.3 | AT-3, AT-4, PM-13 | — | — | — | HRS-12 | — |
| HRS-006 | Disciplinary Process for Security Violations | CC1.5 | 6.4 | PS-8 | — | — | — | HRS-09 | — |
| HRS-007 | Termination and Access Revocation | CC6.2 | 6.5 | PS-4, PS-5, PS-7 | — | — | — | HRS-06, HRS-05 | — |
| HRS-008 | Remote Working Security | CC6.6 | 6.7 | PS-4 | — | — | — | HRS-04 | — |
| HRS-009 | Security Event Reporting by Personnel | — | 6.8 | AT-2 | — | — | — | HRS-13 | — |
| HRS-010 | Personnel Roles and Security Responsibilities | — | 5.2 | PS-2 | — | — | — | HRS-09 | — |
| IAM-001 | Access Control Policy | CC6.1 | 5.15 | AC-1, IA-1 | — | — | — | IAM-01 | — |
| IAM-002 | Identity Inventory and Unique Identifiers | — | 5.16 | IA-4, IA-2 | — | — | — | IAM-03, IAM-12 | — |
| IAM-003 | User Account Lifecycle Management | CC6.2 | 5.18 | AC-2 | — | — | — | IAM-06, IAM-07 | — |
| IAM-004 | Access Review and Recertification | — | 5.18 | AC-2 | — | — | — | IAM-08 | — |
| IAM-005 | Least Privilege and Need-to-Know Enforcement | CC6.3 | 8.3 | AC-6, AC-3 | — | — | — | IAM-05 | — |
| IAM-006 | Role-Based Access Control and Separation of Duties | CC6.3 | 5.15 | AC-5 | — | — | — | IAM-04, IAM-15 | — |
| IAM-007 | Privileged Access Management | — | 8.2 | AC-6 | — | — | — | IAM-09, IAM-10 | — |
| IAM-008 | Multi-Factor Authentication | CC6.1 | 8.5 | IA-2 | — | — | — | IAM-13 | — |
| IAM-009 | Authentication Information Management | — | 5.17 | IA-5 | — | — | — | IAM-02, IAM-14 | — |
| IAM-010 | Service Account and Non-Human Identity Management | — | 5.16 | IA-9, IA-8 | — | — | — | IAM-03 | — |
| IAM-011 | Remote Access Controls | CC6.6 | 8.5 | AC-17 | — | — | — | — | — |
| IAM-012 | Session Management | — | 8.5 | AC-12, AC-11, IA-11 | — | — | — | — | — |
| IAM-013 | Logon Failure and Account Lockout | — | 8.5 | AC-7 | — | — | — | IAM-13 | — |
| IAM-014 | Access to Source Code and Development Assets | — | 8.4 | AC-3 | — | — | — | IAM-05, CCC-04 | — |
| INC-001 | Incident Response Plan | — | 5.24 | IR-1, IR-8 | — | — | — | SEF-01, SEF-03 | — |
| INC-002 | Incident Detection and Triage | CC7.4 | 5.25 | IR-4, IR-5 | — | — | — | SEF-06 | — |
| INC-003 | Incident Classification and Escalation | — | — | IR-4, IR-6 | — | — | — | SEF-07 | — |
| INC-004 | Incident Containment and Eradication | CC7.4, CC7.5 | 5.26 | IR-4 | — | — | — | SEF-07 | — |
| INC-005 | Incident Reporting and Regulatory Notification | P6.5 | — | IR-6 | — | EU-AI-Art.26.4 | — | SEF-08 | GDPR-Art.33.1, GDPR-Art.33.3, GDPR-Art.34.1 |
| INC-006 | Customer Breach Notification | P6.5, P6.6 | — | — | — | — | — | SEF-08 | GDPR-Art.34.1 |
| INC-007 | Evidence Collection and Preservation | — | 5.28 | IR-4 | — | — | — | SEF-09 | GDPR-Art.33.5 |
| INC-008 | Post-Incident Review | CC7.5 | 5.27 | IR-4 | — | — | — | SEF-09 | — |
| INC-009 | Incident Response Training and Testing | — | — | IR-2, IR-3 | — | — | — | SEF-04, SEF-05 | — |
| INC-010 | External Contact and Communication Points | — | — | IR-6, IR-7 | — | — | — | SEF-10 | — |
| INF-001 | Cloud Security Configuration and Governance | CC6.1 | 5.23 | CM-2, CM-6 | — | — | — | I&S-01, I&S-07 | — |
| INF-002 | Configuration Baseline and Hardening | CC7.1 | 8.9 | CM-6, CM-7 | — | — | — | I&S-04, CCC-06, CCC-07 | — |
| INF-003 | System Component Inventory | CC6.1 | — | CM-8 | — | — | — | DCS-07 | — |
| INF-004 | Network Segmentation | — | 8.22 | SC-7, SC-32 | — | — | — | I&S-05, I&S-06 | — |
| INF-005 | Secure Network Architecture and Defence | — | 8.20, 8.21 | SC-5, SC-7 | — | — | — | I&S-03, I&S-08, I&S-09 | — |
| INF-006 | Transmission Encryption | — | 8.24 | SC-8, SC-13 | — | — | — | I&S-07 | — |
| INF-007 | Vulnerability Management | — | 8.8 | RA-5, SI-2 | — | — | — | TVM-03, TVM-08, TVM-09 | — |
| INF-008 | Patch Management | — | 8.8 | SI-2 | — | — | — | TVM-05, TVM-06 | — |
| INF-009 | Malware and Endpoint Protection | — | 8.7, 8.1, 8.19 | SI-3 | — | — | — | UEM-05, UEM-09, UEM-10 | — |
| INF-010 | Web Filtering and Egress Controls | — | 8.23 | SC-7 | — | — | — | I&S-03 | — |
| INF-011 | Penetration Testing | CC7.1 | — | CA-7 | — | — | — | TVM-07 | — |
| INF-012 | Capacity and Performance Management | A1.1 | 8.6 | SC-5 | — | — | — | I&S-02 | — |
| INF-013 | Infrastructure Redundancy | A1.2 | 8.14 | — | — | — | — | BCR-11 | — |
| INF-014 | Clock Synchronisation | — | 8.17 | SC-45, AU-8 | — | — | — | LOG-06 | — |
| MON-001 | Audit Log Scope and Generation | — | 8.15 | AU-2, AU-3, AU-12 | — | EU-AI-Art.12.1 | — | LOG-07, LOG-09, LOG-12, LOG-13 | — |
| MON-002 | Log Integrity and Protection | — | — | AU-9, AU-5 | — | — | — | LOG-02, LOG-04, LOG-10 | — |
| MON-003 | Log Retention | — | — | AU-11 | — | EU-AI-Art.16.4, EU-AI-Art.26.5 | — | LOG-02 | — |
| MON-004 | Centralised Log Management | CC7.1 | — | AU-6, CA-7 | — | — | — | LOG-01, LOG-03 | — |
| MON-005 | Security Monitoring and Alerting | CC7.2 | 8.16 | SI-4, AU-6 | — | — | — | LOG-03, LOG-05, LOG-14 | — |
| MON-006 | Log Storage Capacity Management | — | — | AU-4, AU-5 | — | — | — | LOG-14 | — |
| MON-007 | Continuous Monitoring Programme | CC4.1, CC4.2 | — | CA-7 | — | — | — | LOG-01 | — |
| VND-001 | Vendor Risk Assessment and Due Diligence | CC9.2 | 5.19 | SR-6 | GOVERN 6.1 | — | — | STA-10, STA-16, STA-01 | GDPR-Art.28.1 |
| VND-002 | Security Requirements in Vendor Contracts | P6.4 | 5.20 | SR-3 | — | EU-AI-Art.25.2 | — | STA-11, STA-12 | GDPR-Art.28.3 |
| VND-003 | Sub-Processor Management | — | — | — | — | — | A.10.2 | DSP-13, DSP-14 | GDPR-Art.28.2, GDPR-Art.29 |
| VND-004 | Cloud Service Provider Security Management | — | 5.23 | SR-2 | GOVERN 6.1 | — | — | STA-11, IPY-04 | — |
| VND-005 | ICT Supply Chain Risk Management | — | 5.21 | SR-2, SR-3, PM-30 | — | — | A.10.3 | STA-08, STA-01 | — |
| VND-006 | Vendor Monitoring and Performance Review | CC9.2 | 5.22 | SR-6 | MANAGE 3.1 | — | — | STA-12, STA-13, STA-14, STA-15 | — |
| VND-007 | Vendor Access Controls | CC9.2 | 5.19, 5.20 | SR-7 | — | — | — | UEM-14 | GDPR-Art.29 |
| VND-008 | Vendor Offboarding | — | 5.22, 5.23 | — | — | — | — | DSP-16, DSP-02 | GDPR-Art.28.3 |
| VND-009 | AI Supply Chain and Third-Party AI Risk | — | — | SR-3 | GOVERN 6.1, GOVERN 6.2, MANAGE 3.1 | EU-AI-Art.25.2 | A.10.2, A.10.3 | — | — |
| VND-010 | Third-Party Data Disclosure Controls | P6.2, P6.4 | — | — | — | — | — | DSP-10 | GDPR-Art.5.1b, GDPR-Art.44 |