Coverage across 64 frameworks and regulations.

Aurora’s opinionated baseline of essential security, privacy, resilience, and SDLC controls. Intended to cover common requirements across major security/privacy frameworks and customer due diligence.

Mapping of the COBIT 2019 Core Model governance and management objectives (EDM/APO/BAI/DSS/MEA) to Aurora controls.

The CRI Profile provides diagnostic statements aligned to the NIST Cybersecurity Framework (CSF) for financial services and other regulated organizations.

Cloud security control framework (CCM) with 17 domains and 197 control objectives.

Template for authoring customer-defined or internal frameworks in Aurora. Replace the example requirements with your own statements, IDs, and mappings to Aurora controls.

FedRAMP High baseline security controls aligned to NIST SP 800-53 Rev. 5, sourced from the official FedRAMP Security Controls Baseline workbook. Includes NIST control statements and FedRAMP parameters/guidance where provided.

FedRAMP Low baseline security controls aligned to NIST SP 800-53 Rev. 5, sourced from the official FedRAMP Security Controls Baseline workbook. Includes NIST control statements and FedRAMP parameters/guidance where provided.

FedRAMP Moderate baseline security controls aligned to NIST SP 800-53 Rev. 5, sourced from the official FedRAMP Security Controls Baseline workbook. Includes NIST control statements and FedRAMP parameters/guidance where provided.

FFIEC Cybersecurity Assessment Tool (CAT), May 2017 edition. The FFIEC announced that the CAT would be sunset effective August 31, 2025; this mapping preserves the May 2017 requirements for reference and legacy assessment support.

FFIEC IT Examination Handbook (IT Handbook) – Information Security Booklet. Requirements are represented using the booklet's table of contents entries to ensure full topical coverage.

Standard for insurance licensees to protect nonpublic information.

An open-source baseline of minimum security requirements for software products and services, published by the MVSP project (CC0).

Baseline security controls for GovRAMP/StateRAMP Authorization aligned to NIST SP 800-53 Rev. 5. Includes Authorized Low Impact (153 controls) and Authorized Moderate Impact (319 controls).

Mapping of VDA Information Security Assessment (ISA) questionnaire v6.0.3 requirements (Information Security and Prototype Protection and Data Protection) used by the TISAX assessment scheme to Aurora controls.

TX-RAMP Control Baselines v2.0 including Level 1 (117 controls) and Level 2 (223 controls) requirements.

Internal Aurora bundle of common requirements across major US state consumer privacy laws (VCDPA, Colorado CPA, CTDPA, and UCPA).

Japan Act on the Protection of Personal Information, consolidated and amended through Act No. 37 of 2021.

APRA Prudential Standard CPS 234 (July 2019) – Information Security.

Australian Privacy Principles (Schedule 1) and Notifiable Data Breaches scheme (Part IIIC) under the Privacy Act 1988 (Cth).

AWS Foundational Technical Review (FTR) validation checklist requirements for AWS Partners (as published in the APN Foundational checklists).

Brazil General Data Protection Law (Lei Geral de Proteção de Dados Pessoais), Law No. 13,709/2018, as amended.

California consumer privacy law establishing rights and obligations for businesses processing personal information.

California privacy law amendments expanding the CCPA, including sensitive personal information, correction rights, and the California Privacy Protection Agency.

Canada Personal Information Protection and Electronic Documents Act (PIPEDA).

CAIQ v4.0.3 assessment questionnaire aligned to CSA CCM v4.0.12 control objectives.

EU Digital Operational Resilience Act establishing ICT risk management, incident reporting, testing, and ICT third-party risk requirements for financial entities.

Compliance mapping for FDA 21 CFR Part 11 (Electronic Records; Electronic Signatures).

FedRAMP 20x Phase 2 pilot requirements and recommendations for providers and assessors, including Key Security Indicators (KSIs) and supporting requirement modules (MAS, UCM, ADS, VDR, SCN, CCM, RSC, FSI, PVA, ICP).

Compliance mapping for FERPA (Family Educational Rights and Privacy Act) Regulations.

EU regulation governing personal data processing and privacy rights.

FTC Standards for Safeguarding Customer Information

Compliance mapping for HIPAA Privacy, Security, and Breach Notification Rules.

High-level mapping of the IEC 62443 Foundational Requirements (FRs) to Aurora controls. This provides an OT/ICS-aligned control coverage view across the seven FR categories: Identification & Authentication Control (IAC), Use Control (UC), System Integrity (SI), Data Confidentiality (DC), Restricted Data Flow (RDF), Timely Response to Events (TRE), and Resource Availability (RA).

Quality Management System (QMS) requirements for organizations involved in the lifecycle of medical devices.

International standard specifying requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented management system to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptive incidents.

Mapping of ISO 22301:2019 BCMS requirements (clauses 4–10, including sub-clauses) to Aurora controls. Framework metadata references ISO 22301:2019 and its Amendment 1:2024 (climate action changes).

Quality Management System (QMS) requirements for organizations.

Service management system (SMS) requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and improving service management.

International standard specifying requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), including Annex A reference controls.

Mapping of ISO/IEC 27017:2015 cloud-specific controls (Annex A extended control set) to Aurora controls.

Mapping of ISO/IEC 27018:2025 Annex A (public cloud PII processor extended control set for PII protection) to Aurora controls.

Mapping of ISO/IEC 27701:2025 PIMS requirements and Annex B implementation guidance for PII controllers and processors to Aurora controls.

AI management system requirements (clauses 4–10) and Annex A reference control objectives and controls for responsible AI governance.

ISO/SAE 21434:2021 cybersecurity engineering mapping built around the standard's defined work products (WP-XX-YY), which represent the primary evidence artifacts produced across cybersecurity management, product development, and post-development/operations phases. Each work product is mapped to the most relevant Aurora control(s) for implementation and evidence collection.

A practical mapping of Aurora controls to the NAIC Insurance Data Security Model Law (668) baseline used in the Aurora portal. Controls are mapped to canonical AURORA.* controls so evidence and status can be tracked once and reused across many frameworks.

EU Directive on measures for a high common level of cybersecurity across the Union (NIS2), including risk-management measures and incident reporting obligations for essential and important entities.

Mapping of OWASP ASVS v5.0.0 verification requirements to Aurora controls.

Payment Card Industry Data Security Standard

Personal Information Protection Law of the People's Republic of China.

Compliance mapping for SEC Regulation S-P (Privacy of Consumer Financial Information).

South Africa Protection of Personal Information Act 4 of 2013 (POPIA).

AS 21.36.010 - Standards for safeguarding customer information.

Colorado consumer privacy law establishing controller/processor obligations and consumer rights.

Connecticut consumer privacy law establishing controller/processor obligations and consumer rights.

Cybersecurity Requirements for Financial Services Companies

SC Code Section 38-99-10 et seq.

Utah consumer privacy law establishing controller/processor obligations and consumer rights.

Virginia consumer privacy law establishing controller/processor obligations and consumer rights.