List of Mandates 

We support the following mandates for report generation. The mandates are grouped by region and by sector for quick reference.

Mandates by Region

Australia

  • APRA Prudential Practice Guide (PPG): CPG 234 - Management of Security Risk in IT v1.0
  • The Australian Signals Directorate - The Essential 8 Strategies (ASD 8) (Nov 2023)
  • Australian Signals Directorate Information Security Manual (ISM) (Jun 2024)

European Union

  • General Data Protection Regulation (GDPR), (EU) 2016/679
  • The Network and Information Systems (NIS 2 Directive) (EU) 2022/2555

France

ANSSI 40 Essential Measures for a Healthy Network v1.0

Global

  • California Consumer Privacy Act of 2018 (SB-1121) (Jan 1, 2020)
  • CIS Controls v8.0
  • CIS Controls v8.1
  • Cloud Controls Matrix (CCM) v3.0.1
  • ISO/IEC 27001:2022 Third Edition 2022-10
  • Microsoft Cloud Security Benchmark (MCSB) v1.0
  • Payment Card Industry Data Security Standard (PCI-DSS) v4.0
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2024

India

  • IRDAI Guidelines On Information and Cyber Security for Insurers v1.0
  • Reserve Bank of India (RBI) - Baseline Cyber Security and Resilience Requirements (Annex 1) v1.0 (June 2, 2016)

New Zealand

New Zealand Information Security Manual (NZISM) v3.2

North America

NERC Critical Infrastructure Protection (CIP) v5.0

Singapore

  • Monetary Authority of Singapore (MAS) - Notice 834: Cyber Hygiene Practices (Issue date: Aug 6, 2019)
  • Technology Risk Management (TRM) Guidelines, Jan-2021

United Arab Emirates (UAE)

NESA UAE Information Assurance Standards (IAS) v1.0

United Kingdom

NCSC Basic Cyber Security Controls (BCSC) v1.0 (Aug 2017)

United States

  • 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
  • Criminal Justice Information Services (CJIS) Security Policy v5.9
  • Federal Risk and Authorization Management Program (FedRAMP H) - High Security Baseline, Rev. 5
  • Federal Risk and Authorization Management Program (FedRAMP L) - Low Security Baseline, Rev. 5
  • Federal Risk and Authorization Management Program (FedRAMP LI-SaaS) - LI-SaaS Security Baseline, Rev. 5
  • Federal Risk and Authorization Management Program (FedRAMP M) - Moderate Security Baseline, Rev. 5
  • Gramm-Leach-Bliley Act (GLBA), version 2004
  • Health Insurance Portability and Accountability (HIPAA) Security Rule 45 CFR Parts 160/164, Subparts A/C:1996, v2.0 Rev 3, 2007
  • IRS Publication 1075, Rev. 11-2016
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E) v2.0
  • NIST 800-53 (Special Publication), Rev 5
  • NIST Special Publication 800-171, Rev 3
  • Sarbanes-Oxley Act: IT Security v2002
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 
  • The NIST Cybersecurity Framework (CSF) v2.0
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1

Mandates by Sector

General

  • 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
  • ANSSI 40 Essential Measures for a Healthy Network v1.0
  • The Australian Signals Directorate - The Essential 8 Strategies (ASD 8) (Nov 2023)
  • Australian Signals Directorate Information Security Manual (ISM) (Jun 2024)
  • California Consumer Privacy Act of 2018 (SB-1121) (Jan 1, 2020)
  • CIS Controls v8.0
  • CIS Controls v8.1
  • General Data Protection Regulation (GDPR), (EU) 2016/679
  • ISO/IEC 27001:2022 Third Edition 2022-10
  • Microsoft cloud security benchmark (MCSB) v1.0
  • NCSC Basic Cyber Security Controls (BCSC) v1.0 (Aug 2017)
  • The Network and Information Systems (NIS 2 Directive) (EU) 2022/2555
  • NESA UAE Information Assurance Standards (IAS) v1.0
  • NIST 800-53 (Special Publication), Rev 5
  • NIST Special Publication 800-171, Rev 3
  • The NIST Cybersecurity Framework (CSF) v2.0

Banking

Reserve Bank of India (RBI) - Baseline Cyber Security and Resilience Requirements (Annex 1) v1.0 (June 2, 2016)

Cloud

Cloud Controls Matrix (CCM) v3.0.1

Defense

  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2

Energy

NERC Critical Infrastructure Protection (CIP) v5.0

Financial Services

  • APRA Prudential Practice Guide (PPG): CPG 234 - Management of Security Risk in IT v1.0
  • Gramm-Leach-Bliley Act (GLBA), version 2004
  • Monetary Authority of Singapore (MAS) - Notice 834: Cyber Hygiene Practices (Issue date: Aug 6, 2019)
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2024
  • Technology Risk Management (TRM) Guidelines, Jan-2021

Government

  • Federal Risk and Authorization Management Program (FedRAMP H) - High Security Baseline, Rev. 5
  • Federal Risk and Authorization Management Program (FedRAMP L) - Low Security Baseline, Rev. 5
  • Federal Risk and Authorization Management Program (FedRAMP LI-SaaS) - LI-SaaS Security Baseline, Rev. 5
  • Federal Risk and Authorization Management Program (FedRAMP M) - Moderate Security Baseline, Rev. 5
  • IRS Publication 1075, Rev. 11-2016
  • New Zealand Information Security Manual (NZISM) v3.2

Healthcare

  • Health Insurance Portability and Accountability (HIPAA) Security Rule 45 CFR Parts 160/164, Subparts A/C:1996, v2.0 Rev 3, 2007
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E) v2.0

Insurance

IRDAI Guidelines On Information and Cyber Security for Insurers v1.0

Law Enforcement

Criminal Justice Information Services (CJIS) Security Policy v5.9

Payment Card

Payment Card Industry Data Security Standard (PCI-DSS) v4.0

Public Companies

Sarbanes-Oxley Act: IT Security v2002