About Mandates

Mandates are regulatory requirements, good-practice standards and compliance frameworks published by governments, regulators and industry bodies. We provide a set of pre-defined mandates which you can use to generate mandate-based reports.


A mandate has a set of requirements, which may include one or more levels of sub-requirements. Each requirement contains control objectives, and each control objective has sub-control objectives or controls.

Can a mandate be edited? No, the mandates are pre-defined and cannot be edited. However, you can view a mandate or download it.

To view a mandate, go to PC > Policies > Mandates. Select View from the Quick Actions menu for any mandate in the list.

Tip - Use the Search option above the list to find mandates by title, publisher, release date, and more. 

To download the mandates list, go to PC > Policies > Mandates. Select Download from the New menu above the data list. Choose a download file format and click Download.

You can generate a report directly from the Mandates tab. Select one or more mandates and, from the Actions menu, select Generate Report.

(Screenshot: Generate Report option on the Mandates tab)

List of Mandates

Note: Mandates are categorized by region and sector for your quick reference.

Australia 

  • Australian Signals Directorate - The Essential 8 Strategies (ASD 8) 
  • Australian Signals Directorate Information Security Manual (ISM) 
  • Australian Signals Directorate - Essential Eight Maturity Model 
  • APRA Prudential Practice Guide (PPG): CPG 234 - Management of Security Risk in Information and Information Technology 

Brazil 

  • Brazilian General Data Protection Law (LGPD)

Canada 

  • Personal Information Protection and Electronic Documents Act 
  • Annex 3A (Security Control Catalogue) to IT Security Risk Management: A Lifecycle Approach (ITSG-33)

European Union 

  • Network and Information Systems (NIS 2 Directive) (EU) 2022/2555 
  • Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554 
  • General Data Protection Regulation (GDPR) 
  • European Union Agency for Network and Information Security 

France 

  • ANSSI 40 Essential Measures for a Healthy Network

Global 

  • SWIFT Customer Security Controls Framework - Customer Security Programme v2024 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2023 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2021 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2019 
  • Secure Controls Framework (SCF) 
  • Payment Card Industry Data Security Standard (PCI-DSS) v4.0 
  • Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 
  • ISO/IEC 27001:2022 
  • ISO/IEC 27001:2013 
  • Critical Systems Cybersecurity Controls 
  • Cloud Controls Matrix (CCM) 
  • CIS Controls Version 8.1 
  • CIS Controls Version 8 
  • CIS Controls 

India 

  • Reserve Bank of India (RBI) - Baseline Cyber Security and Resilience Requirements (Annex 1) 
  • IRDAI Guidelines On Information and Cyber Security for Insurers 

Malaysia 

  • Risk Management in Technology (RMiT)

New Zealand

  • New Zealand Information Security Manual (NZISM)

North America 

  • NERC Critical Infrastructure Protection (CIP)

Qatar 

  • Qatar 2022 Cybersecurity Framework 
  • National Information Assurance Policy 

Saudi Arabia 

  • Saudi Aramco SACS-002 Third Party Cybersecurity Standard 
  • Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF)
  • Essential Cybersecurity Controls 

Singapore 

  • Technology Risk Management (TRM) Guidelines 
  • Monetary Authority of Singapore (MAS) - Notice 834: Cyber Hygiene Practices 

South Africa 

  • Protection of Personal Information Act (POPI Act)

Spain 

  • Royal Decree 311/2022 - Annex II (MEDIUM) 
  • Royal Decree 311/2022 - Annex II (HIGH) 
  • Royal Decree 311/2022 - Annex II (BASIC) 
  • Royal Decree 311/2022 

United Arab Emirates (UAE) 

  • NESA UAE Information Assurance Standards (IAS)

United Kingdom 

  • NCSC Basic Cyber Security Controls (BCSC)

United States 

  • US Gramm Leach Bliley Act (GLBA) 
  • US Food & Drug Administration (FDA) 
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1 
  • The NIST Cybersecurity Framework (CSF) 
  • Sarbanes-Oxley Act: IT Security 
  • NIST Special Publication 800-171 
  • NIST Cyber Security Framework (CSF) 
  • NIST AI 100-1 - Artificial Intelligence Risk Management Framework, January 2023 
  • NIST 800-53 (Special Publication) 
  • New York State Department of Financial Services 23 NYCRR 500 
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E) 
  • Microsoft Cloud Security Benchmark 
  • IRS Publication 1075 
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule 45 CFR Parts 160/164, Subparts A/C:1996
  • Federal Risk and Authorization Management Program (FedRAMP M) - Moderate Security Baseline 
  • Federal Risk and Authorization Management Program (FedRAMP LI-SaaS) - LI-SaaS Security Baseline 
  • Federal Risk and Authorization Management Program (FedRAMP L) - Low Security Baseline 
  • Federal Risk and Authorization Management Program (FedRAMP H) - High Security Baseline 
  • Federal Financial Institutions Examination Council (FFIEC) 
  • Federal Acquisition Regulation (FAR) 
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008-7012 
  • Cybersecurity Maturity Model Certification (CMMC) Level 5 
  • Cybersecurity Maturity Model Certification (CMMC) Level 4 
  • Cybersecurity Maturity Model Certification (CMMC) Level 3 
  • Cybersecurity Maturity Model Certification (CMMC) Level 2 
  • Cybersecurity Maturity Model Certification (CMMC) Level 1 
  • Cybersecurity Maturity Model Certification (CMMC) 
  • CSA 405(d) - Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations 
  • CSA 405(d) - Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations 
  • Criminal Justice Information Services (CJIS) Security Policy 
  • Control Objectives for Information and Related Technologies (COBIT) 
  • CERT Resilience Management Model 
  • California Consumer Privacy Act of 2018 (SB-1121) 
  • 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy 

Artificial Intelligence and Emerging Technologies 

  • NIST AI 100-1 - Artificial Intelligence Risk Management Framework, January 2023

Critical Infrastructure and National Security 

  • Royal Decree 311/2022 and associated Annexes 
  • The Network and Information Systems (NIS 2 Directive) (EU) 2022/2555 
  • Digital Operational Resilience Act (DORA) 
  • NESA UAE Information Assurance Standards (IAS) 
  • National Information Assurance Policy 
  • Critical Systems Cybersecurity Controls 
  • Annex 3A (Security Control Catalogue) to IT Security Risk Management: A Lifecycle Approach (ITSG-33)

Cross-Sector 

  • ANSSI 40 Essential Measures for a Healthy Network 
  • Control Objectives for Information and Related Technologies (COBIT) 
  • Essential Cybersecurity Controls 
  • 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy 
  • Minimum Acceptable Risk Standards for Exchanges (MARS-E) 

Defense / Government Contracts 

  • Cybersecurity Maturity Model Certification (CMMC) 
  • Cybersecurity Maturity Model Certification (CMMC) Level 1 
  • Cybersecurity Maturity Model Certification (CMMC) Level 2 
  • Cybersecurity Maturity Model Certification (CMMC) Level 3 
  • Cybersecurity Maturity Model Certification (CMMC) Level 4 
  • Cybersecurity Maturity Model Certification (CMMC) Level 5 
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 1 
  • US Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008-7012 
  • NIST Special Publication 800-171 
  • NIST 800-53 (Special Publication) 
  • Criminal Justice Information Services (CJIS) Security Policy 
  • European Union Agency for Network and Information Security 

Energy / Utilities 

  • NERC Critical Infrastructure Protection (CIP) 
  • Saudi Aramco SACS-002 Third Party Cybersecurity Standard 

Finance 

  • US Gramm Leach Bliley Act (GLBA) 
  • Sarbanes-Oxley Act: IT Security 
  • Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF)
  • Monetary Authority of Singapore (MAS) - Notice 834: Cyber Hygiene Practices 
  • Risk Management in Technology (RMiT) 
  • Federal Financial Institutions Examination Council (FFIEC) 
  • Reserve Bank of India (RBI) - Baseline Cyber Security and Resilience Requirements (Annex 1) 
  • New York State Department of Financial Services 23 NYCRR 500 

Federal and Public Sector

  • Federal Risk and Authorization Management Program (FedRAMP) (Low, LI-SaaS, Moderate and High Security Baselines)
  • Federal Acquisition Regulation (FAR) 
  • IRS Publication 1075 
  • NCSC Basic Cyber Security Controls (BCSC) 

General Technology / Information Security 

  • NIST Cyber Security Framework (CSF) 
  • Secure Controls Framework (SCF) 
  • Cloud Controls Matrix (CCM) 
  • CIS Controls Version 8/8.1 
  • CERT® Resilience Management Model 
  • Microsoft Cloud Security Benchmark 
  • ISO/IEC 27001:2022 
  • ISO/IEC 27001:2013 
  • Technology Risk Management (TRM) Guidelines 
  • New Zealand Information Security Manual (NZISM) 
  • The Australian Signals Directorate - The Essential 8 Strategies (ASD 8) 
  • Australian Signals Directorate Information Security Manual (ISM) 
  • APRA Prudential Practice Guide (PPG): CPG 234 
  • Qatar 2022 Cybersecurity Framework 

Healthcare 

  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule 45 CFR Part 164, Subpart C
  • CSA 405(d) - Cybersecurity Practices for Medium and Large Healthcare Organizations 
  • CSA 405(d) - Cybersecurity Practices for Small Healthcare Organizations 
  • US Food & Drug Administration (FDA) 

Insurance 

  • IRDAI Guidelines On Information and Cyber Security for Insurers

Payment Systems 

  • Payment Card Industry Data Security Standard (PCI-DSS) v4.0/v3.2.1 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2024 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2023 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2021 
  • SWIFT Customer Security Controls Framework - Customer Security Programme v2019 

Privacy / Data Protection 

  • General Data Protection Regulation (GDPR) 
  • California Consumer Privacy Act (CCPA) 
  • Brazilian General Data Protection Law (LGPD) 
  • Protection of Personal Information Act (POPI Act) 
  • Personal Information Protection and Electronic Documents Act (PIPEDA) 
