Controls are your cybersecurity & data privacy program. A control is the power to influence or direct behaviors and the course of events.

Secure Controls Framework (SCF) Council

STRM Bundle - Excel Versions

$20.00
2 reviews
SKU: STRM-Bundle

This is a digital download of the current Excel spreadsheet versions of the Set Theory Relationship Mapping (STRM) used to crosswalk the Secure Controls Framework (SCF).

The STRM download is accessible for one (1) month from the date of purchase. The 2025.4 STRM mappings in Excel format include the following:

  1. AICPA Trust Services Criteria (TSC) with (2022 points of focus)
  2. APEC Privacy Framework (2015)
  3. Critical Security Controls (CSC) version 8.1
  4. Critical Security Controls (CSC) version 8.1 - IG1
  5. Critical Security Controls (CSC) version 8.1 - IG2
  6. Critical Security Controls (CSC) version 8.1 - IG3
  7. GovRAMP Core
  8. GovRAMP Low
  9. GovRAMP Low+
  10. GovRAMP Moderate
  11. GovRAMP High
  12. IEC TR 60601-4-5:2021 - Medical electrical equipment - Part 4-5: Guidance and interpretation - Safety-related technical security specifications
  13. International Maritime Organization (IMO) Guidelines on Maritime Cyber Risk Management
  14. ISO/IEC 27001:2022 - Information Security Management Systems (ISMS) - Requirements
  15. ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection - Information security controls
  16. ISO/IEC 27701:2025 - Privacy information management systems
  17. ISO/IEC 29100:2024 Information technology — Security techniques — Privacy framework
  18. ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system
  19. Insurance Data Security Model Law (MDL-668)
  20. NIST AI 100-1 (Artificial Intelligence Risk Management Framework 1.0)
  21. NIST AI 600-1 (AI RMF Generative Artificial Intelligence Profile)
  22. NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations
  23. NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (privacy baseline)
  24. NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (low baseline)
  25. NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)
  26. NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (high baseline)
  27. NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations (Select Not Otherwise Categorized (NOC) controls)
  28. NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
  29. NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM Baseline)
  30. NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Flow Down)
  31. NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 1)
  32. NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 2)
  33. NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 3)
  34. NIST SP 800-171 R2 - Protecting CUI in Nonfederal Systems and Organizations
  35. NIST SP 800-171 R3 - Protecting CUI in Nonfederal Systems and Organizations
  36. NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information
  37. NIST SP 800-171A R3 - Assessing Security Requirements for Controlled Unclassified Information
  38. NIST SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
  39. NIST SP 800-207 - Zero Trust Architecture
  40. NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1
  41. NIST Cybersecurity Framework (CSF) v2.0
  42. OECD Privacy Principles
  43. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1
  44. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A
  45. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A-EP
  46. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B
  47. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B-IP
  48. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C
  49. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C-VT
  50. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Merchant
  51. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Service Provider
  52. Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ P2PE
  53. Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
  54. Trusted Information Security Assessment Exchange (TISAX) ISA 6.0.3
  55. CISA Cross-Sector Cybersecurity Performance Goals (CPG)
  56. Criminal Justice Information Services (CJIS) Security Policy v5.9.3
  57. Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1
  58. Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1 Assessment Objectives
  59. Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 2
  60. Data Privacy Framework (DPF)
  61. DoD Zero Trust Execution Roadmap
  62. DoD Zero Trust Reference Architecture v2
  63. CISA Secure Software Development Attestation Form (SSDAF)
  64. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections 3.0 Security Capabilities Catalog
  65. Executive Order 14028 (EO 14028)
  66. Farm Credit Administration (FCA) Cyber Risk Management
  67. Fair Information Practice Principles (FIPPs)
  68. Gramm Leach Bliley Act (GLBA) - CFR 314 (Dec 2023)
  69. HHS § 155.260 Privacy and Security of Personally Identifiable Information
  70. HIPAA Administrative Simplification (2013)
  71. HIPAA Security Rule (includes mapping to NIST SP 800-66 R2)
  72. North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) 2024
  73. Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249
  74. CA - California Consumer Privacy Act (CCPA) January 2026 (amended California Privacy Rights Act (CPRA))
  75. NV - Nevada Operation of Gaming Establishments - Regulation 5.260 (Cybersecurity)
  76. NY - Cybersecurity Requirements for Financial Services Companies (DFS 23 NYCRR500) - 2023 Amendment 2
  77. OR - Consumer Privacy Act (SB 619)
  78. TN - Information Protection Act
  79. TX - SB 2610 (Safe Harbor Law)
  80. VA - Virginia Consumer Data Protection Act (2023)
  81. EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689)
  82. EU Cyber Resilience Act
  83. EU Cyber Resilience Act - Annexes
  84. Digital Operational Resilience Act (DORA) (2023)
  85. General Data Protection Regulation (GDPR)
  86. ENISA NIS2 (Directive (EU) 2022/2555)
  87. ENISA NIS2 Annex
  88. Saudi Arabia IoT CGIoT-1:2024
  89. Saudi Arabia Personal Data Protection Law (PDPL)
  90. BOE-A-2022-7191
  91. UAE National Information Assurance Framework (NIAF)
  92. Cyber Assessment Framework (CAF) v4.0
  93. Ministry of Defence Standard 05-138 (14 May 2024)
  94. Australia Essential Eight
  95. Australian Government Information Security Manual (ISM) (June 2024)
  96. China Cybersecurity Law of the People's Republic of China (China Cybersecurity Law) 2017
  97. India Digital Personal Data Protection Act 2023
  98. SEBI Cybersecurity and Cyber Resilience Framework (CSCRF)
  99. NZ Health Information Security Framework (2022)
  100. HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers
  101. B-13
  102. Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171)

2 Reviews

  • Rating 4: STRM

    Posted by Eric Andresen on Jun 23rd 2025

    You will save a lot of time trying to map these controls out yourself if all you do is purchase the material for your latest NIS2 project. There are no doubt many ways that this can be applied, and if we have this material to show an auditor how the material was organized, I am sure without a doubt that the material will pay off in a big way. The Secure Controls Framework is amazing, and I am happy to support the project in any small way that we can.

  • Rating 5: Excellent value and huge time saver!

    Posted by Udo Schneider on Oct 10th 2024

    We use SCF to map product features to multiple compliance frameworks using control cross-walking. Adding the STRM information, especially the actual requirement text, allows us to tailor our answers specifically to the framework. And for the price, it's a real bargain! Even if you only need to copy and paste requirement descriptions manually, you'll end up paying more in lost work time than buying the whole package. Plus, you'll miss out on the STRM weights, which help to prioritize controls.