OnticBeta
Tier 3 — Best Practice

Framework Crosswalks — NIST CSF, ISO 27001, SOC 2, NIST AI RMF, ISO 42001, EU AI Act, GDPR

Publisher

Ontic Labs

Version

v1

Last verified

February 15, 2026

Frameworks

NIST CSF 2.0; ISO/IEC 27001:2022; SOC 2; NIST AI RMF 1.0; ISO/IEC 42001:2023; EU AI Act; GDPR

Industries

Applies to all industries

Crosswalks - Overview

This oracle does not add new requirements; it encodes how core frameworks map to each other so Goober can reuse controls and evidence instead of treating each regime as siloed. Published mappings and comparative analyses show strong structural overlap among NIST CSF 2.0, ISO 27001:2022, SOC 2, NIST AI RMF, ISO 42001, the EU AI Act, and GDPR, and support using one framework as the “hub” for others. avestia


Crosswalks - What It Is

The crosswalk is a meta‑oracle: a set of high‑level equivalence relationships between Functions / Clauses / Criteria / Legal Articles, not a control‑by‑control mapping. Its purpose is to:

  • Let retrieval answer “how do these frameworks intersect?” questions without repeating the same explanation in every oracle.
  • Support evidence reuse: one log, policy, or control can satisfy multiple frameworks. ijbei-journal
  • Provide routing hints to the ontology boundary enums so Goober knows when to caveat or block answers about frameworks without first‑class oracles.

It is organised into three main clusters:

  1. Cybersecurity backbone: NIST CSF 2.0 ↔ ISO 27001:2022 ↔ SOC 2. csecurity.kubg.edu
  2. AI governance stack: NIST AI RMF ↔ ISO 42001 ↔ EU AI Act. zengrc
  3. Data protection & ADM: GDPR ↔ EU AI Act (high‑risk, ADM, human oversight). globallegalinsights

Crosswalks - Cybersecurity Backbone (NIST CSF ↔ ISO 27001 ↔ SOC 2)

NIST CSF 2.0 ↔ ISO/IEC 27001:2022

Studies and practitioner guides consistently treat NIST CSF and ISO 27001 as complementary: CSF provides Functions / Categories / Subcategories (outcomes) and ISO 27001 provides Annex A controls (means). mdpi

High‑level equivalences:

  • CSF Govern (GV) ↔ ISO 27001 Clauses 4–10 (context, leadership, planning, support, operation, performance evaluation, improvement) for security. mdpi
  • CSF Identify (ID) ↔ ISO 27001 risk assessment requirements (Clauses 6.1.2 and 8.2, which sit in the management‑system body, not in Annex A) plus the Annex A organisational controls on asset inventory and ownership. censinet
  • CSF Protect (PR) ↔ ISO 27001 Annex A controls on access control, cryptography, operations, physical security, secure configuration, and backup. pmc.ncbi.nlm.nih
  • CSF Detect (DE) ↔ ISO 27001 Annex A logging, monitoring, and detection controls.
  • CSF Respond (RS) / Recover (RC) ↔ ISO 27001 Annex A incident management and business continuity controls. mdpi

In practice, many organisations implement ISO 27001 once and map it to CSF 2.0 using a matrix, with CSF as the external narrative and ISO as the internal control system. mdpi

NIST CSF 2.0 ↔ SOC 2

NIST CSF maps cleanly to SOC 2 Trust Services Criteria, and can be used as the “how‑to” for SOC 2 programmes. linfordco

High‑level equivalences:

  • CSF Protect ↔ SOC 2 Security (Common Criteria) controls around access control, change management, configuration, malware protection, and incident response. cbh
  • CSF Detect ↔ SOC 2 Security criteria on monitoring, logging, and anomaly detection.
  • CSF Respond/Recover ↔ SOC 2 Availability and Security criteria on incident handling and continuity. linfordco

SOC 2 reports then act as attestation that CSF‑aligned (and ISO‑aligned) controls exist and operate effectively. thoropass

ISO 27001 ↔ SOC 2

Vendor and academic mappings show substantial overlap: ISO 27001 Annex A security controls support SOC 2 Security, Availability, Confidentiality, and often parts of Privacy. ampcuscyber

Patterns:

  • Policies, organisation of security, human‑resources security, and access control (Annex A.5–A.9 in the 2013 numbering; in ISO 27001:2022 these fall under A.5 Organisational and A.6 People controls, with access control split between A.5 and A.8) ↔ SOC 2 Security / Confidentiality criteria.
  • Operations security, communications security, system acquisition, incident management, and business continuity (Annex A.12–A.17 in the 2013 numbering; in ISO 27001:2022 these live in A.5 Organisational, A.7 Physical, and A.8 Technological controls) ↔ SOC 2 Security / Availability / Processing Integrity. avestia
  Note that the 2013 section numbers above are the ones most published mappings still cite; when mapping against the 2022 edition, translate them through the A.5–A.8 themes rather than looking for A.9 or A.12 by number.

This lets you treat NIST CSF, ISO 27001, and SOC 2 as a triangulated cyber backbone rather than three independent programmes. xantrion
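The “hub” idea from the overview and the evidence‑reuse rule from the What It Is section can be made concrete. The following is an added example, not code from the original page or from Ontic Labs: it encodes a few of the high‑level equivalences listed above as an undirected graph, treats NIST CSF 2.0 as the hub, and answers two questions the crosswalk exists for: which other frameworks a piece of evidence tagged to one framework can help satisfy, and whether a requested framework has a first‑class oracle or needs a caveat. The node identifiers (`csf:PR`, `iso27001:A8-tech`, and so on) are this example's own shorthand, the SOC 2 series numbers (CC6 access controls, CC7 system operations, A1 availability) and the `FIRST_CLASS` set are assumptions, and the evidence item is constructed. The practitioner caveat is built in: reuse claims are capped at two hops (into the hub and back out), so every claim rests on two directly published equivalences rather than a long chain of “roughly equivalent” links.

```python
"""Hub-style framework crosswalk resolver (added example; not Ontic Labs code)."""
from collections import defaultdict, deque

# Directly asserted high-level equivalences, as undirected edges.
# Node identifiers are this example's shorthand, not official framework IDs.
# SOC 2 series numbers (CC6 / CC7 / A1) are an assumption about the TSC layout.
EDGES = [
    ("csf:GV", "iso27001:cl4-10"),      # Govern <-> ISO 27001 Clauses 4-10
    ("csf:ID", "iso27001:A5-org"),      # Identify <-> organisational / asset controls
    ("csf:PR", "iso27001:A8-tech"),     # Protect <-> technological controls
    ("csf:PR", "soc2:CC6"),             # Protect <-> logical & physical access
    ("csf:DE", "iso27001:A8-logging"),  # Detect <-> logging & monitoring controls
    ("csf:DE", "soc2:CC7"),             # Detect <-> system operations / monitoring
    ("csf:RS", "iso27001:A5-incident"), # Respond <-> incident management
    ("csf:RS", "soc2:CC7"),             # Respond <-> system operations (incident handling)
    ("csf:RC", "soc2:A1"),              # Recover <-> Availability criteria
]

# Frameworks that have a first-class oracle in this (assumed) deployment.
FIRST_CLASS = {"csf", "iso27001", "soc2"}


def build_graph(edges):
    """Adjacency sets for an undirected equivalence graph."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def framework_of(node):
    """'soc2:CC7' -> 'soc2'."""
    return node.split(":", 1)[0]


def reuse_candidates(graph, evidence_node, max_hops=2):
    """Breadth-first walk from the node the evidence is tagged to.

    Returns {reachable_node: [path of equivalences that justifies the reuse]}.
    max_hops=2 means one step into the hub (CSF) and one step back out, so a
    reuse claim never rests on a chain longer than two published equivalences.
    The start node itself is not returned.
    """
    paths = {evidence_node: [evidence_node]}
    queue = deque([evidence_node])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 >= max_hops:
            continue  # hop budget exhausted on this branch
        for neighbour in graph[node]:
            if neighbour not in paths:  # BFS: first visit is the shortest chain
                paths[neighbour] = paths[node] + [neighbour]
                queue.append(neighbour)
    del paths[evidence_node]
    return paths


def coverage_by_framework(paths):
    """Group reachable nodes by framework: {'csf': [...], 'iso27001': [...]}."""
    grouped = defaultdict(list)
    for node in paths:
        grouped[framework_of(node)].append(node)
    return {fw: sorted(nodes) for fw, nodes in sorted(grouped.items())}


def route(framework):
    """Routing hint for the retrieval layer: answer directly, or caveat."""
    return "answer" if framework in FIRST_CLASS else "caveat"


if __name__ == "__main__":
    graph = build_graph(EDGES)
    # Constructed evidence item: a SIEM alert-review log that the SOC 2 auditor
    # accepted under CC7. Which CSF outcomes and ISO 27001 controls can reuse it?
    evidence = {"name": "siem-alert-review-log-2026Q1", "tagged": "soc2:CC7"}
    paths = reuse_candidates(graph, evidence["tagged"])
    for node, chain in sorted(paths.items()):
        print(f"{evidence['name']} -> {node}  via {' <-> '.join(chain)}")
    print(coverage_by_framework(paths))
    for fw in ("soc2", "gdpr"):
        print(fw, route(fw))
```

Running it shows the CC7 log reaching CSF Detect and Respond in one hop and the ISO 27001 logging and incident‑management controls in two, each with the chain that justifies it; a GDPR query is routed to `caveat` because no first‑class oracle is registered for it. Raising `max_hops` beyond 2 quickly lets evidence “satisfy” controls it has nothing to do with, which is exactly why the crosswalk is a set of high‑level equivalences and not a control‑by‑control mapping.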


Crosswalks - AI Governance Stack (NIST AI RMF ↔ ISO 42001 ↔ EU AI Act)

NIST AI RMF ↔ ISO/IEC 42001

NIST has published an official crosswalk mapping AI RMF Functions (Govern, Map, Measure, Manage) to ISO 42001 AIMS clauses, and practitioners emphasise their complementarity. fairnow

High‑level mapping:

  • AI RMF Govern ↔ ISO 42001 Clauses 4–7 (context, leadership, planning, support) plus governance expectations in Clause 8 (operation). aws.amazon
  • AI RMF Map ↔ ISO 42001 requirements for AI use‑case scoping, risk identification, and AI lifecycle planning within AIMS operations. ieeexplore.ieee
  • AI RMF Measure ↔ ISO 42001 performance evaluation requirements (Clause 9) and testing/monitoring expectations in Clause 8. ieeexplore.ieee
  • AI RMF Manage ↔ ISO 42001 operational controls, corrective action, and continual improvement (Clauses 8 and 10). vanta

Practical rule: NIST AI RMF is the risk playbook, ISO 42001 is the certifiable management system that governs that playbook. fairnow

NIST AI RMF / ISO 42001 ↔ EU AI Act (High‑Risk)

Cloud Security Alliance, governance vendors, and academic work present ISO 42001 and NIST AI RMF as primary routes to operationalising EU AI Act obligations. cloudsecurityalliance

Key equivalences:

  • AI RMF Govern + ISO 42001 leadership/strategy ↔ EU AI Act Articles on accountability, QMS (Art. 17), AI literacy, and governance requirements for providers and deployers. cloudsecurityalliance
  • AI RMF Map ↔ EU AI Act risk management (Art. 9) and fundamental‑rights impact assessment (Art. 27). ieeexplore.ieee
  • AI RMF Measure ↔ EU AI Act requirements for accuracy, robustness, cybersecurity (Art. 15), logging (Art. 12), and ongoing monitoring. cloudsecurityalliance
  • AI RMF Manage ↔ EU AI Act risk mitigation measures, post‑market monitoring, incident reporting, and corrective actions. ieeexplore.ieee

Operationally: implement AI RMF + ISO 42001 once, then add the EU AI Act‑specific deltas for EU‑exposed systems: risk classification (Art. 6 / Annex III), conformity assessment and CE marking, registration in the EU database, and the Act's penalty exposure. zengrc


Crosswalks - Data Protection & ADM (GDPR ↔ EU AI Act)

Analyses of the EU AI Act’s relationship with GDPR show they must be read together for any AI system processing personal data. privacymatters.dlapiper

Key intersections:

  • Data Governance: EU AI Act Art. 10 (data and data governance) complements GDPR’s principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, and accuracy; data used for training/high‑risk must still have a GDPR basis and respect data protection by design. globallegalinsights
  • Special Category Data: AI Act Art. 10(5) allows processing of special categories for bias detection/correction but only within GDPR Art. 9 safeguards. globallegalinsights
  • Automated Decision‑Making vs Human Oversight: GDPR Art. 22 governs “solely automated” decisions with legal/similar effects, while EU AI Act imposes human oversight and technical‑governance duties for high‑risk systems; together they define requirements for ADM, explanation, and oversight. cidob
  • Impact Assessments: GDPR DPIAs (Art. 35) and EU AI Act FRIAs (Art. 27) overlap; many organisations will run a combined assessment rather than separate processes. privacymatters.dlapiper

Your oracles should treat GDPR + EU AI Act as a joint constraint for EU‑touching, personal‑data‑driven AI.


Crosswalks - Governance Stack (COSO ERM, ISO 37301, DOJ ECCP)

At the governance level:

  • COSO ERM provides the enterprise risk meta‑framework; ISO 37301 provides a compliance management system; DOJ ECCP provides the enforcement lens for criminal/corporate compliance. erm.ncsu
  • NIST CSF, ISO 27001, SOC 2, NIST AI RMF, ISO 42001, EU AI Act, and GDPR can all be treated as risk/controls programmes that roll up into COSO ERM’s components (Governance & Culture; Strategy & Objective‑Setting; Performance; Review & Revision; Information, Communication & Reporting). arxiv