eGRACS Compliance Controls Triangle
This Tactical Tier control triangle seeks to ensure that the organisation’s information systems meet regulatory, legal, and industry standards, and that they operate in accordance with internal policies and external requirements.
This control rolls down from the Manage Demand Domain and cascades into three child controls: 1.3.3.1-Policy Compliance, 1.3.3.2-Regulatory Compliance, and 1.3.3.3-Industry Compliance.
Control Mappings:
Cobit:2019 ➡️ EDM01; EDM01.03; EDM05; EDM05.01; APO01; APO01.09; APO13; APO13.01; BAI11; BAI11.05; DSS04; DSS04.01; DSS05; DSS05.06; DSS06; DSS06.01; MEA01; MEA01.02; MEA02; MEA02.01; MEA02.03; MEA02.04; MEA03; MEA03.01; MEA03.02; MEA03.03; MEA03.04; MEA04; MEA04.01; MEA04.02; MEA04.03; MEA04.04; MEA04.05; MEA04.06; MEA04.08
PCI:DSSv4.01 ➡️ 12; 12.4; 12.5.2.1
GDPR:2024 ➡️ Art.5; Art.6; Art.7; Art.8; Art.9; Art.10; Art.13; Art.14; Art.19; Art.23; Art.24; Art.26; Art.29; Art.49; Art.58; Art.70; Art.72; Art.77; Art.83; Art.84; Art.85; Art.86; Art.87; Art.88; Art.89; Art.91; Art.94; Art.95; Art.96; Art.97; Art.98
HIPAA:2005:Rev2007 ➡️ 164.308(a)(8); 164.316(a); 164.316(b)(1); 164.316(b)(2)(i); 164.316(b)(2)(ii)
ISO27001:2022 ➡️ 4; 4.2; 4.4; 5; 5.1; 6; 6.1; 6.1.1; 6.2; 8; 8.3; 10; 10.1
ISO27005:2022 ➡️ 6; 6.2
ISO31000:2018 ➡️ 6.6
ISO38500:2024 ➡️ 4; 4.2; 5; 5.5.2; 5.8; 7; 7.2
ITIL:v4 ➡️ GM1; GM3; GM7; GM9; GM10; GM12
NIST:CSFv2 ➡️ GV; GV.OC; GV.OC-02; GV.RM-03; GV.OV