Requirements (from different frameworks)
  ISO 27001 A-5.18: Access rights (ISO/IEC 27001:2022)
  NIST PR.AA-05: Access permissions, entitlements, and authorizations (NIST CSF 2.0)
  DORA Art. 21: Access control (DORA Regulation)
Implement once, comply with all three.
Measure (the pivot point)
  MSR-012: Access reviews & recertification
  One measure addresses three requirements across three frameworks.
  Maturity (CMM): verified by controls across assets
Controls (operational verification per asset)
  CTL-027: Access rights review, ERP System (SAP)
  CTL-028: Access rights review, HR Management System
  CTL-029: Access rights review, Active Directory
Tasks (assigned to people)
  TSK-091: Quarterly SAP access review, Jean Dupont
  TSK-105: Yearly HR SaaS access review, Marie Laurent
  TSK-120: Monthly AD access review, Paul Meier
Control health (scores cascade upward through all layers)
  Control    Name                       Done on time   Target achieved
  CTL-027    SAP access review          Yes            Yes
  CTL-028    HR system access review    Yes            Yes
  CTL-029    AD access review           Yes            Yes