Compliance Overview
Supported compliance frameworks and how APVISO maps findings to framework controls automatically.
Supported Frameworks
APVISO maps scan findings to controls in the following compliance frameworks:
- OWASP Top 10 — the standard for web application security risks.
- NIST Cybersecurity Framework (CSF) — a comprehensive framework for managing cybersecurity risk.
- ISO 27001 — international standard for information security management systems.
- PCI-DSS 4.0 — payment card industry data security standard.
- SOC 2 — service organization controls for security, availability, and confidentiality.
- GDPR — European data protection regulation.
- CIS Controls — prioritized security actions for cyber defense.
- NIS2 — EU directive on network and information security.
- DORA — Digital Operational Resilience Act for financial entities.
- Czech ZOKB — Czech law on cybersecurity (Zákon o kybernetické bezpečnosti).
How Mapping Works
When a finding is created, APVISO's reporter agent automatically maps it to relevant framework controls. For example, an SQL injection finding (CWE-89) maps to:
- OWASP Top 10: A03 Injection.
- PCI-DSS 4.0: Requirement 6.2.4 (software development security).
- NIST CSF: PR.DS-5 (data leak protection).
- ISO 27001: A.8.26 (application security).
These mappings appear on the finding detail page and are included in reports.
Compliance Dashboard
The compliance dashboard (available on Business tier and above) provides:
- Framework view — select a framework to see all its controls and which ones have associated findings.
- Control status — each control is rated as passing, failing, or not assessed based on scan results.
- Posture score — an overall compliance posture percentage for each framework.
- History — track how your posture score changes over time.
Using Compliance Data
- Share compliance reports with auditors to demonstrate proactive security testing.
- Use the framework view to identify gaps — controls with no assessment may need manual review.
- Track posture scores over time to demonstrate continuous improvement.
- Export compliance data via the API for inclusion in GRC platforms.
Limitations
APVISO's compliance mappings cover technical controls that can be validated through penetration testing. Administrative, physical, and procedural controls (e.g., security policies, employee training) are outside the scope of automated testing and are marked as not_assessed.
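To make the mapping, control-status and posture-score behaviour described in the How Mapping Works, Compliance Dashboard and Limitations sections concrete, here is a small worked model. It is an added example written for this page, not APVISO's own code or API. The CWE-89 rows of the mapping table are the ones listed above; the other mapping rows, the control inventory, the scan-coverage input, the status rules (an open finding fails its control, a covered control with no open finding passes, administrative or uncovered controls are not assessed) and the posture formula (share of assessed controls that pass) are assumptions made for illustration.

```python
"""Toy model of finding-to-control mapping, control status and posture score.

Added example, not APVISO's code. Only the CWE-89 mapping rows come from the
page; everything else here is constructed to illustrate the mechanics.
"""

# CWE id -> (framework, control id) pairs. The CWE-89 rows are the page's
# example; the CWE-284 and CWE-327 rows are constructed for this demo.
CWE_CONTROL_MAP = {
    "CWE-89": [
        ("OWASP Top 10", "A03"),
        ("PCI-DSS 4.0", "6.2.4"),
        ("NIST CSF", "PR.DS-5"),
        ("ISO 27001", "A.8.26"),
    ],
    "CWE-284": [("OWASP Top 10", "A01")],                          # constructed
    "CWE-327": [("OWASP Top 10", "A02"), ("ISO 27001", "A.8.24")],  # constructed
}

# Constructed control inventory (a subset per framework). Each control is
# either technical (testable by a scan) or administrative (never scan-assessed).
CONTROL_INVENTORY = {
    "OWASP Top 10": {"A01": "technical", "A02": "technical", "A03": "technical"},
    "ISO 27001": {
        "A.8.26": "technical",      # application security requirements
        "A.8.24": "technical",      # use of cryptography
        "A.8.8": "technical",       # technical vulnerability management
        "A.6.3": "administrative",  # awareness and training
    },
}

# Constructed sample data: two findings and the weakness classes the scan tested.
FINDINGS = [
    {"id": "F-1", "cwe": "CWE-89", "status": "open"},
    {"id": "F-2", "cwe": "CWE-327", "status": "resolved"},
]
TESTED_CWES = {"CWE-89", "CWE-327"}


def map_finding(cwe):
    """Return the (framework, control) pairs a finding with this CWE maps to."""
    return list(CWE_CONTROL_MAP.get(cwe, []))


def controls_covered_by(tested_cwes):
    """(framework, control) pairs a scan that tested these CWEs can speak to."""
    covered = set()
    for cwe in tested_cwes:
        covered.update(CWE_CONTROL_MAP.get(cwe, []))
    return covered


def control_statuses(framework, findings, tested_cwes, inventory=CONTROL_INVENTORY):
    """Rate every control of `framework` as passing, failing or not_assessed.

    Assumed rules: an open finding mapped to a control fails it; a technical
    control the scan covered with no open finding passes; administrative
    controls and controls no test reached are not_assessed.
    """
    covered = controls_covered_by(tested_cwes)
    failing = set()
    for finding in findings:
        if finding["status"] != "open":
            continue  # resolved findings no longer count against a control
        for fw, ctl in map_finding(finding["cwe"]):
            if fw == framework:
                failing.add(ctl)

    statuses = {}
    for ctl, kind in inventory[framework].items():
        if kind == "administrative":
            statuses[ctl] = "not_assessed"
        elif ctl in failing:
            statuses[ctl] = "failing"
        elif (framework, ctl) in covered:
            statuses[ctl] = "passing"
        else:
            statuses[ctl] = "not_assessed"  # gap: needs manual review
    return statuses


def posture_score(statuses):
    """Assumed posture formula: percent of assessed controls that pass.

    Controls rated not_assessed are excluded from both numerator and
    denominator; with nothing assessed the score is 0.0 rather than an error.
    """
    assessed = [s for s in statuses.values() if s != "not_assessed"]
    if not assessed:
        return 0.0
    passing = sum(1 for s in assessed if s == "passing")
    return round(100.0 * passing / len(assessed), 1)


if __name__ == "__main__":
    for framework in CONTROL_INVENTORY:
        statuses = control_statuses(framework, FINDINGS, TESTED_CWES)
        print(framework, statuses, f"posture={posture_score(statuses)}%")
```

Running it rates OWASP A03 as failing (the open CWE-89 finding), A02 as passing (the scan tested CWE-327 and the only finding is resolved) and A01 as not assessed (the scan never reached it), giving a 50% posture for the sampled controls; on the ISO 27001 side the administrative control A.6.3 is not assessed regardless of scan results, which is the behaviour the Limitations section describes. Excluding not-assessed controls from the denominator is a deliberate choice: counting them as failures would let untested controls drag the score down, while counting them as passes would hide exactly the gaps the framework view is meant to surface.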