Appendix F: Control and Compliance Mappings

| NIST Control Family | Xcavate Control Implementation | Compliance Reference |
|---|---|---|
| Access Control (AC) | Role-based access, least privilege, multi-factor authentication | GDPR Art. 32, FCA SYSC |
| Audit and Accountability (AU) | Logging, monitoring, regular internal and third-party audits | GDPR Art. 30, FCA record-keeping |
| System and Communications Protection (SC) | Encryption in transit and at rest, secure APIs, Zero Trust architecture | GDPR Recital 83, FCA data security |
| Incident Response (IR) | Incident reporting workflow, detection mechanisms, response drills | GDPR Art. 33-34, FCA SYSC 4.1.1 |
| Risk Assessment (RA) | Formal risk register, regular assessments using SP 800-30 | FCA SYSC, GDPR Recital 83 |
| Security Assessment (CA) | Control assessments using SP 800-53A, audit reports | FCA audits, GDPR accountability principle |
| Configuration Management (CM) | Secure configurations aligned with SP 800-128, continuous updates | GDPR Art. 32, FCA operational resilience |
| Privacy Controls (PT) | Data minimization, user consent, rights management | GDPR Art. 5-8, FCA privacy requirements |
| AI Controls (Custom) | Bias detection, explainability, monitoring AI decisions | EU AI Act (proposed), FCA guidance |