Compliance mapping
Built for the frameworks your auditors live by
Identity and privileged-access controls are the backbone of every major security framework. Here is how Tanflow maps to each one - Indian regimes first, because that's where our customers get examined.
Control coverage at a glance
Seven controls your auditor will ask about
The platform capabilities regulators look for, against the frameworks they examine. Every cell is evidenced from the same audit store.
| Platform control | CERT-In | DPDP 2023 | RBI | ISO 27001 | PCI DSS | SOC 2 |
|---|---|---|---|---|---|---|
| Multi-factor authentication | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Privileged session recording | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Real-time command control | ✔ | · | ✔ | ✔ | · | ✔ |
| Just-in-time / time-boxed access | · | ✔ | ✔ | ✔ | ✔ | ✔ |
| Access certification campaigns | · | ✔ | ✔ | ✔ | ✔ | ✔ |
| Automated leaver deprovisioning | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Tamper-evident audit retention | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
✔ directly evidenced by the platform · dot = supporting rather than primary control for that framework
Framework by framework
Choose your framework
CERT-In Directions (2022)
Indian · MandatoryMandatory logging, time synchronisation and incident reporting for Indian entities.
- 180-day-plus retention of identity and privileged-access logs, timestamped and exportable
- Synchronised clocks across the platform (NTP) for correlation-ready evidence
- Session recordings and command logs accelerate the 6-hour incident-reporting timeline
DPDP Act 2023
Indian · Data protectionIndia's data protection law: purpose limitation, security safeguards and breach accountability for personal data.
- Access to personal-data systems restricted to named, authenticated identities
- Justification workflows and recorded sessions document why data was accessed
- Instant deprovisioning supports data-minimisation and least-privilege duties
RBI Cyber Security Framework
Indian · BFSIBaseline and advanced cyber controls for banks and NBFCs, with explicit privileged-access expectations.
- Privileged sessions to CBS and payment infrastructure recorded and command-controlled
- MFA on administrative and remote access; maker-checker on access grants
- Vendor access time-boxed and supervised; audit evidence export for RBI inspections
SEBI Cyber Resilience Framework
Indian · MarketsCyber resilience requirements for stock brokers, depositories and market intermediaries.
- Access governance with periodic certification campaigns and SoD checks
- Privileged access to trading and settlement systems fully audited
- Log retention and reporting aligned to SEBI inspection formats
IRDAI Guidelines
Indian · InsuranceInformation and cyber security guidelines for insurers.
- Identity lifecycle automation across policy administration systems
- Recorded privileged access to policyholder-data stores
- Board-reportable access-governance metrics and attestations
ISO 27001 / 27002
Global · ISMSThe international ISMS standard; Annex A access-control requirements map directly to IAM/PAM.
- A.9 access control: provisioning, review and revocation as automated workflows
- A.9.4 privileged utility restriction via command control and JIT elevation
- A.12.4 logging and monitoring through the tamper-evident audit store
NIST CSF
Global · FrameworkThe Identify-Protect-Detect-Respond-Recover framework used by security programs worldwide.
- PR.AC: identities, credentials and access managed and audited centrally
- DE.CM: privileged sessions monitored in real time with policy alerts
- RS.AN: session replay provides ground-truth forensics for response
PCI DSS
Global · PaymentsCard-data security standard; Requirements 7, 8 and 10 are identity-shaped.
- Req. 7: access to cardholder systems by business need-to-know via RBAC
- Req. 8: unique IDs, MFA and credential vaulting for all administrative access
- Req. 10: every access to cardholder-adjacent systems logged and replayable
SOC 2
Global · Trust servicesTrust-services criteria for service organisations; access control is central to the Security criterion.
- Logical access provisioning, review and revocation with complete audit trails
- Privileged activity monitoring evidence for Type II observation periods
- Access-certification campaigns generate reviewer-attested records
GDPR
Global · EU dataEU data protection regulation, relevant to Indian companies serving European customers.
- Art. 32 security of processing: access control, encryption and tested controls
- Accountability principle supported by demonstrable access governance
- Processor-facing evidence for customer due-diligence requests
HIPAA
Global · HealthcareUS health-data law; §164.312 technical safeguards enumerate identity controls by name.
- Unique user identification via SSO - even on shared clinical workstations
- Emergency access procedure implemented as audited break-glass workflows
- Automatic logoff and audit controls enforced centrally
SWIFT CSP
Global · BFSICustomer Security Programme for SWIFT-connected institutions.
- Privileged access to the SWIFT secure zone isolated behind the PAM gateway
- Credential vaulting and rotation for SWIFT-related operator accounts
- Session recordings evidence the CSP attestation's access-control claims
How audits go with Tanflow
Evidence accrues while your team works
Preparing for an inspection?
Bring your framework checklist to a working session - we'll show which controls Tanflow evidences out of the box and how deployment fits your audit timeline.