Tanflow IAM Suite & PAM - enterprise identity and privileged access security for the modern enterprise. Get a Demo →

Compliance mapping

Built for the frameworks your auditors live by

Identity and privileged-access controls are the backbone of every major security framework. Here is how Tanflow maps to each one - Indian regimes first, because that's where our customers get examined.

Control coverage at a glance

Seven controls your auditor will ask about

The platform capabilities regulators look for, against the frameworks they examine. Every cell is evidenced from the same audit store.

Platform control CERT-InDPDP 2023RBIISO 27001PCI DSSSOC 2
Multi-factor authentication
Privileged session recording
Real-time command control · ·
Just-in-time / time-boxed access ·
Access certification campaigns ·
Automated leaver deprovisioning
Tamper-evident audit retention

✔ directly evidenced by the platform · dot = supporting rather than primary control for that framework

Framework by framework

Choose your framework

CERT-In Directions (2022)

Indian · Mandatory

Mandatory logging, time synchronisation and incident reporting for Indian entities.

  • 180-day-plus retention of identity and privileged-access logs, timestamped and exportable
  • Synchronised clocks across the platform (NTP) for correlation-ready evidence
  • Session recordings and command logs accelerate the 6-hour incident-reporting timeline

DPDP Act 2023

Indian · Data protection

India's data protection law: purpose limitation, security safeguards and breach accountability for personal data.

  • Access to personal-data systems restricted to named, authenticated identities
  • Justification workflows and recorded sessions document why data was accessed
  • Instant deprovisioning supports data-minimisation and least-privilege duties

RBI Cyber Security Framework

Indian · BFSI

Baseline and advanced cyber controls for banks and NBFCs, with explicit privileged-access expectations.

  • Privileged sessions to CBS and payment infrastructure recorded and command-controlled
  • MFA on administrative and remote access; maker-checker on access grants
  • Vendor access time-boxed and supervised; audit evidence export for RBI inspections

SEBI Cyber Resilience Framework

Indian · Markets

Cyber resilience requirements for stock brokers, depositories and market intermediaries.

  • Access governance with periodic certification campaigns and SoD checks
  • Privileged access to trading and settlement systems fully audited
  • Log retention and reporting aligned to SEBI inspection formats

IRDAI Guidelines

Indian · Insurance

Information and cyber security guidelines for insurers.

  • Identity lifecycle automation across policy administration systems
  • Recorded privileged access to policyholder-data stores
  • Board-reportable access-governance metrics and attestations

ISO 27001 / 27002

Global · ISMS

The international ISMS standard; Annex A access-control requirements map directly to IAM/PAM.

  • A.9 access control: provisioning, review and revocation as automated workflows
  • A.9.4 privileged utility restriction via command control and JIT elevation
  • A.12.4 logging and monitoring through the tamper-evident audit store

NIST CSF

Global · Framework

The Identify-Protect-Detect-Respond-Recover framework used by security programs worldwide.

  • PR.AC: identities, credentials and access managed and audited centrally
  • DE.CM: privileged sessions monitored in real time with policy alerts
  • RS.AN: session replay provides ground-truth forensics for response

PCI DSS

Global · Payments

Card-data security standard; Requirements 7, 8 and 10 are identity-shaped.

  • Req. 7: access to cardholder systems by business need-to-know via RBAC
  • Req. 8: unique IDs, MFA and credential vaulting for all administrative access
  • Req. 10: every access to cardholder-adjacent systems logged and replayable

SOC 2

Global · Trust services

Trust-services criteria for service organisations; access control is central to the Security criterion.

  • Logical access provisioning, review and revocation with complete audit trails
  • Privileged activity monitoring evidence for Type II observation periods
  • Access-certification campaigns generate reviewer-attested records

GDPR

Global · EU data

EU data protection regulation, relevant to Indian companies serving European customers.

  • Art. 32 security of processing: access control, encryption and tested controls
  • Accountability principle supported by demonstrable access governance
  • Processor-facing evidence for customer due-diligence requests

HIPAA

Global · Healthcare

US health-data law; §164.312 technical safeguards enumerate identity controls by name.

  • Unique user identification via SSO - even on shared clinical workstations
  • Emergency access procedure implemented as audited break-glass workflows
  • Automatic logoff and audit controls enforced centrally

SWIFT CSP

Global · BFSI

Customer Security Programme for SWIFT-connected institutions.

  • Privileged access to the SWIFT secure zone isolated behind the PAM gateway
  • Credential vaulting and rotation for SWIFT-related operator accounts
  • Session recordings evidence the CSP attestation's access-control claims

How audits go with Tanflow

Evidence accrues while your team works

Deploy the controls MFA, vaulting, recording, certification - switched on as policy, not built as projects.
Evidence accumulates Every login, grant, session and command lands in the tamper-evident audit store automatically.
Export for the auditor Framework-aligned reports and session replays answer findings in minutes, not weeks.

Preparing for an inspection?

Bring your framework checklist to a working session - we'll show which controls Tanflow evidences out of the box and how deployment fits your audit timeline.