Supported Standards and Frameworks
    • 01 Oct 2025
    • 3 Minutes to read
    • PDF

    Supported Standards and Frameworks

    • PDF

    Article summary

    Red Canary helps many organizations satisfy or support their compliance controls through our monitoring and security operations. We’re happy to help you and your auditors better understand how Red Canary works behind the scenes.

    The following tables list common controls, describe how Red Canary supports those controls, and map to the relevant compliance framework sections.

    Asset Management/Inventory Management

    Control Family/Name/Activity

    Asset Management/Inventory Management

    The organization maintains an inventory of system devices, which is reconciled in accordance with the organization-defined frequency

    How Red Canary Helps Satisfy This Control

    Inventory of monitored endpoints within Red Canary can be used to help satisfy this control

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.8.1.1

    CC6.1

    CM-8

    9.6.1

    9.7

    9.7.1

    AM-01

    -

    3.4.1

    3.4.1

    CM.2.06

    CM.2.064

    Configuration Management/Configuration Checks

    Control Family/Name/Activity

    Configuration Management/Configuration Checks

    The organization uses mechanisms to detect deviations from baseline configurations in production environments.

    How Red Canary Helps Satisfy This Control

    Appropriately configured logging and alerting within Red Canary can help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.9.4.4

    A.12.5.1

    CC6.8

    CM-6

    CM-7

    1.2.2

    10.4.2

    11.4

    11.5

    11.5.1

    5.3

    IDM-12

    KOS-01

    RM-22

    164.306(a)(2)

    3.1.1

    3.1.2

    3.1.5

    3.1.6

    3.1.7

    3.4.5

    3.4.6

    3.4.7

    3.4.8

    3.4.9

    AC.1.001

    AC.1.002

    AC.1.007

    AC.2.007

    AC.2.008

    AC.3.018

    CM.3.067

    CM.2.062

    CM.3.068

    CM.3.069

    CM.4.073

    CM.2.063

    Incident Response

    Control Family/Name/Activity

    Incident Response

    Confirmed incidents are assigned a priority level and managed to resolution.

    How Red Canary Helps Satisfy This Control

    Red Canary's incident management process (including tracking and logging within Red Canary) can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.16.1.1

    A.16.1.2

    A.16.1.4

    A.16.1.5

    A.16.1.6

    A.16.1.7

    CC2.2

    CC7.3

    CC7.4

    CC7.5

    IR-4

    IR-5

    IR-9

    10.6.3

    10.8.1

    12.10.3

    SIM-01

    SIM-02

    SIM-03

    SIM-04

    SIM-05

    SIM-06

    SIM-07

    SPN-01

    164.308(a)(1)(ii)(D)

    164.308(a)(6)(i)

    164.308(a)(6)(ii)

    164.308(a)(7)(i)

    3.3.1

    3.3.2

    3.3.5

    3.6.1

    3.6.2

    AU.2.042

    AU.2.042

    AU.2.044

    AU.3.048

    AU.3.051

    IR.2.092

    IR.2.093

    IR.2.095

    IR.2.097

    IR.3.098

    Systems Monitoring/Audit Logging

    Control Family/Name/Activity

    Systems Monitoring/Audit Logging

    The organization logs critical information system activity.

    How Red Canary Helps Satisfy This Control

    Logs within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.12.4.1

    CC6.8

    CC7.1

    CC7.2

    A12

    AU-12

    AU-2

    MA-4

    SC-7

    -

    RB-10

    RB-11

    RB-14

    SIM-05

    164.312(b)

    164.312.(c)(2)

    3.3.1

    3.3.2

    3.3.5

    AU.2.42

    AU.2.041

    AU.3.051

    Systems Monitoring/Secure Audit Logging

    Control Family/Name/Activity

    Systems Monitoring/Secure Audit Logging

    The organization logs critical information system activity to a secure repository.

    How Red Canary Helps Satisfy This Control

    Logs within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    -

    CC7.2

    -

    10.5

    10.5.1

    10.5.2

    10.5.3

    10.5.4

    -

    -

    3.4.1

    3.4.2

    3.4.3

    3.4.4

    3.4.5

    3.4.6

    3.4.7

    3.4.8

    CM.2.061

    CM.2.064

    CM.2.065

    CM.2.066

    CM.3.067

    CM.3.068

    CM.3.069

    CM.4.073

    Systems Monitoring/Audit Logging: Cardholder Data Environment Activity

    Control Family/Name/Activity

    Systems Monitoring/Audit Logging: Cardholder Data Environment Activity

    The organization logs the following activity for cardholder data environments:

    • Individual user access to cardholder data

    • Administrative actions

    • Access to logging servers

    • Failed logins

    • Modifications to authentication mechanisms and user privileges

    • Initialization, stopping, or pausing of the audit logs

    • Creation and deletion of system-level objects

    • Security events

    • Logs of all system components that store, process, transmit, or could impact the security of cardholder data (CHD) and/or sensitive authentication data (SAD)

    • Logs of all critical system components

    • Logs of all servers and system components that perform security functions. For example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, ecommerce redirection servers, and so on.

    How Red Canary Helps Satisfy This Control

    Logs within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    -

    -

    -

    10.1

    10.2

    10.2.1

    10.2.2

    10.2.3

    10.2.4

    10.2.5

    10.2.6

    10.2.7

    10.6.1

    -

    -

    -

    -

    Systems Monitoring/Security Monitoring Alert Criteria

    Control Family/Name/Activity

    Systems Monitoring/Security Monitoring Alert Criteria

    The organization defines security monitoring alert criteria, how alert criteria will be flagged, and identifies authorized personnel for flagged system alerts.

    How Red Canary Helps Satisfy This Control

    Configurable alerts within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.9.4.4

    A.12.4.3

    -

    AC-2

    AU-2

    AU-3

    AU-8

    AU-12

    10.8

    10.9

    12.10.5

    12.5

    12.5.2

    IDM-06

    IDM-12

    RB-10

    RB-11

    RB-15

    -

    3.1.1

    3.1.2

    3.1.5

    3.1.6

    3.1.7

    3.3.8

    3.3.9

    AC.1.001

    AC.1.002

    AC.2.007

    AC.2.008

    AC.3.018

    AU.3.049

    AU.3.050

    Systems Monitoring/Security Monitoring Alert Criteria: Privileged Functions

    Control Family/Name/Activity

    Systems Monitoring/Security Monitoring Alert Criteria: Privileged Functions

    The organization defines security monitoring alert criteria for privileged functions executed by both authorized and unauthorized users.

    How Red Canary Helps Satisfy This Control

    Configurable alerts within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    -

    -

    -

    10.6

    -

    -

    -

    -

    Systems Monitoring/Security Monitoring Alert Criteria: Cardholder System Components

    Control Family/Name/Activity

    Systems Monitoring/Security Monitoring Alert Criteria: Cardholder System Components

    The organization defines security monitoring alert criteria for system components that store, process, transmit, or could impact the security of cardholder data and/or sensitive authentication data.

    How Red Canary Helps Satisfy This Control

    Configurable alerts within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    -

    -

    -

    10.6.1

    -

    -

    -

    -

    Systems Monitoring/System Security Monitoring

    Control Family/Name/Activity

    Systems Monitoring/System Security Monitoring

    Critical systems are monitored in accordance to predefined security criteria and alerts are sent to authorized personnel. Confirmed incidents are tracked to resolution.

    How Red Canary Helps Satisfy This Control

    Configurable alerts within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.12.4.3

    CC7.2

    CC7.3

    A1.2

    AU-2

    AU-5

    AU-9

    SC-7

    SI-4

    10.2

    10.2.4

    10.5.5

    10.6

    10.6.1

    10.6.2

    10.6.3

    10.8.1

    12.10.5

    314.3(B)(2)

    314.4

    IDM-06

    IDM-12

    RB-10

    RB-11

    RB-15

    164.308(a)(1)(ii)(D)

    164.308(a)(5)(ii)(B)

    164.308(a)(5)(ii)(C)

    164.308(a)(6)(i)

    164.308(a)(6)(ii)

    164.312(b)

    3.3.1

    3.3.2

    3.3.8

    3.3.9

    AC.1.001

    AC.1.002

    AU.3.049

    AU.3.050

    Vulnerability Management/External Alerts and Advisories

    Control Family/Name/Activity

    Vulnerability Management/External Alerts and Advisories

    The organization reviews alerts and advisories from management-approved security forums and communicates verified threats to authorized personnel.

    How Red Canary Helps Satisfy This Control

    Configurable alerts, searchable activity logs, and incident management functions within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.16.1.1

    A.6.1.4

    -

    -

    6.1

    -

    -

    3.3.1

    3.3.2

    3.3.5

    3.6.1

    3.6.2

    3.14.1

    3.14.2

    3.14.3

    AC.1.001

    AC.1.002

    AU.3.051

    IR.2.092

    IR.3.098

    SI.1.210

    SI.1.211

    SI.2.214

    Vulnerability Management/Vulnerability Remediation

    Control Family/Name/Activity

    Vulnerability Management/Vulnerability Remediation

    The organization assigns a risk rating to identified vulnerabilities and prioritizes remediation of legitimate vulnerabilities according to the assigned risk.

    How Red Canary Helps Satisfy This Control

    Threat identification, logging, and alerting within Red Canary can be used to help satisfy this control.

    ISO27001:2013

    SOC

    FedRAMP

    PCI-DSS

    BSI C5

    HIPAA

    NIST 800-171

    CMCC

    A.6.1.5

    A.12.6.1

    A.14.2.8

    CC7.1

    CA-7

    6.1

    RB-17

    RB-19

    RB-21

    164.306(a)(1)

    164.306(a)(2)

    164.306(a)(3)

    164.308(a)(1)(ii)(B)

    3.11.1

    3.11.2

    3.11.3

    3.12.1

    3.12.2

    3.12.3

    3.14.1

    3.14.2

    RM.2.141

    RM.2.142

    RM.2.143

    SI.1.210

    SI.2.211

    SI.2.214

    CA.2.158

    CA.2.159

    CA.3.161


    Was this article helpful?

    Changing your password will log you out immediately. Use the new password to log back in.
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.