- 01 Oct 2025
- 3 Minutes to read
- PDF
Supported Standards and Frameworks
- Updated on 01 Oct 2025
- 3 Minutes to read
- PDF
Red Canary helps many organizations satisfy or support their compliance controls through our monitoring and security operations. We’re happy to help you and your auditors better understand how Red Canary works behind the scenes.
The following tables list common controls, describe how Red Canary supports those controls, and map to the relevant compliance framework sections.
Asset Management/Inventory Management
Control Family/Name/Activity | Asset Management/Inventory Management The organization maintains an inventory of system devices, which is reconciled in accordance with the organization-defined frequency | ||||||
How Red Canary Helps Satisfy This Control | Inventory of monitored endpoints within Red Canary can be used to help satisfy this control | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.8.1.1 | CC6.1 | CM-8 | 9.6.1 9.7 9.7.1 | AM-01 | - | 3.4.1 3.4.1 | CM.2.06 CM.2.064 |
Configuration Management/Configuration Checks
Control Family/Name/Activity | Configuration Management/Configuration Checks The organization uses mechanisms to detect deviations from baseline configurations in production environments. | ||||||
How Red Canary Helps Satisfy This Control | Appropriately configured logging and alerting within Red Canary can help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.9.4.4 A.12.5.1 | CC6.8 | CM-6 CM-7 | 1.2.2 10.4.2 11.4 11.5 11.5.1 5.3 | IDM-12 KOS-01 RM-22 | 164.306(a)(2) | 3.1.1 3.1.2 3.1.5 3.1.6 3.1.7 3.4.5 3.4.6 3.4.7 3.4.8 3.4.9 | AC.1.001 AC.1.002 AC.1.007 AC.2.007 AC.2.008 AC.3.018 CM.3.067 CM.2.062 CM.3.068 CM.3.069 CM.4.073 CM.2.063 |
Incident Response
Control Family/Name/Activity | Incident Response Confirmed incidents are assigned a priority level and managed to resolution. | ||||||
How Red Canary Helps Satisfy This Control | Red Canary's incident management process (including tracking and logging within Red Canary) can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.16.1.1 A.16.1.2 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7 | CC2.2 CC7.3 CC7.4 CC7.5 | IR-4 IR-5 IR-9 | 10.6.3 10.8.1 12.10.3 | SIM-01 SIM-02 SIM-03 SIM-04 SIM-05 SIM-06 SIM-07 SPN-01 | 164.308(a)(1)(ii)(D) 164.308(a)(6)(i) 164.308(a)(6)(ii) 164.308(a)(7)(i) | 3.3.1 3.3.2 3.3.5 3.6.1 3.6.2 | AU.2.042 AU.2.042 AU.2.044 AU.3.048 AU.3.051 IR.2.092 IR.2.093 IR.2.095 IR.2.097 IR.3.098 |
Systems Monitoring/Audit Logging
Control Family/Name/Activity | Systems Monitoring/Audit Logging The organization logs critical information system activity. | ||||||
How Red Canary Helps Satisfy This Control | Logs within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.12.4.1 | CC6.8 CC7.1 CC7.2 A12 | AU-12 AU-2 MA-4 SC-7 | - | RB-10 RB-11 RB-14 SIM-05 | 164.312(b) 164.312.(c)(2) | 3.3.1 3.3.2 3.3.5 | AU.2.42 AU.2.041 AU.3.051 |
Systems Monitoring/Secure Audit Logging
Control Family/Name/Activity | Systems Monitoring/Secure Audit Logging The organization logs critical information system activity to a secure repository. | ||||||
How Red Canary Helps Satisfy This Control | Logs within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
- | CC7.2 | - | 10.5 10.5.1 10.5.2 10.5.3 10.5.4 | - | - | 3.4.1 3.4.2 3.4.3 3.4.4 3.4.5 3.4.6 3.4.7 3.4.8 | CM.2.061 CM.2.064 CM.2.065 CM.2.066 CM.3.067 CM.3.068 CM.3.069 CM.4.073 |
Systems Monitoring/Audit Logging: Cardholder Data Environment Activity
Control Family/Name/Activity | Systems Monitoring/Audit Logging: Cardholder Data Environment Activity The organization logs the following activity for cardholder data environments:
| ||||||
How Red Canary Helps Satisfy This Control | Logs within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
- | - | - | 10.1 10.2 10.2.1 10.2.2 10.2.3 10.2.4 10.2.5 10.2.6 10.2.7 10.6.1 | - | - | - | - |
Systems Monitoring/Security Monitoring Alert Criteria
Control Family/Name/Activity | Systems Monitoring/Security Monitoring Alert Criteria The organization defines security monitoring alert criteria, how alert criteria will be flagged, and identifies authorized personnel for flagged system alerts. | ||||||
How Red Canary Helps Satisfy This Control | Configurable alerts within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.9.4.4 A.12.4.3 | - | AC-2 AU-2 AU-3 AU-8 AU-12 | 10.8 10.9 12.10.5 12.5 12.5.2 | IDM-06 IDM-12 RB-10 RB-11 RB-15 | - | 3.1.1 3.1.2 3.1.5 3.1.6 3.1.7 3.3.8 3.3.9 | AC.1.001 AC.1.002 AC.2.007 AC.2.008 AC.3.018 AU.3.049 AU.3.050 |
Systems Monitoring/Security Monitoring Alert Criteria: Privileged Functions
Control Family/Name/Activity | Systems Monitoring/Security Monitoring Alert Criteria: Privileged Functions The organization defines security monitoring alert criteria for privileged functions executed by both authorized and unauthorized users. | ||||||
How Red Canary Helps Satisfy This Control | Configurable alerts within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
- | - | - | 10.6 | - | - | - | - |
Systems Monitoring/Security Monitoring Alert Criteria: Cardholder System Components
Control Family/Name/Activity | Systems Monitoring/Security Monitoring Alert Criteria: Cardholder System Components The organization defines security monitoring alert criteria for system components that store, process, transmit, or could impact the security of cardholder data and/or sensitive authentication data. | ||||||
How Red Canary Helps Satisfy This Control | Configurable alerts within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
- | - | - | 10.6.1 | - | - | - | - |
Systems Monitoring/System Security Monitoring
Control Family/Name/Activity | Systems Monitoring/System Security Monitoring Critical systems are monitored in accordance to predefined security criteria and alerts are sent to authorized personnel. Confirmed incidents are tracked to resolution. | ||||||
How Red Canary Helps Satisfy This Control | Configurable alerts within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.12.4.3 | CC7.2 CC7.3 A1.2 | AU-2 AU-5 AU-9 SC-7 SI-4 | 10.2 10.2.4 10.5.5 10.6 10.6.1 10.6.2 10.6.3 10.8.1 12.10.5 314.3(B)(2) 314.4 | IDM-06 IDM-12 RB-10 RB-11 RB-15 | 164.308(a)(1)(ii)(D) 164.308(a)(5)(ii)(B) 164.308(a)(5)(ii)(C) 164.308(a)(6)(i) 164.308(a)(6)(ii) 164.312(b) | 3.3.1 3.3.2 3.3.8 3.3.9 | AC.1.001 AC.1.002 AU.3.049 AU.3.050 |
Vulnerability Management/External Alerts and Advisories
Control Family/Name/Activity | Vulnerability Management/External Alerts and Advisories The organization reviews alerts and advisories from management-approved security forums and communicates verified threats to authorized personnel. | ||||||
How Red Canary Helps Satisfy This Control | Configurable alerts, searchable activity logs, and incident management functions within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.16.1.1 A.6.1.4 | - | - | 6.1 | - | - | 3.3.1 3.3.2 3.3.5 3.6.1 3.6.2 3.14.1 3.14.2 3.14.3 | AC.1.001 AC.1.002 AU.3.051 IR.2.092 IR.3.098 SI.1.210 SI.1.211 SI.2.214 |
Vulnerability Management/Vulnerability Remediation
Control Family/Name/Activity | Vulnerability Management/Vulnerability Remediation The organization assigns a risk rating to identified vulnerabilities and prioritizes remediation of legitimate vulnerabilities according to the assigned risk. | ||||||
How Red Canary Helps Satisfy This Control | Threat identification, logging, and alerting within Red Canary can be used to help satisfy this control. | ||||||
ISO27001:2013 | SOC | FedRAMP | PCI-DSS | BSI C5 | HIPAA | NIST 800-171 | CMCC |
---|---|---|---|---|---|---|---|
A.6.1.5 A.12.6.1 A.14.2.8 | CC7.1 | CA-7 | 6.1 | RB-17 RB-19 RB-21 | 164.306(a)(1) 164.306(a)(2) 164.306(a)(3) 164.308(a)(1)(ii)(B) | 3.11.1 3.11.2 3.11.3 3.12.1 3.12.2 3.12.3 3.14.1 3.14.2 | RM.2.141 RM.2.142 RM.2.143 SI.1.210 SI.2.211 SI.2.214 CA.2.158 CA.2.159 CA.3.161 |