Compliance crosswalks
Email + domain controls, mapped to your framework
Compliance frameworks talk about controls; Wiredepth talks about tools. These crosswalks bridge the two. Each one maps the framework's email-authentication and domain-posture clauses to the Wiredepth surface that addresses, supports, or provides evidence for the control.
Pair with the email-auth scorecard PDF as a timestamped posture snapshot for your audit pack.
Evidence add-on
Wiredepth Prove - verifiable, not just reported
The crosswalks on this page are free + always will be. The Wiredepth Prove add-on ($499/mo - standalone for single-domain compliance buyers, attached to Power User or MSP for multi-domain teams, or bundled in Enterprise) adds the audit-grade workflow underneath. Every alert, workpaper, and evidence pack carries chain of custody, third-party timestamping, and a published artifact your auditor verifies independently with the free public verifier. Plus: per-framework coverage dashboard, audit-ready PDFs of any historical posture date, scoped read-only auditor invites, vendor + domain posture monitoring, co-branded reports for MSPs.
- OSFI B-13
OSFI Guideline B-13 (Canada)
Final guideline July 2022, in force since January 2024
Canadian-first crosswalk. Mappings for Principle 1 (Governance), Principle 5 (Technology Resilience), Principle 6 (Cyber Security), and Principle 7 (Third-Party Technology and Cyber Risk). Every Canadian FRFI is currently in its first or second B-13 assessment cycle, and email controls remain an under-tested surface.
Audience: Schedule I/II/III banks, federal trust + loan, federal insurance, co-op credit associations
- OSFI E-21
OSFI Guideline E-21 (Canada)
Final guideline August 2024, in force April 1 2026
Operational resilience crosswalk pairing with B-13. Mappings for Principle 1 (Governance), Principle 2 (Risk Taxonomy), Principle 3 (Critical Operations + Dependencies), Principle 4 (Tolerances for Disruption), and Principle 5 (Internal Controls + Monitoring). Customer-communication email is a mapped critical-operation dependency under Principle 3.
Audience: All FRFIs preparing for the April 2026 in-force date
- ISO 27001
ISO/IEC 27001:2022 (international)
2022 revision, transition from 2013 mandatory by October 31 2025
Annex A control crosswalk for the 2022 revision. Maps A.5.7 (Threat intelligence), A.5.14 (Information transfer), A.5.19-A.5.23 (Supplier relationships), A.5.30 (ICT business-continuity readiness), A.8.5 (Secure authentication), A.8.16 (Monitoring), A.8.20-A.8.21 (Networks), A.8.23 (Web filtering). Includes the 11 new-in-2022 controls.
Audience: Any organisation pursuing or maintaining ISO 27001:2022 certification
- FedRAMP
FedRAMP (US federal cloud)
Rev. 5 baselines (effective May 2023), NIST SP 800-53 Rev. 5
Control crosswalk against the Rev. 5 Low / Moderate / High baselines that US federal cloud authorisations are evaluated against. Mappings for AU-2/AU-12 (audit), IA-2/IA-5 (authentication), IR-4/IR-6 (incident), SC-7/SC-8/SC-12/SC-13 (transport + crypto), SI-3/SI-4 (system monitoring), and the new-in-Rev. 5 SR-2/SR-3 supply-chain controls.
Audience: CSPs pursuing FedRAMP Low / Moderate / High authorisation
- IRAP
IRAP / Australian ISM (Australia)
ASD Information Security Manual, quarterly updates; IRAP assessor program
ISM control crosswalk for IRAP assessments at OFFICIAL, PROTECTED, and SECRET. Mappings for email DMARC / SPF / DKIM, transport encryption (TLS 1.2+, MTA-STS), ASD-approved cryptography, system monitoring + audit-log integrity, third-party service providers, and DNS security. Pairs with the Essential Eight where it touches email surfaces.
Audience: Australian government bodies + commercial cloud / SaaS providers handling Australian government data
- PIPEDA
PIPEDA (Canada)
S.C. 2000 c.5; mandatory breach reporting under s.10.1 since November 2018
Schedule 1 principle-by-principle crosswalk for Canadian federally-regulated private-sector privacy. Mappings for Principle 7 (Safeguards), s.10.1 breach notification, principle 4.7 (Safeguards apply to outsourcing), Principle 8 (Openness), and Principle 10 (Challenging Compliance). Quebec residents are covered by Law 25 instead.
Audience: Canadian private-sector organisations outside Alberta / BC / Quebec
- Quebec Law 25
Quebec Law 25 / Bill 64 (Quebec)
Phased September 2022 → September 2024; CPO + breach reporting + portability all in force
Provincial Quebec privacy law, materially more demanding than PIPEDA. Mappings for the person-in-charge designation, mandatory PIAs, confidentiality-incident reporting, security measures (s.10), privacy by default (s.12.1), cross-border disclosure (s.14), data portability (s.21), and automated decision making (s.12). Penalties up to 4% of global turnover or CAD 25M.
Audience: Enterprises operating in Quebec
- NI 52-109
NI 52-109 (Canadian Securities Administrators)
Canadian CEO / CFO certification of disclosure controls + internal control over financial reporting
Crosswalk for the Canadian SOX-equivalent: CEO + CFO certification of DCPs + ICFR. Email shows up as an ITGC supporting access management, change management, and operations + monitoring. Recent CSA + audit-firm focus on email-channel controls after 2024 wire-transfer attacks at two issuers.
Audience: Canadian reporting issuers (TSX, TSXV, CSE)
- GLBA
GLBA Safeguards Rule (US)
16 CFR Part 314 - 2021 revisions effective June 9 2023; FTC notification of breaches affecting 500+ consumers required since May 13 2024
FTC Safeguards Rule control mapping for US financial institutions. Mappings for 314.4(c)(3) encryption in transit, 314.4(c)(5) MFA, 314.4(d) monitoring + testing, 314.4(f) service-provider oversight, 314.4(h) incident response, and the 30-day FTC notification rule. Population dramatically expanded by the 2021 revision.
Audience: US financial institutions under FTC jurisdiction (broader than banks)
- StateRAMP
StateRAMP (US state government)
NIST 800-53 Rev. 5-based baselines updated 2023-2024; FedRAMP reciprocity path available
Authorisation programme for cloud service providers selling to US state, local, and education (SLED) agencies. Mirrors FedRAMP baselines (Low / Moderate / High) with state-specific parameterisation. ConMon submission cadence + supply-chain controls are the email-channel-relevant focus areas.
Audience: CSPs pursuing StateRAMP Authorisation for SLED procurements
- CMMC 2.0
CMMC 2.0 (US DoD)
Final rule effective December 2024; phased DFARS contract inclusion 2025-2028
Defense Industrial Base certification framework. Level 1 (15 FAR 52.204-21 requirements, self-assessed), Level 2 (110 NIST SP 800-171 controls, C3PAO-assessed), Level 3 (additional NIST SP 800-172 controls). Email + domain controls span the AC, AU, IA, IR, SC, and SI domains; covers DFARS 252.204-7012 DIBNet 72-hour incident reporting.
Audience: US DoD contractors + sub-contractors handling FCI or CUI
- AU Privacy + NDB
Australian Privacy Act + NDB scheme
13 Australian Privacy Principles; NDB scheme since February 2018; 2022 amendments raised penalties to AUD 50M+
APP-by-APP crosswalk for the Australian Privacy Act + the Notifiable Data Breaches scheme. Mappings for APP 1 (Open + transparent), APP 6 (Use + disclosure), APP 8 (Cross-border), APP 11 (Security), APP 11.2 (Destruction), NDB s.26WK assessment + s.26WL notification. OAIC explicitly identifies DMARC / DKIM / SPF as APP 11 baseline.
Audience: APP entities (turnover > AUD 3M, government agencies, health-service providers, credit reporters)
- APRA CPS 234
APRA CPS 234 (Australia)
In force since 1 July 2019; intensified post-2022 industry breach review
Australian financial-services information-security prudential standard. Mappings for Information Security Capability, Implementation of Controls, Service Provider Arrangements, Independent Testing, and 72-hour Incident Notification. Email + identity controls are an actively-examined surface.
Audience: ADIs (banks, credit unions), insurers, super funds, RSEs - and their material service providers
- APRA CPS 230
APRA CPS 230 (Australia)
In force since 1 July 2025 - first compliance cycle live
Australian operational risk management + critical operations + service-provider arrangements. Email + domain controls subset only (the full standard is much broader). New + actively interpreted - banks scrambling for tooling.
Audience: APRA-regulated entities with material email-as-critical-operation scope
- PCI
PCI DSS 4.0
v4.0 + 4.0.1 amendments, in force since March 2025
Mappings for Requirement 1 (DMZ / segmentation), Req. 2 (configuration), Req. 4 (encryption in transit), Req. 5 (anti-malware), Req. 8 (authentication), and Req. 11 (testing). Highest-volume crosswalk we ship - PCI applies to anyone touching cardholder data.
Audience: Card-present + e-commerce, payment processors, SaaS billing
- HIPAA
HIPAA Security Rule
45 CFR Part 164 Subpart C, updated 2024
Mappings for the technical safeguards (§164.312 access controls, audit controls, integrity, transmission security) and administrative safeguards (§164.308). Email controls show up under Transmission Security - DMARC enforcement is the most-cited expectation for healthcare CISOs in 2026.
Audience: Healthcare providers, payors, business associates
- SOC 2
SOC 2 (AICPA TSC 2017 + 2022 update)
2017 Trust Services Criteria with 2022 PoF clarifications
Mappings for CC6 (logical access), CC7 (system operations / monitoring), and CC9 (vendor management). The most relevant Wiredepth surfaces for SOC 2: continuous monitoring evidence, vendor inventory, and email-auth posture demonstrating logical-access controls extend to outbound channels.
Audience: SaaS, cloud platforms, B2B-software auditors
- NIS2
NIS2 (EU)
Directive (EU) 2022/2555, national transposition deadlines 2024-2025
Mappings for Article 21's risk-management measures (multi-factor auth, vulnerability handling, incident response, supply-chain security). Email controls are called out explicitly in the implementing acts adopted under Article 21(5). NIS2 enforcement teeth - fines up to 2% of global turnover for essential entities - have made this a budget conversation.
Audience: EU essential + important entities (~100k organizations)
- DORA
DORA (EU)
EU Regulation 2022/2554, in force 17 January 2025
EU financial-services digital operational resilience. Mappings for ICT risk management (Articles 5-16), incident management + reporting (17-23), digital operational resilience testing (24-27), and ICT third-party risk (28-44). Companion to NIS2 for financial entities.
Audience: EU credit institutions, insurance, investment firms, crypto-asset providers, central counterparties + designated critical ICT providers
- SEC
SEC Cybersecurity Disclosure Rule (Item 106 + 1.05)
Item 106 applies to annual reports for fiscal years ending on or after December 15 2023; Form 8-K Item 1.05 applies to incidents from December 18 2023
Mappings for Reg S-K Item 106 (annual disclosure of cyber risk-management and governance) and Form 8-K Item 1.05 (4-business-day material-incident disclosure). Domain posture + email-auth show up under 'processes for assessing, identifying, and managing material risks from cyber threats'.
Audience: US public companies (any size); foreign private issuers
- NYDFS Part 500
NYDFS Part 500 (New York State)
23 NYCRR Part 500 - November 2023 amendments with phased compliance through November 2025
New York State Department of Financial Services cybersecurity requirements. Mappings for cybersecurity programme (§500.2), third-party service-provider security (§500.11), encryption of nonpublic information (§500.15), incident response (§500.16), and 72-hour incident notification to the Superintendent (§500.17).
Audience: Financial services companies licensed by or registered with NYDFS - banks, insurers, mortgage originators, money transmitters, virtual currency businesses
Don't see your framework?
Twenty-one frameworks live across financial-services regulation (OSFI B-13, OSFI E-21, APRA CPS 234, APRA CPS 230, NYDFS Part 500, GLBA, NI 52-109), industry standards (PCI DSS 4.0, HIPAA Security Rule, SOC 2, ISO 27001), cloud / government (FedRAMP, StateRAMP, IRAP, CMMC 2.0), EU (NIS2, DORA), securities disclosure (SEC), and privacy (PIPEDA, Quebec Law 25, AU Privacy Act + NDB). Email [email protected] if you want a framework added or prioritized.
Disclaimer. These crosswalks are informational. They are not legal advice, audit guidance, or a substitute for engagement with a qualified assessor. Each framework's text controls; we paraphrase for readability. Verify clause ids and current language against the official publication.