IAM Maturity by Compliance Framework
Every AXIS assessment question carries regulatory citations. Those citations are resolved to the frameworks below, each with a research-derived maturity threshold, so one assessment shows where your identity program stands against the regulations and standards that apply to you.
EU Regulations & Directives
Binding EU rules that place identity and access controls inside broader risk, resilience, and data protection duties.
Digital Operational Resilience Act (DORA)
DORA (Regulation (EU) 2022/2554) sets ICT risk management requirements for banks, insurers, investment firms, and other financial entities operating in the EU, and has applied since January 2025. Identity and access controls sit inside its ICT risk management framework, with management-body accountability for how access to ICT assets is protected and monitored.
10 mapped questions · 3 IAM domains
NIS2 Directive
NIS2 (Directive (EU) 2022/2555) sets cybersecurity risk management duties for essential and important entities across EU member states. Article 21(2) explicitly lists access control policies and multi-factor authentication among the measures entities are expected to adopt, alongside governance and accountability obligations.
10 mapped questions · 3 IAM domains
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation governs the processing of personal data. Articles 25 and 32 expect appropriate technical and organizational measures, and provisions on consent, data minimization, and data subject rights shape how customer identity programs are designed and operated.
5 mapped questions · 3 IAM domains
Payment Services Directive 2 (PSD2)
The EU Payment Services Directive 2 (Directive (EU) 2015/2366) introduced Strong Customer Authentication (SCA) for electronic payments, detailed in regulatory technical standards. For identity programs it primarily shapes customer authentication, onboarding, and identity proofing flows for payment services.
2 mapped questions · 1 IAM domain
US Regulations & Programs
US federal and state requirements where access management is a core control family for auditors and regulators.
Sarbanes-Oxley Act Section 404 (SOX)
Section 404 of the US Sarbanes-Oxley Act requires management to assess internal control over financial reporting. Auditors evaluate IT general controls, where access management is a core control family: who can reach financial systems, how access is granted, reviewed, separated, and evidenced.
10 mapped questions · 4 IAM domains
HIPAA Security Rule
The HIPAA Security Rule (45 CFR 164.312) requires covered entities and business associates in US healthcare to implement technical safeguards for electronic protected health information, including access control, audit controls, and person or entity authentication.
8 mapped questions · 6 IAM domains
California Consumer Privacy Act (CCPA/CPRA)
The California Consumer Privacy Act, as amended by the CPRA, grants California consumers rights over their personal information and expects businesses to maintain reasonable security procedures. For identity programs it mainly shapes customer registration, consent and preference handling, and identity verification for consumer requests.
3 mapped questions · 1 IAM domain
FedRAMP (Moderate Baseline)
FedRAMP authorizes cloud services for use by US federal agencies, building on the NIST SP 800-53 control catalog. The Moderate baseline expects documented and continuously monitored controls with automation across account management, access enforcement, and auditing. A High baseline variant carries stricter continuous-monitoring expectations.
1 mapped question · 1 IAM domain
Standards & Certifications
International standards, attestation criteria, and control catalogs that define identity and access expectations.
ISO/IEC 27001:2022
ISO/IEC 27001:2022 is the international standard for information security management systems. Annex A contains a substantial block of identity and access controls, including A.5.15 to A.5.18 on access control and identity management and A.8.2 to A.8.5 on privileged access rights, information access restriction, and secure authentication. Certification requires controls that are implemented and demonstrably effective.
32 mapped questions · 9 IAM domains
SOC 2 Type II
SOC 2 reports on a service organization’s controls against the AICPA Trust Services Criteria. The CC6 logical access series covers access provisioning, authentication, and removal, and a Type II report tests operating effectiveness over a period of time rather than at a point in time.
25 mapped questions · 9 IAM domains
NIST Cybersecurity Framework 2.0
The NIST Cybersecurity Framework 2.0 is a voluntary framework for managing cybersecurity risk. Identity, authentication, and access control live primarily in the PR.AA category, governance expectations in the GV function, and identity threat detection in the DE function. Implementation Tier 2 corresponds to risk-informed, repeatable processes.
34 mapped questions · 9 IAM domains
NIST SP 800-53 (Moderate Baseline)
NIST SP 800-53 is the control catalog used across US federal systems and many regulated programs. The Access Control (AC) and Identification and Authentication (IA) families define account management, least privilege, separation of duties, and authenticator management. AXIS scores against the Moderate baseline; the High baseline carries a stricter threshold for enhanced and automated controls.
19 mapped questions · 6 IAM domains
NIST SP 800-63B Digital Identity Guidelines
NIST SP 800-63B, part of the Digital Identity Guidelines, defines Authentication Assurance Levels (AAL1 to AAL3) for digital authentication. It covers authenticator types, phishing resistance, session management, and account recovery, and is widely referenced for both workforce and customer authentication design.
8 mapped questions · 3 IAM domains
Industry Mandates
Sector-specific mandates with prescriptive identity and access requirements for participating organizations.
PCI DSS 4.0
PCI DSS v4.0 applies to organizations that store, process, or transmit payment card data. Requirement 7 restricts access to cardholder data by business need to know, and Requirement 8 covers identification and strong authentication, including MFA for access to the cardholder data environment.
11 mapped questions · 5 IAM domains
NERC Critical Infrastructure Protection (CIP)
NERC CIP standards are mandatory for operators of the North American bulk electric system. CIP-004 covers personnel risk assessment and access management, and CIP-007 covers system security management, including access authorization, revocation, and monitoring for critical cyber assets. The threshold reflects the automated-controls bar of critical infrastructure.
11 mapped questions · 5 IAM domains
Framework mappings are derived from the AXIS question bank and scored with the same engine that powers assessment results. Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. See each framework page for the exact question mapping and threshold.
See Your Alignment in One Assessment
Answer the assessment once; AXIS scores your identity program against every applicable framework, filtered by your scope and industry.