Framework mapping
How WASViking maps findings to PCI DSS v4.0, LGPD, GDPR, BACEN, and ISO 27001:2022 controls from one rule table.
WASViking® maps every finding category to specific controls across five frameworks, from a single rule table. The mapping is rendered in the PDF report and in the portal Compliance tab from the same source of truth.
Frameworks covered
| Framework | Scope of mapping |
|---|---|
| PCI DSS v4.0 | Cardholder data environment, AppSec, vulnerability management. |
| LGPD | Article 46 security measures. |
| GDPR | Article 32 technical measures, processor accountability. |
| BACEN 4893 + 4658 | Brazilian financial cyber resolution. |
| ISO 27001:2022 | Annex A.5-A.8 controls (organizational, people, physical, technological). |
How a finding maps
Each finding category carries a list of control IDs per framework. The mapping is many-to-many: a single SQLi can map to PCI 6.5.1, LGPD Art.46, GDPR Art.32, BACEN 14.II, and ISO A.8.25 at the same time.
Example, condensed:
| Finding category | PCI v4.0 | LGPD | GDPR | BACEN | ISO 27001 |
|---|---|---|---|---|---|
| sqli | 6.5.1, 6.4.2 | Art.46 | Art.32(1)(b) | 14.II | A.8.25, A.8.28 |
| xss | 6.5.7 | Art.46 | Art.32(1)(b) | 14.II | A.8.28 |
| graphql_bola | 6.5.8 | Art.46 | Art.32(1)(b) | 14.II | A.8.3, A.5.15 |
| jwt_alg_confusion | 6.5.10 | Art.46 | Art.32(1)(d) | 14.II | A.8.5 |
| vulnerable_component | 6.2, 6.3 | Art.46 | Art.32(1)(d) | 16.IV | A.8.8, A.8.9 |
| token_exposure | 8.2, 8.3 | Art.46 | Art.32(1)(b) | 14.II | A.8.5 |
| tls_misconfiguration | 4.2 | Art.46 | Art.32(1)(a) | 14.II | A.8.24 |
The full mapping table lives in code and is the source of truth. By policy, adding a new analyzer category requires adding its row to that table; a category without a row has no compliance mapping in the report or the portal.
Primary catalog per scan
A scan profile selects a primary compliance catalog. The portal Compliance tab and the PDF report render that catalog first.
| Scan profile | Primary catalog (default) |
|---|---|
| full | Driven by industry signal on the org. |
| web_app | OWASP Top 10 + ISO 27001. |
| api_jwt | OWASP API Security + ISO 27001. |
| soap | BACEN for BR financial; ISO 27001 otherwise. |
| network | ISO 27001 + PCI infrastructure. |
The other four catalogs remain available in the Compliance tab; the primary only determines which catalog is rendered first.
What this is not
The mapping is a tool to find the right controls and produce evidence for them. It is not a substitute for an auditor's judgement and it is not a guarantee that any control is met. A control is met when the finding it maps to has been mitigated and the mitigation evidence is on file.
WASViking can also help with the second half (Evidence Bundle, Posture Shares, audit log), but the operator decides what is "met."
Where in the portal
- Reports → Scan report PDF. The Compliance section renders the primary catalog and lists framework hits per finding.
- Findings. Filter by `compliance` (e.g., `pci:6.5.1`) to see every finding that maps to a specific control.
- Compliance dashboard. Per-control counts of open, accepted, mitigated and fixed findings. Shows the team where the auditor's questions will land first.
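The rule table, the control filter and the per-control counts described above, as an added example in Python. This is not WASViking code: it is a hypothetical re-implementation of the data structure the page describes, with the rows copied from the condensed table and a handful of constructed findings. The `framework:control` tag syntax follows the `pci:6.5.1` filter shown above; the prefixes for the other four frameworks (`lgpd`, `gdpr`, `bacen`, `iso27001`) and the `check_policy` helper that enforces the "every category has a row" rule are assumptions.

```python
from collections import Counter, defaultdict

FRAMEWORKS = ("pci", "lgpd", "gdpr", "bacen", "iso27001")

# Single source of truth: finding category -> {framework: [control IDs]}.
# Rows copied from the condensed table on this page. Many-to-many: one
# category hits several controls, and one control is hit by several categories.
RULE_TABLE = {
    "sqli": {"pci": ["6.5.1", "6.4.2"], "lgpd": ["Art.46"],
             "gdpr": ["Art.32(1)(b)"], "bacen": ["14.II"],
             "iso27001": ["A.8.25", "A.8.28"]},
    "xss": {"pci": ["6.5.7"], "lgpd": ["Art.46"], "gdpr": ["Art.32(1)(b)"],
            "bacen": ["14.II"], "iso27001": ["A.8.28"]},
    "graphql_bola": {"pci": ["6.5.8"], "lgpd": ["Art.46"],
                     "gdpr": ["Art.32(1)(b)"], "bacen": ["14.II"],
                     "iso27001": ["A.8.3", "A.5.15"]},
    "jwt_alg_confusion": {"pci": ["6.5.10"], "lgpd": ["Art.46"],
                          "gdpr": ["Art.32(1)(d)"], "bacen": ["14.II"],
                          "iso27001": ["A.8.5"]},
    "vulnerable_component": {"pci": ["6.2", "6.3"], "lgpd": ["Art.46"],
                             "gdpr": ["Art.32(1)(d)"], "bacen": ["16.IV"],
                             "iso27001": ["A.8.8", "A.8.9"]},
    "token_exposure": {"pci": ["8.2", "8.3"], "lgpd": ["Art.46"],
                       "gdpr": ["Art.32(1)(b)"], "bacen": ["14.II"],
                       "iso27001": ["A.8.5"]},
    "tls_misconfiguration": {"pci": ["4.2"], "lgpd": ["Art.46"],
                             "gdpr": ["Art.32(1)(a)"], "bacen": ["14.II"],
                             "iso27001": ["A.8.24"]},
}


def controls_for(category, table=RULE_TABLE):
    """All 'framework:control' tags for one category, in the filter syntax
    used on this page (e.g. 'pci:6.5.1'). An unmapped category is a policy
    violation, so it raises instead of silently mapping to nothing."""
    rules = table.get(category)
    if rules is None:
        raise KeyError(f"analyzer category {category!r} has no mapping row")
    return {f"{fw}:{c}" for fw in FRAMEWORKS for c in rules.get(fw, [])}


def invert(table):
    """Control tag -> set of finding categories: the inverted rule table that
    answers 'which analyzers produce evidence for this control?'."""
    index = defaultdict(set)
    for category in table:
        for tag in controls_for(category, table):
            index[tag].add(category)
    return index


def filter_by_control(findings, tag):
    """Findings whose category maps to `tag`, like the portal's compliance filter."""
    return [f for f in findings if tag in controls_for(f["category"])]


def per_control_counts(findings):
    """Control tag -> Counter of finding states (open/accepted/mitigated/fixed),
    the numbers a per-control dashboard shows."""
    counts = defaultdict(Counter)
    for f in findings:
        for tag in controls_for(f["category"]):
            counts[tag][f["state"]] += 1
    return counts


def check_policy(table, analyzer_categories):
    """Hypothetical CI check for the 'every category has a row' policy: every
    analyzer category has a row, and every row fills every framework.
    Returns (missing_rows, incomplete_rows)."""
    missing = [c for c in analyzer_categories if c not in table]
    incomplete = [c for c, rules in table.items()
                  if any(not rules.get(fw) for fw in FRAMEWORKS)]
    return missing, incomplete


# Constructed findings for illustration, not real scan output.
FINDINGS = [
    {"id": "F-1", "category": "sqli", "state": "open"},
    {"id": "F-2", "category": "xss", "state": "fixed"},
    {"id": "F-3", "category": "sqli", "state": "mitigated"},
    {"id": "F-4", "category": "token_exposure", "state": "accepted"},
    {"id": "F-5", "category": "tls_misconfiguration", "state": "open"},
]

if __name__ == "__main__":
    print(sorted(invert(RULE_TABLE)["iso27001:A.8.28"]))
    print([f["id"] for f in filter_by_control(FINDINGS, "pci:6.5.1")])
    for tag, states in sorted(per_control_counts(FINDINGS).items()):
        print(tag, dict(states))
    print(check_policy(RULE_TABLE, list(RULE_TABLE) + ["ssrf"]))
```

Two design points carry over to any real implementation of this shape: the inverted index is derived from the forward table at load time rather than maintained by hand, so the PDF and the portal cannot drift apart; and an unmapped category fails loudly, which is what makes the "add a row per analyzer" policy enforceable in CI rather than by convention.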
