How to Use This Page
1. Find your compliance framework below.
2. Locate the specific requirement.
3. Click the linked FixMyCert content.
4. Use it as-is or customize it for your environment.
Enterprise customers: your customizations inherit these mappings automatically.
What This Mapping Provides
This page maps FixMyCert guides and runbooks to specific controls as supporting evidence and implementation guidance. It does not represent full compliance coverage.
Scope: Cryptography, TLS, PKI, and certificate lifecycle portions of each framework only.
Your organization's internal policies, procedures, and approval workflows complete the compliance picture. FixMyCert provides the operational HOW - your policies define the WHAT and WHO.
The Two-Layer Model
| Layer | Contains | Provided By |
|---|---|---|
| Your Enterprise Layer | Internal policies, control IDs, owners, reviewers, approval dates | Your organization |
| FixMyCert Base Layer | Operational guides, runbooks, platform configurations, procedures | FixMyCert |
Together = Audit-Ready
When an auditor asks "Show me how you manage certificate key compromise," you provide:
- Your Key Management Policy (defines the requirement)
- FixMyCert's Key Compromise Response Runbook (documents the procedure)
- Evidence of execution (incident tickets, change records)
PCI DSS 4.0
Payment Card Industry Data Security Standard
For organizations handling credit card data. Focus areas: encryption in transit, key management, certificate lifecycle.
Scope: Requirement 4.2.1 (PAN transmitted over open, public networks) and 12.3.3 (cipher suite and protocol inventory) apply directly to TLS certificates. Requirements 3.6 and 3.7 govern keys that protect stored account data; the rows below map them only where the same key-management discipline is applied to PKI operations (HSM-backed CA keys, key ceremonies). Confirm with your QSA which requirement your PKI keys fall under. Note that 4.2.1.1, 12.3.3 and the certificate-validity bullet of 4.2.1 were best practice until 31 March 2025 and are mandatory after that date.
| Requirement | Description | FixMyCert Content |
|---|---|---|
| 4.2.1 | Strong cryptography and secure protocol versions for PAN in transit | TLS Comparison Guide, Cipher Suite Decoder, How TLS Works |
| 4.2.1 | Only trusted keys and certificates accepted | Certificate Chain Guide, Root Stores Demo, CA Hierarchy |
| 4.2.1 | Certificates confirmed valid: not expired, not revoked | Certificate Lifecycle Demo, Certificate Renewal Runbook, Revocation Deep Dive |
| 4.2.1.1 | Inventory of trusted keys and certificates used to protect PAN in transit | Certificate Lifecycle Demo, Compliance Hub |
| 4.2.2 | PAN secured with strong cryptography when sent via end-user messaging | Encryption Basics, RSA vs ECC |
| 3.6.1 | Procedures to protect cryptographic keys against disclosure and misuse | Key Compromise Response Runbook, HSM Guide |
| 3.7.1 | Generation of strong cryptographic keys | OpenSSL Key Generation, RSA vs ECC Guide |
| 3.7.2 | Secure key distribution | Certificate Chain Guide, PKCS12/PFX Guide |
| 3.7.4 | Key changes at the end of the defined cryptoperiod | Certificate Lifecycle Demo, Compliance Hub Deadlines |
| 3.7.5 | Retirement, replacement or destruction of keys | CA Migration Runbook, Emergency Replacement Runbook |
| 3.7.6 | Split knowledge and dual control for manual cleartext key operations | HSM Guide |
| 3.7.7 | Prevention of unauthorized key substitution | Certificate Pinning Guide, CAA Records Guide |
| 12.3.3 | Cipher suites and protocols in use documented and reviewed at least every 12 months | Cipher Suite Decoder, TLS Comparison |
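The PCI rows above describe evidence an assessor will ask to see, not how to produce it. As an added example (not FixMyCert content), the stdlib-only Python script below turns a constructed TLS endpoint inventory into the evidence items behind 4.2.1, 4.2.1.1 and 12.3.3: it flags protocol versions below TLS 1.2, cipher suites built on deprecated primitives, expired or soon-expiring certificates and undersized keys, and emits the protocol/cipher inventory and the trusted-certificate inventory. The hostnames, CSV layout, thresholds and as-of date are assumptions; substitute your scanner or CMDB export and your own cryptographic standard.

```python
"""Turn a TLS endpoint inventory into PCI DSS 4.0 evidence items.

Added example for this mapping page; not FixMyCert content. The inventory
rows, hostnames, thresholds and as-of date below are constructed assumptions.
Stdlib only, runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inventory (the shape a scanner or CMDB export would produce).
INVENTORY_CSV = """\
host,port,protocol,cipher,key_type,key_bits,issuer,not_after
pay.example.com,443,TLSv1.3,TLS_AES_256_GCM_SHA384,RSA,2048,Example Public CA,2026-03-01
legacy-gw.example.com,443,TLSv1.0,DES-CBC3-SHA,RSA,1024,Internal ADCS,2024-01-15
api.example.com,8443,TLSv1.2,ECDHE-ECDSA-AES128-GCM-SHA256,EC,256,Example Public CA,2025-06-30
"""

# Assessment thresholds (assumptions; align them with your own crypto standard).
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)  # date the evidence is generated


@dataclass
class Finding:
    host: str         # host:port
    requirement: str  # PCI DSS 4.0 requirement the finding is evidence against
    detail: str


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV export into rows with typed port, key_bits and not_after."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["port"] = int(row["port"])
        row["key_bits"] = int(row["key_bits"])
        row["not_after"] = datetime.strptime(row["not_after"], "%Y-%m-%d").replace(
            tzinfo=timezone.utc
        )
        rows.append(row)
    return rows


def evaluate(rows: list[dict], as_of: datetime = AS_OF, warn_days: int = 30) -> list[Finding]:
    """Check each endpoint against the 4.2.1 bullets: protocol version,
    cipher strength, certificate validity and key strength."""
    findings = []
    for r in rows:
        host = f"{r['host']}:{r['port']}"
        if r["protocol"] not in ACCEPTED_PROTOCOLS:
            findings.append(Finding(host, "4.2.1", f"insecure protocol version {r['protocol']}"))
        if any(marker in r["cipher"] for marker in WEAK_CIPHER_MARKERS):
            findings.append(Finding(host, "4.2.1", f"weak cipher suite {r['cipher']}"))
        if r["not_after"] <= as_of:
            findings.append(Finding(host, "4.2.1", f"certificate expired on {r['not_after'].date()}"))
        elif (r["not_after"] - as_of).days <= warn_days:
            findings.append(Finding(host, "4.2.1", f"certificate expires within {warn_days} days"))
        min_bits = MIN_KEY_BITS.get(r["key_type"])
        if min_bits is not None and r["key_bits"] < min_bits:
            findings.append(Finding(host, "4.2.1",
                                    f"{r['key_type']} key of {r['key_bits']} bits below {min_bits}"))
    return findings


def cipher_inventory(rows: list[dict]) -> list[tuple[str, str]]:
    """Distinct (protocol, cipher suite) pairs in use: the 12.3.3 inventory."""
    return sorted({(r["protocol"], r["cipher"]) for r in rows})


def trusted_certificate_inventory(rows: list[dict]) -> list[tuple[str, str, str]]:
    """(host:port, issuer, expiry) per endpoint: the 4.2.1.1 certificate inventory."""
    return sorted((f"{r['host']}:{r['port']}", r["issuer"], r["not_after"].date().isoformat())
                  for r in rows)


def run_example() -> list[Finding]:
    """Evaluate the constructed inventory as of AS_OF."""
    return evaluate(parse_inventory(INVENTORY_CSV))


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY_CSV)
    for f in evaluate(rows):
        print(f"{f.requirement}  {f.host}  {f.detail}")
    print("12.3.3 inventory:", cipher_inventory(rows))
    print("4.2.1.1 inventory:", trusted_certificate_inventory(rows))
```

Run it on a dated export and keep the output with the export under the change or review ticket; re-running it on the 12.3.3 review date produces the "reviewed at least once every 12 months" evidence, and the expiring-soon warning is what feeds the Certificate Renewal Runbook before 4.2.1 is breached.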
SOC 2 Type II
Trust Services Criteria
For service organizations. Focus areas: security controls, encryption, access management. A Type II report tests operating effectiveness over a period, so pair each runbook with execution evidence (tickets, change records) that spans the audit window.
Scope: CC6.x (logical access and transmission security via certificates and TLS), CC7.x (detection, monitoring and incident response) and CC8.1 (change management) as they relate to TLS and PKI.
| Criteria | Description | FixMyCert Content |
|---|---|---|
| CC6.1 | Logical access security, including certificate-based authentication | mTLS Guide, Certificate Pinning |
| CC6.6 | Protection against threats from outside the system boundary (encryption in transit) | How TLS Works, TLS Handshake Demo |
| CC6.7 | Restriction and protection of information during transmission | Cipher Suite Decoder, Forward Secrecy Guide |
| CC7.1 | Detection of configuration changes and vulnerabilities | F5 SSL Profiles Guide, OpenSSL Guides |
| CC7.4 | Response to identified security incidents | Key Compromise Response, Emergency Replacement |
| CC8.1 | Change management (authorization, testing and approval of changes) | Certificate Renewal Runbook, CA Migration Runbook |
| A1.2 | Recovery infrastructure and procedures | Emergency Certificate Replacement |
ISO 27001:2022
Information Security Management
International standard for information security. Annex A controls relevant to cryptography and PKI.
Scope: Annex A controls A.8.24 (cryptography), A.8.20/A.8.21 (network/web security), and A.8.9 (configuration) as they apply to certificates and TLS.
| Control | Description | FixMyCert Content |
|---|---|---|
| A.8.24 | Use of cryptography | Encryption Basics, How TLS Works, Hash Functions |
| A.8.24 | Key management (the key lifecycle requirements folded into A.8.24 in the 2022 revision) | Certificate Lifecycle, HSM Guide, Key Compromise Response |
| A.8.20 | Networks security | TLS Comparison, Cipher Suite Decoder |
| A.8.21 | Security of network services | F5 SSL Guides, CDN SSL Guides |
| A.8.9 | Configuration management | OpenSSL Guides, F5 Certificate Installation |
| A.5.37 | Documented operating procedures | All Runbooks, Certificate Renewal |
NIST Cybersecurity Guidelines
U.S. Federal Standards
U.S. federal standards widely adopted in private sector.
Scope: Key management (SP 800-57 Part 1 Rev. 5), TLS configuration (SP 800-52 Rev. 2), and algorithm transitions (SP 800-131A Rev. 2) as they apply to PKI operations. Section numbers below follow those revisions.
NIST SP 800-57 Part 1 Rev. 5 (Key Management)
| Recommendation | Description | FixMyCert Content |
|---|---|---|
| Part 1, §5.3 | Cryptoperiods | Certificate Lifecycle Demo, Compliance Hub |
| Part 1, §7 | Key states and transitions | Revocation Guide, Certificate Lifecycle |
| Part 1, §8.1 | Pre-operational phase: key generation and registration | OpenSSL Key Generation, RSA vs ECC |
| Part 1, §5.5 | Compromise of keys and other keying material | Key Compromise Response |
| Part 1, §8.3 | Post-operational phase: revocation, archive, destruction | Revocation Deep Dive, CRL/OCSP Demo |
NIST SP 800-52 Rev. 2 (TLS Guidelines)
| Recommendation | Description | FixMyCert Content |
|---|---|---|
| §3.1 | TLS version requirements | TLS Comparison Guide |
| §3.2 | Server certificate requirements | DV/OV/EV Guide, Certificate Anatomy |
| §3.3 | Cipher suite requirements | Cipher Suite Decoder, F5 SSL Labs A+ Guide |
| §3.4 | Extensions (SNI, OCSP) | F5 SNI Configuration, OCSP Stapling Demo |
NIST SP 800-131A Rev. 2 (Transitioning Crypto)
| Recommendation | Description | FixMyCert Content |
|---|---|---|
| Algorithm transitions | Deprecated algorithms | Compliance Hub, Crypto Agility Guide |
| Key length requirements | Minimum key sizes | RSA vs ECC Guide, CSR Checker Tool |
CIS Controls v8
Center for Internet Security
Prioritized security controls for cyber defense.
Scope: Controls related to encryption in transit, network infrastructure, and cryptographic resources.
| Control | Description | FixMyCert Content |
|---|---|---|
| 3.10 | Encrypt sensitive data in transit | How TLS Works, TLS Handshake Demo |
| 3.11 | Encrypt sensitive data at rest | Encryption Basics |
| 12.1 | Ensure network infrastructure is up to date | F5 SSL Profiles, CDN SSL Guides |
| 12.8 | Establish and maintain dedicated compute resources | HSM Guide |
CA/Browser Forum Requirements
Baseline Requirements
Industry requirements for publicly-trusted certificates. Already tracked in our Compliance Hub.
Scope: Baseline Requirements for certificate validity, key requirements, validation methods, and revocation.
| Requirement | Description | FixMyCert Content |
|---|---|---|
| Certificate validity | Maximum validity periods | Compliance Hub, Certificate Lifecycle |
| Key requirements | Minimum key sizes and algorithms | RSA vs ECC Guide, CSR Checker |
| Domain validation | DCV methods | Domain Validation Methods |
| Certificate revocation | Revocation timelines | Revocation Deep Dive Guide |
| Certificate transparency | CT logging | Certificate Transparency Guide |
| CAA records | DNS CAA checking | CAA Records Guide |
FixMyCert Enterprise: Compliance Ready
Enterprise customers can:
- ✓ Add internal control numbers to any content
- ✓ Map to your specific audit requirements
- ✓ Add approval signatures and review dates
- ✓ Export documentation for auditor review
- ✓ Track which procedures staff have acknowledged
- ✓ Clone runbooks per business unit while retaining mappings
Attach internal documentation to each mapping:
| Field | Purpose | Example |
|---|---|---|
| Internal Doc Link | Your policy/procedure | Key Management Policy v2.3 |
| Control ID | Your numbering system | PKI-KM-01, CRYPTO-003 |
| Owner | Responsible party | InfoSec Team |
| Reviewer | Approval authority | CISO |
| Last Review | Audit evidence | 2024-12-15 |
| Next Review | Compliance calendar | 2025-12-15 |
Frequently Asked Questions
Does using FixMyCert make me compliant?
No. FixMyCert provides implementation guidance and supporting evidence for the certificate and cryptography portions of compliance frameworks. Full compliance requires your organization's policies, procedures, and evidence of execution across ALL control areas.
What if my auditor asks for something not in the mapping?
These mappings cover PKI/TLS/certificate-related controls only. For controls outside this scope (physical security, HR policies, general access management), you'll need documentation from other sources.
Can I use FixMyCert content as my official policy?
FixMyCert guides document HOW to implement controls. Your policies should define WHAT controls exist, WHO is responsible, and WHEN reviews occur. We recommend using FixMyCert guides as procedural attachments to your policy documents.
How do I handle multiple CAs or platforms?
Enterprise customers can clone runbooks for different environments while maintaining the same compliance mappings. For example, separate Key Compromise Response procedures for your public CA vs. internal ADCS, both mapping to the same PCI/NIST/ISO controls.
Disclaimer: This mapping provides guidance for the cryptography, TLS, PKI, and certificate lifecycle portions of each framework. Your auditor has final authority on what satisfies requirements. FixMyCert content serves as supporting evidence and implementation guidance - it does not represent full compliance coverage or guarantee audit outcomes.