Every standard your data stack
needs to know about.

Backups must preserve attribution, audit trails, and original record metadata. Backups that lose audit trails or signature metadata are not valid restoration sources for regulated records.

Requires unique identification and traceability throughout production. Transformations of A&D data must preserve identification and produce auditable transformation logs.

Standard A&D quality metrics with industry benchmarks. Reported to OEM customers as part of AS9100 supplier scorecards.

Industry-specific quality standard built on ISO 9001 with A&D-specific clauses around configuration management, traceability, and counterfeit parts prevention.

Detailed shipment notification with parts, quantities, packaging, traceability data (lot, serial). Required to enable receiving, JIS sequencing, and traceability.

Process assessment model for automotive software development. ISO/IEC 33000-aligned. Capability levels (CL0-CL5) used by OEMs to qualify suppliers for software-intensive components.

Standard taxonomy for equipment classification, reliability data, and maintenance history. Used for benchmarking and analytics.

Documentary evidence that NIST SP 800-171 controls are implemented, including configuration evidence, access logs, training records, and incident response artifacts.

Every record ingested into a regulated system must capture who entered/changed it, when, and what was the previous value. Audit trails must be reviewable by the user, retained per record retention rules, and protected from modification.

Calculations for risk-weighted assets, expected credit loss, market risk capital, and other regulatory metrics must be reproducible from source data with documented logic and lineage.

Wholesale market settlements (ERCOT, MISO, PJM, CAISO, etc.) require auditable calculations of energy, ancillary services, transmission charges with documented logic.

Visualizations of attribution coverage, audit trail completeness, contemporaneous data entry rate, and other ALCOA+ leading indicators.

14 principles covering governance, infrastructure, accuracy, completeness, timeliness, and adaptability of risk data. Originally for G-SIBs but now influencing all systemically important banks.

Banks must be able to generate accurate and reliable risk data. Includes documented data quality controls, reconciliation between sources, and known data quality issue reporting.

Bank reports must be clear, frequent enough for supervisory needs, and distributed appropriately. Requires documented and understood data flows.

Banks must be able to generate accurate and reliable risk data on a largely automated basis to minimize manual intervention. Requires a single semantic source for risk metrics across the bank.

Requires automotive suppliers to identify and evaluate manufacturing risks, establish contingency plans for emergencies, and periodically test those plans.

Standard specifying requirements for BCMS. Covers business impact analysis, continuity strategies, plans, and testing — applied to manufacturing operations and IT/OT systems.

ISO standard for product data exchange between PLM, ERP, and supplier systems. AP242 covers managed model-based 3D data.

Mandatory regulatory capital metrics. Basel IV (effective 2023, full transition 2028) introduced output floor (72.5%) and revised standardized approaches for credit, market, and operational risk.

California's privacy law affecting most retailers. Consumer rights to know, delete, correct, opt-out of sale.

Privacy rights for California employees, customers, and contractors. Similar laws in Virginia (VCDPA), Colorado (CPA), Connecticut, Utah, and growing list.

California's privacy law applies to connected vehicle data of California residents. Includes opt-out rights for sale/sharing of personal info derived from vehicle telemetry.

Provides California residents with rights to know, delete, correct, opt-out of sale/sharing of their personal information. CPRA (effective 2023) expanded employee data and added 'sensitive personal information'.

Engineering and manufacturing changes go through formal review, impact analysis, approval, and validation before implementation. PFMEA updates often required.

China's PIPL requires data processed in China to stay in China unless specific cross-border mechanisms are used. Specific automotive guidance issued by CAC (Cyberspace Administration of China).

DoD program requiring third-party certification of NIST SP 800-171 (Level 2) and additional NIST SP 800-172 enhanced controls (Level 3). Phased implementation 2024-2027.

Mexico's banking and securities regulator, with its own data protection, cybersecurity, and resilience expectations including CUB (Circular Única de Bancos).

Mexico's federal regulatory authority for sanitary risks, including pharma manufacturing and importation. Has its own data integrity, validation, and serialization expectations aligned with international norms.

MKT calculations applied to temperature time-series, with rules for time-out-of-refrigeration thresholds. Required for biologics, vaccines, and many small molecules.

Every configuration change has documented justification, approval chain, impact analysis, and effectivity. Provides forensic-quality history of product evolution.

Each part, sub-assembly, software component has a managed master record with versioning, effectivity dates, applicability conditions, and approved sources.

Required as the final step of RMF: ongoing monitoring of security controls, vulnerabilities, threats, and operational status with documented frequency and reporting.

FCC regulations protecting telecom customer information including call records, services subscribed, and usage. Specific consent rules.

Modernization of CSV emphasizing critical thinking and risk-based testing over exhaustive documentation. Encourages automated testing and continuous validation approaches.

Specific marking, storage, transmission, and destruction requirements for CUI categories (CTI, NSI, etc.) per Executive Order 13556 and NARA CUI Registry.

Customer identifiers, premises, accounts mastered with privacy controls per NIST guidance and state utility commission rules.

Banks must capture all material risk and report it on a comprehensive basis. Requires a single counterparty view across products, geographies, and entities.

Monitoring that detects gaps in audit trails, missing timestamps, unattributed changes, deleted records — and alerts on them in near real-time.

Includes data and information requirements: documented information, suitability, criteria for acceptance. Applied to data products supporting production and service.

Includes control of data and information used for production. Data quality is implicit in production control requirements.

Security gates in CI/CD pipelines aligned with ISO/SAE 21434 work products: TARA (Threat Analysis and Risk Assessment), security goals, security concept.

Requires 'adequate security' (defined as NIST SP 800-171), incident reporting within 72 hours, malicious software submission, and damage assessment cooperation.

Workflows that affect federal data must have documented standard operating procedures, role definitions, and approval chains aligned with RMF expectations.

Comprehensive ICT risk management framework for EU financial entities, including third-party risk, incident reporting, and resilience testing.

Requires comprehensive ICT business continuity, including documented response and recovery plans, testing, threat-led penetration testing (TLPT) for significant entities, and major incident reporting.

Effective January 17, 2025. Requires documented ICT change management with risk assessments, testing, and rollback plans for in-scope EU financial entities. Includes major changes to outsourced ICT services.

Major incidents must be reported to competent authorities within strict timelines: initial notification (within 4 hours of classification), intermediate report (72 hours), final report (1 month).

Mandates electronic, interoperable, item-level traceability of prescription drugs through the US supply chain. Full enforcement of unit-level traceability by November 2024.

Bureau of Industry and Security regulations covering export of dual-use technology. Less restrictive than ITAR but still requires classification, license determination, and recordkeeping.

Provides usage policy enforcement, contract negotiation, and data exchange between sovereign data spaces. Reference implementation for IDS (International Data Spaces).

North American EDI standard: 850 PO, 855 PO Acknowledgment, 856 ASN, 810 Invoice, 870 Order Status. Standard for retailer-supplier communication in NA.

Industry standard for configuration management covering identification, change control, status accounting, and verification. Foundation for A&D and defense configuration practices.

GS1-defined data exchange standard for serialization events (commissioning, shipping, receiving, dispensing). Version 2.0 (2022) added REST API support and JSON-LD format.

Standardized event data (Object, Aggregation, Transaction, Transformation events) for tracking products through supply chain.

International standard for systematic identification of industrial equipment. Used for engineering documents, asset management, and maintenance.

EU regulation requiring one-step-up, one-step-down traceability for all food products, with rapid response capability for safety incidents.

EU regulation requiring documented traceability with rapid response capability for safety incidents.

EU equivalent of 21 CFR Part 11, covering validation, data integrity, and risk management for computerized systems used in GMP-regulated activities.

Requires unique product serial numbers, anti-tampering features, and verification at point of dispensing through the European Medicines Verification System (EMVS).

Replaces the prior Medical Device Directive. Requires UDI (Unique Device Identification), expanded clinical evidence, post-market surveillance, and EUDAMED database registration.

Instead of updating records in place, every change is captured as an event. The current state is computed by replaying events. Naturally aligned with audit trail requirements.

OEE, Yield, First Pass Yield, Cost per Unit, Quality metrics — universal F&B production metrics.

Requires UK firms to identify Important Business Services, set Impact Tolerances, and remain within them during severe-but-plausible scenarios. Full compliance required by March 2025.

Examination guidance for resilience programs at US banks. Covers business impact analysis, recovery strategies, plan documentation, testing, and integration with enterprise risk management.

Comprehensive guidance covering Architecture/Operations, Information Security, Outsourcing, Audit, and Business Continuity. Used by US bank examiners (OCC, FDIC, FRB, NCUA) during examinations.

Standard messaging protocol for trading-related communications between buy-side, sell-side, exchanges, and ECNs. Used for order routing, execution reporting, allocations, and reference data.

FDA rule (effective January 2026) requiring traceability for high-risk foods (FTL — Food Traceability List) including leafy greens, soft cheeses, eggs, fish, shell eggs, etc.

End-to-end lineage from supplier raw materials through manufacturing to finished vehicle, with linkage to PPAP, FAI (First Article Inspection), and audit records.

The de-facto standard for validating computerized systems in life sciences. Categorizes systems by risk (Cat 1–5) and prescribes appropriate validation rigor. Cloud platforms and SaaS systems are explicitly addressed in the Second Edition (2022).

Systems are classified into 5 categories based on risk and complexity (Cat 1: Infrastructure, Cat 3: Non-configured COTS, Cat 4: Configured, Cat 5: Custom). Validation rigor scales with category.

Comprehensive EU data protection law with extraterritorial reach. Defines lawful bases for processing, data subject rights (access, erasure, portability), DPO requirements, breach notification within 72 hours, and data transfer restrictions.

Standard methods for emissions accounting — Scope 1 (direct), Scope 2 (purchased energy), Scope 3 (value chain).

Standardized methods for measuring and reporting Scope 1, 2, 3 emissions. Foundation for SEC climate disclosure rules, EU CSRD, and voluntary disclosures (CDP).

Requires US financial institutions to protect customer information through written information security programs, risk assessment, and customer notification on privacy practices.

FDA regulations for food manufacturing facilities including hygiene, equipment, processes, and controls.

European/international EDI standards. EDIFACT (UN/EDIFACT) is the global standard; GS1 EDI provides retail-specific implementation.

Quality guidelines from FDA and EMA covering Good Manufacturing, Laboratory, Clinical, and Distribution Practices. Any infrastructure that touches data used in regulatory submissions or product release decisions must be GxP-validated.

Manufacturers must accurately attribute payments and transfers of value to specific HCPs and HCOs, then report to CMS Open Payments. Resolution errors result in misattributed payments and reporting violations.

Defines protections for Protected Health Information (PHI) — names, dates, geo identifiers, contact info, biometrics, etc. when associated with health data. Requires Business Associate Agreements (BAAs) with vendors that touch PHI.

Suite of ISO standards defining how medicinal products are identified, classified, and exchanged across regulatory submissions globally.

Includes substance, strength, dose form, presentation, manufacturer, regulatory status, and regional authorization details — all with managed identifiers.

International standard for substation automation and protection. Defines logical nodes, GOOSE messaging, sampled values, and substation configuration language (SCL).

Defines semantic objects for grid topology (substations, lines, transformers), customers, measurements, and operations. Foundational for utility information sharing.

Standard data exchange model for electric utility operations. Defines XML/RDF schemas for grid topology, assets, customers, measurements, and operations.

Security extensions for power system protocols including IEC 61850, ICCP, IEC 60870-5. Specifies authentication, encryption, intrusion detection.

Multi-part standard covering security for industrial control systems. Defines security levels (SL1-SL4), security zones, and conduits between zones.

Identification and authentication, use control, system integrity per IEC 62443 security levels (SL1-SL4). Required for ICS/SCADA environments.

Identification, authentication, use control aligned with security levels. Includes MFA for critical functions.

Logical and physical segmentation of OT networks into security zones based on Purdue Reference Model (Levels 0-5) with controlled conduits between zones.

Multi-part standard defining models and terminology for integration between enterprise (ERP) and control systems (MES, SCADA). Defines hierarchy levels (L0 sensors → L4 ERP) and B2MML XML schemas.

XML schemas for ISA-95 information models, used for ERP-MES integration. Defines product, equipment, material, personnel, and process segment hierarchies.

ISO standard for exchanging 3D CAD data with PMI (Product Manufacturing Information) between A&D enterprises. Replaces older AP203 and AP214.

International standard for BCMS. Provides systematic framework for resilience.

International standard specifying requirements for an Information Security Management System (ISMS). Covers 93 controls across organizational, people, physical, and technological domains.

Identity management, access provisioning/de-provisioning, privileged access, MFA — applied to manufacturing IT environments.

International standard for ISMS. Updated 2022 with new control structure (4 themes, 93 controls).

ISO 27017 for cloud security; ISO 27018 for protection of PII in public cloud. Particularly relevant for TMT.

International standard for supply chain security management. Increasingly required by major retailers from suppliers.

International standard for energy management. Defines energy performance indicators (EnPIs), energy review, baseline, and continuous improvement.

International standard for managing cybersecurity in road vehicles throughout development, production, and post-production. Aligned with UN R155 regulation requiring CSMS (Cybersecurity Management System).

Access controls aligned with vehicle cybersecurity management — least privilege, MFA for security-critical changes, tiered access by clearance.

Technical data subject to ITAR must be physically and logically restricted to US persons. Cloud storage must be in US-only regions with screened US-persons-only operations staff.

Access to ITAR-restricted technical data is restricted to US persons (citizens, lawful permanent residents, certain protected individuals). Requires screening, training, and ongoing monitoring.

Every data ingestion must screen for ITAR/EAR-controlled content (technical data, specifications, drawings) before processing or storage. Includes automated content classification and access restriction.

Globally unique 20-character identifier for legal entities engaging in financial transactions. Issued by Local Operating Units (LOUs) under the Global LEI Foundation (GLEIF).

Every reported number must be traceable to its source. SOX expects ITGC-backed change management on transformation logic. Basel/IFRS 9 expect audit trails for capital and provisioning calculations.

Layered security including MFA for high-risk transactions and access to sensitive systems. Updated 2021 guidance specifically addresses risk of phishing-resistant MFA.

Models that affect financial reporting, risk decisions, or regulatory capital must be inventoried, validated, and continuously monitored. Includes ML/AI models with growing emphasis post-2023.

Mandatory cybersecurity standards (CIP-002 through CIP-014) for the bulk electric system in North America. Covers asset identification, security management, personnel & training, electronic security perimeters, physical security, system security, incident reporting, recovery, configuration, vulnerability assessments, information protection, supply chain risk.

Requires training, awareness, personnel risk assessment, and access management for personnel with access to BES Cyber Systems.

Requires identification of Electronic Security Perimeters (ESPs), control of inbound/outbound communications, and remote access management.

Requires ports & services management, security patch management, malware prevention, security event monitoring, system access control.

CIP-008: incident response and reporting. CIP-009: recovery plans for BES Cyber Systems including testing requirements.

Requires baseline configurations, change documentation, configuration monitoring, and vulnerability assessments for BES Cyber Systems.

110 security controls across 14 families covering access control, audit, configuration management, identification, incident response, etc. Required for all defense contractors handling Controlled Unclassified Information (CUI).

Includes account management, separation of duties, least privilege, unsuccessful login attempts, system use notification, session lock, remote access, mobile device control.

Comprehensive guidance on Business Impact Analysis, contingency strategy, plan development, testing, and maintenance. Required reference for federal systems.

Applies to large US banks (≥$50B). Requires formal risk governance framework with continuous monitoring of risks, independent risk function, and board-level reporting.

Industry-standard protocol for industrial communications. Cross-platform, secure (X.509 certificates, encryption), with rich semantic information modeling.

Industry-specific information models built on OPC UA (e.g., umati for machine tools, OPC UA for Robotics, AutoML). Enables semantic interoperability across vendors.

Security framework defined by PCI Security Standards Council for any entity that stores, processes, or transmits cardholder data. v4.0 introduced in 2022 with full transition required by March 2025.

Required for any retailer accepting card payments. 12 control domains; v4.0 added customized approach, MFA for all CDE access, and continuous compliance.

China's comprehensive data protection law with strict cross-border transfer restrictions. Requires security assessments, standard contracts, or certification for outbound personal data.

DORA requires least-privilege, time-bounded access, MFA for privileged operations. NIS2 (effective October 2024) extends similar requirements to broader 'essential' and 'important' entities.

Manufacturing quality metrics tied to batch release decisions. RFT measures % of batches released without rework. Deviations and OOS feed into trending for systemic risk identification.

Continuous comparison of key figures (e.g., total assets, deposits, RWA) across systems with documented break management.

Sales, Gross Margin Return on Investment, Sell-Through Rate, Conversion Rate, Same-Store Sales — universal retail metrics.

Process for federal IT systems: Categorize → Select Controls → Implement → Assess → Authorize (ATO) → Monitor. Required for all federal information systems and systems handling federal data.

Access decisions tied to QMS-defined roles (QA Approver, Production Operator, QA Reviewer, etc.) rather than ad-hoc IT roles, with documented role definitions and access matrix.

XML-based standard for authoring, managing, and publishing technical documentation for A&D products. Modular Data Modules with rich metadata for automated processing and translation.

Documented software development lifecycle with security reviews, code reviews, automated testing, and deployment controls.

Every automated workflow that affects regulated data needs an approved SOP describing what it does, when it runs, who can modify it, and how exceptions are handled.

AWS GovCloud, Azure Government, Google Cloud Government — staffed by screened US persons in physically secured US data centers, with no foreign access.

Controls over IT systems supporting financial reporting. Applies to public retailers and CPG companies.

Industry-specific SPC requirements covering control charts, capability analysis, and statistical sampling for critical characteristics.

Annual or biannual stress tests where banks submit projected balance sheet, P&L, and capital ratios under severely adverse scenarios.

Same supplier may have different IDs across QMS (PPAP records), AP (vendor master), and program management (RFQ system). Resolution is critical for accurate supplier scorecards.

Maintaining accurate, single-record-per-supplier data across procurement, quality, finance, and program systems with regular synchronization to ASL.

ISO 9001 requires control of externally provided products and services. Inconsistent supplier identity prevents effective control.

Mandatory cybersecurity controls for the 11,000+ institutions on the SWIFT network. Annual self-attestation against the Customer Security Controls Framework (CSCF), with independent assessment for some controls.

Legacy MT (Message Type) format being phased out in favor of MX (XML, ISO 20022). Cross-border payments migration to ISO 20022 ends November 2025 (CBPR+). Many regulators reject non-ISO 20022 messages after that.

Automotive industry information security assessment. Three assessment levels (AL1-AL3) covering information security, prototype protection, and data protection. Required by most German OEMs for suppliers handling sensitive data.

Highest TISAX assessment level, required for handling of vehicle prototypes and pre-production data. Includes physical security, secured rooms, controlled access, and strict identity management.

Average Revenue Per User, Monthly Recurring Revenue, Net Revenue Retention, Churn Rate, Customer Lifetime Value — universal TMT metrics.

Foundational quality requirement: organizations must identify outputs, and where traceability is required, control unique identification of outputs.

Process recipes, formulas, and manufacturing know-how are valuable IP. Information protection programs prevent inadvertent disclosure.

Detailed guidance on temperature monitoring, mean kinetic temperature calculations, and excursion management for cold chain pharmaceutical products.

Standard EDI message formats for automotive supply chain (DELFOR demand forecasts, DELJIT JIT calls, ASN ship notifications, INVOIC). VDA used in Germany; Odette across Europe.

Standard interface specification for automotive intralogistics AGV/AMR systems, enabling vendor-agnostic master control. Defines vehicle states, tasks, and reporting messages.

17-character globally unique identifier for vehicles. ISO 3779 defines structure (WMI, VDS, VIS); ISO 3780 defines World Manufacturer Identifier codes.

Defines requirements for electronic records and electronic signatures to be considered equivalent to paper. Includes audit trails, system validation, copies of records, record retention, and signature authority.

Requires unique authentication, signature manifestation (printed name + date/time + meaning of signature), and protection against signature transfer or forgery. Often requires two distinct identifiers.