| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | READ ME. Methodology, sources and what this does not cover | |||||||||||||||||||||||||
2 | How I built this, which version of each framework I have used, and where I am confident in a mapping against where I am really making a judgement call. | |||||||||||||||||||||||||
3 | ||||||||||||||||||||||||||
4 | WHAT THIS IS | |||||||||||||||||||||||||
5 | When I started this, the question I kept in front of me was a simple one. If a small AI safety organisation had to build its security from nothing, which policies would it actually need to write, and what would each one be worth. This workbook is my answer to that. I began with the RAND report on securing AI model weights, because it is the most thorough work in this area, and then I scaled it down to the threat these organisations really face. After that I checked every policy against both the AI risk frameworks and the security frameworks I already work with. The reason I went to that trouble is that one policy can usually be made to count towards several standards at once, and when an organisation is short on both time and money, that is the part that matters most. | |||||||||||||||||||||||||
6 | ||||||||||||||||||||||||||
7 | THE FRAMEWORKS I USED, with the version current as of June 2026 | |||||||||||||||||||||||||
8 | Framework | Version | Where it sits in this work | |||||||||||||||||||||||
9 | NIST AI Risk Management Framework | AI 100-1, version 1.0 (Jan 2023) | The main AI alignment | |||||||||||||||||||||||
10 | NIST Generative AI Profile | AI 600-1 (Jul 2024) | Used for the agentic layer | |||||||||||||||||||||||
11 | NIST Cybersecurity Framework | CSF 2.0 (Feb 2024) | Adds the Govern function | |||||||||||||||||||||||
12 | NIST SP 800-53 | Revision 5 (2020, patched 5.1.1 2023 and 5.2 2025) | The control catalogue | |||||||||||||||||||||||
13 | SOC 2 | |||||||||||||||||||||||||
14 | ISO/IEC 27001 | 2022, including the 2024 climate amendment | The Annex A controls | |||||||||||||||||||||||
15 | UK Cyber Essentials | Version 3.3, the Danzell question set (in force 27 Apr 2026) | Replaced version 3.2, Willow | |||||||||||||||||||||||
16 | RAND | RRA2849-1, Securing AI Model Weights | The source for the threats and controls | |||||||||||||||||||||||
17 | Cyber Insurance | |||||||||||||||||||||||||
18 | ||||||||||||||||||||||||||
19 | One thing is worth flagging, because it is recent and easy to miss. Cyber Essentials moved to version 3.3 on the 27th of April 2026, with a new question set called Danzell, replacing version 3.2. The five technical controls themselves have not changed, but two things in the new version matter for these organisations. Multi factor authentication is now required on any cloud service that offers it, and if it is missing the whole assessment fails. Cloud services can also no longer be left out of scope, which means a small organisation's Google Workspace now sits firmly inside the assessment. I have written the Cyber Essentials column to reflect version 3.3. | |||||||||||||||||||||||||
20 | ||||||||||||||||||||||||||
21 | HOW I DID THE MAPPING, worth reading before you quote any cell | |||||||||||||||||||||||||
22 | The two NIST AI frameworks are not like the others, so I was careful about how I used them. They describe outcomes an organisation should reach rather than controls it should put in place, and there is no official list telling you which security policy meets which part of them. So when you see a policy tagged against one of these, read it as me saying the policy genuinely helps reach that outcome, not that it ticks a defined box. For the generative AI guidance I simply named the risk the policy speaks to, such as information security, rather than claiming a precision the document itself does not offer. | |||||||||||||||||||||||||
23 | The other four frameworks are the opposite, and these mappings I am confident about. Cyber Essentials, ISO 27001, the NIST Cybersecurity Framework and 800-53 all list named controls, so each policy points to the control it puts into practice. When I cite something like 800-53 control AC-6 for least privilege, I mean the policy backs that control, not that the organisation has already built it out in full. | |||||||||||||||||||||||||
24 | The last thing I did was tie each policy back to the RAND report itself, naming the attack it most reduces and the least capable attacker for whom that attack becomes a genuine worry. That sits on the RAND Threat Linkage sheet, and I included it so you can see the set is driven by real threats rather than by a generic checklist. | |||||||||||||||||||||||||
25 | ||||||||||||||||||||||||||
26 | WHAT I SCOPED OUT, and where I am being honest about gaps | |||||||||||||||||||||||||
27 | I rebalanced the scope, and this was the decision I thought hardest about. RAND is written for frontier laboratories, so I kept the lower security levels in full, took a realistic slice of the middle level, and left the top two mapped but not written. A small organisation will almost certainly never face a nation state, and could not build those defences even if it tried, so writing them out in detail would have looked impressive and helped no one. | |||||||||||||||||||||||||
28 | The AI framework tags are my considered judgement, not a certified mapping. An assessor might reasonably place a policy under a neighbouring part of the framework, and I would not argue with them. | |||||||||||||||||||||||||
29 | Everything here is right as of June 2026. Cyber Essentials 3.3, the Cybersecurity Framework 2.0 and ISO 27001:2022 are the current editions, but these things move, so it is worth a quick check before any audit. | |||||||||||||||||||||||||
30 | I have left fairness and wider social impact deliberately light, and I want to be open about that. They matter, but they sit outside what a security policy can honestly claim to cover, so I would rather hand them to whoever owns ethics in the organisation than stretch this work to pretend it reaches them. | |||||||||||||||||||||||||
31 | ||||||||||||||||||||||||||
32 | CHANGE LOG | |||||||||||||||||||||||||
33 | Version 1, the gap analysis | Where I first listed the policies across all five security levels and worked out what each one earned towards Cyber Essentials, ISO 27001 and SOC 2. | ||||||||||||||||||||||||
34 | Version 2, aligned to NIST AI RMF | Where I rebalanced the scope, brought in the AI risk framework and the generative AI guidance, and sorted the policies into build tiers. | ||||||||||||||||||||||||
35 | Version 3, this one | Where I added the Cybersecurity Framework, 800-53, ISO 27001 Annex A and Cyber Essentials 3.3, tied everything back to RAND, and wrote the methodology and coverage sheets. | ||||||||||||||||||||||||
36 | ||||||||||||||||||||||||||
37 | ||||||||||||||||||||||||||
38 | ||||||||||||||||||||||||||
39 | ||||||||||||||||||||||||||
40 | ||||||||||||||||||||||||||
41 | ||||||||||||||||||||||||||
42 | ||||||||||||||||||||||||||
43 | ||||||||||||||||||||||||||
44 | ||||||||||||||||||||||||||
45 | ||||||||||||||||||||||||||
46 | ||||||||||||||||||||||||||
47 | ||||||||||||||||||||||||||
48 | ||||||||||||||||||||||||||
49 | ||||||||||||||||||||||||||
50 | ||||||||||||||||||||||||||
51 | ||||||||||||||||||||||||||
52 | ||||||||||||||||||||||||||
53 | ||||||||||||||||||||||||||
54 | ||||||||||||||||||||||||||
55 | ||||||||||||||||||||||||||
56 | ||||||||||||||||||||||||||
57 | ||||||||||||||||||||||||||
58 | ||||||||||||||||||||||||||
59 | ||||||||||||||||||||||||||
60 | ||||||||||||||||||||||||||
61 | ||||||||||||||||||||||||||
62 | ||||||||||||||||||||||||||
63 | ||||||||||||||||||||||||||
64 | ||||||||||||||||||||||||||
65 | ||||||||||||||||||||||||||
66 | ||||||||||||||||||||||||||
67 | ||||||||||||||||||||||||||
68 | ||||||||||||||||||||||||||
69 | ||||||||||||||||||||||||||
70 | ||||||||||||||||||||||||||
71 | ||||||||||||||||||||||||||
72 | ||||||||||||||||||||||||||
73 | ||||||||||||||||||||||||||
74 | ||||||||||||||||||||||||||
75 | ||||||||||||||||||||||||||
76 | ||||||||||||||||||||||||||
77 | ||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||
79 | ||||||||||||||||||||||||||
80 | ||||||||||||||||||||||||||
81 | ||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||
83 | ||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||
86 | ||||||||||||||||||||||||||
87 | ||||||||||||||||||||||||||
88 | ||||||||||||||||||||||||||
89 | ||||||||||||||||||||||||||
90 | ||||||||||||||||||||||||||
91 | ||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||
94 | ||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||
97 | ||||||||||||||||||||||||||
98 | ||||||||||||||||||||||||||
99 | ||||||||||||||||||||||||||
100 | ||||||||||||||||||||||||||