Frameworks
Local statute, international standards. One evidence base.
Custodian GRC ships every framework below as a first-class control library. The customer does not model them on a Monday morning. The mapping is the product.
The Zimbabwean statute book, in working order.
[Chapter 12:07] · Act 5 of 2021
Cyber and Data Protection Act
The Zimbabwean primary statute, modelled clause-by-clause as a control library. Sections 13, 16, 18, 19, 20, 27, and 28 are individually mapped to controls in the platform.
SI 155 of 2024
POTRAZ data protection regulations
The licensing regulations behind the Act. Forms DP1, DP2, and DP3 ship as first-class artefacts, with the POTRAZ tier bands and fee schedule encoded into the licensing module.
Sector regulator · Telecoms and broader
POTRAZ data protection regulations
POTRAZ Authority guidance treated as a working framework, not a footnote. Filings track inside the same record the Authority opens.
Banks · MFIs · Payment systems
RBZ cyber and operational risk
Reserve Bank of Zimbabwe Cyber Risk Guidelines and Operational Risk requirements modelled directly. The bank that operates Custodian GRC runs one programme, not three.
Insurers · Brokers · Pension funds
IPEC prudential and conduct
Insurance and Pensions Commission requirements mapped against the same controls a CDPA RoPA already exposes. The insurance arm of a financial group is not running a parallel programme.
Parastatals · State-owned enterprises
Public Entities Corporate Governance Act
PECG governance requirements modelled for parastatals running a custody-grade programme alongside their commercial peers.
What the parent group, correspondent bank, and reinsurer expect.
Information Security Management System
ISO/IEC 27001
Annex A controls mapped natively to CDPA, RBZ, and IPEC controls. A single evidence base satisfies certification audits and the local regulator at the same time.
Privacy Information Management System
ISO/IEC 27701
PIMS extension over an existing ISMS, modelled so the privacy work the CDPA already requires is not done twice.
Cybersecurity Framework
NIST CSF 2.0
Govern, identify, protect, detect, respond, recover. The function map international counterparties expect to see, mapped onto the controls the local regulator inspects.
Payment card data
PCI DSS 4.0
Where in scope. Card data flows tracked with the same control language as the rest of the programme.
Trust Services Criteria
SOC 2
On request, for customers selling to North American counterparties. The TSC mapping reads off the same evidence as the rest of the platform.
Ninety minutes · Your stack
A working session against your control catalogue and your last audit.
We bring Custodian GRC live, mapped to your frameworks. You bring the open items. We leave with a starting plan.