Frameworks overview
Hyperproof supports 121 frameworks.
Adobe Common Controls Framework (CCF) v4.0. To support ongoing compliance efforts, Adobe implemented an open, foundational framework of security processes and controls. CCF helps protect infrastructure, applications and services, and helps Adobe comply with a number of industry-accepted best practices, standards, regulations and certifications. In creating CCF, Adobe analyzed the criteria for the most common security certifications for cloud-based businesses and rationalized the more than 1,350 requirements down to Adobe-specific controls that map to approximately a dozen industry standards.
AICPA SOC 2 - 2017 Trust Services Criteria With Revised Points of Focus — 2022. The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017 TSC) presents control criteria established by the AICPA’s Assurance Services Executive Committee (ASEC) for use in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems used to provide products or services (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity’s operational, reporting, or compliance objectives; and (d) for a particular type of information used by the entity. This version of the 2017 TSC has been modified to reflect new points of focus and edits to extant points of focus (collectively referred to as revisions) relevant to certain of the trust services criteria. Points of focus represent important characteristics of the criteria. As such, they may assist both management and the practitioner when they are evaluating whether controls were suitably designed and operated effectively to achieve the entity’s objectives based on the trust services criteria.
Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) v2.2. Combines Title I and Title III of the Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) v2.2. Title I of the ADA prohibits employment discrimination against qualified individuals with disabilities (EEOC). Title III of the ADA prohibits discrimination based on disability in places of public accommodation. WCAG documents explain how to make web content more accessible to people with disabilities.
APRA CPS 230 and CPS 234. An information security regulation issued by the Australian Prudential Regulation Authority. It requires financial institutions to establish and maintain security measures that protect critical data and IT systems. The regulation mandates proactive risk management, secure outsourcing arrangements, incident response planning, and governance structures to ensure resilience against cyber threats and unauthorized data access.
Australia ASD Essential Eight Maturity Model - Nov 2023. Outlines the Essential Eight as a comprehensive set of strategies to mitigate cyber security incidents, providing organizations with a baseline defense against various cyber threats. The Essential Eight is designed to protect Australian businesses and government agencies from cyber attacks, emphasizing the importance of a proactive and layered approach to cyber security. The strategies include application control to prevent unauthorized software execution; patching applications to secure vulnerabilities; configuring Microsoft Office macro settings; user application hardening against exploitation; restricting administrative privileges to essential users; multi-factor authentication for additional security layers; daily backup of important data; and patching operating systems. These measures are aimed at making it more difficult for adversaries to compromise systems, ensuring the integrity, confidentiality, and availability of sensitive information.
Australian ISM for IRAP and ASD by Australian Cyber Security Centre (ACSC) - Sep 2024. For TOP SECRET systems, including sensitive compartmented information systems, security assessments can be undertaken by ASD assessors (or their delegates). For SECRET and below systems, security assessments can be undertaken by an organisation’s own assessors or Infosec Registered Assessors Program (IRAP) assessors.
AWS Well-Architected Framework - 2023. A comprehensive guide designed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. It is based on five key pillars: Operational Excellence, Security, Reliability, Performance Efficiency, and Cost Optimization. Each pillar includes best practices, design principles, and actionable guidance, enabling architects to evaluate and improve their cloud architecture. The framework also offers a structured approach to review and refine systems, ensuring they align with AWS's established best practices.
Bank Secrecy Act Compliance Program (BSA). Includes regulations and illustrative controls covering selected regulations from Title 31 Chapter X and Title 12 Chapter I. It includes regulations addressing Customer Identification Program (CIP), Customer Due Diligence (CDD), Anti-money Laundering (AML), Enhanced Due Diligence (EDD), Currency Transaction Reports (CTR), Suspicious Activity Reporting (SAR), and others.
Brazilian General Data Protection Law (LGPD). Contains provisions and requirements related to the processing of personal data of individuals, where the data is of individuals located in Brazil, where the data is collected or processed in Brazil, or where the data is used to offer goods or services to individuals in Brazil.
BSI Cloud Computing Compliance Controls Catalog (C5 v2020). A German government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government's "Security Recommendations for Cloud Providers".
C4 CryptoCurrency Security Standard (CCSS). A security standard that helps secure all information systems that make use of cryptocurrencies. By standardizing the security techniques and methodologies used by cryptocurrency systems around the globe, end-users will be able to easily make educated decisions about which products and services to use and with which companies they wish to align.
CA Browser Forum (CAB) Network Security Controls v1.3. Network and Certificate System Security Requirements (Requirements) that apply to all publicly trusted Certification Authorities (CAs).
California Consumer Privacy Act (CCPA). A bill intended to enhance privacy rights and consumer protection for residents of California, United States.
Canadian OSFI Guideline B-13: Technology and Cyber Risk Management. Provides comprehensive cybersecurity risk management standards for federally regulated financial institutions in Canada. It outlines best practices to enhance cyber resilience, focusing on governance, risk assessment, controls, and incident response. The guideline aims to help institutions protect against and respond to cybersecurity threats effectively, ensuring the stability and security of the financial system.
Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) - Privacy Guide for Business. A Canadian law relating to data privacy. It governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.
China Cybersecurity Law - Personal Information (PI). Specifies principles and security requirements relating to the processing of PI, including collection, storage, use, sharing, transfer, and public disclosure. This specification applies to the processing of PI by various entities, as well as to the supervision, administration, and assessment of PI processing activities by entities such as supervisory authorities and third-party review organizations.
CIS Controls v8.1 - Center for Internet Security. Simplified and prioritized cyber defense guidance. Enhanced to keep up with evolving technology (modern systems and software), evolving threats, and even the evolving workplace.
Cisco Cloud Controls Framework (CCF) v2. A rationalized framework with comprehensive control requirements taken from numerous, globally accepted, security compliance frameworks and certifications. It provides a structured, “build-once-use-many” approach for achieving multiple regional and international certifications, enabling market access and scalability, as well as easing compliance strain.
CMS Acceptable Risk Safeguards 5.0x and Information Systems Security and Privacy Policy (IS2P2) v3.0. Defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems. It also provides direction for all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems; systems maintained on behalf of CMS; and other collections of information.
CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) Harmonized Security and Privacy Framework v2.2. Defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans.
COBIT 2019. A framework for the governance and management of enterprise information and technology, aimed at the whole enterprise.
CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4 for Cloud Controls Matrix (CCM). A standardized questionnaire designed to assess cloud providers' security and compliance capabilities. It consists of a set of yes/no questions that align with the Cloud Security Alliance's CCM, covering domains such as data security, identity management, and risk management. The CAIQ enables cloud customers to evaluate the security posture of potential cloud service providers, ensuring alignment with best practices and regulatory requirements.
CSA Cloud Controls Matrix (CCM) v4 + Consensus Assessments Initiative Questionnaire (CAIQ) v4. A cybersecurity control framework for cloud computing. It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing, and is considered a de-facto standard for cloud security assurance and compliance.
Cyber Risk Institute (CRI) Profile 2.0. Designed to help financial institutions manage and mitigate cyber risks. Developed in collaboration with industry experts, the Profile 2.0 provides a comprehensive set of standards and best practices to enhance cybersecurity resilience. It aligns with various regulatory requirements and industry guidelines, enabling organizations to systematically assess, prioritize, and address cybersecurity threats. The Profile 2.0 emphasizes a risk-based approach, promoting effective cyber risk management through continuous monitoring, assessment, and improvement of security measures.
Cybersecurity Capability Maturity Model (C2M2) v2.1. Enables organizations to evaluate their cybersecurity capabilities and optimize security investments.
Cybersecurity Maturity Model Certification (CMMC v1.02). A DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. Select levels 1-5 to create a program with the requirements for that level.
Cybersecurity Maturity Model Certification (CMMC 2.0). A new requirement for existing DoD contractors, replacing the self-attestation model and moving to third-party certification. In November 2021, the Department announced CMMC 2.0, an updated program structure and requirements designed to achieve the primary goals of the internal review.
Department of Homeland Security (DHS) 4300A - Sensitive Systems Handbook. Serves as the foundation on which Department of Homeland Security (DHS) components are to develop, build, and implement their information security programs; it provides specific techniques and procedures for implementing the requirements of the DHS Information Security Program for Sensitive Systems, and for meeting the Program’s Baseline Security Requirements (BLSR), which are generated by the DHS information security policies published in DHS Sensitive Systems Policy Directive 4300A. Components must address these BLSRs when developing and maintaining information for their security documents. This Handbook contains a compilation of DHS Component best practices that adhere to DHS Information Technology (IT) security policies and meet requirements contained in various National Institute of Standards and Technology (NIST) publications, Office of Management and Budget (OMB) direction, and Congressional and Executive mandates.
Digital Operational Resilience Act (DORA). A European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector.
Digital Operational Resilience Act (DORA) with ITS and RTS. A European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. Includes documents: 2024/1774, 2024/1772, 2025/301, 2024/1773, 2024/1505, 2024/1502, 2024/2956, JC 2024 34, JC 2024 29, JC 2024 53, JC 2024 36, and JC 2024 35.
Digital Services Act (DSA). Regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. It ensures user safety, protects fundamental rights, and creates a fair and open online platform environment. The DSA protects consumers and their fundamental rights online by setting clear and proportionate rules. It fosters innovation, growth and competitiveness, and facilitates the scaling up of smaller platforms, SMEs and start-ups. The roles of users, platforms, and public authorities are rebalanced according to European values, placing citizens at the centre.
DJCP Multi-Level Protection Scheme (MLPS) 2.0 Level 3 - MLPS GB/T 22239-2019 and 22240-2020. A set of cybersecurity protection requirements for basic information networks, information systems and big data, which is mandatory for all the network operators in China.
EASA Part-IS. Introduced by Commission Implementing Regulation (EU) 2023/203 of 27 October 2022, it establishes a mandatory information-security-risk-management system within the EASA regulatory framework, requiring organizations and competent authorities to identify, assess and mitigate information-security risks that could impact aviation safety. It extends across numerous existing EASA rules by embedding Part-IS requirements into each rule, so that every segment of aviation operations and oversight systematically incorporates information-security risk management.
ETSI EN 319 401 v3.1.1. A European standard that provides the general requirements for Trust Service Providers (TSPs) offering electronic trust services, such as digital signatures, time-stamping, and electronic seals. This standard forms the foundational framework within the ETSI 319 series and outlines the baseline security requirements, operational practices, and procedures that TSPs must adhere to, ensuring the reliability, integrity, and trustworthiness of their services. Version 3.1.1 includes updated guidelines for risk management, incident handling, and compliance with legal and regulatory obligations, ensuring that TSPs operate in a secure and trustworthy manner, in alignment with the latest technological advancements and security practices.
The EU AI Act (June 2024). Applies to organizations within the European Union that meet certain criteria, primarily focusing on high-risk AI models. Organizations facing European legal risks related to AI should adhere to this framework. For example, a small organization using ChatGPT's API would generally be considered low risk, whereas a bespoke model that reviews legal documents for banks would be classified as high risk.
EU Cyber Resilience Act 2024/2847. Establishes uniform cybersecurity requirements for products with digital elements across the European Union. Adopted on October 23, 2024, and effective from June 2025, it mandates that manufacturers integrate security measures throughout a product's life cycle, including design, development, and maintenance phases. The regulation applies to both hardware and software, ensuring that products are resilient against cyber threats and that consumers are better informed about cybersecurity risks.
EU-U.S. Data Privacy Framework (EU-U.S. DPF) - Privacy Shield. The EU-U.S. DPF, the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were developed to facilitate transatlantic commerce by providing U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom (and Gibraltar), and Switzerland that are consistent with EU, UK, and Swiss law.
Family Educational Rights and Privacy Act of 1974 (FERPA) with PTAC Guidance. Helps protect the privacy of student education records. The Act provides for the right to inspect and review education records, the right to seek to amend those records and to limit disclosure of information from the records. The intent of the legislation is to protect the rights of students and to ensure the privacy and accuracy of education records.
FBI Criminal Justice Information Services (CJIS) Security Policy, version 5.9.5. The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with a minimum set of security requirements for access to Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Division systems and information and to protect and safeguard Criminal Justice Information (CJI).
FDA Electronic Records; Electronic Signatures (21 CFR Part 11). Defines the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records. It applies to drug makers, medical device manufacturers, biotech companies, biologics developers, CROs, and other FDA-regulated industries, with some specific exceptions. It requires that they implement controls, including audits, system validations, audit trails, electronic signatures, and documentation for software and systems involved in processing the electronic data that FDA predicate rules require them to maintain.
FedRAMP LI-SaaS rev5. Requirements provide a more efficient path for Low Impact-Software as a Service providers to achieve a FedRAMP Agency Authorization to Operate (ATO).
FedRAMP rev4. A government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. Select High, Moderate, or Low to create a program with the requirements for that security baseline.
FedRAMP rev5. A government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. Select High, Moderate, or Low to create a program with the requirements for that security baseline.
FFIEC Cybersecurity Assessment Tool (CAT) 2017. Developed by the Federal Financial Institutions Examination Council (FFIEC) on behalf of its members, the Assessment helps institutions identify their risks and determine their cybersecurity maturity. The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices. The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.
Florida Information Protection Act (FIPA) 2019. A Florida state law governing privacy rules for entities handling personal information. Updated 2019.
French ANSSI SecNumCloud v3.2. France’s top-tier "trusted-cloud" qualification, published on 8 March 2022. It applies to SaaS, PaaS, CaaS and IaaS offerings and asks providers to satisfy 360-plus prescriptive controls grouped under 14 security domains that extend ISO 27001 (e.g., risk management, cryptography, incident response, business continuity, compliance). Qualification is granted service-by-service for three years and is monitored by annual audits.
French ASIP HDS - HDH Certification v2.0. Constitutes the certification reference system applicable to hosts wishing to obtain certification for the scope of "physical infrastructure provider" or "IT managed services provider" of personal health data in France.
General Data Protection Regulation 2016/679 (GDPR). A regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Hyperproof's version of the European Union's GDPR legislation has been reduced to only those requirements that apply directly to Data Controllers and Processors.
Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule (15 USC 6801-6803, 6821; 16 CFR 313, 314; 12 CFR Part 225 A.F.). Requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Includes 12 CFR Appendix F to Part 225, "Interagency Guidelines Establishing Information Security Standards"; 16 CFR 313, "Privacy of Consumer Financial Information", and 16 CFR 314, "Standards for Safeguarding Customer Information".
Health Insurance Portability and Accountability Act (HIPAA). United States legislation that provides data privacy and security provisions for safeguarding medical information.
Hyperproof Common Control Framework (CCF) 2024.3. This framework is a modern set of cybersecurity and privacy controls, each distilled from key elements found in established frameworks such as NIST 800-53, AICPA SOC 2, ISO 27001, CIS, GDPR, and PCI DSS. This framework facilitates organizational compliance by standardizing processes to effectively address cybersecurity, privacy, and information system risks. Designed to support organizations in advancing their compliance maturity, it provides a structured yet flexible approach to cybersecurity and privacy risk management.
IATF 16949:2016 - Automotive Quality Management Standard. An international quality management standard specifically designed for the automotive industry, emphasizing defect prevention, continual improvement, and waste reduction across the automotive supply chain. It integrates ISO 9001 requirements with automotive-specific criteria to enhance customer satisfaction, product safety, and reliability. Note you must have a license acquired from AIAG to use the IATF 16949 program.
IBM Cloud Framework for Financial Services. Designed to help address the needs of financial services institutions with regulatory compliance, security, and resiliency during the initial deployment phase and with ongoing operations.
IEC 62443 4-1:2018 and 4-2:2019: Security for Industrial Automation and Control Systems. International standards series designed to secure industrial communication networks and systems. IEC 62443 4-1 focuses on secure product development lifecycle requirements. It outlines practices and procedures for developing and maintaining secure products, addressing aspects from specification and design to maintenance. IEC 62443 4-2 deals with technical security requirements for industrial automation and control systems components. It specifies how to secure components against unauthorized access and misuse, thereby ensuring the resilience and integrity of industrial operations. Together, these standards provide a framework for enhancing the cybersecurity of industrial environments.
Information System Security Management and Assessment Program (ISMAP). A Japanese government program for assessing the security of public cloud services. The aim of ISMAP is to establish a common set of security standards that Cloud Service Providers (CSPs) must comply with as baseline requirements for government procurement. ISMAP introduces security requirements for the cloud domains, practices, and procedures that cloud service providers must implement. Cloud service providers must engage an ISMAP-approved third-party assessor to assess compliance with the ISMAP security requirements in order to apply as an ISMAP-registered provider. The ISMAP program evaluates the security of cloud service providers and registers those who satisfy the Japanese government’s security requirements. Once a provider is registered with ISMAP, government procurement departments can accelerate their engagement with it.
ISO 9001:2015 Quality Management Systems - Requirements. Specifies requirements for a quality management system when an organization: a) needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and b) aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements. All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.
ISO 14001:2015 Environmental Management Systems - Requirements with Guidance for Use. An environmental management system provides organizations with a framework to protect the environment and respond to changing environmental conditions in balance with socio-economic needs. The standard specifies requirements that enable an organization to achieve the intended outcomes it sets for its environmental management system.
ISO 17025:2017 General Requirements for the Competence of Testing and Calibration Laboratories. Specifies the general requirements for the competence, impartiality, and consistent operation of laboratories.
The ISO 20000-1:2018 Information Technology - Service Management System Requirements. Specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS). The requirements specified include the planning, design, transition, delivery and improvement of services to meet the service requirements and deliver value.
ISO/IEC 20243:2023 - Open Trusted Technology Provider Standard (O-TTPS). An international standard focused on mitigating risks in the supply chain for information and communication technology (ICT) products. It establishes best practices for detecting and avoiding counterfeit, maliciously tainted, or unauthorized products within the supply chain. By implementing ISO 20243, organizations can enhance the security and integrity of their ICT systems by ensuring trustworthy sourcing and production processes.
The ISO/SAE 21434:2021 Road Vehicles - Cybersecurity Engineering. This program addresses the cybersecurity perspective in engineering of electrical and electronic (E/E) systems within road vehicles. By ensuring appropriate consideration of cybersecurity, this document aims to enable the engineering of E/E systems to keep up with state-of-the-art technology and evolving attack methods.
ISO 22301:2019 Security and Resilience - Business Continuity Management Systems. Specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity.
ISO 26262:2018 - Standards 3, 4, 5, 6, 7, 8, and 9. An international standard that ensures the functional safety of electrical and electronic systems in road vehicles throughout the entire safety life-cycle, from concept to production. The Hyperproof program integrates Standards 2, 4, 5, 6, 7, 8, and 9 of ISO 26262, which provide essential compliance requirements for automotive safety processes. Other standards within ISO 26262 offer guidance and definitions and are not included in this program. Any non-applicable requirements can be marked as not applicable. This approach helps automotive manufacturers and suppliers develop reliable and safe vehicle systems effectively.
ISO 27001:2013 Information Technology - Security Techniques. An international standard to provide requirements for establishing, implementing, maintaining and continually improving an information security management system.
ISO 27001:2019 Security Techniques - Extension to ISO/IEC 27001:2013 for Privacy Information Management.
ISO 27001:2022 - Information Security Management Systems. IT security, cybersecurity, and privacy protection are vital for companies and organizations today. The ISO/IEC 27000 family of standards keeps them safe. ISO/IEC 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements.
ISO 27002:2013 - Information Technology - Security Techniques - Code of Practice for Information Security Controls. This International Standard is designed for organizations to use as a reference for selecting controls within the process of implementing an Information Security Management System (ISMS) based on ISO/IEC 27001 or as a guidance document for organizations implementing commonly accepted information security controls. This standard is also intended for use in developing industry- and organization-specific information security management guidelines, taking into consideration their specific information security risk environment(s).
ISO 27002:2022. Provides a reference set of generic information security controls and guidance designed to be used by organizations within the context of ISO 27001 and based on internationally recognized best practices.
ISO 27017:2015 Information Technology - Security Techniques - Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services. Provides guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, and additional controls with implementation guidance that specifically relate to cloud services. This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.
ISO 27018:2019 Information Technology - Security Techniques - Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds.
ISO 27799:2016 Health Informatics - Information Security Management in Health using ISO/IEC 27002. This International Standard provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information. It is based upon and extends the general guidance provided by ISO/IEC 27002:2013 and addresses the special information security management needs of the health sector and its unique operating environments.
ISO 28000:2022 Security and Resilience - Security Management Systems. Specifies requirements for a security management system, including those aspects critical to the security assurance of the supply chain. It requires the organization to assess the security environment in which it operates, including its supply chain (including dependencies and interdependencies); determine if adequate security measures are in place to effectively manage security-related risks; manage compliance with statutory, regulatory and voluntary obligations to which the organization subscribes; and align security processes and controls, including the relevant upstream and downstream processes and controls of the supply chain, to meet the organization's objectives.
ISO 42001 - Artificial Intelligence Management System. An international standard that provides a framework for organizations to manage the ethical development, deployment, and governance of Artificial Intelligence (AI) systems. It details mandatory clauses and control requirements aimed at ensuring AI systems are developed and utilized in a manner that considers ethical implications, bias, transparency, and accountability. The standard includes guidance on organizational context analysis, stakeholder engagement, AI policy formulation, risk assessment processes, and internal audit mechanisms. Annex A of the standard further elaborates on specific requirements for AI system development and usage, covering aspects such as policies, resources, impact assessments, and data management. ISO 42001's applicability is intended for various industries and organizations aiming to adhere to responsible AI practices.
ISO 45001:2018 Occupational Health and Safety Management Systems. Contains requirements that can be used by an organization to implement an OH&S management system and to assess conformity.
Israeli Protection of Privacy Law and Regulations. The Israeli privacy laws, particularly those from 1981 (Protection of Privacy Law, 5741-1981), 2001 (Regulations Under the Protection of Privacy Law, 5761-2001), 2017 (Protection of Privacy Law Amendment, 5777-2017), and 2023 (further amendments in 5783-2023), establish a robust legal framework designed to protect the privacy and personal data of individuals. The 1981 law laid the foundation, establishing basic privacy rights and creating the framework for data protection, which prohibits the misuse or unauthorized sharing of personal data. Subsequent amendments and regulations, such as those in 2001, have updated the law to include specific guidelines on data security and the responsibilities of data controllers, adapting to technological advances. The 2017 amendment further tightened data security requirements, introducing obligations for notification of data breaches. Most recently, the 2023 amendments have focused on enhancing transparency and granting individuals greater control over their personal data, reflecting global trends towards stronger data protection and privacy rights.
International Traffic in Arms Regulation (ITAR) Compliance Program Guidelines. Contains information on the elements of an effective ITAR Compliance Program (ICP) and how to design and implement an ICP for organizations that manufacture, export, broker, or temporarily import defense articles and defense services described on the United States Munitions List (USML).
Italian ACN Cybersecurity and Privacy Regulations. A comprehensive framework that aims to protect national cyberspace, promote digital autonomy, and ensure compliance with cybersecurity regulations. It plays a central role in developing and implementing the National Cybersecurity Strategy, overseeing the National Cybersecurity Perimeter, and acting as the National Competent Authority for NIS2.
The ITSG-33 Government of Canada Controls Catalogue. Developed to help Government of Canada (GC) departments ensure that security is considered right from the start. These requirements are derived from ITSG-33 Annex 3A, which covers the roles, responsibilities and activities of GC department risk management. Published 2012.
Personal Information & Information Security Management System (ISMS-P) 2024. A Korean integrated certification system that consolidated 'Personal Information Management System (PIMS) certification' and 'Information Security Management System (ISMS) certification', both of which were previously operated separately, into one certification system. ISMS-P has been enforced since November 7, 2018. Enterprises and institutions can expect to improve the external reliability of their personal information protection and security and reduce the risk of external and internal personal information infringements through the 'Personal Information and Information Security Management System.'
Microsoft Supplier Data Protection Requirements (SSPA DPR) v11. These requirements apply to each Microsoft supplier that processes personal data or Microsoft confidential data in connection with that supplier's performance (e.g., provision of services, software licenses, cloud services) under the terms of its contract with Microsoft (e.g. purchase order terms, master agreement).
Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines 2021. Set out technology risk management principles and best practices for the financial sector, to guide financial institutions (FIs) in establishing sound and robust technology risk governance and oversight, and in maintaining cyber resilience.
NERC Critical Infrastructure Protection (CIP) 09.2024. A set of regulatory standards developed by the North American Electric Reliability Corporation to safeguard the security and reliability of the bulk power system in North America. These standards focus on protecting critical cyber assets, physical infrastructure, and personnel from threats, vulnerabilities, and risks that could disrupt the operation of power grids. The CIP standards require utility companies to implement robust security measures, including risk assessments, access controls, incident response, and regular compliance audits to ensure the continuous protection of vital infrastructure.
NIS2 Directive (2022) Articles 20, 21, 23, 29, 30 with ISO 27001 Controls. Revises the European Union's Network and Information Security Directive, expanding its scope to include additional sectors and services such as health, energy, and digital infrastructure. It imposes more stringent security measures and comprehensive incident reporting requirements. Only those articles most relevant to organizations are included in the program. Those articles that apply to member states are not included.
NIST AI Risk Management Framework (AI RMF). Intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.
NIST 800-53 rev4 - Security and Privacy Controls for Federal Information Systems and Organizations. Provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors.
NIST SP 800-53 rev5 Selectable Baseline. Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. Select Low, Medium, or High to create a program with the requirements in that baseline. Optionally add the privacy baseline requirements as well.
NIST SP 800-53 rev5.1.1 Full Catalog with SSP Reporting. Provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.
NIST 800-82 rev3. Provides guidance on how to improve the security of Operational Technology (OT) systems while addressing their unique performance, reliability, and safety requirements.
NIST 800-161 rev1 Supply Chain Risk Management Practices for Federal Information Systems and Organizations. This framework is not yet final; the current requirements represent Draft 2, dated October 28, 2021.
NIST 800-171 rev2 with Assessment Objectives. The protection of Controlled Unclassified Information (CUI) resident in non-federal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal and non-federal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Systems and Organizations. The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes. The findings and evidence produced during the security assessments can facilitate risk-based decisions by organizations related to the CUI requirements.
NIST 800-171 rev3 with Assessment Objectives. This publication provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in non-federal systems and organizations. The requirements apply to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. This publication can be used in conjunction with its companion publication, NIST Special Publication 800-171A, which provides a comprehensive set of procedures to assess the security requirements.
NIST 800-218 - Secure Software Development Framework (SSDF) Version 1.1. Recommendations for Mitigating the Risk of Software Vulnerabilities. Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development Framework (SSDF), a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.
NIST Cybersecurity Framework (CSF) 1.1. A voluntary framework consisting of standards, guidelines and best practices to manage cybersecurity risks.
NIST CSF 2.0 with CSF Controls. Provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts.
NIST CSF 2.0 with NIST 800-53 rev. 5.1.1 Controls. NIST Cybersecurity Framework (CSF) is a voluntary framework consisting of standards, guidelines and best practices to manage cybersecurity risk.
NIST Privacy Framework (PF) 1.0. A voluntary tool designed to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals' privacy.
NISTIR 8374 Ransomware Risk Management. Helps organizations gauge their level of readiness to counter threats, deal with the potential consequences of events, and identify opportunities for improvement. It maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 to security capabilities and measures that help to identify, protect against, detect, respond to, and recover from ransomware events.
NYDFS Part 500 Cybersecurity Requirements for Financial Services Companies (2023 Amendments). Effective March 1, 2017, the New York Department of Financial Services (NYDFS) promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies.
OWASP Application Security Verification Standard (ASVS) v4.0.3. Provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
Payment Card Industry Data Security Standard (PCI DSS) v3.2.1. Developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Payment Card Industry Data Security Standard (PCI DSS) v4.0 with Test Procedures. Developed to encourage and enhance payment card account data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
Payment Card Industry Data Security Standard (PCI DSS) v4.0.1. Developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. While specifically designed to focus on environments with payment card account data, PCI DSS can also be used to protect against threats and secure other elements in the payment ecosystem.
SASB ESG. This supplement provides an overview of SASB's approach to greenhouse gas emissions and related topics in the SASB ESG and offers guidance for reporting entities that wish to disclose Scope 1, 2, or 3 emissions.
Saudi Arabia Essential Cybersecurity Controls (ECC) 2018. Measures that aim to help government and government-affiliated organizations enhance their cybersecurity posture. The Kingdom of Saudi Arabia, as part of the Saudi Vision 2030, has developed and promulgated the Essential Cybersecurity Controls (ECC).
Secure Controls Framework (SCF) July 2025. Focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures, technologies and associated processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected, and corrected.
SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.15c-3). Under the Securities Exchange Act of 1934; the bulk of 240.15c is included in this framework, with the exception of definitions and terms.
SEC 17 CFR PART 240 17a: Preservation of Records and Reports of Stabilizing Activities (§§ 240.17a-1 to 240.17f-2). Under the Securities Exchange Act of 1934, these rules specify minimum requirements with respect to the records that broker-dealers must make, and how long those records and other documents relating to a broker-dealer's business must be kept. The bulk of 240.17 is included in this framework, with the exception of definitions and terms.
Sarbanes-Oxley Act (SOX) of 2002. SOX ICFR and ITGC covers sections 302, 401, 403, 404 and 409. Additionally, it includes Regulation S-X, "Form and Content of and Requirements for Financial Statements"; Regulation S-K, "disclosure requirements"; COSO Internal Control - Integrated Framework; and COBIT Control Objectives for Information and Related Technologies. These additional inclusions are some of the primary rules, items, practices, and standards used by organizations to meet the requirements of SOX. Internal control over financial reporting (ICFR) and Information Technology General Controls (ITGC) illustrative control templates are included with this program.
Spanish National Security Scheme (ENS) 2022. A regulatory and reference framework established in Spain based on Spanish legislation and European regulations related to information security. The ENS was established in 2010 and is based on Royal Decree 311/2022, establishing the principles and requirements to protect information confidentiality, integrity, availability, and authenticity in public entities and organizations.
StateRAMP rev5. Represents the shared interests of state and local governments, third party assessment organizations, and service providers with IaaS, SaaS, and PaaS solutions. StateRAMP is built on the National Institute of Standards and Technology Special Publication 800-53 framework, modeled in part after FedRAMP, and based on a "complete once, use many" concept that saves time and reduces costs for both service providers and governments. Like FedRAMP, StateRAMP relies on FedRAMP Authorized 3PAOs to conduct assessments.
Swift Customer Security Controls Framework (CSP CSCF) v2024. Outlines a comprehensive set of mandatory and advisory security controls for institutions using the SWIFT network. This framework is designed to protect against fraud and cyber threats by enforcing rigorous standards around user access, security policies, and incident response. The v2024 update strengthens existing controls while introducing new measures to address emerging cybersecurity challenges and compliance requirements. |
Task Force on Climate-Related Financial Disclosures (TCFD). Committed to market transparency and stability, we believe that better information will allow companies to incorporate climate-related risks and opportunities into their risk management and strategic planning processes. As this occurs, companies' and investors' understanding of the financial implications associated with climate change will grow, empowering the markets to channel investment to sustainable and resilient solutions, opportunities, and business models.
Trusted Information Security Assessment Exchange (TISAX VDA ISA v6). An information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. It is used by companies both for internal purposes as well as assessments by suppliers and service providers who process sensitive information from their respective companies.
Texas Risk and Authorization Management Program (TX-RAMP v2.0). A standardized approach to the assessment and evaluation of cloud computing services. Per 1 Texas Administrative Code Chapter 202, it defines the processes, procedures, and compliance requirements relating to the use of cloud computing services by Texas state agencies.
UK Cyber Essentials 2023: Requirements for IT Infrastructure. An effective, government-backed scheme that will help you to protect your organization, whatever its size, against a whole range of the most common cyber attacks. Includes the illustrative test specification.
WebTrust for CAs - Extended Validation SSL v1.8. The primary goal of the CA/Browser Forum's Guidelines for the Issuance and Management of Extended Validation (EV) SSL Certificates is to enable efficient and secure electronic communication, whilst addressing user concerns about the trustworthiness of certificates. The guidelines also serve to inform users and help them to make informed decisions when relying on certificates. The purpose of this program is to set out criteria that would be used as a basis for a practitioner to conduct an Extended Validation SSL engagement.
WebTrust for CAs - S/MIME Certificates v1.0. The Baseline Requirements for the Issuance and Management of S/MIME Certificates enable efficient and secure electronic communication, whilst addressing user concerns about the trustworthiness of certificates. The requirements also serve to inform users and help them to make informed decisions when relying on certificates.
WebTrust for CAs - SSL Baseline with Network Security v2.7. The WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security ("Criteria") is used as a basis for a practitioner to conduct an SSL Baseline Requirements and Network and Certificate Systems Security Requirements engagement. The primary goal of the CA/Browser Forum's Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates and Network and Certificate Systems Security Requirements is to enable efficient and secure electronic communication, whilst addressing user concerns about the trustworthiness of certificates. The requirements also serve to inform users and help them to make informed decisions when relying on certificates. The CA/Browser Forum, which consists of many of the issuers of digital certificates and browser and other application developers, has developed guidelines that set out the expected requirements for issuing SSL certificates. The Forum has also issued additional security guidelines that apply to all publicly trusted Certification Authorities (CAs), regardless of the certificate type being issued.
WebTrust for Certification Authorities - Code Signing - Version 3.2. The primary goal of the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates is to enable efficient and secure electronic communication, whilst addressing user concerns about the trustworthiness of Code Signing Certificates. The guidelines also serve to inform users and help them to make informed decisions when relying on certificates. The purpose of these WebTrust Principles and Criteria for Certification Authorities - Code Signing Baseline Requirements is to set out criteria that would be used as a basis for a practitioner to conduct an engagement on the Issuance and Management of Publicly-Trusted Code Signing Certificates.
WebTrust for CAs - Principles and Criteria for Certification Authorities v2.2.2. A framework for auditors to assess the adequacy and effectiveness of the controls used by Certification Authorities (CAs).
WebTrust Principles and Criteria for Registration Authorities v1.1. A framework for third-party assurance providers to assess the adequacy and effectiveness of the controls employed by a Registration Authority (RA) that performs either a portion or all of the registration-related functions for a Certification Authority (CA) on an outsourced basis.