Streamline and follow the most rigorous security and privacy standards

SOC 2 is a cybersecurity compliance framework developed for service and technology providers that handle customer data. SOC 2 drives organizations to build strong, continuous security processes to protect their customer data.

ISO 27001 is a universal standard built for organizations around the globe to establish, maintain, and continually improve their information security management system (ISMS).

Merchants or service providers that process, store, transmit, or impact credit card data need to meet the 300+ PCI DSS requirements to safeguard cardholder data.

Cyber Essentials is a certificate required for organizations working with the UK government to protect against common online threats by implementing a baseline of five essential security controls and best practices.

The New York Department of Financial Services (NYDFS) requires covered entities to uphold cybersecurity requirements related to protecting sensitive customer data and the overall security of systems and personnel within your NYDFS scope.

Financial institutions that are under the jurisdiction of the Federal Trade Commission (FTC) need to meet the Safeguards Rule to protect the security of customer data.

ISO 27017 is an international standard providing guidelines for information security controls applicable to cloud services. It addresses both cloud service providers and customers, ensuring security and compliance in cloud environments through additional controls and best practices tailored to the unique aspects of cloud computing.

Suppliers that are part of Microsoft's information supply chain need to comply with Microsoft’s Supplier Privacy and Assurance Standards (SSPA) and complete an assessment against Microsoft’s Data Protection Requirements (DPR).

NIS2 is an updated EU directive aimed at enhancing cybersecurity across all member states by improving national capabilities, cooperation, and risk management practices among key sectors and digital service providers.

The Essential Eight is a set of cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC) to help organizations mitigate cyber threats and protect their systems against a range of cyber attacks.

Center for Internet Security (CIS) enforces the Critical Security Controls (CSCs), a set of best practices and guidelines designed to safeguard organizations against cyber threats. CIS is a comprehensive approach to cybersecurity, including regular updates and audits, to ensure adherence to industry-standard security measures and enhance overall cyber defense capabilities.

SOX ITGC refers to the Information Technology General Controls under the Sarbanes-Oxley Act, which are internal controls IT departments must implement to support the integrity of financial reporting.

EU Digital Operational Resilience Act (DORA) is a regulation aimed at enhancing the operational resilience of financial institutions in the European Union in order to withstand and recover from various disruptions and threats.

TISAX (Trusted Information Security Assessment Exchange) is a European standard for information security assessments, required for companies in the automotive industry—such as suppliers and service providers—that handle sensitive information to ensure compliance with stringent data protection standards.

NIST 800-53 - High includes the greatest amount of controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - High if the loss of sensitive data would have a severe or catastrophic impact on their business.

NIST 800-53 - Moderate includes controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - Moderate if the loss of sensitive data would have a sufficient, but not catastrophic, impact on their business.

NIST 800-53 - low includes the least amount of controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - Low if the loss of sensitive data would have a minor impact on their business. 

Contractors and subcontractors working with federal or state agencies that handle Controlled Unclassified Information (CUI) must comply with NIST 800-171.

The NIST Cybersecurity Framework (NIST CSF 2.0) is required for any organization that works with the US federal government, institutions supported by federal grants, or within the supply chain for a federal agency. NIST CSF 2.0 helps organizations understand risk and improve their cybersecurity programs.

The Federal Risk and Authorization Management Program (FedRAMP) is required for any cloud service provider that works with the US federal government or handles federal data. FedRAMP standardizes security assessments, authorization, and continuous monitoring for cloud products and services, ensuring they meet strict cybersecurity requirements before being used by federal agencies.

GovRAMP (formerly known as StateRAMP) standardizes cloud security requirements for State, Local, Tribal, and Territorial (SLTT) governments and public institutions including universities, helping them securely adopt cloud technologies. GovRAMP helps streamline procurement and risk management for SLTT governments and public institutions while ensuring vendors meet consistent security standards and requirements.

The Criminal Justice Information Services (CJIS) framework is for government entities that access or manage sensitive information from the US Justice Department. CJIS is designed to ensure data security in law enforcement. 

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is an evolving model that contractors working with the Department of Defense (DoD) and other federal agencies must meet. 

TX-RAMP (Texas Risk and Authorization Management Program) is a framework that standardizes the risk management and authorization process for cloud services used by Texas state agencies and institutions. Organizations need to comply with TX-RAMP to ensure they meet the state's security and privacy requirements, facilitating secure and efficient cloud service usage within the public sector.

Modern healthcare plans, providers, insurers, clearinghouses, biotech organizations, and pharmaceutical organizations must achieve and maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA).

ISO 27701 is the data privacy extension of ISO 27001. ISO 27001 is for organizations around the globe to establish, maintain, and continually improve their information security management system (ISMS).

Organizations that handle European Union (EU) and United Kingdom (UK) customer data must uphold the various privacy and security requirements to comply with the General Data Protection Regulation (GDPR).

Businesses that target or collect the personal data of California residents need to achieve and maintain compliance with the California Consumer Protection Act (CCPA).

The California Privacy Rights Act (CPRA) amends CCPA's consumer rights by introducing new requirements for businesses to protect customer data and includes an enforcement agency, the California Privacy Protection Agency (CPPA).

For organizations that are incorporating AI into their products and processes, Secureframe helps with NIST AI RMF compliance and risk management associated with AI systems.

For organizations that are incorporating AI into their products and processes, Secureframe helps organizations comply with ISO 42001, and manage responsible development and use of AI systems.

Use Secureframe to create custom frameworks based on your unique requirements, industry standards, and regulatory obligations and achieve your compliance goals. Map our pre-built controls and tests to your custom frameworks using our control library and test library to save time on evidence collection and control monitoring.

ISO 9001 is an international standard built to provide a structured framework for organizations to establish and maintain a Quality Management System (QMS).