Frameworks Glossary
Browse our list of common security, privacy, and compliance frameworks and standards
APRA Prudential Standard CPS 234
Prudential Standard CPS 234 is a regulatory framework established by the Australian Prudential Regulation Authority (APRA) to enhance cybersecurity in the financial services industry.
Australian Cyber Security Centre (ACSC) Essential Eight
Developed and recommended by the Australian Cyber Security Centre (ACSC), the Essential Eight framework offers a foundational set of mitigation strategies designed to prevent malware attacks, unauthorized access, and data exfiltration.
Australian Privacy Act
The Privacy Act promotes and protects the privacy of individuals in Australia. It regulates the handling of personal information by organizations in the federal public sector and in the private sector.
BSI IT-Grundschutz
The BSI IT-Grundschutz offers a systematic approach to information security management, providing both methodology and a catalog of security measures tailored to different aspects of IT environments.
Building Security In Maturity Model (BSIMM)
The Building Security In Maturity Model (BSIMM) is a data-driven model that provides an in-depth view of software security initiatives. BSIMM is not a standard or a checklist but rather a reflection of current practices observed in real-world software security programs. By assessing the software security initiatives of multiple organizations, BSIMM offers a benchmark for comparing and guiding software security practices.
COSO Enterprise Risk Management Framework (COSO ERM)
The COSO Enterprise Risk Management (ERM) Framework, often just referred to as COSO ERM, is a widely accepted and utilized framework for designing, implementing, conducting, and improving enterprise risk management in organizations. It aligns risk management with business strategy, driving performance.
COSO Internal Control Framework
The COSO Internal Control Framework, often referred to simply as COSO, is a widely recognized framework designed to enhance an organization's ability to achieve its objectives through the effective application of internal controls. This framework provides guidance for organizations in designing and evaluating the effectiveness of internal control systems.
Center for Internet Security (CIS)
The Center for Internet Security (CIS) Controls and CIS Benchmarks are a set of best practices designed to help organizations bolster their security posture. These controls, which have been developed by a community of IT experts, focus on a series of prioritized actions that form the foundation of any good cybersecurity program, assisting organizations in safeguarding their systems and data against the most pervasive cyber threats.
Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Through its various initiatives, research projects, and working groups, CSA provides comprehensive guidance to businesses and individuals leveraging cloud services.
Control Objectives for Information and Related Technologies (COBIT)
Control Objectives for Information and Related Technologies (COBIT) is a comprehensive framework designed for the development, implementation, monitoring, and improvement of IT governance and management practices. It provides an end-to-end business perspective for IT governance that links business goals to IT goals.
Criminal Justice Information Services (CJIS)
The Criminal Justice Information Services (CJIS) Security Policy is a set of stringent standards that govern the creation, viewing, modification, transmission, dissemination, storage, and destruction of Criminal Justice Information (CJI). These standards ensure that CJI remains available, confidential, and integral.
Critical Information Infrastructure Protection (CIIP)
Critical Information Infrastructure Protection (CIIP) pertains to measures, strategies, and activities aimed at ensuring the security, reliability, and resilience of critical information infrastructures. These infrastructures, often regarded as the backbone of nations' essential services and functions, require special protection from various cyber threats to ensure societal and economic well-being.
Cyber Essentials (UK)
Cyber Essentials is a UK government-backed scheme aimed at helping organizations protect themselves against common cyber threats. It offers a set of basic technical controls that organizations can implement to significantly reduce their vulnerability to cyberattacks.
Cybersecurity Capability Maturity Model (C2M2)
The Cybersecurity Capability Maturity Model (C2M2) is a framework designed to assess and enhance the cybersecurity capabilities of organizations. Its focus is on the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and environments.
Cybersecurity and Infrastructure Security Agency Transportation Systems Sector (CISA TSS)
The Transportation Systems Sector (TSS) represents a vast, interconnected, and complex network of systems and assets that facilitate movement of passengers and cargo. Recognizing the critical nature of this sector in the country's daily operations and economy, the Cybersecurity and Infrastructure Security Agency (CISA) has designated the TSS as one of the nation's critical infrastructure sectors.
Data Protection Act 2018
The Data Protection Act 2018 (DPA) provides individuals with rights regarding their personal information and also establishes requirements that the government and organizations must follow when collecting and processing this data.
ENISA National Cybersecurity Strategies Guidelines
The Network and Information Security Directive, which entered into force in 2016, requires EU Member States to develop and adopt a national cybersecurity strategy (NCSS) to meet current and emerging cybersecurity threats. To support the efforts of these member states, the European Union Agency for Cybersecurity (ENISA) provides guidelines on how to develop, implement and update a NCSS.
ETSI EN 303 645
ETSI EN 303 645 is a cybersecurity standard that establishes a security baseline for internet-connected consumer products and provides the foundation for future IoT certification schemes. Developed by the European Telecommunications Standards Institute (ETSI), this standard aims to address widespread concerns about the security of Internet of Things (IoT) devices.
ETSI ISG SAI (Security for Artificial Intelligence)
ETSI's Industry Specification Group on Securing Artificial Intelligence (ISG SAI) focuses on securing AI from both a usage and an adversarial perspective, aiming to build a standardized foundation for robust and secure AI deployments.
FIPS 199
The Federal Information Processing Standards Publication 199 (FIPS 199) is a set of standards for categorizing information and information systems collected or maintained by or on behalf of federal agencies.
FTC Safeguards Rule
The Federal Trade Commission's Standards for Safeguarding Customer Information is a regulatory framework aimed at ensuring the security and confidentiality of customer information held by financial institutions and other entities.
FedRAMP®
The Federal Risk and Authorization Management Program (FedRAMP) is designed to promote the adoption of secure cloud services across the federal government. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
HITRUST CSF
HITRUST, which stands for Health Information Trust Alliance, is a privately held company that collaborated with healthcare, technology, and information security leaders to establish the HITRUST Common Security Framework. The HITRUST CSF is a comprehensive and certifiable security framework used by healthcare organizations to efficiently manage regulatory compliance and risk management.
ICT Accessibility 508 Standards and 255 Guidelines
The Information and Communication Technology (ICT) Accessibility 508 Standards and 255 Guidelines are a set of guidelines and requirements established to ensure that the information and communication technology of federal agencies is accessible to individuals with physical, sensory, or cognitive disabilities. These standards are designed to promote inclusivity and equal access to digital information and communication tools, making it possible for all individuals, regardless of their disabilities, to fully participate in the digital world.
ISA/IEC 62443
ISA/IEC 62443 is a series of standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). These standards have been developed by both the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA).
ISO 13485
ISO 13485 is an internationally recognized standard that sets out the requirements for a quality management system specific to the medical devices industry. It is designed to be used by organizations involved in the design, production, installation, and servicing of medical devices and related services.
ISO 14040
ISO 14040 is an internationally recognized standard that focuses on the principles and framework for life cycle assessment (LCA) of products and services. This LCA encompasses all stages from raw material extraction through processing, distribution, use, repair, and maintenance, to final disposal or recycling.
ISO 14044
ISO 14044 is an internationally accepted standard that elaborates on specific requirements and guidelines for life cycle assessment (LCA) related to the environmental performance of products, taking into account all stages from raw material extraction to final disposal or recycling. It builds on the principles established in ISO 14040.
ISO 20121
ISO 20121 is an international standard that specifies requirements of an event sustainability management system to improve the sustainability of events.
ISO 22000
ISO 22000 is an international standard for food safety management systems. It provides a comprehensive approach for food producers to identify and control food safety hazards.
ISO 26000
ISO 26000 is an international standard developed to provide guidance on social responsibility. It offers organizations a comprehensive framework for understanding and implementing socially responsible practices and principles, fostering sustainability, and contributing positively to society.
ISO 9001
ISO 9001 is an internationally recognized quality management framework designed to help organizations consistently meet the needs and expectations of their customers as well as applicable statutory and regulatory requirements, while continuously improving their processes and overall performance.
ISO/IEC 11179
ISO/IEC 11179 is an international standard for metadata registries. It provides a framework for the representation of metadata in order to facilitate the correct and proper use and interpretation of data.
ISO/IEC 11801
ISO/IEC 11801 is an international standard that specifies general-purpose telecommunication cabling systems (structured cabling) that are suitable for a wide range of applications (analog and ISDN telephony, various data communication standards, building control systems, factory automation). It covers both balanced copper cabling and optical fiber cabling.
ISO/IEC 15288
ISO/IEC 15288 is a globally recognized standard for systems and software engineering. It offers a comprehensive framework for the life cycle processes of systems, which includes both software and hardware components.
ISO/IEC 15408
ISO/IEC 15408, popularly known as the Common Criteria (CC), is an international standard that provides a framework for evaluating the security properties of Information Technology (IT) products and systems.
ISO/IEC 15415
ISO/IEC 15415 is an international standard that specifies the quality parameters and methodologies to assess the optical characteristics of two-dimensional (2D) bar code symbols, such as QR codes, Data Matrix, and PDF417.
ISO/IEC 17025
ISO/IEC 17025 is a global standard for testing and calibration laboratories. It outlines the general requirements for the competence, impartiality, and consistent operation of laboratories.
ISO/IEC 19770
ISO/IEC 19770 is an international standard that specifies requirements for the establishment, implementation, maintenance, and improvement of an IT asset management system.
ISO/IEC 27018
ISO/IEC 27018 provides guidelines and controls for protecting personally identifiable information (PII) in the public cloud computing environment.
IoTSF Security Compliance Framework
The Internet of Things Security Foundation (IoTSF) Security Compliance Framework is a set of guidelines and best practices aimed at ensuring the secure design, development, and deployment of IoT (Internet of Things) devices and their associated ecosystems.
MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It serves as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
NIST 800-115
NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment," provides guidelines for organizations on how to conduct security testing and assessments of their information systems. It covers various methodologies, techniques, and processes related to security assessments.
NIST 800-137
NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” provides guidance and best practices for establishing, implementing, and maintaining a continuous monitoring program for information security in federal agencies and organizations.
NIST 800-30
NIST Special Publication 800-30, "Guide for Conducting Risk Assessments," provides guidance for organizations to conduct risk assessments of federal information systems and organizations. It amplifies the guidance in NIST Special Publication 800-39, which describes the organizational risk management process.
NYDFS Cybersecurity Regulation
The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation is a set of guidelines and requirements designed to enhance the cybersecurity posture of financial institutions operating in the state of New York.
OWASP ASVS
The OWASP Application Security Verification Standard (ASVS) Project provides a framework for the security of web applications and web services. It establishes a security control baseline for web applications in their design, development, and testing phases, providing developers, testers, and architects with a clear roadmap for creating secure applications.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.
SOC 1
SOC 1® is designed to provide specific users with information about a service organization’s controls relevant to their clients’ internal control over financial reporting. A SOC 1 report is often requested by a service organization's clients and their auditors.
SOC 3
SOC 3® is designed to provide general users with a concise and high-level report on a service organization’s controls related to security, availability, processing integrity, confidentiality, or privacy.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act, often abbreviated as SOX, is a United States federal law passed in 2002 in response to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors in the early 2000s. SOX was designed to enhance transparency and accountability in financial reporting and to protect investors and the public from fraudulent financial practices within publicly traded companies.
Texas Risk Assessment and Management Program (TX-RAMP)
TX-RAMP was established by the Texas Department of Information Resources to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency.
UL 2900
The UL 2900 series of standards, often referred to as the UL 2900 Framework, was developed by Underwriters Laboratories (UL) to provide a basis for evaluating and certifying the security of connected products. This series focuses on assessing the software vulnerabilities and weaknesses in network-connectable devices, considering both the product and the organizational environment.