Compliance Framework Catalog
Database-managed framework catalog covering security, privacy, industry, and regional compliance programs.
security (52)
SOC 2 Type II
Service trust criteria for security, availability, processing integrity, confidentiality, and privacy.
ISO/IEC 27001
Information Security Management System (ISMS) requirements.
FIPS 140-3
Security requirements for cryptographic modules used in regulated systems.
FedRAMP
US federal authorization program for cloud services used by government agencies.
CMMC
Cybersecurity maturity requirements for defense contractors.
ISO/IEC 42001
AI management system requirements for trustworthy AI governance.
NIST AI Risk Management Framework
Framework for identifying and managing AI risks.
NIST SP 800-161
Supply chain risk management practices for systems and organizations.
NIST Cybersecurity Framework 2.0
Govern, Identify, Protect, Detect, Respond, Recover cybersecurity outcomes.
NIST SP 800-53 Rev.5
Security and privacy controls for federal information systems.
NIST SP 800-171
Protection of Controlled Unclassified Information in nonfederal systems.
FISMA
Federal Information Security Modernization Act requirements.
CSA Cloud Controls Matrix
Cloud security control framework and assurance model.
CIS Controls v8
Prioritized cybersecurity best practices for enterprise defense.
SOC 3
General-use report over trust services criteria for public assurance.
AICPA Trust Services Criteria
Control criteria framework underlying SOC reporting.
CIS Benchmarks
Secure configuration baselines for systems and cloud services.
CNSSI 1253
Security control selection guidance for US national security systems.
CSA STAR
Cloud assurance and transparency registry program.
Cyber Essentials
UK baseline cyber hygiene certification requirements.
Cyber Essentials Plus
Enhanced UK cyber hygiene certification with independent technical verification.
DoD Cloud SRG
Cloud security requirements guide for Department of Defense workloads.
DoD Zero Trust Strategy
US DoD zero trust target architecture and implementation activities.
Essential Eight
Australian baseline cybersecurity mitigation strategies.
FIPS 199
Standards for security categorization of federal information and systems.
FIPS 200
Minimum security requirements for federal information and information systems.
GovRAMP
Government RAMP continuous assurance profile used by state and local public-sector buyers.
ISO 22301
Business continuity management system requirements.
ISO 22316
Organizational resilience principles and indicators for disruption readiness.
ISO 22317
Business impact analysis guidance for continuity and recovery planning.
ISO 22320
Emergency management and incident response command and control requirements.
ISO 31000
Risk management principles and guidelines for enterprises.
ISO/IEC 27002
Information security controls catalogue supporting ISO 27001 implementation.
ISO/IEC 27005
Information security risk management guidance for risk identification and treatment.
ISO/IEC 27017
Cloud security controls guideline for cloud service providers and customers.
ISO/IEC 27035
Information security incident management lifecycle requirements and practices.
ISO/IEC 27036
Supplier relationship security controls for third-party and supply-chain risk.
ISO/IEC 29147
Vulnerability disclosure framework and communication controls.
ISO/IEC 30111
Vulnerability handling process requirements.
NIST Risk Management Framework
Risk management lifecycle for system authorization and operation.
NIST SP 800-171A
Assessment procedures for evaluating NIST 800-171 requirements.
NIST SP 800-172
Enhanced security requirements for high-value CUI environments.
NIST SP 800-30
Guide for conducting risk assessments.
NIST SP 800-61
Computer security incident handling guidance.
NIST SSDF
Secure software development framework controls.
NIST Zero Trust Architecture
Zero trust principles and reference architectures.
OWASP ASVS
Application security verification requirements and checklist.
OWASP SAMM
Software assurance maturity model for secure SDLC governance.
SLSA
Supply-chain levels for software artifact integrity and provenance.
SOC for Cybersecurity
AICPA reporting framework for enterprise cybersecurity risk management.
StateRAMP
Security authorization framework for state and local governments.
TX-RAMP
Texas risk and authorization management program for cloud services.
privacy (53)
HIPAA Security Rule
Safeguards for electronic protected health information.
GDPR
General Data Protection Regulation for EU personal data protection.
GLBA
Financial privacy and safeguards requirements.
FERPA
Student education record privacy requirements.
PPRA
Protection of Pupil Rights Amendment requirements for US educational institutions.
COPPA
Children's Online Privacy Protection Act requirements for online services directed to children.
SOPIPA
Student Online Personal Information Protection Act obligations for edtech vendors.
CCPA
California consumer privacy rights and disclosure obligations.
CPRA
California privacy rights expansion with sensitive data obligations.
ISO/IEC 27701
Privacy Information Management System (PIMS) extension to ISO 27001.
42 CFR Part 2
US confidentiality protections for substance use disorder patient records.
Australia Privacy Act 1988
Australian privacy principles and data handling obligations.
Colorado Privacy Act
Colorado privacy obligations for controllers and processors.
Connecticut CTDPA
Connecticut data privacy controls and rights handling obligations.
Delaware DPDPA
Delaware personal data privacy act controls and requirements.
EU-US Data Privacy Framework
Cross-border data transfer commitments and safeguards.
GDPR DPIA Program
Data protection impact assessment operational framework.
Hong Kong PDPO
Personal data privacy ordinance compliance obligations.
India DPDP Act
Digital personal data protection requirements in India.
Indiana Consumer Data Protection Act
Indiana privacy governance and consumer rights controls.
Iowa Consumer Data Protection Act
Iowa privacy law obligations for covered entities.
ISO/IEC 27018
Protection of personally identifiable information (PII) in public cloud environments.
Japan APPI
Act on the Protection of Personal Information requirements.
Kentucky Consumer Data Protection Law
Kentucky privacy controls for controllers and processors.
Korea PIPA
Korean personal information protection obligations.
LGPD
Brazilian general data protection law obligations.
Malaysia PDPA
Personal Data Protection Act requirements for commercial entities.
Maryland Online Data Privacy Act
Maryland privacy law with heightened data minimization requirements.
Minnesota Consumer Data Privacy Law
Minnesota privacy compliance requirements for data handling.
Montana Consumer Data Privacy Act
Montana privacy obligations for data controllers and processors.
Nebraska Data Privacy Act
Nebraska personal data governance and rights obligations.
New Hampshire Privacy Law
State privacy controls for transparency and consumer rights.
New Jersey Data Privacy Act
New Jersey consumer privacy requirements and obligations.
New Zealand Privacy Act 2020
New Zealand privacy principles and breach reporting controls.
NIST Privacy Framework
Risk-based privacy engineering and governance outcomes.
Oregon Consumer Privacy Act
Oregon privacy controls for consumer requests and data governance.
Philippines Data Privacy Act
Data privacy governance and breach reporting requirements.
PIPEDA
Canadian federal privacy law for personal information protection.
Quebec Law 25
Quebec privacy modernization obligations and governance controls.
Rhode Island Data Transparency and Privacy
Rhode Island privacy requirements for regulated entities.
Saudi PDPL
Saudi personal data protection law obligations and transfer restrictions.
Singapore PDPA
Singapore personal data protection obligations and accountability.
South Africa POPIA
Protection of Personal Information Act governance and safeguards.
Swiss FADP
Swiss federal data protection obligations and transfer controls.
Tennessee Information Protection Act
Tennessee privacy framework and affirmative defense controls.
Texas TDPSA
Texas Data Privacy and Security Act obligations.
Thailand PDPA
Thailand data privacy law for collection, use, and disclosure controls.
TRUSTe Privacy Program
Privacy program assurance and accountability controls.
Turkey KVKK
Turkish data protection law compliance requirements.
UAE PDPL
UAE personal data protection law requirements and safeguards.
UK GDPR
United Kingdom data protection regime based on GDPR principles.
Utah UCPA
Utah consumer privacy law compliance requirements.
Virginia CDPA
Virginia privacy law with controller and processor obligations.
industry (86)
PCI DSS
Payment card data security requirements.
PCI PIN Security
PIN processing and key management requirements for payment systems.
PCI P2PE
Point-to-point encryption standard for secure payment acceptance.
PCI Software Security Framework
Secure software and lifecycle standards for payment applications.
ITAR
International Traffic in Arms Regulations export control requirements for defense articles and technical data.
DFARS 252.204-7012
Safeguarding covered defense information and cyber incident reporting clause.
DFARS 252.204-7021
Cybersecurity maturity model certification requirements for defense suppliers.
SOX
Sarbanes-Oxley corporate governance and financial control requirements.
COSO Internal Control Framework
Internal control and enterprise risk management framework aligned with SOX governance expectations.
FFIEC CAT
Cybersecurity assessment tool for financial institutions.
SWIFT CSCF
SWIFT customer security controls framework baseline and mandatory controls.
NYDFS 23 NYCRR 500
Cybersecurity regulation for financial services entities in New York.
NYDFS Part 200 (BitLicense)
New York virtual currency business activity licensing and compliance controls.
AML/KYC Program
Anti-money laundering and customer due diligence controls.
CryptoCurrency Security Standard (CCSS)
Security controls for cryptocurrency systems, key management, and operational resilience.
HITRUST CSF
Certifiable framework harmonizing healthcare and security requirements.
FDA 21 CFR Part 11
Electronic records and signatures requirements for life sciences.
TISAX
Automotive information security assessment framework.
NERC CIP
Critical infrastructure protection requirements for the bulk electric system.
CPNI
Customer Proprietary Network Information safeguards for telecommunications carriers.
Gaming Control Board Standards
Jurisdictional controls for online gaming operations, AML, responsible gaming, and audit trails.
GLI-19 Interactive Gaming Systems
Technical standards for interactive gaming systems and security controls.
FINRA
Broker-dealer supervisory and compliance obligations.
SOC 1 Type II
Controls relevant to internal control over financial reporting for service organizations.
APRA CPS 234
Information security prudential standard for APRA-regulated entities.
AS9100
Aerospace quality and risk controls.
Automotive SPICE
Process capability model for automotive software and systems development.
Bank Secrecy Act
US anti-money laundering and recordkeeping requirements.
Basel III Operational Risk
Capital and risk management requirements for financial institutions.
CJIS Security Policy
Criminal Justice Information Services security policy requirements.
CMS MIPS Program
Quality payment program reporting and performance obligations.
COBIT 2019
Enterprise IT governance and management objectives.
EAR
Export Administration Regulations for dual-use items and technology export controls.
ETSI EN 303 645
Cybersecurity baseline for consumer IoT devices and services.
FATF Travel Rule
Virtual asset transfer information-sharing obligations.
FDA eCTD
Electronic common technical document submission requirements.
FFIEC IT Handbook
Guidance for IT risk management and cybersecurity examinations.
GAMP 5
Risk-based validation guidance for automated systems in life sciences.
GMP
Good manufacturing practice quality requirements.
GxP
Good practice quality guidelines for regulated life sciences.
HKMA TRM
Hong Kong Monetary Authority technology risk management requirements.
IATF 16949
Automotive quality management system requirements.
ICH E6(R2) Good Clinical Practice
International GCP standard for clinical trial governance and data integrity.
IEC 61508
Functional safety of electrical/electronic/programmable safety-related systems.
IEC 62304
Medical device software lifecycle process requirements.
IEC 62443
Industrial automation and control systems cybersecurity standards.
IEC 81001-5-1
Health software and health IT systems security requirements.
IRS Publication 1075
Tax information security safeguards for federal tax data.
ISO 13485
Quality management for medical device lifecycle and compliance.
ISO 14001
Environmental management system controls and compliance obligations.
ISO 14971
Medical device risk management and hazard control practices.
ISO 26262
Road vehicle functional safety requirements for automotive systems.
ISO 28000
Security management system for supply chains and logistics operations.
ISO 28001
Supply chain security management and resilience best practices.
ISO 31030
Travel risk management guidance for duty-of-care and operational safety.
ISO 37001
Anti-bribery management system requirements for corruption risk controls.
ISO 37301
Compliance management system standard with auditable governance and controls.
ISO 45001
Occupational health and safety management system requirements.
ISO 50001
Energy management system standard for efficiency and energy governance.
ISO 55001
Asset management system standard for critical infrastructure and lifecycle governance.
ISO 9001
Quality management systems with governance and process controls.
ISO/IEC 17020
Requirements for operation of inspection bodies and independent assessments.
ISO/IEC 17025
Laboratory competence requirements for testing and calibration facilities.
ISO/IEC 20000-1
IT service management system requirements.
ISO/IEC 38500
Corporate governance of IT with board-level accountability and oversight controls.
ISO/SAE 21434
Road vehicle cybersecurity engineering lifecycle controls.
MAS TRM Guidelines
Technology risk management guidelines for financial institutions in Singapore.
Maturity Model for Cybersecurity in Acquisition Ecosystems (MCIAE)
Acquisition ecosystem cybersecurity maturity controls for defense supply chains.
Nacha Operating Rules
ACH network operating rules for payments, returns, and data security.
NAIC Model Laws
Insurance cybersecurity and privacy model law obligations.
NCQA Accreditation
Healthcare quality and accreditation requirements for managed care and plans.
NIST SP 800-82
Industrial control systems security guidance.
OFAC Sanctions Compliance
Sanctions screening and blocked-party transaction controls.
Open Banking UK Security Profile
Security profile and API controls for open banking participants.
Open Finance Brazil
Brazil open finance security and consent obligations.
OSFI B-13
Canadian financial sector technology and cyber risk management guideline.
Outside Counsel Guidelines (OCG)
Client-imposed legal and security obligations for law firms and legal technology providers.
PCI Secure Software Standard
Secure software lifecycle controls for payment applications.
SAE J3061
Cybersecurity process framework for automotive systems engineering.
SAMA Cybersecurity Framework
Saudi Central Bank cybersecurity framework for financial institutions.
SEC Cyber Disclosure Rule
Cyber incident and risk governance disclosure obligations for public issuers.
SR 11-7 Model Risk Management
Model risk governance and validation expectations.
SSAE 18
Attestation standards for service organization control examinations.
SWIFT CSP
Security control framework for SWIFT-connected institutions.
UNECE R155
Vehicle cybersecurity management system requirements.
UNECE R156
Software update management system requirements for vehicles.
regional (25)
EU MiCA
Markets in Crypto-Assets regulation for crypto-asset service providers in the EU.
EU AI Act
Risk-based regulatory regime for AI systems in the European Union.
EU MDR 2017/745
Medical device regulation requirements in the European Union.
EU IVDR 2017/746
In vitro diagnostic medical devices regulation for EU market access.
EU DORA
Digital operational resilience requirements for financial entities in the EU.
Canada AIDA
Artificial Intelligence and Data Act obligations for high-impact AI systems.
eIDAS
Electronic identification and trust services regulation in the EU.
eIDAS 2.0
EU digital identity wallet and trust service evolution requirements.
EU AI Liability Directive
Proposed liability framework impacting AI documentation and traceability.
EU Cyber Resilience Act
Cybersecurity requirements for products with digital elements.
EU Data Act
Data access and sharing obligations for connected products and services.
EU Data Governance Act
Framework for data sharing services and altruism intermediaries.
GDPR + NIS2 Combined Program
Integrated privacy and cyber operations program for EU entities.
MiFID II
Financial market conduct, recordkeeping, and governance controls.
NIS Directive
Legacy EU cybersecurity directive obligations.
NIS2 Directive
EU network and information security obligations for essential entities.
NIS2 Supply Chain Program
Supplier and third-party cybersecurity governance under NIS2.
PSD2
Payment services directive with strong customer authentication controls.
Section 508
US federal accessibility requirements for ICT products and services.
SEPA Rulebooks
European payments rulebooks for credit transfer and direct debit schemes.
Singapore AI Verify
AI governance testing and process controls framework.
Solvency II
Insurance governance and risk management requirements in the EU.
UK AI Governance Principles
UK cross-sector principles for safe AI deployment and governance.
UK NIS Regulations
UK network and information systems obligations for essential services.
WCAG 2.2
Web content accessibility guidelines for inclusive digital services.
