
Compliance Frameworks (48)

Browse compliance frameworks and regulatory requirement sets, with direct links to individual requirement guides.

  • C2M2 (78 requirements): The U.S. Department of Energy's Cybersecurity Capability Maturity Model for evaluating and improving cybersecurity posture across energy sector operations, organized by domain and maturity indicator level.
  • CIS AWS Foundations (43 requirements): Prescriptive configuration baselines from the Center for Internet Security for securing core AWS account, IAM, logging, and networking services.
  • CIS V8 (153 requirements): The Center for Internet Security Critical Security Controls v8 — a prioritized set of safeguards covering asset management, access control, data protection, and incident response.
  • Client Communications & Marketing Compliance (54 requirements): Rules governing broker-dealer and investment adviser communications with the public, including SEC marketing rules, FINRA advertising standards, and related recordkeeping obligations.
  • Client Onboarding & Suitability (17 requirements): SEC rules governing Regulation Best Interest obligations for retail customer recommendations, including care, disclosure, conflict of interest, and compliance requirements.
  • Client Onboarding & Suitability Compliance (7 requirements): Investor onboarding, suitability, and Reg BI obligations imposed on broker-dealers and investment advisers under SEC and FINRA oversight.
  • CMMC (110 requirements): The U.S. Department of Defense's Cybersecurity Maturity Model Certification for contractors in the Defense Industrial Base handling Federal Contract Information and Controlled Unclassified Information.
  • COBIT (40 requirements): ISACA's governance framework for enterprise IT, linking business goals to IT processes, controls, and performance objectives.
  • COSO (68 requirements): The Committee of Sponsoring Organizations' Internal Control – Integrated Framework, widely used to design and evaluate internal controls over financial reporting and operations.
  • Data Security & Technology Compliance (23 requirements): Cybersecurity, incident disclosure, and electronic recordkeeping rules that apply to SEC registrants under Regulations S-K and S-P and related guidance.
  • DORA (64 requirements): The EU's Digital Operational Resilience Act, establishing unified ICT risk management, incident reporting, testing, and third-party oversight requirements for financial entities.
  • FedRAMP (10 requirements): The Federal Risk and Authorization Management Program baseline for standardized security assessment, authorization, and continuous monitoring of cloud services used by U.S. federal agencies.
  • FedRAMP Moderate (323 requirements): The FedRAMP Moderate baseline controls (derived from NIST SP 800-53 Rev 5) required for cloud services handling federal data whose loss would cause serious adverse effects.
  • FINRA Communications Supervision (39 requirements): FINRA rules and regulatory notices governing supervision, review, and approval of firm communications with the public, including social media and digital channels.
  • GDPR (99 requirements): The EU General Data Protection Regulation — lawful basis, data subject rights, cross-border transfer, breach notification, and accountability obligations for processing personal data of EU residents.
  • HICP (98 requirements): Health Industry Cybersecurity Practices (HICP / 405(d)) — voluntary, threat-informed cybersecurity practices for healthcare organizations of varying sizes.
  • HIPAA (69 requirements): The U.S. Health Insurance Portability and Accountability Act Security and Privacy Rules governing administrative, physical, and technical safeguards for protected health information.
  • HITRUST (12 requirements): The HITRUST Common Security Framework, a certifiable control set harmonizing HIPAA, NIST, ISO, PCI, and other authoritative sources for regulated industries.
  • HITRUST CSF (156 requirements): HITRUST CSF v11 control requirements, spanning information protection program governance, technical safeguards, and third-party assurance.
  • Investment Management Operations (21 requirements): SEC and Investment Company Act rules governing registered investment advisers and investment companies — including custody, distribution fees, codes of ethics, and derivatives use.
  • Investment Management Operations & Asset Protection (12 requirements): Investment Advisers Act, FINRA, and related custody and asset-protection obligations applicable to advisers and broker-dealers managing client assets.
  • ISO 20000 (10 requirements): The ISO/IEC 20000 service management standard, defining requirements for establishing, implementing, maintaining, and continually improving an IT service management system.
  • ISO 22301 (63 requirements): The ISO 22301 business continuity management system standard, covering policy, risk assessment, business impact analysis, and continuity and recovery procedures.
  • ISO 27001 (93 requirements): The ISO/IEC 27001 information security management system standard, including Annex A controls for governance, risk treatment, and operational security.
  • ISO 27017 (10 requirements): ISO/IEC 27017 cloud-services-specific security controls that extend ISO/IEC 27002 for cloud customers and providers.
  • ISO 27018 (10 requirements): ISO/IEC 27018 controls protecting personally identifiable information in public cloud environments acting as PII processors.
  • ISO 27701 (10 requirements): ISO/IEC 27701 privacy information management extensions to ISO/IEC 27001 for PII controllers and processors.
  • ISO 42001 (10 requirements): ISO/IEC 42001 requirements for an AI management system, covering responsible development, deployment, and oversight of artificial intelligence.
  • ISO 9001 (86 requirements): The ISO 9001 quality management system standard, covering leadership, planning, operations, evaluation, and continual improvement.
  • ISO/IEC 20000-1 (45 requirements): ISO/IEC 20000-1:2018 clauses specifying service management system requirements for planning, delivering, and improving IT services.
  • ISO/IEC 27017 (44 requirements): ISO/IEC 27017:2015 cloud-specific controls (CLD.*) supplementing ISO/IEC 27002 for cloud customer and provider responsibilities.
  • ISO/IEC 27018 (41 requirements): ISO/IEC 27018:2019 Annex A controls for protecting PII in public clouds, aligned with cloud processor obligations.
  • ISO/IEC 27701 (49 requirements): ISO/IEC 27701:2019 privacy information management clauses and control enhancements for PII controllers and processors.
  • ISO/IEC 42001 (65 requirements): ISO/IEC 42001 Annex A controls for AI management system governance, including risk, impact, lifecycle, and third-party AI oversight.
  • NIS 2 (46 requirements): The EU NIS 2 Directive's cybersecurity risk-management, incident reporting, and supply chain requirements for essential and important entities across critical sectors.
  • NIST AI RMF (72 requirements): NIST's AI Risk Management Framework — voluntary guidance for governing, mapping, measuring, and managing risks across the AI system lifecycle.
  • NIST CSF 2.0 (106 requirements): NIST Cybersecurity Framework 2.0 — outcome-based categories and subcategories across the Govern, Identify, Protect, Detect, Respond, and Recover functions.
  • NIST SP 800-171 (130 requirements): NIST SP 800-171 requirements for protecting Controlled Unclassified Information in nonfederal systems and organizations, commonly mandated for federal contractors.
  • NIST SP 800-53 (1196 requirements): NIST SP 800-53 Rev 5 catalog of security and privacy controls for federal information systems, organized across 20 control families.
  • NIST SP 800-61 (38 requirements): NIST SP 800-61 Rev 2 Computer Security Incident Handling Guide — preparation, detection and analysis, containment, eradication, and post-incident activity.
  • PCI DSS 4.0 (262 requirements): Payment Card Industry Data Security Standard v4.0.1 requirements for organizations that store, process, or transmit cardholder data.
  • SEC Marketing Content Analysis (38 requirements): SEC Marketing Rule (Advisers Act Rule 206(4)-1) and recordkeeping requirements governing investment adviser advertising, testimonials, endorsements, and performance claims.
  • SOC 1 (8 requirements): AICPA SSAE 18 (AT-C 320) attestation on a service organization's controls relevant to user entities' internal control over financial reporting.
  • SOC 2 - Trust Services Criteria (2017) (55 requirements): AICPA SOC 2 Trust Services Criteria (2017, with points of focus) covering security, availability, processing integrity, confidentiality, and privacy.
  • SOX (74 requirements): Sarbanes–Oxley Act provisions governing public company corporate governance, auditor independence, and internal control over financial reporting.
  • State & Specialized Regulations (22 requirements): Selected state and specialized federal securities rules affecting advisers and broker-dealers, including custody, Form PF, and net capital provisions.
  • Supervision & Governance Compliance (17 requirements): FINRA and Investment Advisers Act supervision and compliance program requirements, including written procedures, testing, and escalation.
  • TISAX (58 requirements): Trusted Information Security Assessment Exchange — the automotive industry assessment built on VDA ISA for shared supplier information security assurance.
DAYDREAM

Third-party risk management and vendor compliance automation for modern teams.

© 2026 Daydream. All rights reserved.