Adopt and Manage Multiple Risk Management and Compliance Frameworks at Scale

As your company’s needs change, your compliance needs evolve. Hyperproof’s extensive risk management and compliance framework library of over 100 framework templates with requirements and controls can be fully customized to your organization. 

Hyperproof’s Supported Risk Management and Compliance Frameworks

The Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) v2.2

This program combines Title I and Title III of the Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) v2.2. Title I of the ADA prohibits employment discrimination against qualified individuals with disabilities (EEOC). Title III of the ADA prohibits discrimination based on disability in places of public accommodation.

Australian Government Information Security Manual (ISM) for IRAP and ASD by ACSC

The Australian ISM, published by the Australian Cyber Security Centre (ACSC), is for TOP SECRET systems, including sensitive compartmented information systems; security assessments can be undertaken by ASD assessors or their delegates.

Adobe Common Controls Framework (CCF) v4

Adobe Common Controls Framework assists in the protection of infrastructure, applications, and services, helping companies comply with a number of industry-accepted best practices, standards, regulations and security certifications. It features Adobe-specific controls that map to approximately a dozen industry standards.

The Brazilian General Data Protection Law (LGPD)

The LGPD is a comprehensive data protection regulation covering the processing of personal data of individuals located in Brazil, data collected in Brazil, and data used to offer goods or services to individuals in Brazil, and it establishes individuals’ rights regarding their personal information.

BSI Cloud Computing Compliance Controls Catalog (C5)

The C5 is a cybersecurity framework developed by the German Federal Office for Information Security (BSI) that helps organizations demonstrate operational security against common cyber-attacks when using cloud services.

C4 CryptoCurrency Security Standard (CCSS)

CCSS is a security standard that helps secure all information systems that make use of cryptocurrencies.

CA Browser Forum Network Security Controls v1.3

The CA Browser Forum Network Security Controls v1.3 is a set of security requirements and guidelines established by the CA/Browser Forum to enhance the security of Certificate Authorities (CAs) and ensure the integrity and trustworthiness of digital certificates used in web browsing and communication. These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs).

The California Consumer Privacy Act (CCPA)

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

The Personal Information Protection and Electronic Documents Act is a Canadian data privacy law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.

China Cybersecurity Law – Personal information (PI) security specification

The China Cybersecurity Law lays down principles and security requirements relating to the processing of PI, including collection, storage, use, sharing, transfer, and public disclosure.

CIS Critical Security Controls v8

The Cisco Cloud Controls Framework (CCF)

CCF is a rationalized framework developed by Cisco Systems with comprehensive control requirements taken from numerous globally accepted security compliance frameworks and certifications, helping organizations ensure the security, compliance, and governance of their cloud environments.

CMS Acceptable Risk Safeguards 5.0x and Information Systems Security and Privacy Policy (IS2P2) v3.0

This policy defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems.

CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) Harmonized Security Privacy Framework v2.2

This framework defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans. The centerpiece of the framework is the streamlined and tailored selection of security and privacy controls for Exchanges.

Cybersecurity Maturity Model Certification (CMMC) v2

Control Objectives for Information and Related Technologies (COBIT) 2019

COBIT 2019 is a framework that provides a comprehensive set of principles, practices, and guidelines for the governance and management of enterprise information and technology, aimed at the whole enterprise.

The CSA Cloud Controls Matrix (CCM) v4

Cyber Risk Institute (CRI) Profile

The CRI Profile is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” and is a streamlined approach to cybersecurity risk management.

Department of Homeland Security (DHS) 4300A – Sensitive Systems Handbook

The DHS 4300A serves as the foundation on which Department of Homeland Security (DHS) Components are to develop, build, and implement their information security programs.

The Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks.

The EU – US Data Privacy Framework (DPF)

The Data Privacy Framework (DPF) program, previously known as Privacy Shield, is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. This framework enables eligible US-based organizations to self-certify their compliance pursuant to the EU-US DPF and, as applicable, the UK Extension to the EU-US DPF, and/or the Swiss-US DPF. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

The Classified Protection of Cybersecurity (DJCP) or Multi-Level Protection Scheme (MLPS)

The DJCP/MLPS is a regulatory scheme designed to protect the cyber security of networks and systems in China, setting forth requirements and measures to protect classified data from unauthorized access, disclosure, and manipulation through a multi-level security approach.

ETSI EN 319 401 V2.2.1

The ETSI EN 319 401 V2.2.1 is a technical specification developed by the European Telecommunications Standards Institute (ETSI) that specifies general policy requirements relating to Trust Service Providers (TSPs) that are independent of the type of TSP.

The Spanish National Security Scheme (ENS) 2022

The National Security Scheme (ENS) regulation establishes the National Security Framework in Spain and applies to both public and private sector entities. The ENS regulation aims to protect the confidentiality, integrity, availability, and authenticity of information in public entities and organizations.

The Family Educational Rights and Privacy Act of 1974 (FERPA) with PTAC Guidance

FERPA is a federal law in the United States that helps protect the privacy of student education records and provides the right to inspect and review education records, seek to amend them, and to limit disclosure of information from the records.

The Federal Bureau of Investigation (FBI) CJIS Security Policy

The FBI CJIS Security Policy protects and safeguards criminal justice data by providing criminal and noncriminal justice agencies with a minimum set of security requirements in order to access the FBI’s Criminal Justice Information Services Division systems.

FDA Electronic Records; Electronic Signatures (21 CFR Part 11)

21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration (FDA) that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records in FDA-regulated industries.

The Israeli Protection of Privacy Law and Regulations

The Israeli privacy laws establish a robust legal framework designed to protect the privacy and personal data of individuals.

The Federal Risk and Authorization Management Program (FedRAMP)

The Florida Information Protection Act (FIPA)

France ASIP HDS – HDH Certification – v1.1

France ASIP HDS – HDH Certification – v1.1 constitutes the certification reference system applicable to hosts wishing to obtain certification for the scope of “physical infrastructure provider” or “IT managed services provider” of personal health data in France.

The General Data Protection Regulation (GDPR)

The Gramm-Leach-Bliley Act (GLBA) and FTC Safeguard Rule

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

IBM Cloud Framework for Financial Services

IBM Cloud Framework for Financial Services is designed to help address the needs of financial services institutions with regulatory compliance, security, and resiliency during the initial deployment phase and with ongoing operations.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

ISO 14001:2015

ISO 14001:2015 is an international standard that provides organizations with a framework to protect the environment and respond to changing environmental conditions in balance with socioeconomic needs.

ISO 17025:2017

ISO/IEC 17025:2017 specifies the general requirements for the competence, impartiality, and consistent operation of laboratories performing testing and calibration. This program is applicable to all organizations performing laboratory activities, regardless of the number of personnel.

ISO 20000

This framework specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS) to meet service requirements and deliver value.

ISO 21434

ISO 21434 is an international standard that addresses the cybersecurity perspective in the engineering of electrical and electronic (E/E) systems within road vehicles. By ensuring appropriate consideration of cybersecurity, this framework aims to enable the engineering of E/E systems to keep up with state-of-the-art technology and evolving attack methods.

ISO 22301:2019

ISO 22301:2019 is an international standard that specifies requirements to implement, maintain and improve business continuity management systems to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

ISO 27001:2013

ISO 27001:2022

ISO 27002:2022

ISO 27002 is an international standard that provides a reference set of generic information security controls and guidance designed to be used by organizations within the context of ISO 27001 and based on internationally recognized best practices.

ISO 27017:2015

ISO 27017:2015 is an international standard for information security controls based on ISO/IEC 27002 for cloud services that provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards.

ISO 27018:2019

ISO 27018:2019 is a code of practice that focuses on protection of personal data in public clouds acting as PII processors. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII).

ISO 27701:2019

ISO 27701:2019 (Security techniques) is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. It’s an international standard that specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including the processing of Personally Identifiable Information (PII).

ISO 27799:2016

ISO 27799:2016 is an international standard that provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information.

ISO 28000:2022

ISO 28000:2022 is an international standard that provides guidelines and requirements for implementing effective security management systems in organizations involved in the global supply chain.

ISO 42001 AI Management System

ISO/IEC 42001 is an international standard that provides a framework for organizations to manage the ethical development, deployment, and governance of Artificial Intelligence (AI) systems.

ISO 45001:2018

ISO 45001:2018 is an international standard that sets out the requirements for occupational health and safety (OH&S) management systems, developed by national and international standards committees independent of government.

ISO 9001:2015

ISO 9001:2015 is the international standard that specifies requirements for quality management systems (QMS), which organizations use to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.

ITSG-33 Government of Canada Controls Catalogue

ITSG-33 is a comprehensive catalogue of security controls and guidelines, including PBMM controls, to protect the information and IT assets of the Canadian government.

International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines

This framework contains information on the elements of an effective ITAR Compliance Program (ICP) and how to design and implement an ICP for organizations that manufacture, export, broker, or temporarily import defense articles and defense services described on the United States Munitions List (USML).

Japanese Information System Security Management and Assessment Program (ISMAP)

The ISMAP is a framework established by the Japanese government that sets out guidelines and procedures for evaluating and managing information system security in organizations within Japan.

Korean Personal Information & Information Security Management System (ISMS-P)

The ISMS-P is a Korean integrated certification system that ensures the protection of personal information and the overall information security of organizations in South Korea. It consolidates PIMS certification and ISMS certification, which were previously operated separately, into one certification system.

MAS Technology Risk Management Guidelines (TRM)

The MAS Technology Risk Management (TRM) Guidelines are regulatory guidelines issued by the Monetary Authority of Singapore (MAS) that outline the expectations and best practices for managing technology risks in financial institutions operating in Singapore.

Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)

Microsoft’s SSPA requires suppliers who handle personal data and Microsoft Confidential Data to meet a strict set of security and privacy standards.

NIST AI Risk Management Framework

The AI Risk Management Framework (AI RMF) improves the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

NIST SP 800-161

NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations – Rev 1 provides guidelines and recommendations for protecting the confidentiality, integrity, and availability of supply chain information and systems within federal agencies.

NIST SP 800-171

NIST SP 800-218

NIST 800-218 Secure Software Development Framework (SSDF) v1.1 provides guidelines and best practices for managing and mitigating cybersecurity risks associated with the supply chain of information and communication technology (ICT) products and services.

NIST SP 800-82

This framework provides guidance on how to secure operational technology (OT) while addressing its unique performance, reliability, and safety requirements, including guidance on industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. It provides an overview of OT and typical system topologies, identifies common threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

NIST SP 800-53

NIST Cybersecurity Framework (CSF) 1.1

NIST Privacy Framework

NIST Cybersecurity Framework (CSF) 2.0

NISTIR 8374 Ransomware Risk Management

NISTIR 8374 Ransomware Risk Management can help organizations gauge their level of readiness to counter threats, deal with the potential consequences of events, and identify opportunities for improvement.

New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Requirements for Financial Services Companies

NYDFS Part 500 is a framework that mandates financial institutions to implement comprehensive cybersecurity programs to protect sensitive customer data and ensure the resilience of their systems against cyber threats.

OWASP Application Security Verification Standard (ASVS) v4.0.3

The OWASP ASVS Project is a widely recognized industry standard that provides guidelines and requirements for verifying the security of web applications, ensuring they meet essential security controls and best practices.

Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 (Retired framework available for reference)

Payment Card Industry Data Security Standard (PCI DSS) 4.0

SASB ESG

This supplement provides an overview of SASB’s approach to greenhouse gas emissions and related topics in the SASB Standards and offers guidance for reporting entities that wish to disclose Scope 1, 2, or 3 emissions.

The Saudi Arabia Essential Cybersecurity Controls (ECC) 2018

The Saudi Arabia Essential Cybersecurity Controls (ECC) are guidelines for enhancing cybersecurity across organizations in Saudi Arabia. They cover risk management, asset management, access control, and more, applicable to government entities, critical infrastructure operators, and key private sector organizations.

SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.1c-3)

SEC 17 CFR Part 240 15c is a subsection of the United States Code of Federal Regulations that outlines the regulations and requirements for broker-dealers in relation to risk assessment, customer disclosures, and various aspects of securities transactions.

SEC 17 CFR PART 240 17a: Preservation of Records and Reports of Stabilizing Activities (§§ 240.17a-1 – 240.17f-2)

SEC 17 CFR Part 240 17a is a specific subsection of the United States Code of Federal Regulations that outlines the recordkeeping and financial responsibility requirements for broker-dealers registered with the U.S. Securities and Exchange Commission (SEC).

Secure Controls Framework (SCF)

The SCF is a comprehensive framework that provides a structured approach for designing, implementing, and assessing cybersecurity controls to protect organizations against various threats and vulnerabilities.

Sarbanes–Oxley Act (SOX)

SOX is a U.S. federal law enacted in 2002 designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. Hyperproof’s SOX program includes templates for internal controls over financial reporting (ICFR) and general control activities over technology (ITGC).

StateRAMP

StateRAMP is a program that aims to standardize and streamline the cybersecurity assessment and authorization process for cloud service providers (CSPs) working with U.S. state, local, tribal, and territorial governments, ensuring secure and reliable cloud solutions.

SOC 2

Task Force on Climate-Related Financial Disclosures (TCFD)

The TCFD is an initiative that promotes voluntary and consistent reporting of climate-related risks and opportunities by organizations, enabling better-informed decision-making and more transparent disclosure of climate impacts on financial performance.

Trusted Information Security Assessment Exchange (TISAX)

TISAX is a standardized framework and assessment process established by the German Association of the Automotive Industry (VDA) specifically designed for the automotive industry, ensuring the secure exchange of sensitive information through a common set of security requirements and assessment criteria.

Texas Risk and Authorization Management Program (TX-RAMP)

TX-RAMP is a state-level initiative that establishes standardized cybersecurity requirements and procedures for evaluating and authorizing cloud service providers (CSPs) working with Texas state agencies, ensuring secure and compliant cloud solutions.

UK Cyber Essentials: Requirements for IT infrastructure

UK Cyber Essentials is a certification scheme that sets out basic cybersecurity controls and guidelines for organizations in the UK to mitigate common cyber threats and enhance the overall security of their IT systems.

Webtrust for CAs – Extended Validation SSL v1.6.8

Webtrust for CAs – Extended Validation SSL is a certification program that sets specific criteria and rigorous auditing processes to ensure the security, reliability, and adherence to industry standards of Certificate Authorities offering Extended Validation SSL certificates.

Webtrust for CAs – PTCSC v1.0.1

WebTrust for CAs – PTCSC v1.0.1 is a certification program that establishes specific criteria and procedures for evaluating the security, availability, and processing integrity of Certification Authorities (CAs) in the Public Key Infrastructure (PKI), ensuring the trustworthiness of digital certificates and related services.

Webtrust for CAs – SSL Baseline with Network Security v2.4.1

Webtrust for CAs – SSL Baseline with Network Security sets out criteria to be used as a basis for an auditor to conduct an SSL Baseline Requirements and Network and Certificate Systems Security Requirements audit.

Webtrust for Certification Authorities – Principles and Criteria for Certification Authorities – Version 2.2.2

The WebTrust for Certification Authorities – Engagement Applicability Matrix provides information about the relevant assurance requirements based on current CA/Browser Forum and other requirements.

WebTrust Principles and Criteria for Registration Authorities v1.0

WebTrust Principles and Criteria for Registration Authorities is a set of standards and guidelines that define the requirements and best practices for Registration Authorities (RAs) involved in issuing digital certificates, ensuring trust, security, and reliability in the digital certificate ecosystem.

Webtrust for CAs – Code Signing

The CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates enable efficient and secure electronic communication while addressing user concerns about the trustworthiness of Code Signing Certificates.

Webtrust for CAs – “S/MIME”

The Baseline Requirements for the Issuance and Management of S/MIME Certificates enable efficient and secure electronic communication while addressing user concerns about the trustworthiness of Certificates. The Requirements also serve to inform users and help them make informed decisions when relying on Certificates.
