The Largest Framework Library on the Market

As your company’s needs change, your compliance needs evolve. Hyperproof’s extensive risk management and compliance framework library of over 118 framework templates with requirements and controls can be fully customized to your organization. 

See Framework Library
  • NIST CSF
  • Hitrust
  • HIPPA
  • ISO 27001
  • PCI DSS
  • SOC2
  • Arkansas
  • NIST Privacy
  • CCM
  • GDPR
  • SOX
  • FedRamp
  • CSA
  • DORA
  • CCPA
  • CIS Controls
  • CMS
  • NIST SP 800-171
  • COPPA
  • FDA
  • ISO 45001
  • FFIEC
  • FISMA
  • ISO 27799
  • NIST SP 800-53
  • TISAX

    • Hyperproof’s Supported Risk Management and Compliance Frameworks

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) Programs
    Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) v2.2

    This program combines Title I and Title III of the Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) v2.2. Title I of the ADA prohibits employment discrimination against qualified individuals with disabilities (EEOC). Title III of the ADA prohibits discrimination based on disability in places of public accommodation.

    APRA
    APRA CPS 234

    APRA CPS 234 is an information security regulation issued by the Australian Prudential Regulation Authority, requiring financial institutions to establish and maintain security measures that protect critical data and IT systems. It mandates proactive risk management, secure outsourcing arrangements, incident response planning, and governance structures to ensure resilience against cyber threats and unauthorized data access.

    Australian Government Information Security (ISM)
    Australian Government Information Security Manual (ISM) for IRAP and ASD by ACSC

    Australian ISM by the Australian Cyber Security Centre (ACSC) is for TOP SECRET systems, including sensitive compartmented information systems, security assessments can be undertaken by ASD assessors or their delegates.

    Adobe CCF v4
    Adobe Common Controls Framework (CCF) v4

    Adobe Common Controls Framework assists in the protection of infrastructure, applications, and services, helping companies comply with a number of industry-accepted best practices, standards, regulations and security certifications. It features Adobe-specific controls that map to approximately a dozen industry standards.

    AWS
    AWS Well-Architected Framework

    The AWS Well-Architected Framework is a comprehensive guide designed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads.

    The Bank Secrecy Act Compliance Program (BSA)
    Bank Secrecy Act Compliance Program (BSA)

    The Bank Secrecy Act Compliance Program (BSA) framework includes regulations and illustrative controls covering selected regulations from Title 31 Chapter X and Title 12 Chapter I. It includes regulations addressing Customer Identification Program (CIP), Customer Due Diligence (CDD), Anti-money Laundering (AML), Enhanced Due Diligence (EDD), Currency Transaction Reports (CTR), Suspicious Activity Reporting (SAR), and others.

    Belgium Cyber Fundamentals
    Belgium Cyber Fundamentals

    CyFun translates the NIST Cybersecurity Framework into a practical Belgian context and adds clear, measurable controls drawn from ISO 27001, CIS Controls and IEC 62443. The framework offers four assurance levels—Small, Basic, Important and Essential—so organizations of any size can select a proportional starting point and earn a nationally recognized CyFun label.

    The Brazilian General Data Protection Law (LGPD)
    Brazilian General Data Protection Law (LGPD)

    The LGPD is a comprehensive data protection regulation for processing personal data of individuals located in Brazil, sending data to places in Brazil where it is collected, or where the data is used to offer goods or services to individuals in Brazil, and establish individuals’ rights regarding their personal information.

    BSI Cloud Computing Compliance Controls Catalog (C5)
    BSI Cloud Computing Compliance Controls Catalog (C5)

    The C5 is a cybersecurity framework developed by the German Federal Office for Information Security (BSI) that helps organizations demonstrate operational security against common cyber-attacks when using cloud services.

    C4 CryptoCurrency Security Standard (CCSS)
    C4 CryptoCurrency Security Standard (CCSS)

    CCSS is a security standard that helps secure all information systems that make use of cryptocurrencies.

    CA Browser Forum Network Security Controls v1.3
    CA Browser Forum Network Security Controls v1.3

    The CA Browser Forum Network Security Controls v1.3 is a set of security requirements and guidelines established by the CA/Browser Forum to enhance the security of Certificate Authorities (CAs) and ensure the integrity and trustworthiness of digital certificates used in web browsing and communication. These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs).

    Canadian OSFI B-13
    Canadian OSFI B-13

    The OSFI Guideline B-13 provides comprehensive cybersecurity risk management standards for federally regulated financial institutions in Canada.

    The California Consumer Privacy Act (CCPA)
    California Consumer Privacy Act (CCPA)

    Learn More

    Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
    Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

    The Personal Information Protection and Electronic Documents Act is a Canadian data privacy law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial business.

    China Cybersecurity Law - Personal information (PI) security specification
    China Cybersecurity Law – Personal information (PI) security specification

    The China Cybersecurity Law lays down principles and security requirements relating to the processing of PI, including collection, storage, use, sharing, transfer, and public disclosure.

    CIS Critical Security Controls v8
    CIS Critical Security Controls v8.1

    Learn More

    The Cisco Cloud Controls Framework (CCF)
    Cisco Cloud Controls Framework (CCF)

    CCF is a rationalized framework developed by Cisco Systems with comprehensive control requirements taken from numerous, globally accepted, security compliance frameworks and certifications, helping organizations ensure the security, compliance, and governance of their cloud environments.

    CMS Acceptable Risk Safeguards 5.0x
    CMS Acceptable Risk Safeguards 5.0x and Information Systems Security and Privacy Policy (IS2P2) v3.0

    This policy defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems.

    ACA - CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E)
    CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) Harmonized Security Privacy Framework v2.2

    This framework defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans. The centerpiece of the framework is the streamlined and tailored selection of security and privacy controls for Exchanges.

    Cybersecurity Maturity Model Certification (CMMC) v2
    Cybersecurity Maturity Model Certification (CMMC) v2

    Learn More

    Cybersecurity Maturity Model Certification (CMMC) v2
    Cybersecurity Maturity Model Certification (CMMC v1.02)

    The Cybersecurity Maturity Model Certification (CMMC v1.02) is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI.

    Control Objectives for Information and Related Technologies (COBIT) 2019
    Control Objectives for Information and Related Technologies (COBIT) 2019

    COBIT 2019 is a framework that provides a comprehensive set of principles, practices, and guidelines for the governance and management of enterprise information and technology, aimed at the whole enterprise.

    CSA Cloud Controls Matrix (CCM) v4
    CSA Cloud Controls Matrix (CCM) v4

    Learn More

    Cyber Risk Institute (CRI) Profile
    Cyber Risk Institute (CRI) Profile

    The CRI Profile is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” and is a streamlined approach to cybersecurity risk management.

    Cyber Risk Institute (CRI) Profile
    Cyber Risk Institute Profile 2.0 (CRI)

    The Cyber Risk Institute Profile 2.0 is designed to help financial institutions manage and mitigate cyber risks.

    Cybersecurity Capability Maturity Model (C2M2)
    Cybersecurity Capability Maturity Model (C2M2)

    The Cybersecurity Capability Maturity Model (C2M2) enables organizations to evaluate their cybersecurity capabilities and optimize security investments.

    NIS2
    Digital Services Act (DSA)

    The DSA regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation.

    Department of Homeland Security (DHS) 4300A - Sensitive Systems Handbook
    Department of Homeland Security (DHS) 4300A – Sensitive Systems Handbook

    The DHS 4300A serves as the foundation on which Department of Homeland Security (DHS) Components are to develop, build, and implement their information security programs.

    The Digital Operational Resilience Act (DORA)
    Digital Operational Resilience Act (DORA)

    The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks.

    The Classified Protection of Cybersecurity (DJCP) or Multi-Level Protection Scheme (MLPS)
    Classified Protection of Cybersecurity (DJCP) or Multi-Level Protection Scheme (MLPS)

    The DJCP/MLPS is a regulatory scheme designed to protect the cyber security of networks and systems in China, setting forth requirements and measures to protect classified data from unauthorized access, disclosure, and manipulation through a multi-level security approach.

    EASA Part-IS
    EASA Part-IS

    EASA Part-IS establishes a mandatory information-security-risk-management system within the EASA regulatory framework, requiring organizations and competent authorities to identify, assess and mitigate information-security risks that could impact aviation safety.

    EU AI Act
    EU AI Act

    The EU AI Act is a pioneering regulation aiming to ensure the safe and ethical use of artificial intelligence across the European Union. It categorizes AI systems based on risk levels — ranging from minimal to unacceptable — and imposes strict requirements on high-risk applications to safeguard human rights, privacy, and safety.

    The EU - US Data Privacy Framework (DPF)
    EU – US Data Privacy Framework (DPF)

    The Data Privacy Framework (DPF) program, previously known as Privacy Shield, is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. This framework enables eligible US-based organizations to self-certify their compliance pursuant to the EU-US DPF and, as applicable, the UK Extension to the EU-US DPF, and/or the Swiss-US DPF. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

    EU Cyber Resilience Act
    EU Cyber Resilience Act

    The EU Cyber Resilience Act (Regulation (EU) 2024/2847) establishes uniform cybersecurity requirements for products with digital elements across the European Union. Adopted on October 23, 2024, and effective from June 2025, it mandates that manufacturers integrate security measures throughout a product’s lifecycle, including design, development, and maintenance phases.

    ETSI EN 319 401 V2.2.1
    ETSI EN 319 401 V2.2.1

    The ETSI EN 319 401 V2.2.1 is a technical specification developed by the European Telecommunications Standards Institute (ETSI) that specifies general policy requirements relating to Trust Service Providers (TSPs) that are independent of the type of TSP.

    The Spanish National Security Scheme (ENS) 2022
    Spanish National Security Scheme (ENS) 2022

    The National Security Scheme (ENS) regulation regulates the National Security Framework in Spain and applies to both public and private sector entities. The ENS regulation aims to protect the confidentiality, integrity, availability, and authenticity of information in public entities and organizations.

    Family Educational Rights and Privacy Act of 1974 (FERPA)
    Family Educational Rights and Privacy Act of 1974 (FERPA) with PTAC Guidance

    FERPA is a federal law in the United States that helps protect the privacy of student education records and provides the right to inspect and review education records, seek to amend them, and to limit disclosure of information from the records.

    The Federal Bureau of Investigations (FBI) CJIS Security Policy
    Federal Bureau of Investigations (FBI) CJIS Security Policy

    The FBI CJIS Security Policy protects and safeguards criminal justice data by providing criminal and noncriminal justice agencies with a minimum set of security requirements in order to access the FBI’s Criminal Justice Information Services Division systems.

    FDA Electronic Records; Electronic Signatures (21 CFR Part 11)
    FDA Electronic Records; Electronic Signatures (21 CFR Part 11)

    21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration (FDA) that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records in FDA-regulated industries.

    The Federal Risk and Authorization Management Program (FedRAMP)
    Federal Risk and Authorization Management Program (FedRAMP)

    Learn More

    The Florida Information Protection Act (FIPA)
    Florida Information Protection Act (FIPA)

    Learn More

    FFIEC
    FFIEC Cybersecurity Assessment Tool (CAT)

    The FFIEC Cybersecurity Assessment Tool (CAT), developed by the Federal Financial Institutions Examination Council (FFIEC) on behalf of its members, helps institutions identify their risks and determine their cybersecurity maturity.

    France ASIP HDS - HDH Certification - v1.1
    France ASIP HDS – HDH Certification – v1.1

    France ASIP HDS – HDH Certification – v1.1 constitutes the certification reference system applicable to hosts wishing to obtain certification for the scope of “physical infrastructure provider” or “IT managed services provider” of personal health data in France.

    French ANSSI SecNumCloud v3.2
    French ANSSI SecNumCloud v3.2

    ANSSI SecNumCloud v3.2 is France’s top-tier “trusted-cloud” qualification, published on 8 March 2022. It applies to SaaS, PaaS, CaaS and IaaS offerings and asks providers to satisfy 360-plus prescriptive controls grouped under 14 security domains that extend ISO 27001.

    The General Data Protection Regulation (GDPR)
    General Data Protection Regulation (GDPR)

    Learn More

    The Gramm-Leach-Bliley Act (GLBA) and FTC Safeguard Rule
    Gramm-Leach-Bliley Act (GLBA) and FTC Safeguard Rule

    The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

    Hyperproof Common Control Framework (CCF)

    The Hyperproof Common Control Framework is a modern set of cybersecurity and privacy controls, each distilled from key elements found in established frameworks such as NIST 800-53, AICPA SOC 2, ISO 27001, CIS, GDPR, and PCI DSS. This framework facilitates organizational compliance by standardizing processes to effectively address cybersecurity, privacy, and information system risks.

    Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    Health Insurance Portability and Accountability Act of 1996 (HIPAA)

    Learn More

    IATF 16949
    IATF 16949

    IATF 16949 is an international quality management standard specifically designed for the automotive industry, emphasizing defect prevention, continual improvement, and reduction of waste across the automotive supply chain. It integrates ISO 9001 requirements with automotive-specific criteria to enhance customer satisfaction, product safety, and reliability.

    The Israeli Protection of Privacy Law and Regulations
    Israeli Protection of Privacy Law and Regulations

    The Israeli privacy laws establish a robust legal framework designed to protect the privacy and personal data of individuals.

    Italian ACN
    Italian ACN

    Italian ACN is a comprehensive framework that aims to protect national cyberspace, promote digital autonomy, and ensure compliance with cybersecurity regulations. It plays a central role in developing and implementing the National Cybersecurity Strategy, overseeing the National Cybersecurity Perimeter, and acting as the National Competent Authority for NIS2. 

    IBM Cloud Framework for Financial Services
    IBM Cloud Framework for Financial Services

    IBM Cloud Framework for Financial Services is designed to help address the needs of financial services institutions with regulatory compliance, security, and resiliency during the initial deployment phase and with ongoing operations.

    IEC
    IEC 62443 4-1

    IEC 62443 4-1 outlines practices and procedures for developing and maintaining secure products, addressing aspects from specification and design to maintenance.

    IEC
    IEC 62443 4-2

    IEC 62443 4-2 specifies how to secure components against unauthorized access and misuse, thereby ensuring the resilience and integrity of industrial operations.

    ISO 14001:2015
    ISO 14001:2015

    ISO 14001:2015 is an international standard that provides organizations with a framework to protect the environment and respond to changing environmental conditions in balance with socioeconomic needs.

    ISO 17025:2017
    ISO 17025:2017

    ISO/IEC 17025:2017 specifies the general requirements for the competence, impartiality and consistent testing, calibration, and operation of laboratories. This program is applicable to all organizations performing laboratory activities, regardless of the number of personnel.

    ISO 20000
    ISO 20000

    This framework specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS) to meet service requirements and deliver value.

    ISO
    ISO 21434

    ISO 21434 is an international standard that addresses the cybersecurity perspective in cybersecurity engineering of electrical and electronic (E/E) systems within road vehicles. By ensuring  appropriate consideration of cybersecurity, this framework aims to enable the engineering of E/E systems to keep up with state-of-the-art technology and evolving attack methods.

    ISO 22301:2019
    ISO 22301:2019

    ISO 22301:2019 is an international standard that specifies requirements to implement, maintain and improve business continuity management systems to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

    ISO 26262
    ISO 26262

    ISO 26262 is an international standard that ensures the functional safety of electrical and electronic systems in road vehicles throughout the entire safety lifecycle, from concept to production.

    ISO 27001:2013
    ISO 27001:2013

    Learn More

    ISO 27001:2013
    ISO 27001:2019

    Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.

    ISO 27001
    ISO 27001:2022

    Learn More

    ISO 27002:2022
    ISO 27002:2022

    ISO 27002 is an international standard that provides a reference set of generic information security controls and guidance designed to be used by organizations within the context of ISO 27001 and based on internationally recognized best practices.

    ISO
    ISO 27017:2015

    ISO 27017:2015 is an international standard for information security controls based on ISO/IEC 27002 for cloud services that provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards.

    ISO
    ISO 27018:2019

    ISO 27018:2019 is a code of practice that focuses on protection of personal data in public clouds acting as PII processors. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII).

    ISO
    ISO 27701:2019

    ISO 27701:2019 Security techniques is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. It’s an international standard that specifies requirements and guidelines to establish and continuously improve the Privacy Information Management System (PIMS), including processing of Personally Identifiable Information (PII).

    ISO
    ISO 27799:2016

    ISO 27799:2016 is an international standard that provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information.

    ISO
    ISO 28000:2022

    ISO 28000:2022 is an international standard that provides guidelines and requirements for implementing effective security management systems in organizations involved in the global supply chain.

    ISO 42001 AI Management System
    ISO 42001 AI Management System

    ISO/IEC 42001 is an international standard that provides a framework for organizations to manage the ethical development, deployment, and governance of Artificial Intelligence (AI) systems.

    ISO
    ISO 45001:2018

    ISO 45001:2018 is an international standard that sets out the requirements for occupational health and safety management systems (OH&S) for health and safety at work developed by national and international standards committees independent of government.

    ISO
    ISO 9001:2015

    ISO 9001:2015 is the international standard that specifies requirements for quality management systems (QMS), which organizations use to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.

    ITSG-33 Government of Canada Controls Catalogue
    ITSG-33 Government of Canada Controls Catalogue

    ITSG-33 is a comprehensive framework, including PBMM controls, that provides a framework of security controls and guidelines to protect the information and IT assets of the Canadian government.

    International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines
    International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines

    This framework contains information on the elements of an effective ITAR Compliance Program (ICP) and how to design and implement an ICP for organizations that manufacture, export, broker, or temporarily import defense articles and defense services described on the United States Munitions List (USML).

    Japanese Information System Security Management and Assessment Program (ISMAP)
    Japanese Information System Security Management and Assessment Program (ISMAP)

    The ISMAP is a framework established by the Japanese government that establishes guidelines and procedures for evaluating and managing information system security in organizations within Japan.

    Korean Personal Information & Information Security Management System (ISMS-P)
    Korean Personal Information & Information Security Management System (ISMS-P)

    The ISMS-P is a Korean integrated certification system to ensure the protection of personal information and the overall information security of organizations in South Korea that consolidates PIMS certification and ISMS certification into one certification system, both of which were operated separately.

    MAS Technology Risk Management Guidelines (TRM)
    MAS Technology Risk Management Guidelines (TRM)

    The MAS Technology Risk Management (TRM) Guidelines are regulatory guidelines issued by the Monetary Authority of Singapore (MAS) that outline the expectations and best practices for managing technology risks in financial institutions operating in Singapore.

    Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)
    Microsoft SSPA v.10

    Microsoft’s SSPA requires suppliers who handle personal data and Microsoft Confidential Data to meet a strict set of security and privacy standards. This version of the framework includes controls and crosswalks to support Hyperproof’s Jumpstart feature.

    Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)
    Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)

    Microsoft’s SSPA requires suppliers who handle personal data and Microsoft Confidential Data to meet a strict set of security and privacy standards.

    NERC
    NERC Critical Infrastructure Protection (CIP)

    NERC Critical Infrastructure Protection (CIP) is a set of regulatory standards focused on protecting critical cyber assets, physical infrastructure, and personnel from threats, vulnerabilities, and risks that could disrupt the operation of power grids.

    NIS2
    NIS2

    The NIS2 Directive revises the European Union’s Network and Information Security Directive, expanding its scope to include additional sectors and services such as health, energy, and digital infrastructure.

    AI Risk Management Framework (AI RMF)
    NIST AI Risk Management Framework

    The AI Risk Management Framework (AI RMF ) improves the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. 

    Learn More

    NIST SP 800-161
    NIST SP 800-161

    NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations – Rev 1 provides guidelines and recommendations for protecting the confidentiality, integrity, and availability of supply chain information and systems within federal agencies.

    NIST
    NIST SP 800-171

    Learn More

    NIST
    NIST 800-171 Rev2

    NIST 800-171 Rev2 provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

    NIST
    NIST 800-171 Rev3

    NIST 800-171 Rev3 provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.

    NIST
    NIST SP 800-218

    NIST 800-218 Secure Software Development Framework (SSDF) v1.1 provides guidelines and best practices for managing and mitigating cybersecurity risks associated with the supply chain of information and communication technology (ICT) products and services.

    NIST
    NIST SP 800-82

    This framework provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements, like guidance on industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. It provides an overview of OT and typical system topologies, identifies common threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

    NIST
    NIST SP 800-53

    Learn More

    NIST
    NIST SP 800-53 Rev5

    NIST 800-171 Rev2 is the Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Revision 2, February 2020.

    NIST
    NIST SP 800-53 Rev5 Selectable Baseline

    NIST SP 800-53 Rev5 Selectable Baseline provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

    NIST
    NIST Cybersecurity Framework (CSF) 1.1

    Learn More

    NIST
    NIST Privacy Framework

    Learn More

    NIST
    NIST Cybersecurity Framework (CSF) 2.0

    Learn More

    NISTIR 8374 Ransomware Risk Management
    NISTIR 8374 Ransomware Risk Management

    NISTIR 8374 Ransomware Risk Management can help organizations gauge their level of readiness to counter threats, deal with the potential consequences of events, and identify opportunities for improvement.

    New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Requirements for Financial Services Companies
    NY Department of Financial Services (NYDFS) Part 500 Cybersecurity Requirements for Financial Services

    NYDFS Part 500 is a framework that mandates financial institutions to implement comprehensive cybersecurity programs to protect sensitive customer data and ensure the resilience of their systems against cyber threats.

    OWASP Application Security Verification Standard (ASVS) v4.0.3
    OWASP Application Security Verification Standard (ASVS) v4.0.3

    The OWASP ASVS Project is a widely recognized industry standard that provides guidelines and requirements for verifying the security of web applications, ensuring they meet essential security controls and best practices.

    Payment Card Industry Data Security Standard (PCI DSS) 3.2.1
    Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 (Retired framework available for reference)
    PCI DSS
    Payment Card Industry Data Security Standard (PCI DSS) 4.0

    Learn More

    Payment Card Industry Data Security Standard (PCI DSS)
    Payment Card Industry Data Security Standard (PCI DSS) 4.0.1

    The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

    SASB ESG
    SASB ESG

    This supplement provides an overview of SASB’s approach to greenhouse gas emissions and related topics in the SASB Standards and offers guidance for reporting entities that wish to disclose Scope 1, 2, or 3 emissions.

    Saudi Arabia Essential Cybersecurity Controls
    Saudi Arabia Essential Cybersecurity Controls (ECC) 2018

    The Saudi Arabia Essential Cybersecurity Controls (ECC) are guidelines for enhancing cybersecurity across organizations in Saudi Arabia. They cover risk management, asset management, access control, and more, applicable to government entities, critical infrastructure operators, and key private sector organizations.

    SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.1c-3)
    SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.1c-3)

    SEC 17 CFR Part 240 15c is a subsection of the United States Code of Federal Regulations that outlines the regulations and requirements for broker-dealers in relation to risk assessment, customer disclosures, and various aspects of securities transactions.

    SEC
    SEC 17 CFR PART 240 17a: Preservation of Records and Reports of Stabilizing Activities (§§ 240.17a-1 – 240.17f-2)

    SEC 17 CFR Part 240 17a is a specific subsection of the United States Code of Federal Regulations that outlines the recordkeeping and financial responsibility requirements for broker-dealers registered with the U.S. Securities and Exchange Commission (SEC).

    Secure Controls Framework (SCF)
    Secure Controls Framework (SCF)

    The SCF is a comprehensive framework that provides a structured approach for designing, implementing, and assessing cybersecurity controls to protect organizations against various threats and vulnerabilities.

    Secure Controls Framework (SCF)
    Secure Control Framework v. December 2024

    The SCF is a comprehensive framework that provides a structured approach for designing, implementing, and assessing cybersecurity controls to protect organizations against various threats and vulnerabilities. The December 2024 version incudes controls and crosswalks to support Hyperproof’s Jumpstart feature.

    Sarbanes–Oxley Act (SOX)
    Sarbanes–Oxley Act (SOX)

    SOX is a U.S. federal law enacted in 2002 designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. Hyperproof’s SOX program includes templates for internal controls over financial reporting (ICFR) and general control activities over technology (ITGC).

    StateRAMP
    StateRAMP Rev. 5

    StateRAMP is a program that aims to standardize and streamline the cybersecurity assessment and authorization process for cloud service providers (CSPs) working with U.S. state, local, tribal, and territorial governments, ensuring secure and reliable cloud solutions.

    SOC 2
    SOC 2

    Learn More

    SWIFT CSCF
    SWIFT CSCF

    The Swift Customer Security Controls Framework (CSCF) v2024 outlines a comprehensive set of mandatory and advisory security controls for institutions using the SWIFT network. This framework is designed to protect against fraud and cyber threats by enforcing rigorous standards around user access, security policies, and incident response.

    Task Force on Climate-Related Financial Disclosures (TCFD)
    Task Force on Climate-Related Financial Disclosures (TCFD)

    The TCFD is an initiative that promotes voluntary and consistent reporting of climate-related risks and opportunities by organizations, enabling better-informed decision-making and more transparent disclosure of climate impacts on financial performance.

    Trusted Information Security Assessment Exchange (TISAX)
    Trusted Information Security Assessment Exchange (TISAX)

    TISAX is a standardized framework and assessment process established by the German Association of the Automotive Industry (VDA) specifically designed for the automotive industry, ensuring the secure exchange of sensitive information through a common set of security requirements and assessment criteria.

    Texas Risk and Authorization Management Program (TX-RAMP)
    Texas Risk and Authorization Management Program (TX-RAMP)

    TX-RAMP is a state-level initiative that establishes standardized cybersecurity requirements and procedures for evaluating and authorizing cloud service providers (CSPs) working with Texas state agencies, ensuring secure and compliant cloud solutions.

    UK Cyber Essentials: Requirements for IT infrastructure
    UK Cyber Essentials: Requirements for IT infrastructure

    UK Cyber Essentials is a certification scheme that sets out basic cybersecurity controls and guidelines for organizations in the UK to mitigate common cyber threats and enhance the overall security of their IT systems.

    Webtrust
    WebTrust Principles and Criteria

    WebTrust Principles and Criteria provides a cohesive and adaptable compliance framework that organizations can adopt to ensure the integrity and trustworthiness of their public key infrastructure (PKI) operations. It includes foundational guidance for Certification Authorities (CAs) to establish sound governance, certificate lifecycle management, and operational controls.

    Ready to see
    Hyperproof in action?

    G2 Crowd Leader
    G2 Crowd Best Estimated ROI
    G2 Crowd Best Customer Support Enterprise
    G2 Crowd Fastest Implementation
    G2 Crowd Momentum Leader