The Largest Framework Library on the Market

As your business evolves, so do your compliance needs. Hyperproof supports 160+ pre-built frameworks, giving you the flexibility to align with the standards that fit your industry, customers, and maturity. Explore our framework library to find the right fit.

Hyperproof’s Supported Risk Management and Compliance Frameworks

Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) Programs
Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG) v2.2

This program combines Title I and Title III of the Americans with Disabilities Act (ADA) with the Web Content Accessibility Guidelines (WCAG) v2.2. Title I of the ADA prohibits employment discrimination against qualified individuals with disabilities (EEOC). Title III of the ADA prohibits discrimination based on disability in places of public accommodation.

APRA
APRA CPS 234

APRA CPS 234 is an information security regulation issued by the Australian Prudential Regulation Authority, requiring financial institutions to establish and maintain security measures that protect critical data and IT systems. It mandates proactive risk management, secure outsourcing arrangements, incident response planning, and governance structures to ensure resilience against cyber threats and unauthorized data access.

Australian Government Information Security (ISM)
Australian Government Information Security Manual (ISM) for IRAP and ASD by ACSC

The Australian ISM is published by the Australian Cyber Security Centre (ACSC). For TOP SECRET systems, including sensitive compartmented information systems, security assessments can be undertaken by ASD assessors or their delegates.

Australian Government Information Security (ISM)
Australia ISM for IRAP and ASD by ACSC, December 2025

Australian Government Information Security Manual (ISM). For TOP SECRET systems, including sensitive compartmented information systems, security assessments can be undertaken by ASD assessors (or their delegates). For SECRET and below systems, security assessments can be undertaken by an organisation’s own assessors or by Infosec Registered Assessors Program (IRAP) assessors.

Adobe CCF v4
Adobe Common Controls Framework (CCF) v4

Adobe Common Controls Framework assists in the protection of infrastructure, applications, and services, helping companies comply with a number of industry-accepted best practices, standards, regulations and security certifications. It features Adobe-specific controls that map to approximately a dozen industry standards.

AWS
AWS Well-Architected Framework

The AWS Well-Architected Framework is a comprehensive guide designed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads.

The Bank Secrecy Act Compliance Program (BSA)
Bank Secrecy Act Compliance Program (BSA)

The Bank Secrecy Act Compliance Program (BSA) framework includes regulations and illustrative controls covering selected regulations from Title 31 Chapter X and Title 12 Chapter I. It includes regulations addressing Customer Identification Program (CIP), Customer Due Diligence (CDD), Anti-money Laundering (AML), Enhanced Due Diligence (EDD), Currency Transaction Reports (CTR), Suspicious Activity Reporting (SAR), and others.

Belgium Cyber Fundamentals
Belgium Cyber Fundamentals

CyFun translates the NIST Cybersecurity Framework into a practical Belgian context and adds clear, measurable controls drawn from ISO 27001, CIS Controls and IEC 62443. The framework offers four assurance levels—Small, Basic, Important and Essential—so organizations of any size can select a proportional starting point and earn a nationally recognized CyFun label.

The Brazilian General Data Protection Law (LGPD)
Brazilian General Data Protection Law (LGPD)

The LGPD is a comprehensive data protection regulation that applies to the processing of personal data of individuals located in Brazil, to data collected in Brazil, and to data used to offer goods or services to individuals in Brazil; it establishes individuals’ rights regarding their personal information.

BSI Cloud Computing Compliance Controls Catalog (C5)
BSI Cloud Computing Compliance Controls Catalog (C5)

The C5 is a cybersecurity framework developed by the German Federal Office for Information Security (BSI) that helps organizations demonstrate operational security against common cyber-attacks when using cloud services.

BSI Cloud Computing Compliance Controls Catalog (C5)
BSI Cloud Computing Compliance Controls Catalog (C5) 2020

Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government’s “Security Recommendations for Cloud Providers”.

BSI Cloud Computing Compliance Controls Catalog (C5)
BSI Cloud Computing Compliance Controls Catalog (C5) 2026

Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI). C5 helps organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government’s “Security Recommendations for Cloud Providers”.

C4 CryptoCurrency Security Standard (CCSS)
C4 CryptoCurrency Security Standard (CCSS)

CCSS is a security standard that helps secure all information systems that make use of cryptocurrencies.

CA Browser Forum Network Security Controls v1.3
CA Browser Forum Network Security Controls v1.3

The CA Browser Forum Network Security Controls v1.3 is a set of security requirements and guidelines established by the CA/Browser Forum to enhance the security of Certificate Authorities (CAs) and ensure the integrity and trustworthiness of digital certificates used in web browsing and communication. These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities (CAs).

Canadian OSFI B-13
Canadian OSFI B-13

The OSFI Guideline B-13 provides comprehensive cybersecurity risk management standards for federally regulated financial institutions in Canada.

California Privacy Rights Act (CPRA)
California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is a California state privacy law that expands and amends the California Consumer Privacy Act (CCPA), strengthening consumer rights and tightening rules on how businesses collect, use, and share personal information. It adds protections for sensitive personal information and establishes the California Privacy Protection Agency to help regulate and enforce the law.

CA Browser Forum Baseline Requirements v2.2.6
CA Browser Forum Baseline Requirements v2.2.6

This describes an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary (but not sufficient) for the issuance and management of Publicly-Trusted TLS Server Certificates; Certificates that are trusted by virtue of the fact that their corresponding Root Certificate is distributed in widely-available application software. The requirements are not mandatory for Certification Authorities unless and until they become adopted and enforced by relying-party Application Software Suppliers.

The California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
Chilean Personal Data Protection Law (PDPL)
Chilean Personal Data Protection Law (PDPL) – Law No. 19.628

Chile’s updated Personal Data Protection Law is a modernized privacy framework that aligns the country with global standards like the GDPR by establishing stricter consent rules, a dedicated enforcement agency, and enhanced rights for individuals. Scheduled for full enforcement in December 2026, it requires both domestic and foreign businesses targeting Chilean residents to implement rigorous compliance measures such as impact assessments and breach notifications or face millions of dollars in potential fines.

China Cybersecurity Law - Personal information (PI) security specification
China Cybersecurity Law – Personal information (PI) security specification

The China Cybersecurity Law lays down principles and security requirements relating to the processing of PI, including collection, storage, use, sharing, transfer, and public disclosure.

CIS Critical Security Controls v8
CIS Critical Security Controls v8.1
The Cisco Cloud Controls Framework (CCF)
Cisco Cloud Controls Framework (CCF)

CCF is a rationalized framework developed by Cisco Systems with comprehensive control requirements taken from numerous, globally accepted, security compliance frameworks and certifications, helping organizations ensure the security, compliance, and governance of their cloud environments.

CMS Acceptable Risk Safeguards 5.0x
CMS Acceptable Risk Safeguards 5.0x and Information Systems Security and Privacy Policy (IS2P2) v3.0

This policy defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems.

CMS Acceptable Risk Safeguards 5.0x
Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Controls for Affordable Care Act (ACA), Medicaid, and Partner Entities (ARC-AMPE) v1.0.2

ARC-AMPE is the CMS framework by which ARC-AMPE users may or must (as applicable) manage the security and privacy of the information systems they deploy to administer end-to-end operations throughout the health coverage eligibility and enrollment lifecycle. ARC-AMPE Volume I provides high-level guidance for adhering to the framework. ARC-AMPE Volume II establishes the minimum-level security and privacy controls for ARC-AMPE users to implement the framework to protect information within information systems. Information systems include all systems that have or are applying to have an authorized connection to the CMS Federal Data Services Hub (hereafter “the Hub”) and/or access to PII contained within or PII derived from the Exchange repositories.

ACA - CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E)
CMS Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) Harmonized Security Privacy Framework v2.2

This framework defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans. The centerpiece of the framework is the streamlined and tailored selection of security and privacy controls for Exchanges.

Cybersecurity Maturity Model Certification (CMMC) v2
Cybersecurity Maturity Model Certification (CMMC) v2
Cybersecurity Maturity Model Certification (CMMC) v2
Cybersecurity Maturity Model Certification (CMMC v1.02)

The Cybersecurity Maturity Model Certification (CMMC v1.02) is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI.

Cybersecurity Maturity Model Certification (CMMC) v2
CMMC 2.0 Selectable Level with DFARS 252.204 and NIST 800-53 NFO

The Cybersecurity Maturity Model Certification (CMMC) program is designed to verify that defense contractors adequately protect Controlled Unclassified Information (CUI) within the Defense Industrial Base. Organizations can be assessed at Level 1 (Basic), Level 2 (Advanced), or Level 3 (Expert), depending on the sensitivity of the Department of Defense (DoD) information they handle. While Level 2 is grounded in the 110 controls of NIST SP 800-171 Rev 2, Level 3 incorporates a subset of enhanced security requirements from NIST SP 800-172 to defend against Advanced Persistent Threats (APTs). The program integrates DFARS 252.204 regulatory requirements (including 7012 and 7021) and mandates the implementation of NIST SP 800-53 Rev 5 NFO (Non-Federal Organization) controls, which are adapted from NIST SP 800-171 Rev 2 to ensure a consistent, comprehensive security posture across the entire supply chain.

Control Objectives for Information and Related Technologies (COBIT) 2019
Control Objectives for Information and Related Technologies (COBIT) 2019

COBIT 2019 is a framework that provides a comprehensive set of principles, practices, and guidelines for the governance and management of enterprise information and technology, aimed at the whole enterprise.

CSA Cloud Controls Matrix (CCM) v4
CSA Cloud Controls Matrix (CCM) v4
CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4.1
CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4

The Consensus Assessments Initiative Questionnaire (CAIQ) for Cloud Controls Matrix (CCM) 4.0 is a standardized questionnaire designed to assess cloud providers’ security and compliance capabilities. It consists of a set of yes/no questions that align with the Cloud Security Alliance’s CCM, covering domains such as data security, identity management, and risk management. The CAIQ enables cloud customers to evaluate the security posture of potential cloud service providers, ensuring alignment with best practices and regulatory requirements.

CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4.1
CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4.1

The Consensus Assessments Initiative Questionnaire (CAIQ) for Cloud Controls Matrix (CCM) 4.1 is a standardized questionnaire designed to assess cloud providers’ security and compliance capabilities. It consists of a set of yes/no questions that align with the Cloud Security Alliance’s CCM, covering domains such as data security, identity management, and risk management. The CAIQ enables cloud customers to evaluate the security posture of potential cloud service providers, ensuring alignment with best practices and regulatory requirements.

Cloud Security Alliance (CSA) AI Controls Matrix (AICM) v 1.03
Cloud Security Alliance (CSA) AI Controls Matrix (AICM) v 1.03

The AI Controls Matrix (AICM) v 1.03, published by the Cloud Security Alliance (CSA), is a framework for cloud-based AI systems. Organizations can use the AICM to develop, implement, and operate AI technologies in a secure and responsible manner. Developed by industry experts, the AICM builds on CSA’s Cloud Controls Matrix (CCM) and incorporates the latest AI security best practices.

Cyber Risk Institute (CRI) Profile
Cyber Risk Institute (CRI) Profile

The CRI Profile is based on the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” and is a streamlined approach to cybersecurity risk management.

Cyber Risk Institute (CRI) Profile
Cyber Risk Institute Profile 2.0 (CRI)

The Cyber Risk Institute Profile 2.0 is designed to help financial institutions manage and mitigate cyber risks.

Cybersecurity Capability Maturity Model (C2M2)
Cybersecurity Capability Maturity Model (C2M2)

The Cybersecurity Capability Maturity Model (C2M2) enables organizations to evaluate their cybersecurity capabilities and optimize security investments.

NIS2
Digital Services Act (DSA)

The DSA regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation.

Department of Homeland Security (DHS) 4300A - Sensitive Systems Handbook
Department of Homeland Security (DHS) 4300A – Sensitive Systems Handbook

The DHS 4300A serves as the foundation on which Department of Homeland Security (DHS) Components are to develop, build, and implement their information security programs.

The Digital Operational Resilience Act (DORA)
Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks.

The Classified Protection of Cybersecurity (DJCP) or Multi-Level Protection Scheme (MLPS)
Classified Protection of Cybersecurity (DJCP) or Multi-Level Protection Scheme (MLPS)

The DJCP/MLPS is a regulatory scheme designed to protect the cyber security of networks and systems in China, setting forth requirements and measures to protect classified data from unauthorized access, disclosure, and manipulation through a multi-level security approach.

EASA Part-IS
EASA Part-IS

EASA Part-IS establishes a mandatory information-security-risk-management system within the EASA regulatory framework, requiring organizations and competent authorities to identify, assess and mitigate information-security risks that could impact aviation safety.

EU AI Act
EU AI Act

The EU AI Act is a pioneering regulation aiming to ensure the safe and ethical use of artificial intelligence across the European Union. It categorizes AI systems based on risk levels — ranging from minimal to unacceptable — and imposes strict requirements on high-risk applications to safeguard human rights, privacy, and safety.

EU Regulation 2019/1020 on market surveillance and compliance of products
EU Regulation 2019/1020 on market surveillance and compliance of products

The EU Regulation 2019/1020 on market surveillance and compliance of products is the legal framework with an objective to improve the functioning of the internal market by strengthening the market surveillance of products covered by the Union harmonisation legislation with a view to ensuring that only compliant products that fulfil requirements providing a high level of protection of public interests, such as health and safety in general, health and safety in the workplace, the protection of consumers, the protection of the environment and public security and any other public interests protected by that legislation, are made available on the Union market. This Regulation lays down rules and procedures for economic operators regarding products subject to certain Union harmonisation legislation and establishes a framework for cooperation with economic operators. This Regulation also provides a framework for controls on products entering the Union market.

EU Data Act - EU Regulation
EU Data Act – EU Regulation 2023/2854

The EU Data Act is the legal framework that governs fairness in the allocation of value from data among actors in the data economy and fosters fair access to and use of data in order to contribute to establishing a genuine internal market for data. Because this objective cannot be sufficiently achieved by the Member States but can, by reason of the scale or effects of the action and the cross-border use of data, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. This act establishes a harmonized framework for fair access to and use of data within the European Union. Its primary objective is to foster a genuine internal market for data by balancing data value allocation and removing barriers to data sharing.

The EU - US Data Privacy Framework (DPF)
EU – US Data Privacy Framework (DPF)

The Data Privacy Framework (DPF) program, previously known as Privacy Shield, is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. This framework enables eligible US-based organizations to self-certify their compliance pursuant to the EU-US DPF and, as applicable, the UK Extension to the EU-US DPF, and/or the Swiss-US DPF. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.

EU Cyber Resilience Act
EU Cyber Resilience Act

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) establishes uniform cybersecurity requirements for products with digital elements across the European Union. Adopted on October 23, 2024, and effective from June 2025, it mandates that manufacturers integrate security measures throughout a product’s lifecycle, including design, development, and maintenance phases.

ETSI EN 319 401 V2.2.1
ETSI EN 319 401 V2.2.1

The ETSI EN 319 401 V2.2.1 is a technical specification developed by the European Telecommunications Standards Institute (ETSI) that specifies general policy requirements relating to Trust Service Providers (TSPs) that are independent of the type of TSP.

ETSI EN 319 401 V2.2.1
ETSI EN 319 411-1 V1.5.1

The ETSI EN 319 411-1 V1.5.1 (2025-04) is a European standard that outlines policy and security requirements for Trust Service Providers (TSPs) that issue public key certificates. The present document is part 1 of a multi-part deliverable covering the policy and security requirements for TSPs issuing certificates. This standard is designed to foster international confidence in electronic commerce by ensuring that TSPs implement robust protective measures to mitigate operational and financial risks. It achieves this by defining seven distinct certificate policies—ranging from Lightweight (LCP) to Extended Validation (EVCP)—to suit different levels of assurance and regulatory needs, including alignment with EU Regulation No 910/2014 and CA/Browser Forum guidelines.

ETSI EN 319 401 V2.2.1
ETSI EN 319 401 V3.2.1

ETSI EN 319 401 version 3.2.1 is a European standard that provides the general requirements for Trust Service Providers (TSPs) offering electronic trust services, such as digital signatures, time-stamping, and electronic seals. This standard forms the foundational framework within the ETSI 319 series and outlines the baseline security requirements, operational practices, and procedures that TSPs must adhere to, ensuring the reliability, integrity, and trustworthiness of their services. Version 3.2.1 includes updated guidelines for risk management, incident handling, and compliance with legal and regulatory obligations, ensuring that TSPs operate in a secure and trustworthy manner, in alignment with the latest technological advancements and security practices.

The Spanish National Security Scheme (ENS) 2022
Spanish National Security Scheme (ENS) 2022

The National Security Scheme (ENS) regulation establishes the National Security Framework in Spain and applies to both public and private sector entities. The ENS regulation aims to protect the confidentiality, integrity, availability, and authenticity of information in public entities and organizations.

Family Educational Rights and Privacy Act of 1974 (FERPA)
Family Educational Rights and Privacy Act of 1974 (FERPA) with PTAC Guidance

FERPA is a federal law in the United States that helps protect the privacy of student education records and provides the right to inspect and review education records, seek to amend them, and to limit disclosure of information from the records.

The Federal Bureau of Investigations (FBI) CJIS Security Policy
Federal Bureau of Investigations (FBI) CJIS Security Policy

The FBI CJIS Security Policy protects and safeguards criminal justice data by providing criminal and noncriminal justice agencies with a minimum set of security requirements in order to access the FBI’s Criminal Justice Information Services Division systems.

FDA Electronic Records; Electronic Signatures (21 CFR Part 11)
FDA Electronic Records; Electronic Signatures (21 CFR Part 11)

21 CFR Part 11 is a regulation issued by the U.S. Food and Drug Administration (FDA) that establishes the criteria under which electronic records and electronic signatures are considered trustworthy, reliable, and equivalent to paper records in FDA-regulated industries.

The Federal Risk and Authorization Management Program (FedRAMP)
Federal Risk and Authorization Management Program (FedRAMP)
The Florida Information Protection Act (FIPA)
Florida Information Protection Act (FIPA)
FFIEC
FFIEC Cybersecurity Assessment Tool (CAT)

The FFIEC Cybersecurity Assessment Tool (CAT), developed by the Federal Financial Institutions Examination Council (FFIEC) on behalf of its members, helps institutions identify their risks and determine their cybersecurity maturity.

France ASIP HDS - HDH Certification - v1.1
France ASIP HDS – HDH Certification – v1.1

France ASIP HDS – HDH Certification – v1.1 constitutes the certification reference system applicable to hosts wishing to obtain certification for the scope of “physical infrastructure provider” or “IT managed services provider” of personal health data in France.

French ANSSI SecNumCloud v3.2
French ANSSI SecNumCloud v3.2

ANSSI SecNumCloud v3.2 is France’s top-tier “trusted-cloud” qualification, published on 8 March 2022. It applies to SaaS, PaaS, CaaS and IaaS offerings and asks providers to satisfy 360-plus prescriptive controls grouped under 14 security domains that extend ISO 27001.

The General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
The Gramm-Leach-Bliley Act (GLBA) and FTC Safeguard Rule
Gramm-Leach-Bliley Act (GLBA) and FTC Safeguard Rule

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.

Hyperproof Common Control Framework (CCF)

The Hyperproof Common Control Framework is a modern set of cybersecurity and privacy controls, each distilled from key elements found in established frameworks such as NIST 800-53, AICPA SOC 2, ISO 27001, CIS, GDPR, and PCI DSS. This framework facilitates organizational compliance by standardizing processes to effectively address cybersecurity, privacy, and information system risks.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
IATF 16949
IATF 16949

IATF 16949 is an international quality management standard specifically designed for the automotive industry, emphasizing defect prevention, continual improvement, and reduction of waste across the automotive supply chain. It integrates ISO 9001 requirements with automotive-specific criteria to enhance customer satisfaction, product safety, and reliability.

The Israeli Protection of Privacy Law and Regulations
Israeli Protection of Privacy Law and Regulations

The Israeli privacy laws establish a robust legal framework designed to protect the privacy and personal data of individuals.

Italian ACN
Italian ACN

Italian ACN is a comprehensive framework that aims to protect national cyberspace, promote digital autonomy, and ensure compliance with cybersecurity regulations. It plays a central role in developing and implementing the National Cybersecurity Strategy, overseeing the National Cybersecurity Perimeter, and acting as the National Competent Authority for NIS2.

IBM Cloud Framework for Financial Services
IBM Cloud Framework for Financial Services

IBM Cloud Framework for Financial Services is designed to help address the needs of financial services institutions with regulatory compliance, security, and resiliency during the initial deployment phase and with ongoing operations.

IEC
IEC 62443 4-1

IEC 62443 4-1 outlines practices and procedures for developing and maintaining secure products, addressing aspects from specification and design to maintenance.

IEC
IEC 62443 4-2

IEC 62443 4-2 specifies how to secure components against unauthorized access and misuse, thereby ensuring the resilience and integrity of industrial operations.

ISO 14001:2015
ISO 14001:2015

ISO 14001:2015 is an international standard that provides organizations with a framework to protect the environment and respond to changing environmental conditions in balance with socioeconomic needs.

ISO 17025:2017
ISO 17025:2017

ISO/IEC 17025:2017 specifies the general requirements for the competence, impartiality and consistent operation of laboratories performing testing and calibration. This program is applicable to all organizations performing laboratory activities, regardless of the number of personnel.

ISO 20000
ISO 20000

This framework specifies requirements for an organization to establish, implement, maintain and continually improve a service management system (SMS) to meet service requirements and deliver value.

ISO
ISO 21434

ISO 21434 is an international standard that addresses cybersecurity engineering of electrical and electronic (E/E) systems within road vehicles. By ensuring appropriate consideration of cybersecurity, this framework aims to enable the engineering of E/E systems to keep up with state-of-the-art technology and evolving attack methods.

ISO 22301:2019
ISO 22301:2019

ISO 22301:2019 is an international standard that specifies requirements to implement, maintain and improve business continuity management systems to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise.

ISO 26262
ISO 26262

ISO 26262 is an international standard that ensures the functional safety of electrical and electronic systems in road vehicles throughout the entire safety lifecycle, from concept to production.

ISO 27001:2013
ISO 27001:2013
ISO 27001:2013
ISO 27001:2019

Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.

ISO 27001
ISO 27001:2022
ISO 27002:2022
ISO 27002:2022

ISO 27002 is an international standard that provides a reference set of generic information security controls and guidance designed to be used by organizations within the context of ISO 27001 and based on internationally recognized best practices.

ISO
ISO 27017:2015

ISO 27017:2015 is an international standard for information security controls based on ISO/IEC 27002 for cloud services that provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards.

ISO
ISO 27018:2019

ISO 27018:2019 is a code of practice that focuses on protection of personal data in public clouds acting as PII processors. It is based on ISO/IEC information security standard 27002 and provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud Personally Identifiable Information (PII).

ISO
ISO 27701:2019

ISO 27701:2019 (Security techniques) is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. It is an international standard that specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including the processing of Personally Identifiable Information (PII).

ISO
ISO 27799:2016

ISO 27799:2016 is an international standard that provides guidance to healthcare organizations and other custodians of personal health information on how best to protect the confidentiality, integrity and availability of such information.

ISO
ISO 28000:2022

ISO 28000:2022 is an international standard that provides guidelines and requirements for implementing effective security management systems in organizations involved in the global supply chain.

ISO 42001 AI Management System
ISO 42001 AI Management System

ISO/IEC 42001 is an international standard that provides a framework for organizations to manage the ethical development, deployment, and governance of Artificial Intelligence (AI) systems.

ISO
ISO 45001:2018

ISO 45001:2018 is an international standard that sets out the requirements for occupational health and safety (OH&S) management systems. It was developed by national and international standards committees independent of government.

ISO
ISO 9001:2015

ISO 9001:2015 is the international standard that specifies requirements for quality management systems (QMS), which organizations use to demonstrate the ability to consistently provide products and services that meet customer and regulatory requirements.

ITSG-33 Government of Canada Controls Catalogue
ITSG-33 Government of Canada Controls Catalogue

ITSG-33 is a comprehensive framework of security controls and guidelines, including the PBMM controls, for protecting the information and IT assets of the Canadian government.

International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines
International Traffic in Arms Regulations (ITAR) Compliance Program Guidelines

This framework contains information on the elements of an effective ITAR Compliance Program (ICP) and how to design and implement an ICP for organizations that manufacture, export, broker, or temporarily import defense articles and defense services described on the United States Munitions List (USML).

Japanese Information System Security Management and Assessment Program (ISMAP)
Japanese Information System Security Management and Assessment Program (ISMAP)

The ISMAP is a framework established by the Japanese government that sets out guidelines and procedures for evaluating and managing information system security in organizations within Japan.

Korean Personal Information & Information Security Management System (ISMS-P)
Korean Personal Information & Information Security Management System (ISMS-P)

The ISMS-P is a Korean integrated certification system that ensures the protection of personal information and the overall information security of organizations in South Korea. It consolidates the PIMS and ISMS certifications, which were previously operated separately, into one certification system.

MAS Technology Risk Management Guidelines (TRM)
MAS Technology Risk Management Guidelines (TRM)

The MAS Technology Risk Management (TRM) Guidelines are regulatory guidelines issued by the Monetary Authority of Singapore (MAS) that outline the expectations and best practices for managing technology risks in financial institutions operating in Singapore.

MAS Technology Risk Management Guidelines (TRM)
Singapore Financial Services and Markets Act 2022

Singapore Financial Services and Markets Act 2022 is an Act to provide for a financial sector-wide regulation of financial services and markets, the exercise of control over and the resolution of financial institutions and their related entities, the licensing and regulation of digital token service providers, and other incidental and connected matters, to make related and consequential amendments to certain other Acts, and to amend a provision of the Income Tax Act 1947 consequent upon the operation of the Financial Holding Companies Act 2013.

Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)
Microsoft SSPA v.10

Microsoft’s SSPA requires suppliers who handle personal data and Microsoft Confidential Data to meet a strict set of security and privacy standards. This version of the framework includes controls and crosswalks to support Hyperproof’s Jumpstart feature.

Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)
Microsoft Supplier Privacy & Assurance Standards (SSPA DPR v7)

Microsoft’s SSPA requires suppliers who handle personal data and Microsoft Confidential Data to meet a strict set of security and privacy standards.

NERC
NERC Critical Infrastructure Protection (CIP)

NERC Critical Infrastructure Protection (CIP) is a set of regulatory standards focused on protecting critical cyber assets, physical infrastructure, and personnel from threats, vulnerabilities, and risks that could disrupt the operation of power grids.

NIS2
NIS2

The NIS2 Directive revises the European Union’s Network and Information Security Directive, expanding its scope to include additional sectors and services such as health, energy, and digital infrastructure.


NIS 2 Directive (EU) 2022/2555 with 2024/2690 and Member State Implementation
NIS 2 Directive (EU) 2022/2555 with 2024/2690 and Member State Implementation

The NIS 2 compliance program establishes a unified cybersecurity baseline across the European Union by mandating that essential and important entities implement the technical and methodological requirements specified in Commission Implementing Regulation (EU) 2024/2690. This program focuses on strengthening critical sectors—such as energy, health, and digital infrastructure—through comprehensive risk-management measures including incident handling, supply chain security, and multi-factor authentication. These requirements are strategically mapped to international standards like ISO/IEC 27001, allowing organizations to leverage existing frameworks to meet EU-wide security objectives and facilitate compliance audits. Individual Member States execute these requirements through national laws and dedicated registration portals, such as Denmark’s virk.dk or Italy’s ACN platform, while enforcing a strict incident notification regime that demands an early warning within 24 hours of discovery. By combining standardized EU-level controls with management-body liability and national oversight, the framework ensures a resilient defense for the Union’s most vital economic and societal functions.

AI Risk Management Framework (AI RMF)
NIST AI Risk Management Framework

The AI Risk Management Framework (AI RMF) improves the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

NIST SP 800-161
NIST SP 800-161

NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations – Rev 1 provides guidelines and recommendations for protecting the confidentiality, integrity, and availability of supply chain information and systems within federal agencies.

NIST
NIST SP 800-171
NIST
NIST 800-171 Rev2

NIST 800-171 Rev2 provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

NIST
NIST 800-171 Rev3

NIST 800-171 Rev3 provides federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.

NIST
NIST SP 800-218

NIST 800-218 Secure Software Development Framework (SSDF) v1.1 provides guidelines and best practices for managing and mitigating cybersecurity risks associated with the supply chain of information and communication technology (ICT) products and services.

NIST
NIST SP 800-82

This framework provides guidance on how to secure operational technology (OT) while addressing its unique performance, reliability, and safety requirements, including guidance on industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. It provides an overview of OT and typical system topologies, identifies common threats and vulnerabilities to these systems, and recommends security countermeasures to mitigate the associated risks.

NIST
NIST SP 800-53
NIST
NIST SP 800-53 Rev5

NIST 800-171 Rev2 is Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020.

NIST
NIST SP 800-53 Rev5 Selectable Baseline

NIST SP 800-53 Rev5 Selectable Baseline provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.

NIST
NIST 800-53 Rev 5.2.0 – All Controls & Supplemental

NIST 800-53 Rev 5.2.0 is a cybersecurity and privacy framework from NIST that defines security controls for federal information systems. It helps organizations manage security and privacy risks, ensuring compliance with federal requirements and improving resilience. The framework covers key areas like access control, risk management, and incident response, with controls that can be tailored to different environments. Rev 5.2.0 mainly provides clarifications, corrections, and refinements to existing controls without major structural changes. This revision focuses on improving the security and reliability of software updates and patches in response to Executive Order 14306 on strengthening the Nation’s cybersecurity.

NIST
NIST Cybersecurity Framework (CSF) 1.1
NIST
NIST Privacy Framework
NIST
NIST Cybersecurity Framework (CSF) 2.0
NISTIR 8374 Ransomware Risk Management
NISTIR 8374 Ransomware Risk Management

NISTIR 8374 Ransomware Risk Management can help organizations gauge their level of readiness to counter threats, deal with the potential consequences of events, and identify opportunities for improvement.

New York Department of Financial Services (NYDFS) Part 500 Cybersecurity Requirements for Financial Services Companies
NY Department of Financial Services (NYDFS) Part 500 Cybersecurity Requirements for Financial Services

NYDFS Part 500 is a framework that mandates financial institutions to implement comprehensive cybersecurity programs to protect sensitive customer data and ensure the resilience of their systems against cyber threats.

New York Privacy Act Bill
New York Privacy Act Bill

The New York Privacy Act, as proposed in Senate Bill S3044, would create broad consumer privacy rights in New York, including rights to know how personal data is used, opt out of certain processing, access and correct their data, delete it, and require opt-in consent for processing sensitive data. It would also impose duties on businesses, processors, third parties, and data brokers—including registration requirements for brokers—and authorize enforcement by the New York Attorney General.

OWASP Application Security Verification Standard (ASVS) v4.0.3
OWASP Application Security Verification Standard (ASVS) v4.0.3

The OWASP ASVS Project is a widely recognized industry standard that provides guidelines and requirements for verifying the security of web applications, ensuring they meet essential security controls and best practices.

Payment Card Industry Data Security Standard (PCI DSS) 3.2.1
Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 (Retired framework available for reference)
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS) 4.0
Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard (PCI DSS) 4.0.1

The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

Personal Information Protection Act (PIPA) and its Regulation - Alberta, Canada
Personal Information Protection Act (PIPA) and its Regulation – Alberta, Canada

The Personal Information Protection Act is a law implemented in Alberta, Canada that governs the collection, use, and disclosure of personal information by organizations, balancing individual privacy rights with the reasonable needs of organizations.

Personal Information Protection Act (PIPA) - British Columbia, Canada
Personal Information Protection Act (PIPA) – British Columbia, Canada

The Personal Information Protection Act is a law implemented in British Columbia, Canada that governs the collection, use, and disclosure of personal information by organizations. The Act balances an individual’s right to protect their personal information with an organization’s need to collect, use, or disclose information for appropriate purposes.

SASB ESG
SASB ESG

This supplement provides an overview of SASB’s approach to greenhouse gas emissions and related topics in the SASB Standards and offers guidance for reporting entities that wish to disclose Scope 1, 2, or 3 emissions.

Saudi Arabia Essential Cybersecurity Controls
Saudi Arabia Essential Cybersecurity Controls (ECC) 2018

The Saudi Arabia Essential Cybersecurity Controls (ECC) are guidelines for enhancing cybersecurity across organizations in Saudi Arabia. They cover risk management, asset management, access control, and more, applicable to government entities, critical infrastructure operators, and key private sector organizations.

SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.1c-3)
SEC 17 CFR Part 240 15c: Rules Relating to Over-the-Counter Markets (§§ 240.15c-2 and 240.1c-3)

SEC 17 CFR Part 240 15c is a subsection of the United States Code of Federal Regulations that outlines the regulations and requirements for broker-dealers in relation to risk assessment, customer disclosures, and various aspects of securities transactions.

SEC
SEC 17 CFR PART 240 17a: Preservation of Records and Reports of Stabilizing Activities (§§ 240.17a-1 – 240.17f-2)

SEC 17 CFR Part 240 17a is a specific subsection of the United States Code of Federal Regulations that outlines the recordkeeping and financial responsibility requirements for broker-dealers registered with the U.S. Securities and Exchange Commission (SEC).

Secure Controls Framework (SCF)
Secure Controls Framework (SCF)

The SCF is a comprehensive framework that provides a structured approach for designing, implementing, and assessing cybersecurity controls to protect organizations against various threats and vulnerabilities.

Secure Controls Framework (SCF)
Secure Control Framework v. December 2024

The SCF is a comprehensive framework that provides a structured approach for designing, implementing, and assessing cybersecurity controls to protect organizations against various threats and vulnerabilities. The December 2024 version includes controls and crosswalks to support Hyperproof’s Jumpstart feature.

Secure Controls Framework (SCF)
Secure Controls Framework (SCF) – January 2026

The Secure Controls Framework (SCF) is a comprehensive, industry-agnostic framework designed to help organizations implement and maintain robust cybersecurity and privacy controls. It consolidates requirements from various laws, regulations, and standards into a unified set of controls, simplifying compliance and risk management. SCF promotes a proactive security approach by integrating best practices across multiple domains, including data protection, governance, and risk assessment. Its flexible, scalable nature makes it suitable for organizations of all sizes and industries aiming for strong security and regulatory alignment.

Sarbanes–Oxley Act (SOX)
Sarbanes–Oxley Act (SOX)

SOX is a U.S. federal law enacted in 2002 designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. Hyperproof’s SOX program includes templates for internal controls over financial reporting (ICFR) and general control activities over technology (ITGC).

GovRAMP
GovRAMP

GovRAMP is a program that aims to standardize and streamline the cybersecurity assessment and authorization process for cloud service providers (CSPs) working with U.S. state, local, tribal, and territorial governments, ensuring secure and reliable cloud solutions.

SOC 2
SOC 2
SWIFT CSCF
SWIFT CSCF

The Swift Customer Security Controls Framework (CSCF) v2024 outlines a comprehensive set of mandatory and advisory security controls for institutions using the SWIFT network. This framework is designed to protect against fraud and cyber threats by enforcing rigorous standards around user access, security policies, and incident response.

Task Force on Climate-Related Financial Disclosures (TCFD)
Task Force on Climate-Related Financial Disclosures (TCFD)

The TCFD is an initiative that promotes voluntary and consistent reporting of climate-related risks and opportunities by organizations, enabling better-informed decision-making and more transparent disclosure of climate impacts on financial performance.

Trusted Information Security Assessment Exchange (TISAX)
Trusted Information Security Assessment Exchange (TISAX)

TISAX is a standardized framework and assessment process established by the German Association of the Automotive Industry (VDA) for the automotive industry. It ensures the secure exchange of sensitive information through a common set of security requirements and assessment criteria.

Trusted Information Security Assessment Exchange (TISAX)
TISAX VDA ISA 6.0.3

The VDA Information Security Assessment (VDA ISA) is an information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. It is used by companies both for internal purposes and for assessments by suppliers and service providers who process sensitive information from their respective companies.

Texas Risk and Authorization Management Program (TX-RAMP)
Texas Risk and Authorization Management Program (TX-RAMP)

TX-RAMP is a state-level initiative that establishes standardized cybersecurity requirements and procedures for evaluating and authorizing cloud service providers (CSPs) working with Texas state agencies, ensuring secure and compliant cloud solutions.

UK Cyber Essentials: Requirements for IT infrastructure
UK Cyber Essentials: Requirements for IT infrastructure

UK Cyber Essentials is a certification scheme that sets out basic cybersecurity controls and guidelines for organizations in the UK to mitigate common cyber threats and enhance the overall security of their IT systems.

UK Financial Conduct Authority (FCA) Handbook, Act (FSMA), and Regulated Order (RAO)
UK Financial Conduct Authority (FCA) Handbook, Act (FSMA), and Regulated Order (RAO)

The FCA compliance program provides a structured framework for UK financial services compliance managers to identify, interpret, implement, and monitor obligations arising from the FCA Handbook, the Financial Services and Markets Act 2000 (FSMA), and The Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (RAO). The program supports governance, control design, regulatory change management, risk assessment, monitoring, evidence collection, and reporting activities needed to demonstrate ongoing compliance with applicable UK financial services conduct, prudential, permissions, perimeter, consumer protection, and supervisory requirements.

UK Economic Crime and Corporate Transparency Act 2023 (ECCTA)
UK Economic Crime and Corporate Transparency Act 2023 (ECCTA)

The ECCTA’s core operational pillar is the “Failure to Prevent Fraud” offence, which holds large organizations strictly liable for fraudulent acts committed by “associated persons” unless the firm can prove it had “reasonable procedures” in place. Beyond fraud prevention, you are now responsible for ensuring that all directors and Persons with Significant Control (PSCs) have completed mandatory identity verification with Companies House—a transition period that is currently reaching its deadline for existing entities. With Companies House now acting as an active gatekeeper rather than a passive registrar, your role has shifted from simple administrative filing to rigorous data integrity and proactive risk management of the company’s “senior managers,” whose actions can now more easily trigger corporate criminal liability.

WebTrust
WebTrust Principles and Criteria

WebTrust Principles and Criteria provides a cohesive and adaptable compliance framework that organizations can adopt to ensure the integrity and trustworthiness of their public key infrastructure (PKI) operations. It includes foundational guidance for Certification Authorities (CAs) to establish sound governance, certificate lifecycle management, and operational controls.
