Streamline and follow the most rigorous security and privacy standards
Secureframe enables compliance with the most in-demand frameworks to accelerate sales cycles and make it easy to prove your security posture. Each supported framework includes control mapping to framework requirements, automated control testing that collects compliance evidence from integrated technologies, and built-in Secureframe tools such as policy management as required by each framework.
Commercial security frameworks
SOC 2
SOC 2 is a cybersecurity compliance framework developed for service and technology providers that handle customer data. SOC 2 drives organizations to build strong, continuous security processes to protect their customer data.
ISO 27001:2022
ISO 27001 is a universal standard built for organizations around the globe to establish, maintain, and continually improve their information security management system (ISMS).
PCI DSS
Merchants or service providers that process, store, transmit, or impact credit card data need to meet the 300+ PCI DSS requirements to safeguard cardholder data.
Cyber Essentials
Cyber Essentials is a certificate required for organizations working with the UK government to protect against common online threats by implementing a baseline of five essential security controls and best practices.
NYDFS NYCRR 500
The New York Department of Financial Services (NYDFS) requires covered entities to uphold cybersecurity requirements related to protecting sensitive customer data and the overall security of the systems and personnel within their NYDFS scope.
FTC Safeguards Rule
Financial institutions that are under the jurisdiction of the Federal Trade Commission (FTC) need to meet the Safeguards Rule to protect the security of customer data.
ISO 27017
ISO 27017 is an international standard providing guidelines for information security controls applicable to cloud services. It addresses both cloud service providers and customers, ensuring security and compliance in cloud environments through additional controls and best practices tailored to the unique aspects of cloud computing.
Microsoft SSPA
Suppliers that are part of Microsoft's information supply chain need to comply with Microsoft's Supplier Privacy and Assurance Standards (SSPA) and complete an assessment against Microsoft's Data Protection Requirements (DPR).
NIS2
NIS2 is an updated EU directive aimed at enhancing cybersecurity across all member states by improving national capabilities, cooperation, and risk management practices among key sectors and digital service providers.
Essential 8
The Essential Eight is a set of cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC) to help organizations mitigate cyber threats and protect their systems against a range of cyber attacks.
CIS
The Center for Internet Security (CIS) publishes and maintains the Critical Security Controls (CSCs), a set of best practices and guidelines designed to safeguard organizations against cyber threats. The CIS Controls provide a comprehensive approach to cybersecurity, including regular updates and audits, to ensure adherence to industry-standard security measures and enhance overall cyber defense capabilities.
SOX ITGC
SOX ITGC refers to the Information Technology General Controls under the Sarbanes-Oxley Act, which are internal controls IT departments must implement to support the integrity of financial reporting.
EU DORA
The EU Digital Operational Resilience Act (DORA) is a regulation aimed at enhancing the operational resilience of financial institutions in the European Union so that they can withstand and recover from various disruptions and threats.
TISAX
TISAX (Trusted Information Security Assessment Exchange) is a European standard for information security assessments, required for companies in the automotive industry—such as suppliers and service providers—that handle sensitive information to ensure compliance with stringent data protection standards.
Federal security frameworks
NIST 800-53 - High
NIST 800-53 - High includes the greatest number of controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - High if the loss of sensitive data would have a severe or catastrophic impact on their business.
NIST 800-53 - Moderate
NIST 800-53 - Moderate includes controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - Moderate if the loss of sensitive data would have a serious, but not catastrophic, impact on their business.
NIST 800-53 - Low
NIST 800-53 - Low includes the fewest controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - Low if the loss of sensitive data would have a minor impact on their business.
NIST 800-171
Contractors and subcontractors working with federal or state agencies that handle Controlled Unclassified Information (CUI) must comply with NIST 800-171.
NIST CSF 2.0
The NIST Cybersecurity Framework (NIST CSF 2.0) is required for any organization that works with the US federal government, institutions supported by federal grants, or within the supply chain for a federal agency. NIST CSF 2.0 helps organizations understand risk and improve their cybersecurity programs.
CJIS
The Criminal Justice Information Services (CJIS) framework is for government entities that access or manage sensitive information from the US Justice Department. CJIS is designed to ensure data security in law enforcement.
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is an evolving model that contractors working with the Department of Defense (DoD) and other federal agencies must meet.
TX-RAMP
TX-RAMP (Texas Risk and Authorization Management Program) is a framework that standardizes the risk management and authorization process for cloud services used by Texas state agencies and institutions. Organizations need to comply with TX-RAMP to ensure they meet the state's security and privacy requirements, facilitating secure and efficient cloud service usage within the public sector.
Data privacy frameworks
HIPAA
Modern healthcare plans, providers, insurers, clearinghouses, biotech organizations, and pharmaceutical organizations must achieve and maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA).
ISO 27701
ISO 27701 is the data privacy extension of ISO 27001. ISO 27001 is for organizations around the globe to establish, maintain, and continually improve their information security management system (ISMS).
GDPR
Organizations that handle European Union (EU) and United Kingdom (UK) customer data must uphold the various privacy and security requirements to comply with the General Data Protection Regulation (GDPR).
CCPA
Businesses that target or collect the personal data of California residents need to achieve and maintain compliance with the California Consumer Privacy Act (CCPA).
CPRA
The California Privacy Rights Act (CPRA) amends CCPA's consumer rights by introducing new requirements for businesses to protect customer data and includes an enforcement agency, the California Privacy Protection Agency (CPPA).
AI frameworks
NIST AI RMF
For organizations that are incorporating AI into their products and processes, Secureframe helps with NIST AI RMF compliance and risk management associated with AI systems.
ISO 42001
For organizations that are incorporating AI into their products and processes, Secureframe helps with ISO 42001 compliance and with managing the responsible development and use of AI systems.
Additional frameworks
Custom
Use Secureframe to create custom frameworks based on your unique requirements, industry standards, and regulatory obligations and achieve your compliance goals. Map our pre-built controls and tests to your custom frameworks using our control library and test library to save time on evidence collection and control monitoring.
ISO 9001
ISO 9001 is an international standard built to provide a structured framework for organizations to establish and maintain a Quality Management System (QMS).
“Secureframe was instrumental in helping us get SOC 2 and ISO 27001 certified. We always felt like we were talking to experts in the field. Compared to other competitors, choosing Secureframe is a no-brainer.”
Secureframe Resources
Explore our blog, hubs, and compliance resources to get insights, curated best practices, and tools that will help you understand and comply with the most rigorous security and privacy standards.
Blog
Get expert insights, best practices, and the latest news for achieving and maintaining privacy and security compliance.
Compliance Hubs
Find everything you need to know about achieving and maintaining compliance with major security frameworks.
Resource Library
Browse our library of ebooks, policy templates, audit readiness checklists, and more free tools to simplify and streamline compliance.