Frameworks Glossary
Browse our list of common security, privacy, and compliance frameworks and standards
APRA Prudential Standard CPS 234
Prudential Standard CPS 234 is a regulatory framework established by the Australian Prudential Regulation Authority (APRA) to enhance cybersecurity in the financial services industry.
Australian Cyber Security Centre (ACSC) Essential Eight
Developed and recommended by the Australian Cyber Security Centre (ACSC), the Essential Eight framework offers a foundational set of mitigation strategies designed to prevent malware attacks, unauthorized access, and data exfiltration.
Australian Privacy Act
The Privacy Act promotes and protects the privacy of individuals in Australia. It regulates the handling of personal information by organizations in the federal public sector and in the private sector.
BSI IT-Grundschutz
The BSI IT-Grundschutz offers a systematic approach to information security management, providing both methodology and a catalog of security measures tailored to different aspects of IT environments.
Building Security In Maturity Model (BSIMM)
The Building Security In Maturity Model (BSIMM) is a data-driven model that provides an in-depth view of software security initiatives. BSIMM is not a standard or a checklist but rather a reflection of current practices observed in real-world software security programs. By assessing the software security initiatives of multiple organizations, BSIMM offers a benchmark for comparing and guiding software security practices.
COSO Enterprise Risk Management Framework (COSO ERM)
The COSO Enterprise Risk Management (ERM) Framework, often just referred to as COSO ERM, is a widely accepted and utilized framework for designing, implementing, conducting, and improving enterprise risk management in organizations. It aligns risk management with business strategy, driving performance.
COSO Internal Control Framework
The COSO Internal Control Framework, often referred to simply as COSO, is a widely recognized framework designed to enhance an organization's ability to achieve its objectives through the effective application of internal controls. This framework provides guidance for organizations in designing and evaluating the effectiveness of internal control systems.
Center for Internet Security (CIS)
The Center for Internet Security (CIS) Controls and CIS Benchmarks are a set of best practices designed to help organizations bolster their security posture. These controls, which have been developed by a community of IT experts, focus on a series of prioritized actions that form the foundation of any good cybersecurity program, assisting organizations in safeguarding their systems and data against the most pervasive cyber threats.
Cloud Security Alliance (CSA)
The Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Through its various initiatives, research projects, and working groups, CSA provides comprehensive guidance to businesses and individuals leveraging cloud services.
Control Objectives for Information and Related Technologies (COBIT)
Control Objectives for Information and Related Technologies (COBIT) is a comprehensive framework designed for the development, implementation, monitoring, and improvement of IT governance and management practices. It provides an end-to-end business perspective for IT governance that links business goals to IT goals.
Criminal Justice Information Services (CJIS)
The Criminal Justice Information Services (CJIS) Security Policy is a set of stringent standards that govern the creation, viewing, modification, transmission, dissemination, storage, and destruction of Criminal Justice Information (CJI). These standards ensure that CJI remains available, confidential, and integral.
Critical Information Infrastructure Protection (CIIP)
Critical Information Infrastructure Protection (CIIP) pertains to measures, strategies, and activities aimed at ensuring the security, reliability, and resilience of critical information infrastructures. These infrastructures, often regarded as the backbone of nations' essential services and functions, require special protection from various cyber threats to ensure societal and economic well-being.
Cyber Essentials (UK)
Cyber Essentials is a UK government-backed scheme aimed at helping organizations protect themselves against common cyber threats. It offers a set of basic technical controls that organizations can implement to significantly reduce their vulnerability to cyberattacks.
Cybersecurity Capability Maturity Model (C2M2)
The Cybersecurity Capability Maturity Model (C2M2) is a framework designed to assess and enhance the cybersecurity capabilities of organizations. Its focus is on the implementation and management of cybersecurity practices associated with information technology (IT), operations technology (OT), and information assets and environments.
Cybersecurity Maturity Model Certification (CMMC)
CMMC is a framework introduced by the United States Department of Defense (DoD). It is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB), which consists of over 300,000 companies in the supply chain for the DoD.
Cybersecurity and Infrastructure Security Agency Transportation Systems Sector (CISA TSS)
The Transportation Systems Sector (TSS) represents a vast, interconnected, and complex network of systems and assets that facilitate movement of passengers and cargo. Recognizing the critical nature of this sector in the country's daily operations and economy, the Cybersecurity and Infrastructure Security Agency (CISA) has designated the TSS as one of the nation's critical infrastructure sectors.
Data Protection Act 2018
The Data Protection Act 2018 (DPA) provides individuals with rights regarding their personal information and also establishes requirements that the government and organizations must follow when collecting and processing this data.
ENISA National Cybersecurity Strategies Guidelines
The Network and Information Security Directive, which entered into force in 2016, requires EU Member States to develop and adopt a national cybersecurity strategy (NCSS) to meet current and emerging cybersecurity threats. To support the efforts of these member states, the European Union Agency for Cybersecurity (ENISA) provides guidelines on how to develop, implement and update a NCSS.
ETSI EN 303 645
ETSI EN 303 645 is a cybersecurity standard that establishes a security baseline for internet-connected consumer products and provides the foundation for future IoT certification schemes. Developed by the European Telecommunications Standards Institute (ETSI), this standard aims to address widespread concerns about the security of Internet of Things (IoT) devices.
ETSI ISG SAI (Security for Artificial Intelligence)
ETSI's Industry Specification Group on Securing Artificial Intelligence (ISG SAI) focuses on securing AI from both a usage and an adversarial perspective, aiming to build a standardized foundation for robust and secure AI deployments.
ETSI MEC
The ETSI MEC (European Telecommunications Standards Institute Mobile Edge Computing) framework is a standardization framework that enables IT service environment capabilities at the edge of mobile networks. This framework aims to bring cloud-computing capabilities into the Radio Access Network (RAN) and enable efficient deployment of new applications and services.
ETSI NFV
ETSI NFV (Network Functions Virtualization) is a conceptual framework proposed by the European Telecommunications Standards Institute. It aims to transform the way network services are deployed on telecommunication networks by utilizing standard IT virtualization technology.
ETSI Quantum Safe Cryptography
ETSI's work in quantum-safe cryptography involves researching and developing standards that are resistant to the potential cryptographic threats posed by quantum computing. This field of cryptography focuses on creating algorithms and protocols that would remain secure even in the era of quantum computers, which could potentially break many of the cryptographic systems currently in use.
ETSI TC Cyber
ETSI TC Cyber is a Technical Committee within the European Telecommunications Standards Institute (ETSI) that focuses on standardization in the area of cybersecurity. Its work involves developing standards, technical specifications, and reports to ensure high levels of security for Information and Communication Technology (ICT) services, equipment, and infrastructures.
ETSI TS 103 645
ETSI TS 103 645 is a European Standard (Telecommunications Standardization Sector) that provides a set of baseline security requirements for consumer Internet of Things (IoT) devices. It is one of the first standards aimed specifically at ensuring a minimum level of security for IoT products intended for consumer use.
Essential 8
The Essential 8 is a set of baseline cybersecurity strategies and controls developed by the Australian Cyber Security Centre (ACSC). It is designed to help organizations protect their systems against a wide range of cyber threats by prioritizing and implementing essential mitigation strategies.
FIPS 199
The Federal Information Processing Standards Publication 199 (FIPS 199) is a set of standards for categorizing information and information systems collected or maintained by or on behalf of federal agencies.
FTC Safeguards Rule
The Federal Trade Commission's Standards for Safeguarding Customer Information is a regulatory framework aimed at ensuring the security and confidentiality of customer information held by financial institutions and other entities.
Factor Analysis of Information Risk (FAIR)
FAIR (Factor Analysis of Information Risk) is a risk management framework specifically designed for understanding, analyzing, and quantifying information risk in financial terms. It is unlike traditional qualitative risk assessment methods and focuses on risk quantification in terms of probable frequency and probable magnitude of future loss.
FedRAMP®
The Federal Risk and Authorization Management Program (FedRAMP) is designed to promote the adoption of secure cloud services across the federal government. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or man-made threats.
HITRUST CSF
HITRUST, which stands for Health Information Trust Alliance, is a privately held company that collaborated with healthcare, technology, and information security leaders to establish the HITRUST Common Security Framework. The HITRUST CSF is a comprehensive and certifiable security framework used by healthcare organizations to efficiently manage regulatory compliance and risk management.
ICT Accessibility 508 Standards and 255 Guidelines
The Information and Communication Technology (ICT) Accessibility 508 Standards and 255 Guidelines are a set of guidelines and requirements established to ensure that the information and communication technology of federal agencies is accessible to individuals with physical, sensory, or cognitive disabilities. These standards are designed to promote inclusivity and equal access to digital information and communication tools, making it possible for all individuals, regardless of their disabilities, to fully participate in the digital world.
IETF (Internet Engineering Task Force) Best Current Practices
The Internet Engineering Task Force (IETF) Best Current Practices (BCP) are a series of documents that capture the consensus of the IETF on a range of technical and organizational matters. They are intended to provide guidance, explanations, and recommendations on best practices to facilitate the smooth operation of the Internet and to inform users and technicians about preferred operational norms.
ISA/IEC 62443
ISA/IEC 62443 is a series of standards that provide a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACS). These standards have been developed by both the International Electrotechnical Commission (IEC) and the International Society of Automation (ISA).
ISO 13485
ISO 13485 is an internationally recognized standard that sets out the requirements for a quality management system specific to the medical devices industry. It is designed to be used by organizations involved in the design, production, installation, and servicing of medical devices and related services.
ISO 14040
ISO 14040 is an internationally recognized standard that focuses on the principles and framework for life cycle assessment (LCA) of products and services. This LCA encompasses all stages from raw material extraction through processing, distribution, use, repair, and maintenance, to final disposal or recycling.
ISO 14044
ISO 14044 is an internationally accepted standard that elaborates on specific requirements and guidelines for life cycle assessment (LCA) related to the environmental performance of products, taking into account all stages from raw material extraction to final disposal or recycling. It builds on the principles established in ISO 14040.
ISO 20121
ISO 20121 is an international standard that specifies requirements of an event sustainability management system to improve the sustainability of events.
ISO 22000
ISO 22000 is an international standard for food safety management systems. It provides a comprehensive approach for food producers to identify and control food safety hazards.
ISO 22301
ISO 22301 is an international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving a documented business continuity management system (BCMS). This standard is designed to help organizations protect against, reduce the likelihood of, and ensure their business recovers from disruptive incidents.
ISO 26000
ISO 26000 is an international standard developed to provide guidance on social responsibility. It offers organizations a comprehensive framework for understanding and implementing socially responsible practices and principles, fostering sustainability, and contributing positively to society.
ISO 28000
ISO 28000 is an international standard that specifies the requirements for a security management system, particularly for the supply chain. It is designed to assist organizations in managing security risks, threats, and vulnerabilities in the supply chain, including logistics.
ISO 31000
ISO 31000 is an international standard that provides principles, a framework, and a process for managing risk. It offers guidelines on risk management principles and the implementation of risk management strategies, aiming to help organizations identify, assess, and manage risks across various aspects of their operations.
ISO 37001
ISO 37001 is an international standard that specifies the requirements and provides guidance for establishing, implementing, maintaining, reviewing, and improving an anti-bribery management system. This standard is designed to help organizations in the prevention, detection, and response to bribery, fostering a culture of integrity, transparency, and compliance.
ISO 50001
ISO 50001 is an international standard that specifies requirements for establishing, implementing, maintaining, and improving an energy management system (EnMS). The standard aims to enable organizations to follow a systematic approach in achieving continual improvement of energy performance, including energy efficiency, use, and consumption.
ISO 8601
ISO 8601 is an international standard that specifies the format for representing dates and times. It aims to provide a clear and consistent way to express dates and times across different countries and cultures, avoiding ambiguity and misinterpretation.
ISO 9001
ISO 9001 is an internationally recognized quality management framework designed to help organizations consistently meet the needs and expectations of their customers as well as applicable statutory and regulatory requirements, while continuously improving their processes and overall performance.
ISO/IEC 11179
ISO/IEC 11179 is an international standard for metadata registries. It provides a framework for the representation of metadata in order to facilitate the correct and proper use and interpretation of data.
ISO/IEC 11801
ISO/IEC 11801 is an international standard that specifies general-purpose telecommunication cabling systems (structured cabling) that are suitable for a wide range of applications (analog and ISDN telephony, various data communication standards, building control systems, factory automation). It covers both balanced copper cabling and optical fiber cabling.
ISO/IEC 15288
ISO/IEC 15288 is a globally recognized standard for systems and software engineering. It offers a comprehensive framework for the life cycle processes of systems, which includes both software and hardware components.
ISO/IEC 15408
ISO/IEC 15408, popularly known as the Common Criteria (CC), is an international standard that provides a framework for evaluating the security properties of Information Technology (IT) products and systems.
ISO/IEC 15415
ISO/IEC 15415 is an international standard that specifies the quality parameters and methodologies to assess the optical characteristics of two-dimensional (2D) bar code symbols, such as QR codes, Data Matrix, and PDF417.
ISO/IEC 17025
ISO/IEC 17025 is a global standard for testing and calibration laboratories. It outlines the general requirements for the competence, impartiality, and consistent operation of laboratories.
ISO/IEC 19770
ISO/IEC 19770 is an international standard that specifies requirements for the establishment, implementation, maintenance, and improvement of an IT asset management system.
ISO/IEC 20000-1
ISO/IEC 20000-1 is an international standard that specifies requirements for the establishment, implementation, maintenance, and continuous improvement of a service management system.
ISO/IEC 20243-1
ISO/IEC 20243-1, also known as the Open Trusted Technology Provider™ Standard (O-TTPS), is an international standard designed to mitigate the risk of tainted and counterfeit products entering the supply chain. It focuses on the integrity of commercial off-the-shelf (COTS) Information and Communication Technology (ICT) products and provides a set of guidelines for organizational best practices in manufacturing, sourcing, and product integrity.
ISO/IEC 24734
ISO/IEC 24734 is an international standard that specifies the method for testing and measuring the productivity of digital printing devices, including single-function and multi-function printers, regardless of technology (e.g., inkjet, laser). It provides a set of standardized test documents, test setup procedures, and the reporting requirements for the test results.
ISO/IEC 24748
ISO/IEC 24748 is a series of international standards providing guidance on life cycle management, including terms and definitions, process, and conceptual models. It is part of the systems and software engineering suite of standards and is closely related to the processes defined in ISO/IEC/IEEE 15288 and ISO/IEC/IEEE 12207.
ISO/IEC 27003
ISO/IEC 27003 is part of the ISO/IEC 27000 family of standards, which is known for providing best practice recommendations on information security management within an organization. Specifically, ISO/IEC 27003 focuses on the guidelines for implementing an information security management system (ISMS) as outlined in ISO/IEC 27001, providing additional details to assist in the design and implementation process.
ISO/IEC 27004
ISO/IEC 27004 is an international standard that provides guidelines intended to assist organizations in evaluating the performance and the effectiveness of an Information Security Management System (ISMS) that is implemented based on ISO/IEC 27001. It offers guidance on measurement and evaluation of information security within the organization.
ISO/IEC 27005
ISO/IEC 27005 is an international standard dedicated to information security risk management. It provides guidelines for information security risk management in an organization, supporting the requirements of an Information Security Management System (ISMS) defined in ISO/IEC 27001.
ISO/IEC 27017
ISO/IEC 27017 provides guidelines on the information security aspects of cloud computing, recommending information security controls for cloud service providers and customers. It builds on the existing controls in ISO/IEC 27002 with additional implementation guidance specific to cloud services.
ISO/IEC 27018
ISO/IEC 27018 provides guidelines and controls for protecting personally identifiable information (PII) in the public cloud computing environment.
ISO/IEC 27037
ISO/IEC 27037 is an international standard providing guidelines for identifying, collecting, acquiring, and preserving electronic evidence, which is part of the digital evidence recovery process. This framework is crucial for ensuring the integrity and authenticity of digital evidence, which can be used in legal proceedings.
ISO/IEC 27400
ISO/IEC 27400, titled "Internet of Things (IoT) – Security and privacy for the IoT," is an international standard that provides guidelines for IoT security and privacy, including considerations for the design, development, implementation, and use of IoT systems and services.
ISO/IEC 29147
ISO/IEC 29147 is an international standard that provides guidelines for vulnerability disclosure processes. It sets out recommendations for how organizations should inform vendors of potential vulnerabilities in their products and how vendors should process and manage these disclosures.
ISO/IEC 30111
ISO/IEC 30111 is an international standard that outlines the proper handling of potential vulnerability information in products. It provides a framework for how organizations should manage the process of receiving, investigating, and resolving issues regarding vulnerabilities in a product or online service.
ISO/IEC 38500
ISO/IEC 38500 is an international standard providing a framework for effective corporate governance of information technology (IT). It aims to assist organizations in understanding and fulfilling their legal, regulatory, and ethical obligations concerning their IT use.
ISO/IEC 42001
ISO/IEC 42001 is a groundbreaking international standard designed to ensure the responsible development, deployment, and management of artificial intelligence (AI) systems. It provides organizations with a comprehensive framework to address the ethical, legal, and operational risks associated with AI, fostering trust and transparency in AI technologies.
ISO/IEC/IEEE 29119
The purpose of ISO/IEC/IEEE 29119 is to define an internationally agreed set of standards for software testing that can be used by any organization involved in software development. It covers aspects such as test processes, test documentation, test techniques, and test management, aiming to provide a comprehensive guide for effective and efficient software testing.
ISO/SAE 21434
ISO/SAE 21434, "Road vehicles — Cybersecurity engineering," is a standard that establishes guidelines and best practices for cybersecurity risk management regarding the engineering of road vehicle systems. It addresses the growing concern for the cybersecurity of vehicles in the context of increasingly connected and automated automotive technology.
Information Technology General Controls (ITGC)
Information Technology General Controls (ITGC) are critical controls that support the reliability of systems and information within an organization. They typically encompass a range of policies and procedures that ensure the effective and secure operation of an organization’s IT systems and safeguard data integrity.
IoTSF Security Compliance Framework
The Internet of Things Security Foundation (IoTSF) Security Compliance Framework is a set of guidelines and best practices aimed at ensuring the secure design, development, and deployment of IoT (Internet of Things) devices and their associated ecosystems.
MITRE ATT&CK Framework
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It serves as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
NIS2 Directive
NIS2 is an updated version of the Network and Information Systems (NIS) Directive, a key piece of European Union (EU) legislation aimed at enhancing cybersecurity across the EU. It establishes measures to achieve a high common level of cybersecurity across member states to improve the resilience of critical infrastructure and essential services.
NIST 800-115
NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment," provides guidelines for organizations on how to conduct security testing and assessments of their information systems. It covers various methodologies, techniques, and processes related to security assessments.
NIST 800-137
NIST Special Publication 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations,” provides guidance and best practices for establishing, implementing, and maintaining a continuous monitoring program for information security in federal agencies and organizations.
NIST 800-145
NIST Special Publication 800-145, "The NIST Definition of Cloud Computing," provides a comprehensive framework for understanding and defining cloud computing. It serves as a valuable resource for organizations navigating the cloud landscape.
NIST 800-172
NIST 800-172 provides enhanced security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It outlines enhanced security measures to safeguard sensitive information that is not classified but still requires protection.
NIST 800-30
NIST Special Publication 800-30, "Guide for Conducting Risk Assessments," provides guidance for organizations to conduct risk assessments of federal information systems and organizations. It amplifies the guidance in NIST Special Publication 800-39, which describes the organizational risk management process.
NIST AI Risk Management Framework
The NIST AI Risk Management Framework (AI RMF) is a comprehensive set of guidelines and best practices designed to help organizations manage the risks associated with artificial intelligence (AI) systems. It aims to improve the trustworthiness, fairness, transparency, and accountability of AI technologies.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a comprehensive set of guidelines and best practices designed to help organizations manage and reduce cybersecurity risks. It provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally.
NYDFS NYCRR 500
The New York Department of Financial Services (NYDFS) NYCRR 500 is a set of guidelines and requirements designed to enhance the cybersecurity posture of financial institutions operating in the state of New York.
OWASP ASVS
The OWASP Application Security Verification Standard (ASVS) Project provides a framework for the security of web applications and web services. It establishes a security control baseline for web applications in their design, development, and testing phases, providing developers, testers, and architects with a clear roadmap for creating secure applications.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal privacy law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities.
SOC 1
SOC 1® is designed to provide specific users with information about a service organization’s controls relevant to their clients’ internal control over financial reporting. A SOC 1 report is often requested by a service organization's clients and their auditors.
SOC 3
SOC 3® is designed to provide general users with a concise and high-level report on a service organization’s controls related to security, availability, processing integrity, confidentiality, or privacy.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act, often abbreviated as SOX, is a United States federal law passed in 2002 in response to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors in the early 2000s. SOX was designed to enhance transparency and accountability in financial reporting and to protect investors and the public from fraudulent financial practices within publicly traded companies.
StateRAMP
StateRAMP is designed to help state and local governments and public institutions partner with cloud service providers that have enacted strong information security and data privacy practices.
Texas Risk Assessment and Management Program (TX-RAMP)
TX-RAMP was established by the Texas Department of Information Resources to provide a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process, store, or transmit the data of a state agency.
Trusted Information Security Assessment Exchange (TISAX)
Trusted Information Security Assessment Exchange (TISAX) is a framework tailored for the automotive industry to ensure the confidentiality, integrity, and availability of sensitive information. It provides a standardized method for assessing and exchanging information security in the automotive supply chain.
UL 2900
The UL 2900 series of standards, often referred to as the UL 2900 Framework, was developed by Underwriters Laboratories (UL) to provide a basis for evaluating and certifying the security of connected products. This series focuses on assessing the software vulnerabilities and weaknesses in network-connectable devices, considering both the product and the organizational environment.