
    Information Security Frameworks

    1. Essential 8
    • Description: A set of cybersecurity strategies developed by the Australian Cyber Security Centre (ACSC) to help organizations mitigate cyber threats.
    • Countries/Industries: Australia; commonly adopted across various industries.
    • Readiness Time: Varies, typically 6-12 months.
    • Audit Period: Annual self-assessment.
    • Audit Type: Self-assessment.
    • Certification: No formal certification.
    • Renewal: Annual self-assessment required.


    2. AWS FTR (Foundational Technical Review)
    • Description: A review process by AWS to ensure that partner solutions meet AWS best practices for security, reliability, and operational excellence.
    • Countries/Industries: Global; used by AWS partners.
    • Readiness Time: 1-3 months.
    • Audit Period: No formal audit period.
    • Audit Type: AWS partner review.
    • Certification: AWS badge upon completion.
    • Renewal: Continuous compliance required.


    3. CCPA (California Consumer Privacy Act)
    • Description: A California state law that enhances privacy rights and consumer protection for residents of California, USA.
    • Countries/Industries: United States, specifically California; applicable to all industries handling personal data of California residents.
    • Readiness Time: 6-12 months.
    • Audit Period: No formal audit period; compliance reviews recommended.
    • Audit Type: Self-assessment or third-party review.
    • Certification: No formal certification.
    • Renewal: Continuous compliance required.


    4. FedRAMP (Federal Risk and Authorization Management Program)
    • Description: A U.S. government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services.
    • Countries/Industries: United States; applicable to federal agencies and cloud service providers.
    • Readiness Time: 6-18 months.
    • Audit Period: Annual security assessments.
    • Audit Type: Third-party assessment organization (3PAO).
    • Certification: FedRAMP Authorization.
    • Renewal: Annual assessment required.


    5. GDPR (General Data Protection Regulation)
    • Description: A regulation in EU law on data protection and privacy in the European Union and the European Economic Area.
    • Countries/Industries: European Union; applicable to all industries handling EU residents’ personal data.
    • Readiness Time: 6-18 months.
    • Audit Period: No formal audit period; regular reviews recommended.
    • Audit Type: Can be audited by Data Protection Authorities (DPAs).
    • Certification: No formal certification by GDPR itself; some third-party certifications exist.
    • Renewal: Continuous compliance required.


    6. HIPAA (Health Insurance Portability and Accountability Act)
    • Description: A U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers.
    • Countries/Industries: United States; applicable to healthcare providers, payers, and business associates.
    • Readiness Time: 6-12 months.
    • Audit Period: No formal audit period; compliance reviews by HHS.
    • Audit Type: Self-assessment and potential HHS audits.
    • Certification: No formal certification; third-party certifications available.
    • Renewal: Continuous compliance required.


    7. ISO 27001:2022
    • Description: An international standard for information security management systems (ISMS).
    • Countries/Industries: Global; widely used across various industries including finance, healthcare, IT, and government.
    • Readiness Time: 6-12 months.
    • Audit Period: Annual surveillance audits; full recertification audit every 3 years.
    • Audit Type: Independent auditor.
    • Certification: Yes, certification is awarded.
    • Renewal: Recertification audit every 3 years.
    • Basecamp List: ISO 27001:2022
    • Basecamp Document: ISO 27001 & 27002


     8. ISO 27017

     • Description: An international standard for cloud security, providing guidelines for information security controls applicable to cloud services.
     • Countries/Industries: Global; applicable to cloud service providers.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual surveillance audits.
     • Audit Type: Independent auditor.
     • Certification: Yes, certification is awarded.
     • Renewal: Annual audit required.


     9. ISO 27018

     • Description: An international standard for protecting personal data in the cloud.
     • Countries/Industries: Global; applicable to cloud service providers handling personal data.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual surveillance audits.
     • Audit Type: Independent auditor.
     • Certification: Yes, certification is awarded.
     • Renewal: Annual audit required.


     10. ISO 27701

     • Description: An extension to ISO 27001 and ISO 27002 for privacy information management.
     • Countries/Industries: Global; used by organizations to enhance privacy information management systems.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual surveillance audits.
     • Audit Type: Independent auditor.
     • Certification: Yes, certification is awarded.
     • Renewal: Annual audit required.


     11. ISO 42001

     • Description: An international standard for business continuity management systems (BCMS).
     • Countries/Industries: Global; applicable to business continuity management.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual surveillance audits.
     • Audit Type: Independent auditor.
     • Certification: Yes, certification is awarded.
     • Renewal: Annual audit required.


     12. MSFT SSPA (Microsoft Supplier Security and Privacy Assurance)

     • Description: A compliance program by Microsoft to ensure suppliers meet security and privacy requirements.
     • Countries/Industries: Global; applicable to Microsoft suppliers.
     • Readiness Time: 3-6 months.
     • Audit Period: Annual reviews.
     • Audit Type: Self-assessment or third-party review.
     • Certification: Microsoft compliance status.
     • Renewal: Annual review required.


     13. MVSP (Minimum Viable Secure Product)

     • Description: A set of minimum security requirements for products to ensure baseline security.
     • Countries/Industries: Global; widely applicable to tech products.
     • Readiness Time: 3-6 months.
     • Audit Period: Varies; typically self-assessment.
     • Audit Type: Self-assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     14. NIST 800-171

     • Description: A NIST Special Publication providing guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems.
     • Countries/Industries: United States; applicable to federal contractors handling CUI.
     • Readiness Time: 6-12 months.
     • Audit Period: No formal audit period; self-assessment.
     • Audit Type: Self-assessment or third-party assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     15. NIST 800-53

     • Description: A NIST Special Publication providing guidelines for security and privacy controls for federal information systems and organizations.
     • Countries/Industries: United States; applicable to federal agencies and contractors.
     • Readiness Time: 6-12 months.
     • Audit Period: No formal audit period; compliance assessments recommended.
     • Audit Type: Self-assessment or third-party assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     16. NIST AI RMF (Artificial Intelligence Risk Management Framework)

     • Description: A NIST framework to help organizations manage risks related to AI.
     • Countries/Industries: United States; applicable to organizations using AI.
     • Readiness Time: Varies.
     • Audit Period: No formal audit period; self-assessment.
     • Audit Type: Self-assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     17. NIST CSF (Cybersecurity Framework)

     • Description: A NIST framework to help organizations manage and reduce cybersecurity risk.
     • Countries/Industries: United States; widely adopted by various industries.
     • Readiness Time: 6-12 months.
     • Audit Period: No formal audit period; self-assessment.
     • Audit Type: Self-assessment or third-party assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     18. NIST CSF 2.0

     • Description: Updated version of the NIST Cybersecurity Framework with additional guidance and improvements.
     • Countries/Industries: United States; widely adopted by various industries.
     • Readiness Time: 6-12 months.
     • Audit Period: No formal audit period; self-assessment.
     • Audit Type: Self-assessment or third-party assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     19. OFDSS (Open FAIR™ Data Security Standard)

     • Description: A standard for quantifying information risk and improving data security management.
     • Countries/Industries: Global; widely applicable to risk management.
     • Readiness Time: Varies.
     • Audit Period: No formal audit period.
     • Audit Type: Self-assessment.
     • Certification: No formal certification.
     • Renewal: Continuous compliance required.


     20. PCI DSS 4.0 (Payment Card Industry Data Security Standard)

     • Description: A security standard for organizations that handle branded credit cards from major card schemes.
     • Countries/Industries: Global; applicable to organizations handling payment card information.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual assessments.
     • Audit Type: Independent Qualified Security Assessor (QSA) or self-assessment for smaller organizations.
     • Certification: Compliance report provided.
     • Renewal: Annual audit required.


     21. SOC 2 (Service Organization Control)

     • Description: A framework for managing and safeguarding customer data based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
     • Countries/Industries: Predominantly United States; widely used by technology and cloud service providers.
     • Readiness Time: 3-6 months.
     • Audit Period: Annual audits.
     • Audit Type: Independent auditor.
     • Certification: Attestation report provided.
     • Renewal: Annual audit required.


     22. SOX ITGC (Sarbanes-Oxley Act Information Technology General Controls)

     • Description: Controls implemented to ensure the integrity and security of financial reporting systems, as required by the Sarbanes-Oxley Act.
     • Countries/Industries: United States; applicable to publicly traded companies.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual audits.
     • Audit Type: Independent auditor.
     • Certification: Compliance attestation.
     • Renewal: Annual audit required.


     23. UK Cyber Essentials

     • Description: A UK government-backed certification scheme that sets out basic cybersecurity controls to protect against common threats.
     • Countries/Industries: United Kingdom; applicable to all industries.
     • Readiness Time: 3-6 months.
     • Audit Period: Annual self-assessment.
     • Audit Type: Self-assessment or third-party assessment for Cyber Essentials Plus.
     • Certification: Yes, certification is awarded.
     • Renewal: Annual assessment required.


     24. US Data Privacy

     • Description: A general term covering various data privacy laws and regulations in the United States, such as CCPA and HIPAA.
     • Countries/Industries: United States; applicable to all industries handling personal data.
     • Readiness Time: 6-12 months.
     • Audit Period: No formal audit period; regular reviews recommended.
     • Audit Type: Self-assessment or third-party review.
     • Certification: Varies by specific regulation.
     • Renewal: Continuous compliance required.


     25. HITRUST CSF (Health Information Trust Alliance Common Security Framework)

     • Description: A certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.
     • Countries/Industries: United States; primarily used in healthcare.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual audits.
     • Audit Type: Independent auditor.
     • Certification: Yes, certification is awarded.
     • Renewal: Annual audit required.


     26. ISO 9001

     • Description: An international standard that specifies requirements for a quality management system (QMS).
     • Countries/Industries: Global; applicable to any organization, regardless of its size or industry.
     • Readiness Time: 6-12 months.
     • Audit Period: Annual surveillance audits; full recertification audit every 3 years.
     • Audit Type: Independent auditor.
     • Certification: Yes, certification is awarded.
     • Renewal: Recertification audit every 3 years.
