CISO Assistant

+54 frameworks included and support for custom ones

Supporting a wide range of frameworks covering multiple standards, industries and regulations from all over the world.
If you notice that one is missing, let us know and we will add it for free, if it's an open and free standard 😊.


Frameworks

The list is constantly growing thanks to community requests and contributions 🙏! We add any missing open standard or regulation for free, just ask 🚀

ISO/IEC 27001:2022
ISO/IEC

Description

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet. The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

Cybersecurity Framework (CSF)
NIST

Description

The NIST Cybersecurity Framework (CSF) is designed to help organizations improve their cybersecurity practices and manage cybersecurity risk effectively. Version 2.0 is structured around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover, providing a comprehensive approach to cybersecurity. The NIST CSF is one of the most widely used frameworks in cybersecurity programs around the world.

CyberFundamentals Framework
CCB

Description

The CyberFundamentals Framework, initiated by the Centre for Cybersecurity Belgium (CCB), offers a structured set of guidelines aimed at enhancing cybersecurity within both public and private sectors. The framework is distinguished by its structure across four escalating levels of cybersecurity measures: Small, Basic, Important, and Essential. Starting from the Small level, designed for organizations with limited technical expertise, it progresses to the Essential level, aimed at counteracting advanced cyber threats.

Cybersecurity Maturity Model Certification (CMMC)
DoD (US)

Description

CMMC 2.0 outlines three progressive levels of cybersecurity requirements designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with contractors and subcontractors through DoD acquisition programs. The levels range from foundational cybersecurity practices to advanced measures against sophisticated threats and align closely with established National Institute of Standards and Technology (NIST) standards: Level 1 ("Foundational") covers the basic safeguarding requirements for FCI, Level 2 ("Advanced") maps to the requirements of NIST SP 800-171 for CUI, and Level 3 ("Expert") adds a subset of the enhanced requirements of NIST SP 800-172. The program was finalized in the CMMC rule published in October 2024 (32 CFR Part 170).

NYDFS 500 / NYCRR
NEW YORK STATE

Description

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, officially designated as 23 NYCRR Part 500, is a pioneering set of regulations established to strengthen the cybersecurity posture of financial services companies operating within New York State. Effective March 1, 2017, and most recently amended in November 2023, the regulation sets stringent requirements designed to protect financial institutions' information systems and nonpublic information from cyber threats. It encompasses a broad range of cybersecurity requirements, including the establishment of a comprehensive cybersecurity program, the designation of a Chief Information Security Officer (CISO), penetration testing and vulnerability assessments, the management of third-party service providers, and the development of an incident response plan.

Digital Operational Resilience Act (DORA)
European Union

Description

The Digital Operational Resilience Act (DORA) represents the European Union's comprehensive approach to enhancing the digital operational resilience of its financial sector. Recognizing the pivotal role that information and communication technology (ICT) systems play in the financial industry, DORA aims to safeguard the EU's financial entities from ICT risks, ensuring that they remain resilient in the face of operational disruptions. It was adopted on December 14, 2022, published in the Official Journal of the European Union on December 27, 2022, and applies from January 17, 2025, marking a significant step toward harmonizing digital operational resilience across the EU.

Essential Eight Maturity Model
Australian Government

Description

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight. The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on ASD’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

General Data Protection Regulation (GDPR)
European Union

Description

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect in the European Union (EU) on May 25, 2018. Designed to strengthen privacy rights and data protection for individuals within the EU, the GDPR imposes strict guidelines on how organizations collect, store, process, and manage personal data. It introduces principles such as data minimization, where only necessary data can be processed, and consent, requiring clear and affirmative agreement from individuals before their data is used. The regulation applies to all organizations operating within the EU and those outside the EU that offer goods or services to, or monitor the behavior of, EU residents. Non-compliance can result in hefty fines, up to 4% of annual global turnover or €20 million, whichever is greater. The GDPR has set a global standard, influencing many countries to revise their own data protection laws to align with its stringent requirements, thereby reshaping the landscape of global data privacy.

Référentiel Hébergeur de Données de Santé (HDS)
Agence du Numérique en Santé

Description

Decree No. 2018-137 of 26 February 2018 on the hosting of personal health data introduced HDS certification to ensure the security of such data in France, a key pillar of digital regulation in the health sector. Five years after its launch, the Délégation du Numérique en Santé and the Agence du Numérique en Santé began a revision of the HDS reference framework in early 2022. The revision involved the CNIL, the HFDS (senior defence and security official) of the Ministry of Health, and various industry players and certification bodies. After a public consultation at the end of 2022 and the analysis of more than 250 contributions, the CNIL approved the revised draft framework on 13 July 2023.

AirCyber
BoostAeroSpace

Description

The AirCyber framework by BoostAeroSpace aims to elevate cybersecurity across the European Aerospace and Defense Supply Chain by standardizing and harmonizing IT and IS security. Developed with contributions from aerospace leaders like Airbus, Dassault Aviation, Safran, and Thales, AirCyber offers a suite of services, including maturity assessments, a catalog of cybersecurity solutions, and an encryption portal. This initiative addresses the pressing need for robust cybersecurity measures among smaller suppliers, often more vulnerable to cyber-attacks. Through disseminating advanced security practices and the AirCyber Maturity Standard, BoostAeroSpace facilitates a collective uplift in cyber resilience within the aerospace and defense sectors.

TIBER-EU
ECB

Description

TIBER-EU is a European framework for threat intelligence-based ethical red-teaming. It provides comprehensive guidance on how authorities, entities, and threat intelligence and red-team providers should collaborate to test and improve entities' cyber resilience by conducting controlled cyberattacks. TIBER-EU tests mimic the tactics, techniques, and procedures of real-life attackers based on bespoke threat intelligence. They are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems, i.e., its people, processes, and technologies. The outcome is not a pass or fail; instead, the test is intended to reveal the strengths and weaknesses of the tested entity, enabling it to reach a higher level of cyber maturity.

Cyber Essentials
NCSC

Description

Cyber Essentials is an effective, UK Government-backed scheme that helps organisations of any size protect themselves against a whole range of the most common cyber attacks. Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They are the digital equivalent of a thief trying your front door to see if it is unlocked. The scheme's controls are designed to prevent these attacks.

Application Security Verification Standard (ASVS)
OWASP

Description

The OWASP Application Security Verification Standard (ASVS) is a framework by OWASP designed to standardize the approach to web application security verification. It organizes its requirements into three levels of increasing rigor (Level 1 to Level 3), offering a comprehensive guide for developers, testers, and security professionals. Covering aspects from authentication to data protection, the ASVS serves as a benchmark for developing, testing, and evaluating the security of web applications, reflecting current security challenges and best practices.

IT-Grundschutz-Kompendium
BSI

Description

The IT-Grundschutz-Kompendium is a comprehensive framework developed by the German Federal Office for Information Security (BSI) to help organizations implement robust information security measures. It provides detailed guidelines and best practices for protecting IT systems, covering various aspects such as risk management, security policies, and technical controls. The compendium aims to make cybersecurity accessible and manageable, offering modular and scalable solutions suitable for organizations of all sizes and sectors. Its systematic approach ensures that security measures are both effective and aligned with international standards.

Cadre Conformité Cyber France (3CF) v1 2021
DGAC/DSAC

Description

In September 2021, the Direction de la sécurité de l'aviation civile (DSAC) published the Cadre Conformité Cyber France (3CF), whose purpose is to bring together the various regulatory provisions specific to civil aviation in the field of cybersecurity. The 3CF draws on good practices such as the guides and methods of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) and the ISO 27001 standard, and presents a set of regulatory requirements for the civil aviation sector.

Cadre Conformité Cyber France (3CF) v2 2024
DGAC/DSAC

Description

In this second version, 3CFv2 now constitutes a single reference framework of provisions intended to help organisations comply with: Commission Implementing Regulation (EU) 2015/1998, as amended by Commission Implementing Regulation (EU) 2019/1583 of 25 September 2019 laying down detailed measures for the implementation of the common basic standards on aviation security, as regards cybersecurity measures; and/or the Part-IS (Information Security) regulations: Commission Delegated Regulation (EU) 2022/1645 of 14 July 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council as regards requirements for the management of information security risks with a potential impact on aviation safety, and Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council as regards requirements for the management of information security risks with a potential impact on aviation safety.

Cloud Controls Matrix (CCM)
CSA*

Description

The Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA) is a comprehensive cybersecurity framework specifically tailored for cloud computing environments. It provides a detailed set of security controls that are aligned with industry-accepted security standards, regulations, and control frameworks, such as ISO 27001/27002, ISACA COBIT, and NIST. The CCM is designed to aid organizations in assessing the overall security risk of cloud providers and to help ensure that adequate security measures are in place. The matrix covers fundamental security principles across different domains, including compliance, data security, infrastructure security, identity management, and incident response, making it a crucial tool for companies leveraging cloud technology for their operations. * This framework requires one extra manual step, given its license terms.

California Consumer Privacy Act (CCPA)
State Of California

Description

The California Consumer Privacy Act (CCPA) is a state law that enhances privacy rights and consumer protection for residents of California. Enacted in 2018 and effective from January 1, 2020, it gives California consumers more control over the personal information that businesses collect about them. The CCPA requires businesses to disclose their data collection and sharing practices, allows consumers to request deletion of their personal information, opt out of the sale of their data, and provides them the right to non-discrimination for exercising their CCPA rights. It applies to for-profit entities doing business in California that meet specific criteria related to revenue or data processing volume.

CIS Controls v8
CIS*

Description

The CIS Critical Security Controls are a set of prioritized guidelines designed to help organizations bolster their cybersecurity posture. Developed by the Center for Internet Security, these controls are widely recognized for their effectiveness in mitigating the most common and impactful cyber threats. Version 8 consists of 18 controls, including inventory and control of enterprise assets and of software assets, data protection, secure configuration of enterprise assets and software, account management, access control management, continuous vulnerability management, and security awareness and skills training. By following these controls, organizations can significantly enhance their defensive capabilities against cyberattacks, improve their security management processes, and protect their sensitive information and systems. * This framework requires one extra manual step, given its license terms.

CJIS Security Policy
FBI

Description

The Criminal Justice Information Services (CJIS) Security Policy is a comprehensive set of guidelines and requirements established by the Federal Bureau of Investigation (FBI) to ensure the security and integrity of criminal justice information. This policy outlines the security measures that must be adhered to by any agency that accesses or handles criminal justice information, encompassing data encryption, secure access, audit trails, and personnel training. The CJIS Security Policy aims to protect the privacy and civil liberties of individuals by ensuring that sensitive information, such as biometric data, criminal history, and identity information, is handled with the utmost security and confidentiality.

Cyber Resilience Act (CRA)
European Union

Description

The Cyber Resilience Act (CRA), adopted in 2024 as Regulation (EU) 2024/2847, is European Union legislation aimed at enhancing the overall cybersecurity posture of products with digital elements sold within the EU market. The act focuses on ensuring that these products meet stringent cybersecurity requirements from the design phase to the end of their support period, thereby reducing risks and vulnerabilities that could lead to cyber-attacks. It applies to a broad range of products, including connected devices and software, with the objective of protecting consumers and businesses from cyber threats. The CRA requires manufacturers to adhere to specified cybersecurity requirements, conduct thorough assessments of their products' cyber risks, and take appropriate measures to manage those risks effectively. Additionally, the act emphasizes transparency and accountability by requiring manufacturers to report actively exploited vulnerabilities and severe incidents. Through these measures, the CRA aims to foster trust and security in the digital marketplace, contributing to the resilience of the EU's digital economy against cyber threats.

Autoévaluation de gestion de crise cyber
ANSSI

Description

ANSSI has published a cyber crisis management self-assessment tool to help organisations evaluate their preparedness for cybersecurity-related crises. Developed in collaboration with the Club des directeurs de sécurité des entreprises, the tool offers 57 questions spread across five themes, measuring capabilities from novice level up to the state of the art. The results help identify areas for improvement and guide the next steps in strengthening crisis management capabilities.

Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI)
DGSSI

Description

Morocco's Directive Nationale de la Sécurité des Systèmes d'Information (DNSSI) is a regulatory framework established by the Moroccan Direction Générale de la Sécurité des Systèmes d'Information (DGSSI). It aims to strengthen the cybersecurity of the country's public administrations and critical infrastructure. The DNSSI sets out requirements and good practices for information security, covering areas such as governance, risk management, data protection and incident management. The framework is designed to improve Morocco's cyber resilience and align its practices with international information security standards.

Essential Cybersecurity Controls
NCA

Description

The ECC (Essential Cybersecurity Controls) framework, developed by the National Cybersecurity Authority (NCA) of Saudi Arabia, serves as a minimum cybersecurity standard aimed at protecting sensitive government data and technology assets within the country. This framework is a result of a thorough examination of various national and international cybersecurity frameworks and standards. It is structured around 114 cybersecurity controls distributed across 29 subdomains and five main domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-party & Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. These controls are designed to help organizations build robust defenses against cybersecurity risks, ensuring the confidentiality, integrity, and availability of critical government assets and data. While primarily applicable to government organizations, critical infrastructure, and companies handling sensitive data in Saudi Arabia, all organizations are encouraged to adopt the ECC framework to bolster their cybersecurity measures.

Esquema Nacional de Seguridad (ENS)
Spanish government

Description

The Esquema Nacional de Seguridad (ENS) is a framework established by the Spanish government to ensure the security of information and services provided by public administrations and entities that interact with them. Its main goal is to protect the confidentiality, integrity, availability, and authenticity of the information systems. The ENS defines a series of principles, minimum requirements, and security measures that must be followed, aiming to create a more robust and resilient digital infrastructure in Spain, complying with European standards for cybersecurity.

Federal Act on Data Protection
Confédération suisse

Description

The Federal Act on Data Protection (FADP) is Switzerland's key legislative framework for protecting the privacy and fundamental rights of individuals with regard to the processing of their personal data. The substantially revised FADP, in force since 1 September 2023, aligns more closely with global data protection standards such as the EU's GDPR. It emphasizes the principles of transparency, purpose limitation, and data minimization, alongside stricter consent requirements and enhanced rights for data subjects, such as the right to erasure and the right to data portability. The act also imposes rigorous obligations on data controllers and processors, including requirements for data security and for conducting impact assessments for high-risk processing activities. This makes the FADP a crucial component of the regulatory landscape for both domestic and international organizations operating within Switzerland.

GSA FedRAMP rev5
GSA

Description

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the Federal Government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Managed by the General Services Administration (GSA), FedRAMP simplifies the process for federal agencies to use commercially available cloud solutions by ensuring they meet rigorous security requirements. This framework helps agencies save time and cost in cloud deployments, enhances transparency between government and cloud service providers, and fosters trust in the security of cloud technologies.

5G Security Controls Matrix
ENISA

Description

The ENISA 5G Security controls matrix is a comprehensive and dynamic matrix of security controls and best practices for 5G networks, to support the national authorities in the EU Member States with implementing the technical measures of the EU’s 5G Cybersecurity Toolbox.

Recommandations de sécurité pour un système d'IA générative
ANSSI

Description

ANSSI's guide of security recommendations for a generative AI system addresses the securing of a generative AI system architecture. It aims to raise awareness among public administrations and companies of the risks associated with generative AI, and to promote the good practices to be implemented from the design and training phase of an AI model through to its deployment and use in production.

Guide d'hygiène informatique
ANSSI

Description

ANSSI's IT hygiene guide (Guide d'hygiène informatique), published on 23 January 2017, is an essential resource for those responsible for information systems security. It sets out 42 key measures intended to strengthen data protection and the secure operation of IT systems. With an emphasis on cybersecurity awareness and training, the guide aims to establish a foundation of fundamental practices, ranging from managing the risks of IT outsourcing to implementing rigorous access control. The initiative reflects ANSSI's commitment to promoting an IT security culture suited to current challenges.

Health Insurance Portability and Accountability Act (HIPAA)
HHS/NIST

Description

The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, is a significant regulatory framework designed to safeguard medical information in the United States. It sets the standard for protecting sensitive patient data, requiring healthcare providers, plans, and clearinghouses to implement physical, network, and process security measures. HIPAA encompasses a range of rules, including the Privacy Rule, which controls the use and disclosure of Protected Health Information (PHI), and the Security Rule, which mandates the secure handling of electronic PHI. Compliance with HIPAA is essential for healthcare entities to ensure the confidentiality, integrity, and availability of patient data, providing a foundation for trust in the healthcare system's handling of personal health information.

Agile Security Framework (ASF) Baseline
intuitem

Description

The Agile Security Framework is an open standard made by intuitem, offering an incremental and iterative approach to cybersecurity. The baseline version helps cyber security consultants establish a holistic posture during rapid assessment and can also serve as a starting point for custom frameworks and security checklists.

ISO/IEC 27001:2013
ISO/IEC

Description

ISO/IEC 27001:2013 was an international standard for information security management systems (ISMS), published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provided a framework for organizations to establish, implement, maintain, and continually improve their information security management. The standard outlined requirements for assessing and treating information security risks, implementing security controls, and monitoring the ISMS's performance. Note that ISO/IEC 27001:2013 has been withdrawn and replaced by ISO/IEC 27001:2022, which updates the Annex A control set to address modern cybersecurity challenges and aligns with other ISO management system standards; the transition period for certified organizations ended on 31 October 2025.

Loi de Programmation Militaire (LPM)
Gouvernement Français

Description

The Loi de Programmation Militaire (LPM) is a legislative instrument adopted by several countries to plan and organise defence spending over a given period, generally five to six years. In France, for example, the LPM sets the main orientations and the financial resources allocated to the armed forces, covering equipment acquisition, the development of new defence technologies, and support for military innovation and research. It aims to ensure that the armed forces are prepared for and adapted to current and future challenges, balancing defence needs against the State's budgetary constraints. The LPM is central to a country's defence strategy, reflecting its military ambitions, its international commitments and its determination to protect its sovereignty and the security of its citizens. In the cybersecurity context, the 2013 LPM (article 22) introduced obligations for operators of vital importance (OIV) to protect their critical information systems, under the supervision of ANSSI.

AI Act
European Union

Description

The AI Act aims to provide AI developers and deployers with precise requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens on businesses, particularly small and medium-sized enterprises (SMEs). The AI Act is the first comprehensive legal framework on AI worldwide. The new rules aim to foster trustworthy AI in Europe and beyond by ensuring that AI systems respect fundamental rights and safety principles, and by addressing the risks posed by very powerful and impactful AI models.

Mobile Application Security Verification Standard (MASVS)
OWASP

Description

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security. It can be used by mobile software architects and developers who want to develop secure mobile applications and by security testers to ensure completeness and consistency. It's the foundation of the OWASP MASTG, where all the tests are associated with MASVS's controls.

Operational Technology Cybersecurity Controls
NCA

Description

The Saudi National Cybersecurity Authority (NCA) has established guidelines for Operational Technology (OT) cybersecurity controls to protect critical infrastructure and industrial systems in Saudi Arabia. These controls focus on securing industrial control systems, SCADA networks, and other OT environments from cyber threats. The NCA's framework emphasizes risk assessment, access control, network segmentation, continuous monitoring, and incident response specifically tailored for OT environments. By implementing these controls, organizations aim to enhance the resilience of their industrial operations against cyberattacks and ensure the continuity of critical services.

Cyber Assessment Framework (CAF)
NCSC

Description

The NCSC Cyber Assessment Framework (CAF) is a tool developed by the UK's National Cyber Security Centre to help organizations assess and improve their cyber resilience. It provides a systematic method for evaluating an organization's cyber security posture across 14 key principles, grouped into four objectives: managing security risk, protecting against cyber attack, detecting cybersecurity events, and minimizing the impact of incidents. The CAF is particularly useful for organizations responsible for vital services and infrastructure, helping them identify areas for improvement and demonstrate compliance with relevant regulations.

Network and Information Security (NIS2)
European Union

Description

The NIS2 Directive, an evolution of the European Union's pioneering Network and Information Systems (NIS) Directive, represents a significant step forward in strengthening cybersecurity across the EU. Enacted to address the growing threats in the digital space, NIS2 broadens the scope of its predecessor by covering a wider range of sectors deemed critical, including energy, transport, banking, and digital infrastructure, among others. It mandates stricter security requirements, incident reporting protocols, and enhanced supervisory measures, including substantial fines for non-compliance. NIS2's primary goal is to bolster the overall resilience and security of network and information systems within the EU, ensuring a unified and high level of cybersecurity preparedness, response, and collaboration among Member States, thereby protecting the internal market and the citizens of the EU from cyber threats.

AI Risk Management Framework (AI RMF)
NIST

Description

The NIST's AI Risk Management Framework (AI RMF) is a comprehensive guideline aimed at fostering trustworthy and responsible development, deployment, and use of artificial intelligence (AI) systems. Developed through extensive collaboration with stakeholders from government, academia, and industry, the AI RMF provides a flexible and voluntary framework to help organizations manage risks associated with AI technologies, including ethical considerations, fairness, accountability, transparency, and the impact on privacy and civil liberties. It emphasizes the importance of incorporating robust risk assessment and management practices throughout the AI lifecycle, from design to deployment and monitoring, to ensure AI systems are reliable, safe, and aligned with societal values and norms. The framework is part of NIST's broader effort to build confidence in AI technologies and to support the development of AI systems that are innovative and beneficial while minimizing harm and unintended consequences.

Part-IS
European Union

Description

Part-IS (EU Regulation 2023/203) introduces requirements for identifying and managing information security risks that could affect information and communication technology systems and data used for civil aviation purposes. It sets requirements for detecting information security events, identifying those that are considered information security incidents, and responding to and recovering from those information security incidents to a level commensurate with their impact on aviation safety.

Payment Card Industry Data Security Standard
PCI Security Standards Council

Description

The Payment Card Industry Data Security Standard (PCI-DSS) is a globally recognized security standard designed to ensure that all entities that process, store, or transmit credit card information maintain a secure environment, thereby reducing credit card fraud. Established by major credit card brands, it sets forth a comprehensive set of requirements including network security, data protection measures, vulnerability management programs, access control measures, and monitoring and testing networks. Compliance with PCI-DSS is mandatory for all such entities and is aimed at protecting sensitive cardholder data throughout the transaction process. The standard not only helps in building trust with customers but also minimizes the risk of data breaches and non-compliance penalties. With its regular updates, PCI-DSS adapts to emerging threats and technologies, ensuring that the payment ecosystem remains secure against evolving cybersecurity challenges.

NIST Privacy Framework
NIST

Description

The NIST Privacy Framework is a voluntary tool developed to help organizations identify and manage privacy risks and enhance individuals' privacy protections. It is designed to be compatible with various privacy laws and regulations and aims to facilitate ethical decision-making regarding data privacy. This framework is structured similarly to the NIST Cybersecurity Framework, consisting of three main parts: Core, Profiles, and Implementation Tiers, which assist organizations in developing and refining their privacy management programs. Through its adaptable approach, the NIST Privacy Framework supports organizations across different sectors and jurisdictions in achieving better compliance and privacy outcomes.

Protective Security Policy Framework
Australian Government

Description

The Protective Security Policy Framework (PSPF) is an Australian Government initiative designed to assist federal government agencies in protecting their people, information, and assets, both at home and overseas. Established to provide a comprehensive set of security guidelines and principles, the PSPF ensures that government operations are conducted securely and with integrity. It encompasses security governance, information security, personnel security, and physical security. The framework requires agencies to implement specific security protocols to safeguard sensitive information and resources against potential threats and vulnerabilities. By standardizing security practices across government entities, the PSPF aims to foster a resilient and trustworthy government sector, ensuring the continuous and effective delivery of government services to the Australian public and protecting national interests.

Référentiel Général de Sécurité
ANSSI

Description

The Référentiel Général de Sécurité (RGS), drawn up by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) in France, is a normative framework intended to ensure the security of public administrations' information systems. Introduced to meet the growing data-protection requirements of the public sector, the RGS defines the rules and the mandatory security levels for protecting sensitive information handled by government entities. It covers several aspects of information security, including risk management, securing electronic exchanges, protection of the infrastructure, and the conformity of security products and systems. By setting strict security standards, the RGS aims to strengthen trust in digital public services and to guarantee the continuity and integrity of government services, while protecting personal and sensitive data against cyber threats.

SecNumCloud
ANSSI

Description

ANSSI's SecNumCloud qualification is aimed at cloud service providers wishing to demonstrate one of the highest levels of security on the market. It is aligned with the expectations of the Organismes d'Importance Vitale (organisations of vital importance). Backed by an ANSSI Visa de Sécurité, it is the reference qualification for cloud service offerings. Structured on the ISO/IEC 27001 standard, this reference framework forms part of France's national strategy for a trusted cloud and of the European Union's Cybersecurity Act.

Secure Controls Framework (SCF)
SCF Council

Description

The Secure Controls Framework (SCF) is a comprehensive cybersecurity and privacy control framework designed to help organizations manage their security and compliance efforts. It provides a unified set of controls that can be mapped to various industry standards, regulations, and best practices. The SCF aims to simplify the process of implementing and maintaining a robust security program by offering a centralized repository of controls that can be tailored to an organization's specific needs, regardless of its size or industry sector.

SOC2-2017 Trust Services Criteria
AICPA

Description

System and Organization Controls 2 (SOC 2) is an attestation framework for reporting on the security and privacy controls of service organizations, such as providers that store or process customer data in the cloud. Developed by the American Institute of CPAs (AICPA), SOC 2 reports are scoped against the five Trust Services Criteria: security (the common criteria, required in every report), availability, processing integrity, confidentiality, and privacy. Unlike SOC 1, which covers controls relevant to a customer's financial reporting, SOC 2 is designed for technology and cloud service providers securing their information systems. A SOC 2 engagement is an audit by an independent CPA firm that evaluates the design of the provider's controls (a Type I report, at a point in time) and, for a Type II report, their operating effectiveness over a review period. The result is an attestation report rather than a certification, and it matters to technology companies because it gives clients and stakeholders independent assurance of the organization's commitment to a high standard of security and data protection in its operations.

SP 800-53 revision 5
NIST

Description

Special Publication 800-53, developed by the National Institute of Standards and Technology (NIST), is a cornerstone catalog of security and privacy controls for federal information systems and organizations in the United States. It is the control catalog that FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) directs agencies to select from, with the low, moderate or high baseline chosen according to the system's impact level as categorized under FIPS 199. The catalog groups controls into families such as access control, incident response, and risk assessment; Revision 5 comprises 20 families and integrates privacy and supply chain risk management controls alongside the security controls. Regularly updated to address evolving cybersecurity challenges, SP 800-53 guides federal agencies and their contractors in building robust, secure, and resilient information technology infrastructures, thereby safeguarding critical government functions and sensitive data.

SP 800-171 revision 2
NIST

Description

NIST SP 800-171 Rev. 2, developed by the National Institute of Standards and Technology (NIST), provides requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It is particularly important for contractors and subcontractors serving the U.S. federal government, as it defines the safeguards they must apply to sensitive federal information. Rev. 2 specifies 110 security requirements structured into 14 families, including access control, incident response, and system and information integrity. NIST SP 800-171 Rev. 2 aims to ensure that CUI remains confidential and resilient against cyber threats while stored in or transmitted through third-party systems, and is pivotal in maintaining the trust and integrity of the supply chain involved in federal operations.

SP 800-171 revision 3
NIST

Description

On May 14, 2024, the National Institute of Standards and Technology (NIST) published the final versions of Special Publication (SP) 800-171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and its companion assessment guide, NIST SP 800-171A Revision 3 (collectively, "Rev. 3 Final Version"). While the Department of Defense (DoD) is not yet requiring contractors who handle Controlled Unclassified Information (CUI) to implement Rev. 3, it is expected that DoD will eventually incorporate Rev. 3 into both DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS 7012), and the forthcoming Cybersecurity Maturity Model Certification (CMMC) program.

Secure Software Development Framework (SSDF)
NIST

Description

The National Institute of Standards and Technology (NIST) Special Publication 800-218, the Secure Software Development Framework (SSDF), provides guidelines for implementing secure software development practices. It aims to reduce software vulnerabilities from the design phase through deployment and maintenance. The SSDF defines a set of high-level practices, organized into four groups (Prepare the Organization, Protect the Software, Produce Well-Secured Software, and Respond to Vulnerabilities), that help organizations integrate security into their software development lifecycle, covering risk assessment, design, implementation, testing, and vulnerability response. Each practice is described by outcome rather than by prescribed tooling, so the framework is adaptable across different organizations and development environments and can serve as a common reference for the security of software systems.

TISAX
ENX

Description

TISAX (Trusted Information Security Assessment Exchange) is a standardized protocol for information security assessments within the automotive industry, developed and governed by the ENX Association. It was designed to ensure a uniform level of information security, data protection, and compliance among automotive manufacturers, suppliers, and service providers. TISAX enables companies to undergo a single assessment that is recognized across the board, thereby reducing the need for multiple audits and fostering a culture of transparency and trust within the industry. This assessment covers a wide range of information security measures, including the protection of sensitive and proprietary data, and aims to facilitate secure collaboration and data exchange. By adhering to TISAX, organizations can demonstrate their commitment to upholding stringent information security standards, thereby gaining a competitive edge and building stronger partnerships within the automotive sector.

CyberSecurity Framework (CSF)
NIST

Description

This entry is kept for legacy purposes, as many organizations structured their programs on CSF version 1.1. The NIST Cybersecurity Framework (CSF) 1.1, published by NIST in 2018, updated the original 2014 framework to improve cybersecurity practices for organizations across all sectors. It provides a flexible and voluntary structure of standards, guidelines, and best practices to manage cybersecurity-related risk, organized around five core functions: Identify, Protect, Detect, Respond, and Recover. The 1.1 update added emphasis on cybersecurity risk management within the supply chain, clarified the guidance on authentication, authorization, and identity proofing, and expanded the material on self-assessing cybersecurity risk. By adopting CSF 1.1, organizations can align their cybersecurity efforts with business needs, manage risks effectively, and foster a proactive cybersecurity culture.

Want to simplify your GRC?

Check out CISO Assistant and see how it can help you manage your cybersecurity and compliance program.

Stay informed with intuitem's blog

Explore our collection of articles, guides, and tutorials on development, cyber security, AI, program management and so much more.

Understanding DORA Metrics: An Executive Summary

In the modern era, understanding software delivery and operational performance is paramount for business leaders. One toolset that has gained immense popularity is the suite of metrics introduced by the DevOps Research and Assessment (DORA) team.