Frameworks & Standards
A working reference library of security, risk, compliance, and privacy frameworks — key requirements, control numbers, and official sources in one place.
Cybersecurity Framework v2.0 — NIST
Voluntary framework organized around six core functions: Govern, Identify, Protect, Detect, Respond, Recover. GV function added in v2.0 addresses governance explicitly. Primary vocabulary for any GRC program.
Guide for Conducting Risk Assessments — NIST
Models risk as a function of threat sources and events, vulnerabilities, likelihood, and impact. 4-step process: Prepare, Conduct, Communicate, Maintain. The methodology behind every NIST-based risk assessment.
Risk Management Framework — NIST
7-step RMF lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. The ATO process for federal systems. Step 6 produces the authorization decision.
Information Security Risk Management — ISO/IEC
Risk treatment options: Modify, Retain, Avoid, Share. Requires named risk owners and documented treatment decisions. Companion to ISO 27001.
AI Risk Management Framework v1.0 — NIST
4 functions: Govern, Map, Measure, Manage. Voluntary framework for managing risks unique to AI systems. Mirrors NIST CSF structure.
Security and Privacy Controls for Information Systems — NIST
20 control families, ~1,000+ controls and enhancements (Rev 5). Since Rev 5 the Low, Moderate, High, and Privacy baselines live in the companion SP 800-53B. The primary control catalog for FedRAMP, FISMA, and NIST-aligned programs.
Control Baselines for Information Systems — NIST
Low, Moderate, and High control baselines (plus a Privacy baseline) selected from the SP 800-53 catalog according to the FIPS 199 categorization; each baseline is a superset of the one below it. Counts depend on the revision and on whether enhancements are counted, and FedRAMP's tailored baselines add controls on top. Reference after categorization to determine which controls apply.
Assessing Security and Privacy Controls — NIST
Procedures for assessing whether controls are implemented correctly. 3 assessment methods: Examine, Interview, Test. Defines what evidence satisfies each control.
Critical Security Controls v8 — CIS
18 controls, 153 safeguards across 3 implementation groups. IG1 (56 safeguards) = essential hygiene for all organizations. Prioritized, practical, maps to NIST CSF.
Protecting CUI in Nonfederal Systems — NIST
110 security requirements across 14 families (Rev 2) for protecting Controlled Unclassified Information; Rev 3 (2024) restructures this to 97 requirements across 17 families. Required via DFARS 252.204-7012 for DoD contractors handling CUI. The Rev 2 set of 110 is the basis for CMMC Level 2.
Secure Software Development Framework (SSDF) — NIST
4 practice groups: Prepare the Organization, Protect the Software, Produce Well-Secured Software, Respond to Vulnerabilities. Referenced in EO 14028; OMB M-22-18 requires producers of software used by federal agencies to attest to SSDF practices.
Guide to Operational Technology Security — NIST
Security guidance for OT, including ICS, SCADA, DCS, and PLC-based systems. Covers IT/OT integration risks with SP 800-53 tailoring guidance for OT environments.
Information Security Management Systems — ISO/IEC
International certifiable ISMS standard. 93 Annex A controls across 4 themes. Clause 5 requires top management involvement. SoA documents which controls apply and why.
Information Security Controls — ISO/IEC
Implementation guidance for all 93 ISO 27001 Annex A controls. Not certifiable — use as a reference when implementing or documenting specific controls.
Payment Card Industry Data Security Standard — PCI SSC
12 requirements across 6 goals. Mandatory for merchants and service providers handling cardholder data. Segmentation reduces scope. Non-compliance after breach can end card processing.
Security Rule — ePHI Protection — HHS OCR
Administrative (§164.308), Physical (§164.310), and Technical (§164.312) safeguards for electronic PHI. Applies to covered entities and business associates.
Cybersecurity Maturity Model Certification — DoD
3 levels. Level 1: 17 practices (from FAR 52.204-21), self-assessed. Level 2: 110 practices (SP 800-171 Rev 2), C3PAO-assessed for most contracts. Level 3: Level 2 plus 24 selected SP 800-172 requirements, assessed by the government (DIBCAC). Required for DoD contractors handling CUI.
Federal Risk and Authorization Management Program — GSA
Standardizes cloud security authorization for federal agency use. 3 impact levels mapping to SP 800-53 baselines. Moderate (~325 controls) is the most common baseline.
Service Organization Control 2 — AICPA
5 Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy. Type I reports on design at a point in time; Type II reports on operating effectiveness over a period (typically 6 to 12 months; no fixed minimum). Common SaaS vendor requirement.
Security Categorization of Federal Information — NIST
Defines Low, Moderate, High impact levels across Confidentiality, Integrity, and Availability. High water mark rule: system category equals the highest individual value.
General Data Protection Regulation — EU/EDPB
99 articles. 7 processing principles (Art. 5). 6 lawful bases (Art. 6). 72-hour breach notification to the supervisory authority (Art. 33). Fines up to €20M or 4% of global annual turnover, whichever is higher. Extraterritorial scope.
California Consumer Privacy Act — California DOJ
Rights: know, delete, correct, opt-out of sale/sharing, limit use of sensitive PI. CPRA added CPPA enforcement agency. De facto US privacy baseline for multi-state operations.
Children’s Online Privacy Protection Act — FTC
Verifiable parental consent required for children under 13. Applies to operators of websites or online services directed at children or with actual knowledge of child users.
Privacy Information Management — ISO/IEC
Extends ISO 27001/27002 with privacy-specific controls for PII controllers and processors. Certifiable. Maps to GDPR. Practical entry point for a structured privacy program.
Protection of PII in Public Clouds — ISO/IEC
Extends ISO 27002 with cloud-specific PII controls. Covers consent, transparency, data minimization, and sub-processor obligations. Good starting baseline before GDPR gap analysis.
Privacy Framework v1.0 — NIST
Voluntary framework for managing privacy risk. 5 core functions: Identify-P, Govern-P, Control-P, Communicate-P, Protect-P. Companion to NIST CSF. Aligns with GDPR principles.
Privacy Guidelines — OECD
8 principles: Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation, Accountability. Foundational to GDPR.
Generally Accepted Privacy Principles — AICPA
10 principles: Management, Notice, Choice & Consent, Collection, Use/Retention/Disposal, Access, Disclosure to Third Parties, Security for Privacy, Quality, Monitoring & Enforcement. Underpins the SOC 2 Privacy criteria.
Digital Identity Guidelines (Parent) — NIST
Defines the digital identity model and 3 independent assurance dimensions: IAL, AAL, FAL. Each assigned separately based on risk. Parent document for the 800-63 suite.
Enrollment and Identity Proofing — NIST
IAL1: no proofing. IAL2: remote/in-person + documentary evidence. IAL3: in-person + biometrics. Defines how to verify identity before issuing credentials.
Authentication and Lifecycle Management — NIST
AAL1/2/3. No mandatory password rotation unless compromise is suspected. Minimum 8 characters for user-chosen secrets, no composition rules, screen candidates against a blocklist of breached, common, and context-specific values. Cite this against legacy 90-day rotation policies. Most-referenced 800-63 document.
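The verifier-side rules above (length floor, Unicode normalization, blocklist screening, no composition rules) are easy to misimplement. The following Python is an added example, not NIST's code or anything from this library: it checks a candidate memorized secret the way SP 800-63B section 5.1.1.2 asks a verifier to. The breach corpus is a constructed stand-in indexed by SHA-1 prefix so the lookup shape matches a k-anonymity range query; the blocklist categories, context words, and thresholds are assumptions for the demo.

```python
"""SP 800-63B-style memorized-secret screening (added example, not NIST code)."""
import hashlib
import re
import unicodedata

MIN_LEN = 8  # 800-63B: at least 8 characters when chosen by the subscriber
# 800-63B says verifiers SHOULD accept at least 64 characters and SHALL NOT
# truncate, so this check deliberately has no upper bound and no composition rules.


def _sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus, indexed like a k-anonymity range response:
# first 5 hex chars of SHA-1 -> set of the remaining 35-char suffixes.
_CONSTRUCTED_BREACHED = ["password", "Password1", "letmein", "qwerty123", "correct horse"]
BREACH_INDEX = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = _sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def normalize(secret: str) -> str:
    # 800-63B: apply NFKC or NFKD before comparison so visually identical
    # strings (e.g. fullwidth letters) do not bypass the blocklist.
    return unicodedata.normalize("NFKC", secret)


def in_breach_index(secret: str) -> bool:
    # Only the prefix would leave the verifier in a real range query; the
    # suffix comparison happens locally.
    h = _sha1_hex(secret)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def has_repetitive_or_sequential(secret: str) -> bool:
    # Blocklist category from 800-63B: repetitive ("aaaaaaaa") or sequential
    # ("1234abcd") characters. Thresholds (4 repeats, 4 ascending) are assumptions.
    if re.search(r"(.)\1{3,}", secret):
        return True
    run = 0
    for a, b in zip(secret, secret[1:]):
        run = run + 1 if ord(b) - ord(a) == 1 else 0
        if run >= 3:
            return True
    return False


def check_secret(secret: str, context_words=()) -> list:
    """Return the reasons to reject the secret; an empty list means accept.

    context_words: service name, username, etc. (800-63B's context-specific category).
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if in_breach_index(s):
        reasons.append("appears in breach corpus")
    if has_repetitive_or_sequential(s):
        reasons.append("repetitive or sequential characters")
    low = s.lower()
    for w in context_words:
        if w and w.lower() in low:
            reasons.append("contains context-specific word %r" % w)
    return reasons


if __name__ == "__main__":
    for cand in ["Tr0ub4dor&3", "password", "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44",
                 "abcd1234", "myacme2024pass"]:
        print(repr(cand), "->", check_secret(cand, context_words=["acme"]) or "accept")
```

Note what is absent: no character-class requirements, no expiry, no hint field. The fullwidth candidate in the usage loop normalizes to "password" and is caught only because normalization runs before the hash lookup; skipping that step is the most common way a breach-list check ends up decorative.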
Federation and Assertions — NIST
FAL1/2/3 for federated identity. Covers SAML, OIDC, and OAuth assertion requirements. FAL2 commonly required for federal systems handling sensitive data.
Control Objectives for Information and Related Technologies — ISACA
40 governance and management objectives. Bridges business objectives and IT controls. Used by auditors and governance professionals. Aligns with ISO 38500, ITIL, TOGAF.
IT Infrastructure Library v4 — Axelos
34 management practices organized around a Service Value System. Change management and incident management practices intersect with CM and IR control families in SP 800-53.
