Compliance programme
Framework hubs
HLD Group maps policies, controls, and evidence collection to industry and regulatory frameworks. Each hub lists applicable policies and programme status. Formal certifications and customer audit rights are defined in your agreement.
Commercial security frameworks
16 frameworks in programme
SOC 2
Trust Services Criteria
SOC 2 is a cybersecurity compliance framework for service and technology providers that handle customer data; it drives continuous security processes to protect that data.
ISO 27001:2022
2022
ISO 27001 is a universal standard for organizations to establish, maintain, and continually improve their information security management system (ISMS).
PCI DSS
4.0
Merchants or service providers that process, store, transmit, or impact cardholder data must meet PCI DSS requirements to safeguard cardholder data.
Cyber Essentials
UK government baseline certificate: five essential security controls and best practices against common online threats.
NYDFS NYCRR 500
New York Department of Financial Services cybersecurity requirements for protecting sensitive customer data and systems in scope.
FTC Safeguards Rule
Financial institutions under FTC jurisdiction must meet the Safeguards Rule to protect customer information security.
ISO 27017
Guidelines for information security controls applicable to cloud services for providers and customers.
Microsoft SSPA
Microsoft Supplier Privacy and Assurance Standards for suppliers in Microsoft’s information supply chain, assessed against Data Protection Requirements (DPR).
NIS2
EU directive enhancing cybersecurity capabilities, cooperation, and risk management for essential and important entities.
Essential Eight
Australian Cyber Security Centre strategies to mitigate cyber threats and protect systems against common attacks.
CIS Controls
Center for Internet Security Critical Security Controls — best practices and guidelines to safeguard organizations against cyber threats.
SOX ITGC
Information Technology General Controls under Sarbanes-Oxley supporting integrity of financial reporting.
EU DORA
Digital Operational Resilience Act — operational resilience for EU financial institutions to withstand and recover from disruptions.
C5
Germany BSI Cloud Computing Compliance Criteria Catalogue — baseline for secure cloud services combining ISO 27001, CSA CCM, and German regulatory requirements.
TISAX
Trusted Information Security Assessment Exchange for automotive industry suppliers handling sensitive information.
MVSP
Minimum Viable Secure Product — minimal security checklist for B2B software and BPO suppliers.
Federal security frameworks
10 frameworks in programme
CMMC 2.0
2.0
Cybersecurity Maturity Model Certification for DoD and federal agency contractors handling federal contract information and CUI.
NIST 800-53 — High
Rev 5
Highest control baseline for federal agencies and contractors, applied where loss of sensitive data would have a severe or catastrophic impact.
NIST 800-53 — Moderate
Rev 5
Moderate control baseline, applied where loss of sensitive data would have a serious but not catastrophic business impact.
NIST 800-53 — Low
Rev 5
Lowest control baseline, applied where loss of sensitive data would have a minor business impact.
NIST 800-171
Rev 3
Protecting Controlled Unclassified Information (CUI) for federal and state agency contractors and subcontractors.
NIST CSF 2.0
2.0
NIST Cybersecurity Framework helping organizations understand risk and improve cybersecurity programmes.
FedRAMP
Federal Risk and Authorization Management Program for cloud service providers working with US federal government or federal data.
GovRAMP
Standardized cloud security for state, local, tribal, and territorial governments and public institutions (formerly StateRAMP).
CJIS
Criminal Justice Information Services security policy for entities accessing US Justice Department sensitive information.
TX-RAMP
Texas Risk and Authorization Management Program for cloud services used by Texas state agencies and institutions.
Data privacy frameworks
5 frameworks in programme
HIPAA
Health Insurance Portability and Accountability Act for plans, providers, insurers, and organizations handling PHI.
ISO 27701
Privacy extension to ISO 27001 for establishing and improving a privacy information management system (PIMS).
GDPR
General Data Protection Regulation for organizations handling EU and UK personal data.
CCPA
California Consumer Privacy Act for businesses collecting personal data of California residents.
CPRA
California Privacy Rights Act amending CCPA with enhanced consumer rights and CPPA enforcement.
AI frameworks
3 frameworks in programme
NIST AI RMF
NIST AI Risk Management Framework for organizations incorporating AI into products and processes.
ISO 42001
Management system standard for responsible development and use of AI systems.
EU AI Act
EU risk-based framework for AI systems with strict rules for high-risk use to ensure safety, ethics, and fundamental rights.
Additional frameworks
2 frameworks in programme
Custom frameworks
Tailored control sets mapped to your contractual, industry, and regulatory obligations using HLD’s control library and evidence programme.
ISO 9001
Quality Management System (QMS) standard providing a structured framework for organizational quality.