Framework Knowledge

Compliance Framework Library

Explore the regulatory, control, and obligation reference library that supports compliance strategy, exposure analysis, and simulation workflows across Private Ops Intelligence.

All Frameworks and Controls

8 frameworks

SOC 2

SOC 2 Type II

69 controls

The AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report is an attestation issued by an independent CPA firm, not a certification; a Type II report tests the operating effectiveness of controls over a review period rather than at a single point in time, which is why SaaS and technology companies use it to demonstrate operational security to customers. Security (the Common Criteria) is required in every report; the other four categories are in scope only if the organization selects them.

  • Security (Common Criteria): 33 controls

    Logical and physical access controls, system operations, change management, and risk mitigation.

  • Availability: 9 controls

    System uptime commitments, disaster recovery, incident response, and capacity planning.

  • Processing Integrity: 8 controls

    Completeness, accuracy, timeliness, and authorization of system processing.

  • Confidentiality: 7 controls

    Protection of information designated as confidential throughout its lifecycle.

  • Privacy: 12 controls

    Collection, use, retention, disclosure, and disposal of personal information.

ISO 27001

ISO/IEC 27001:2022

93 controls

International standard for information security management systems (ISMS). The standard specifies a risk-based management system (clauses 4 to 10) in which controls are selected through risk assessment and treatment; the 93 controls listed here are the Annex A reference controls, regrouped into four themes in the 2022 revision (down from 114 controls in 14 domains in the 2013 edition). Certification audits assess the ISMS, with the Statement of Applicability recording which Annex A controls apply and why.

  • Organizational Controls: 37 controls

    Policies, roles, responsibilities, segregation of duties, threat intelligence, and supplier management.

  • People Controls: 8 controls

    Screening, employment terms, awareness, training, disciplinary processes, and remote working.

  • Physical Controls: 14 controls

    Security perimeters, physical entry, office/facility security, and equipment protection.

  • Technological Controls: 34 controls

    Endpoint devices, access rights, authentication, cryptography, secure development, and monitoring.

GDPR

General Data Protection Regulation (EU)

52 controls

EU regulation on data protection and privacy. Its territorial scope (Article 3) covers organizations established in the EU and, regardless of where the organization is located, any processing of personal data of individuals in the EU that relates to offering them goods or services or monitoring their behaviour. Scope turns on the data subject being in the EU, not on residency or citizenship.

  • Lawfulness and Consent: 10 controls

    Legal bases for processing (Article 6), consent management, and purpose limitation.

  • Data Subject Rights: 12 controls

    Right of access, rectification, erasure, portability, and restriction of processing.

  • Data Protection by Design: 8 controls

    Data protection impact assessments (DPIAs), data minimization, and pseudonymization.

  • Data Transfers: 6 controls

    Cross-border transfer mechanisms, adequacy decisions, and standard contractual clauses.

  • Accountability and Governance: 9 controls

    Data protection officers, records of processing activities, and breach notification to the supervisory authority (within 72 hours of becoming aware) and to affected data subjects.

  • Security of Processing: 7 controls

    Technical and organizational measures to ensure a level of security appropriate to the risk (Article 32), such as pseudonymization and encryption, resilience, and regular testing of the measures.

HIPAA

Health Insurance Portability and Accountability Act

57 controls

U.S. federal law establishing standards for electronic healthcare transactions and national identifiers, and for the security and privacy of protected health information (PHI). The Privacy, Security, and Breach Notification Rules issued under it apply to covered entities (health plans, clearinghouses, and providers) and to the business associates that handle PHI on their behalf; the Security Rule specifically governs electronic PHI (ePHI).

  • Administrative Safeguards: 22 controls

    Security management, workforce security, information access, security awareness, and contingency planning.

  • Physical Safeguards: 10 controls

    Facility access, workstation security, and device/media controls.

  • Technical Safeguards: 14 controls

    Access control, audit controls, integrity mechanisms, and transmission security.

  • Organizational Requirements: 6 controls

    Business associate agreements, group health plan requirements, and policies.

  • Breach Notification Rule: 5 controls

    Individual notification, media notification, HHS notification, and breach risk assessment.

HITRUST CSF

HITRUST Common Security Framework

143 controls

A certifiable, prescriptive security and privacy controls framework that harmonizes requirements from multiple standards and regulations (including HIPAA, ISO 27001, and NIST publications) and scales the required control specifications to an organization's size, systems, and regulatory exposure. Commonly adopted in healthcare and increasingly in other regulated industries.

  • Information Protection Program: 18 controls

    Program governance, risk management, and information protection policies.

  • Endpoint Protection: 12 controls

    Malware protection, mobile device security, and removable media controls.

  • Portable Media Security: 6 controls

    Encryption, tracking, and disposal of portable storage and devices.

  • Access Control: 22 controls

    User registration, privilege management, password policies, and session controls.

  • Audit Logging and Monitoring: 10 controls

    Event logging, monitoring, clock synchronization, and log protection.

  • Network Protection: 14 controls

    Network segmentation, firewall management, and intrusion detection.

  • Transmission Protection: 8 controls

    Encryption of data in transit, secure messaging, and remote access.

  • Vulnerability Management: 10 controls

    Vulnerability scanning, patch management, and penetration testing.

  • Configuration Management: 9 controls

    Baseline configurations, change control, and system hardening.

  • Business Continuity: 11 controls

    BCP/DR planning, backup and recovery, and crisis communication.

  • Privacy Practices: 15 controls

    Notice, consent, data minimization, retention, and individual rights.

  • Third-Party Assurance: 8 controls

    Vendor risk assessment, contracts, and ongoing monitoring.

NIST AI RMF

NIST AI Risk Management Framework 1.0

47 controls

Voluntary framework from NIST (published January 2023) to help organizations manage risks associated with AI systems throughout their lifecycle. Structured around four core functions: Govern, which is cross-cutting and applies across the other three, and Map, Measure, and Manage. Because it is a risk management framework rather than a certifiable standard, its "controls" here are the framework's subcategories of outcomes, not auditable requirements.

  • Govern: 14 controls

    Policies, processes, accountability structures, and organizational culture for responsible AI.

  • Map: 12 controls

    Context establishment, stakeholder identification, risk framing, and AI system categorization.

  • Measure: 11 controls

    Metrics, methods, and tools for assessing AI risks including bias, fairness, and reliability.

  • Manage: 10 controls

    Risk treatment, response, monitoring, and continuous improvement for AI systems.

ISO 42001

ISO/IEC 42001:2023 AI Management System

48 controls

International standard (published December 2023) specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within organizations. It follows the same clause structure as ISO/IEC 27001 (clauses 4 to 10, listed below), so an existing ISMS can be extended rather than duplicated, and it is certifiable.

  • Context of the Organization: 6 controls

    Understanding the organization, interested parties, scope, and AIMS boundaries.

  • Leadership: 5 controls

    Top management commitment, AI policy, and organizational roles and responsibilities.

  • Planning: 8 controls

    Actions to address risks/opportunities, AI objectives, and impact assessments.

  • Support: 7 controls

    Resources, competence, awareness, communication, and documented information.

  • Operation: 12 controls

    AI system lifecycle processes, data management, and third-party considerations.

  • Performance Evaluation: 6 controls

    Monitoring, measurement, analysis, internal audit, and management review.

  • Improvement: 4 controls

    Nonconformity, corrective action, and continual improvement of the AIMS.

Custom Frameworks

Custom Framework Builder

0 controls

Build your own compliance framework tailored to your organization's regulatory landscape, internal policies, or client requirements. Custom requirements can be mapped to controls that already exist in the library, so evidence collected once for a standard framework satisfies the custom requirement as well; the control count stays at 0 until requirements are authored and mapped.

  • Framework Definition: 0 controls

    Define your framework name, version, applicability scope, and ownership.

  • Requirement Authoring: 0 controls

    Create requirements, group them into domains, and set maturity levels.

  • Control Mapping: 0 controls

    Map custom requirements to existing controls or create new control definitions.

  • Evidence Configuration: 0 controls

    Define evidence types, collection methods, and testing cadences per requirement.

  • Reporting Setup: 0 controls

    Configure readiness scoring, gap analysis views, and export templates.