Security & Governance Frameworks
Comprehensive guide to security and governance frameworks including ISO 27001, SOC 2, NIST CSF, CMMC, NIS2, DORA, and more. Learn which framework fits your organization's security posture and compliance requirements.
SOC 2
$15,000–$120,000
SOC 2 is the leading security compliance framework for SaaS companies selling to US enterprises. This guide covers Type I vs Type II, trust service criteria, costs, and the audit process.

ISO 27001
$20,000–$150,000
ISO 27001 is the international gold standard for information security management. This guide covers everything from scoping to certification, with real costs, timelines, and practical implementation advice.

NIST CSF
$10,000–$100,000
The NIST Cybersecurity Framework provides a flexible, risk-based approach to managing cybersecurity risk. Learn how CSF 2.0 helps organizations of all sizes improve their security posture.

CMMC
$20,000–$300,000
CMMC 2.0 is the DoD's framework for verifying cybersecurity practices among defense contractors. Learn about the three certification levels and how to prepare for assessment.

CIS Controls
$5,000–$75,000
CIS Critical Security Controls provide a prioritized set of 18 cybersecurity best practices. Learn how to implement CIS Controls v8.1 based on your organization's size and resources.

COBIT
$25,000–$200,000
COBIT 2019 is a leading IT governance framework that aligns IT with business objectives. Learn how its 40 governance and management objectives improve enterprise IT performance.

COSO
$25,000–$250,000
COSO Internal Control - Integrated Framework is the standard for designing and evaluating internal controls, especially for SOX compliance. Learn its five components and 17 principles.

Cyber Essentials
$500–$10,000
Cyber Essentials is the UK government-backed certification covering five essential cybersecurity controls. Learn about basic and Plus certification levels and their requirements.

DORA
$50,000–$500,000
DORA establishes ICT risk management and resilience requirements for EU financial entities. Learn how to comply with this regulation covering testing, incidents, and third-party risk.

Essential Eight
$10,000–$100,000
The Essential Eight is Australia's prioritized cybersecurity mitigation strategies from ASD. Learn how to implement these eight controls across four maturity levels.

IRAP
$50,000–$300,000
IRAP is Australia's framework for assessing ICT systems handling government data. Learn how IRAP assessments work and what cloud providers need to serve Australian government clients.

ISO 22301
$20,000–$120,000
ISO 22301 is the international standard for business continuity management systems. Learn how to build organizational resilience through structured continuity planning and testing.

ISO 27002
$5,000–$50,000
ISO 27002 provides detailed implementation guidance for the 93 information security controls referenced by ISO 27001. Learn how to use it as your control selection and implementation companion.

ISO 27017
$15,000–$80,000
ISO 27017 provides cloud-specific security controls and implementation guidance for cloud service providers and customers. Learn how it extends ISO 27001 for cloud environments.

ISO 27018
$15,000–$75,000
ISO 27018 sets controls for protecting personally identifiable information in public cloud services. Learn how it helps cloud providers demonstrate PII protection compliance.

ISO 27701
$25,000–$150,000
ISO 27701 extends ISO 27001 with a privacy information management system (PIMS). Learn how it helps organizations demonstrate GDPR compliance and manage personal data responsibly.

ISO 31000
$10,000–$80,000
ISO 31000 provides universal risk management principles and guidelines applicable to any organization. Learn how to implement a structured approach to identifying and treating risks.

NIS2
$30,000–$250,000
NIS2 is the EU directive expanding cybersecurity obligations to more sectors and introducing stricter incident reporting. Learn who it affects and what compliance requires.

NIST 800-171
$30,000–$300,000
NIST SP 800-171 defines 110 security requirements for protecting CUI in nonfederal systems. Essential reading for any organization handling controlled unclassified information.

NIST 800-53
$50,000–$500,000
NIST SP 800-53 Rev 5 defines over 1,000 security and privacy controls for federal systems and organizations. Learn how to navigate control baselines and implement effectively.

SOC 1
$30,000–$200,000
SOC 1 (SSAE 18) examines controls at service organizations relevant to financial reporting. Learn when you need a SOC 1 report versus SOC 2 and what the audit involves.

SOC 3
$20,000–$100,000
SOC 3 is the publicly shareable version of SOC 2, providing a general-use trust services report. Learn when SOC 3 adds value and how it differs from SOC 2.