
Cybersecurity Frameworks & Standards

Browse ISO 27001, SOC 2, NIST CSF, CIS Controls and more — every control mapped to its equivalents across other frameworks and regulations.

ISO 27001

Voluntary · ISO/IEC

ISO/IEC 27001:2022

Any organization, of any size or sector, that wants to certify its information security management system. Certification is voluntary but is frequently required contractually by enterprise customers and partners.

Any sector · International · Certifiable

9 Annex A Controls · International · 2022

SOC 2

Contractual · AICPA

SOC 2 (AICPA Trust Services Criteria)

Service organizations — especially SaaS and cloud providers — that store or process customer data and are asked to demonstrate security through an independent auditor's report. Driven by customer and procurement requirements rather than law.

SaaS & cloud · Service organizations · US-centric

6 Trust Services Criteria · US · 2017

NIST CSF 2.0

Voluntary · NIST

NIST Cybersecurity Framework 2.0

Any organization seeking a common language to assess and manage cybersecurity risk. Voluntary, but widely adopted by US critical-infrastructure operators and referenced by regulators and contracts worldwide.

Any sector · US critical infrastructure · International

8 Subcategories · US · 2024

CIS Controls v8

Voluntary · CIS

CIS Critical Security Controls v8

Any organization wanting a prioritised, practical security baseline. Scales by implementation group (IG1–IG3), so small businesses and large enterprises can adopt a right-sized subset.

Any sector · SMB to enterprise · International

8 Safeguards · International · 2021

NIST 800-53

Mandatory · NIST

NIST SP 800-53 Rev. 5

Mandatory for US federal information systems under FISMA and for many federal contractors; widely reused worldwide as the reference control catalog that underpins FedRAMP, CMMC and other programs.

US federal · Federal contractors · International (reference)

10 Controls · US · 2020

NIST 800-171

Mandatory · NIST

NIST SP 800-171 Rev. 2

Contractors and subcontractors that store, process or transmit Controlled Unclassified Information (CUI) for the US government, enforced for the defense sector through DFARS clauses and CMMC.

US defense supply chain · Federal contractors · Handles CUI

7 Requirements · US · 2020

Essential Eight

Voluntary · ACSC

ACSC Essential Eight

Recommended for all Australian organizations and mandatory for non-corporate Commonwealth entities. A pragmatic baseline measured across maturity levels ML1 to ML3.

Australia · Government mandated · Any sector

8 Mitigation Strategies · AU · 2017

Cyber Essentials

Voluntary · NCSC / IASME

UK Cyber Essentials

Any UK organization wanting a certified baseline against common internet threats. Required to bid for certain UK government contracts, especially those handling personal or sensitive information.

UK · SMB-friendly · Gov supplier requirement

5 Technical Controls · UK · 2014

PCI DSS

Contractual · PCI SSC

PCI DSS v4.0

Any organization worldwide that stores, processes or transmits payment card data, and any entity that can affect the security of cardholder data. Enforced by the card brands through acquiring banks, not by law.

Card payments · Global · Handles cardholder data

8 Requirements · International · 2022