So, what are frameworks?
Essentially, a framework provides structure for achieving and maintaining compliance; each framework defines the requirements (e.g. controls, documents, evidence, and practices) an organization must follow to meet a specific law, regulation, or security standard. ControlMap supports 50+ cybersecurity compliance frameworks for you to choose from.
How do you know which framework(s) apply to your clients? This depends on several factors, such as the regions they operate in and whose data they hold, their industry, business size, customer and contractual requirements, and goals.
For example:
• If your client offers goods or services to, or stores personal data about, individuals in the EU, they should be compliant with GDPR (General Data Protection Regulation), regardless of where the client itself is located.
• If your client is a healthcare provider, health plan, or clearinghouse handling protected health information (PHI) in the USA, or a business associate that handles PHI on their behalf, they should be compliant with HIPAA (Health Insurance Portability and Accountability Act of 1996).
For a comprehensive overview of ControlMap's supported frameworks, as well as their purposes and relevant industries, check out the tables below.
| Note: For specific guidance regarding frameworks, reach out to your compliance advisor. |
👏🏻 Most Popular
| Framework | Industries | Purpose |
| CIS Controls v8.1 | Government, energy, healthcare, finance, and education. | Provide prioritized, prescriptive cybersecurity practices (18 controls, grouped into Implementation Groups IG1 to IG3) that organizations can implement quickly. Defend against the most common and pervasive cyberattacks (phishing, ransomware, credential theft, insider threats). |
| CMMC 2.0 | Contractors and subcontractors of the U.S. Department of Defense (DoD), i.e. the Defense Industrial Base. | Ensure contractors have baseline cybersecurity hygiene and sufficient protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI); Level 2 maps to the 110 requirements of NIST SP 800-171. Provide assurance to DoD that supply-chain partners meet minimum security requirements before contract award. |
| FTC Safeguards | Non-bank financial institutions under FTC jurisdiction (e.g. mortgage brokers, auto dealers that arrange financing, tax preparers, payday lenders). | Protect nonpublic personal information (NPI) of consumers under the Gramm-Leach-Bliley Act (GLBA). Standardize minimum cybersecurity practices across non-bank financial institutions: a written information security program, a designated qualified individual, MFA, encryption, and (since 2024) notification to the FTC of breaches affecting 500 or more consumers. |
| GDPR (General Data Protection Regulation) | Any organization processing personal data of individuals in the EU/EEA, whether or not it is established there; most common in tech, e-commerce, SaaS, and finance. | Strengthen individual rights over their personal data. Harmonize data protection laws across the EU, backed by fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. |
| HIPAA Breach Notification Rule | Covered entities (hospitals, clinics, doctors, pharmacies, health insurance companies, and health plans) and their business associates. | HIPAA is the Health Insurance Portability and Accountability Act of 1996; its rules are issued and enforced by HHS and govern protected health information (PHI) in the USA. The Breach Notification Rule requires notifying affected individuals, HHS, and in some cases the media after a breach of unsecured PHI. |
| HIPAA Privacy Rule | Same as above. | Define the permissible uses and disclosures of PHI and give individuals rights over their health information (access, amendment, accounting of disclosures). |
| HIPAA Security Rule | Same as above. | Require administrative, physical, and technical safeguards for electronic PHI (ePHI), including a documented risk analysis and risk management process. |
| ISO 27001:2022 | Tech, finance, manufacturing, and global enterprises. | Establish a systematic approach (an Information Security Management System, ISMS) to managing sensitive data (confidentiality, integrity, availability). Protect against cybersecurity threats, data breaches, and insider risks. Manage cybersecurity, privacy, and information security risks through a risk-based methodology; the 2022 edition reorganizes Annex A into 93 controls across four themes. |
| NIST CSF 2.0 | Government contractors, critical infrastructure, and mid-size enterprises; applicable to organizations in any sector. | Provide a common language for managing cybersecurity risk across six Functions (Govern, Identify, Protect, Detect, Respond, Recover). Offer a risk-based, flexible, and scalable approach adaptable to organizations of all sizes. |
| PCI DSS v4.0 | Retail, e-commerce, banking, healthcare, utilities, and hospitality; any entity that stores, processes, or transmits cardholder data. | Protect cardholder data (CHD) and sensitive authentication data (SAD). Enhance security against modern cyber threats (e.g. ransomware, phishing, cloud risks). Note that v4.0 was superseded by the v4.0.1 errata release in June 2024 and retired at the end of 2024. |
| SOC 2 | SaaS, cloud, fintech, healthcare, energy, utilities, e-commerce, and oil and gas. | Provide independent, CPA-issued assurance to clients that a vendor manages sensitive data securely, assessed against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Reduce the need for multiple vendor audits (a SOC 2 report is reusable evidence). |
🇦🇺 Australia
| Framework | Industries | Purpose |
| Australia Energy (AESCSF) | Electricity, gas, oil, and energy retail. | The Australian Energy Sector Cyber Security Framework, developed by AEMO with government and industry partners, provides a sector-specific cybersecurity framework for energy companies. Help organizations identify, manage, and reduce cyber risks. |
| Essential Eight 2021 | Energy and utilities, financial services, healthcare providers, education and research. | Reduce cybersecurity risks and limit the impact of common cyber threats through a small set of eight prioritized, measurable, and cost-effective mitigation strategies published by the Australian Cyber Security Centre (ACSC). |
| Essential Eight 2023 | Energy and utilities, financial services, healthcare providers, education and research. | Provide a minimum baseline of cyber resilience that addresses the most common, high-impact threats. Offer a maturity model (Maturity Level 0 to 3) so organizations can progressively improve; the November 2023 update tightened several requirements, notably around phishing-resistant MFA and patching timeframes. |
| Prudential Standard CPS 234 | APRA-regulated entities: banking and finance, insurance, and superannuation. | Strengthen information security resilience across Australia's financial sector. Ensure regulated entities protect critical and sensitive information from cyber threats, and notify APRA of material information security incidents within 72 hours. |
| PSPF (Protective Security Policy Framework) | Australian Government entities and the contractors and service providers (including cloud providers) that handle their people, information, and assets; commonly relevant to defense, law enforcement, tax, and healthcare. | Protect people, information, and physical assets of the Australian Government. Enhance resilience against insider threats, espionage, terrorism, and cyberattacks; the PSPF mandates the Essential Eight for non-corporate Commonwealth entities. |
🇨🇦 Canada
| Framework | Industries | Purpose |
| Canada Cybersecurity Small Business v1.2 | Professional services, healthcare practices, retail and e-commerce. | Protect SMEs against the most common cyber threats (phishing, ransomware, data theft). Encourage a culture of security awareness in businesses without large IT/security teams. |
| Cybersecure Canada 2024 | Professional services, healthcare providers, retail and e-commerce, technology startups, and SaaS providers. | Provide an affordable, clear path to baseline cybersecurity maturity. Improve customer and partner confidence by offering government-backed certification. Strengthen Canada's national cyber resilience by raising the security posture of SMEs in all sectors. |
🇪🇺 European Union
| Framework | Industries | Purpose |
| DORA 2022 | Banking and credit institutions, insurance and reinsurance, credit rating agencies, and other financial entities, plus ICT third-party providers designated as critical. | The Digital Operational Resilience Act (Regulation (EU) 2022/2554, applicable from 17 January 2025) creates a single, harmonized EU-wide framework for ICT risk management, incident reporting, resilience testing, and third-party risk in finance. Replace the patchwork of national rules, which led to inconsistent resilience levels. |
| GDPR (General Data Protection Regulation) | Any organization processing personal data of individuals in the EU/EEA, whether or not it is established there; most common in tech, e-commerce, SaaS, and finance. | Strengthen individual rights over their personal data. Harmonize data protection laws across the EU, backed by fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. |
| NIS2 Directive | Energy, transport, banking, health, digital infrastructure, public administration, and the other "essential" and "important" entities it lists. | Directive (EU) 2022/2555, which member states were to transpose by 17 October 2024. Increase EU-wide cybersecurity resilience through risk-management measures, incident reporting (24-hour early warning), and management accountability. Protect essential services and supply chains from cyber threats. |
🇪🇺 European Union, 🇬🇧 United Kingdom, and 🌐 Commonwealth countries
| Framework | Industries | Purpose |
| Cyber Baseline Question Set - Version: Aylard | IT services, finance and insurance, healthcare, and government contractors. | Provide a practical, easy-to-use question set for assessing and improving cybersecurity posture, especially for smaller organizations that lack the resources for complex certifications. |
🇳🇿 New Zealand
| Framework | Industries | Purpose |
| NZ Information Security Manual (NZISM) | Defense, health, police, cloud providers, and critical infrastructure. | Provide a baseline standard for securing government ICT systems, published by the Government Communications Security Bureau (GCSB). Protect classified and sensitive government information against cyber and physical threats. |
🇬🇧 United Kingdom
| Framework | Industries | Purpose |
| Note: NYDFS (23 NYCRR 500) is a New York State regulation, not a UK framework; see the United States table below. |
| Privacy Accountability Framework (UK ICO) | Healthcare, finance, energy, retail, government, and education. | Provide a structured approach to embedding data protection into organizational governance, as expected under the UK GDPR and Data Protection Act 2018. Ensure organizations can prove compliance, not just claim it. |
| UK Cyber Essentials | Government, healthcare, education, SMEs, energy, finance, and charities. | NCSC-backed certification that protects organizations against common cyber threats like phishing, malware, ransomware, and password attacks through five technical control areas (firewalls, secure configuration, access control, malware protection, and patch management). Build trust with customers and partners by showing a verified cybersecurity baseline. Ensure suppliers to the UK government have minimum cybersecurity controls. |
🇺🇸 United States
| Framework | Industries | Purpose |
| CCPA (California Consumer Privacy Act) | Any for-profit business meeting the CCPA thresholds that handles California residents' personal information; common in technology, retail, finance, healthcare, utilities, and energy. | Give California residents control over their personal information (rights to know, delete, correct, and opt out of sale or sharing), as amended by the CPRA. Enhance transparency in how businesses collect and use data. |
| CJIS 2022 | Law enforcement and public safety, courts and judicial systems, government IT providers, and private sector vendors. | The FBI's CJIS Security Policy protects criminal justice information (CJI) against breaches, insider threats, and cyberattacks. Define standardized security requirements across all U.S. states and agencies. |
| CMMC 2.0 | Contractors and subcontractors of the U.S. Department of Defense (DoD), i.e. the Defense Industrial Base. | Ensure contractors have baseline cybersecurity hygiene and sufficient protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI); Level 2 maps to the 110 requirements of NIST SP 800-171. Provide assurance to DoD that supply-chain partners meet minimum security requirements before contract award. |
| FedRAMP High Baseline | Cloud service providers (CSPs) serving government, IT, education, data services, and SaaS customers. | Prevent compromise of mission-critical or national security data. Implement advanced access controls, encryption, redundancy, and monitoring. Minimize impact from cyberattacks, breaches, or outages that could disrupt essential services. |
| FedRAMP Low Baseline | Cloud service providers (CSPs) serving government, IT, education, data services, and SaaS customers. | Ensure even low-risk cloud systems are protected to a consistent minimum standard. Reduce redundancy: cloud providers don't need separate security authorizations for each agency. |
| FedRAMP Moderate Baseline | Cloud service providers (CSPs) serving government, IT, education, data services, and SaaS customers. | Standardize cloud security across all U.S. federal agencies. Promote cloud adoption within government agencies through a trusted security framework. |
| FedRAMP (Rev5) High Baseline | CSPs serving defense contractors and aerospace, healthcare, financial services, and energy and utilities. | Protect sensitive federal data in the cloud at the highest assurance level, using the NIST SP 800-53 Rev 5 control set. Reduce supply chain risk by embedding Rev 5 controls for supply chain risk management, insider threats, cyber resiliency, and privacy. |
| FedRAMP (Rev5) Low Baseline | CSPs serving technology/SaaS providers, education/research data platforms, healthcare and financial services. | Provide a standardized minimum security baseline for public/non-sensitive cloud services. Build a trust framework for federal agencies, even with low-impact systems. |
| FedRAMP (Rev5) Moderate Baseline | CSPs serving technology/SaaS providers, healthcare, financial services, and energy and utilities. | Protect sensitive federal data with a standardized, reusable baseline. Reduce duplication: "do once, use many times" across multiple agencies. |
| FFIEC Cybersecurity Assessment | Financial sector (banks, credit unions, and other institutions supervised by FFIEC members). | Give institutions a common language and structured method to understand inherent risk vs maturity. Provide examiners a consistent artifact to discuss cyber preparedness. Note that the FFIEC announced the Cybersecurity Assessment Tool would be sunset on 31 August 2025 in favor of other frameworks such as NIST CSF 2.0 and the CRI Profile. |
| FINRA Checklist 2023 | Securities industry (FINRA member broker-dealers). | Provide a structured starting point for small/medium financial firms to strengthen cybersecurity. Facilitate board/executive discussions about cybersecurity investment. |
| FTC Safeguards | Non-bank financial institutions under FTC jurisdiction (e.g. mortgage brokers, auto dealers that arrange financing, tax preparers, payday lenders). | Protect nonpublic personal information (NPI) of consumers under the Gramm-Leach-Bliley Act (GLBA). Standardize minimum cybersecurity practices across non-bank financial institutions: a written information security program, a designated qualified individual, MFA, encryption, and (since 2024) notification to the FTC of breaches affecting 500 or more consumers. |
| HIPAA Breach Notification Rule | Covered entities (hospitals, clinics, doctors, pharmacies, health insurance companies, and health plans) and their business associates. | HIPAA is the Health Insurance Portability and Accountability Act of 1996; its rules are issued and enforced by HHS and govern protected health information (PHI) in the USA. The Breach Notification Rule requires notifying affected individuals, HHS, and in some cases the media after a breach of unsecured PHI. |
| HIPAA Privacy Rule | Same as above. | Define the permissible uses and disclosures of PHI and give individuals rights over their health information (access, amendment, accounting of disclosures). |
| HIPAA Security Rule | Same as above. | Require administrative, physical, and technical safeguards for electronic PHI (ePHI), including a documented risk analysis and risk management process. |
| Minimum Acceptable Risk Standards | Government and defense, finance and banking, healthcare and life sciences, energy, and technology and cloud services; best known as CMS's MARS-E, which applies to state health insurance exchanges and the contractors that handle their federal tax information and PII. | Define a baseline of cybersecurity and risk controls required for any supplier or partner. Provide a clear risk threshold: if a supplier cannot meet MARS, they cannot process or access critical data. |
| NYDFS (23 NYCRR 500) | Entities licensed by the New York Department of Financial Services: banking, insurance, fintech, virtual currency ("crypto"), and investment firms. | Protect consumer financial data and maintain trust. Establish minimum cybersecurity standards for all regulated firms, including a designated CISO, MFA, an annual compliance certification, and 72-hour notification of cybersecurity incidents; the November 2023 amendment added stricter requirements for larger "Class A" companies. |
| SOC 1 Type 2 controls | Payroll providers, claims processors, and financial SaaS/cloud vendors. | Provide assurance to user entities and their financial auditors that a service organization's controls relevant to Internal Control over Financial Reporting (ICFR) are suitably designed and operated effectively over the review period (Type 2), under the AICPA's SSAE 18 attestation standard. Reduce financial misstatement risk caused by outsourced functions. |
| NIST AI | Healthcare, finance, energy, retail, government, and tech. | The NIST AI Risk Management Framework (AI RMF 1.0) embeds trustworthiness characteristics (e.g. validity, reliability, safety, security/resilience, explainability, accountability, privacy-enhancement, fairness with harmful bias managed) into AI programs. Provide a shared language and repeatable process for risk-based AI governance across the lifecycle, organized into the Govern, Map, Measure, and Manage functions. |
| NIST 800-171r2 | Defense Industrial Base (DIB), energy, manufacturing, healthcare, and technology and cloud providers. | Protect the confidentiality of CUI when it resides in nonfederal systems and organizations, via 110 requirements in 14 families. Create a standardized baseline for contractors and subcontractors; Rev 2 remains the version referenced by CMMC 2.0 and DoD contracts even though Rev 3 was published in May 2024. |
| TX-RAMP 2022 | Cloud, SaaS, education, healthcare, utilities, and public safety. | The Texas Risk and Authorization Management Program ensures Texas state agencies only use secure, vetted cloud services. Provide a standardized cybersecurity baseline for cloud service providers (CSPs), with reciprocity for existing FedRAMP and StateRAMP authorizations. |
🌎 Global
| Framework | Industries | Purpose |
| CIS Controls v8.1 | Government, energy, healthcare, finance, and education. | Provide prioritized, prescriptive cybersecurity practices (18 controls, grouped into Implementation Groups IG1 to IG3) that organizations can implement quickly. Defend against the most common and pervasive cyberattacks (phishing, ransomware, credential theft, insider threats). |
| COBIT 2019 | Financial services/banking, healthcare, government and public sector, manufacturing, retail, technology, and telecom. | ISACA's governance framework provides a structured model for IT decision-making. Help organizations manage risk, optimize resources, and deliver IT value. |
| CSA-CCM v3.0.1 | Energy and utilities, oil and gas, power generation, financial services, healthcare, government and defense, retail and e-commerce, and technology/SaaS. | The Cloud Security Alliance's Cloud Controls Matrix provides a baseline set of security controls tailored for cloud environments. Enable standardized assessments of cloud providers by customers, auditors, and regulators. Superseded by CCM v4. |
| CSA-CCM v4.03 | Energy and utilities, oil and gas, power generation, financial services, healthcare, government and defense, retail and e-commerce, technology/SaaS. | Provide a comprehensive, cloud-specific set of security controls (197 controls in 17 domains) and an assessment standard that reduces ambiguity in cloud security expectations. |
| CRI Profile ver.2.0 | Banks, insurers, asset managers, and FinTechs. | The Cyber Risk Institute's Profile simplifies cybersecurity compliance by unifying multiple frameworks and regulations into one NIST CSF-based profile. Provide a risk-based, scalable cybersecurity framework suitable for all financial entities, from small credit unions to large multinational banks. |
| GTIA Trustmark | IT service providers. | Give customers an easily verifiable signal that an IT service provider follows industry-accepted cybersecurity controls and a mature risk program. |
| ISO 27001:2022 | Tech, finance, manufacturing, and global enterprises. | Establish a systematic approach (an Information Security Management System, ISMS) to managing sensitive data (confidentiality, integrity, availability). Protect against cybersecurity threats, data breaches, and insider risks. Manage cybersecurity, privacy, and information security risks through a risk-based methodology; the 2022 edition reorganizes Annex A into 93 controls across four themes. |
| ISO 27001:2013 | Energy, financial services, healthcare, IT and cloud providers, and telecom. | Protect confidentiality, integrity, and availability (CIA triad) of information. Build customer and regulator trust by achieving certification. Superseded by ISO 27001:2022; certificates against the 2013 edition had to transition by 31 October 2025. |
| ISO 27701: Privacy Information Management | Technology and cloud service providers, healthcare, finance and banking, e-commerce, and retail. | Extend ISO 27001 to a Privacy Information Management System (PIMS) for PII controllers and processors. Provide a structured approach to comply with global privacy laws (GDPR, CCPA, LGPD, PDPA, etc.). |
| ISO/IEC 27017:2015 | Energy, financial services, healthcare, e-commerce and retail, IT, and telecom. | Provide additional, cloud-specific security controls and implementation guidance beyond ISO 27002, for both cloud customers and cloud service providers. Protect data in multi-tenant environments. Reduce risk of cloud-specific threats: data leakage, insecure APIs, insider abuse, lack of portability/interoperability. |
| ISO/IEC 27018:2019 | Energy, financial services, healthcare, e-commerce, retail, and IT. | Provide a code of practice for protecting PII in public clouds acting as PII processors. Help CSPs demonstrate compliance with data protection laws (e.g. GDPR, CCPA). Build customer trust by showing cloud providers implement privacy by design. |
| ISO/IEC 42001 | Energy, financial services, healthcare, IT, manufacturing and industry. | ISO/IEC 42001:2023 specifies an AI management system (AIMS). Ensure responsible and ethical AI deployment. Provide a structured, certifiable framework for AI governance. |
| Microsoft DPR | Cloud, SaaS, managed services, healthcare, finance, and retail. | The Data Protection Requirements of Microsoft's Supplier Security and Privacy Assurance (SSPA) program ensure consistent, contractually enforceable data protection across Microsoft's supplier ecosystem; reduce third-party risk; require operational controls for confidentiality, integrity and availability; add AI governance and transfer/subprocessor controls. |
| Motion Picture Association | Film studios, streaming services, broadcasting companies, advertising and marketing firms, and vendors handling distribution. | The MPA Content Security Best Practices, assessed through the Trusted Partner Network (TPN), prevent leakage of unreleased movies and TV shows. Ensure secure collaboration across a global supply chain of vendors. |
| NIST 800-171 R3 | Defense Industrial Base (DIB), energy, manufacturing, healthcare, technology, and cloud providers. | Protect Controlled Unclassified Information (CUI) from theft, espionage, or loss. Provide a standardized set of cybersecurity requirements for all contractors; Rev 3 (May 2024) realigns the requirements to NIST SP 800-53 Rev 5 and introduces organization-defined parameters. |
| NIST CSF 1.1 | Energy, finance, healthcare, defense, manufacturing, and IT. | Provide a common language for managing cybersecurity risk. Help organizations identify, protect, detect, respond, and recover from cyber incidents (the five Functions). Superseded by NIST CSF 2.0 in February 2024. |
| NIST CSF 2.0 | Government contractors, critical infrastructure, and mid-size enterprises; applicable to organizations in any sector. | Provide a common language for managing cybersecurity risk across six Functions (Govern, Identify, Protect, Detect, Respond, Recover). Offer a risk-based, flexible, and scalable approach adaptable to organizations of all sizes. |
| NIST Privacy Framework v1.0 | Healthcare, finance, energy, retail, government, and tech. | Provide a common language between technical, legal, and executive teams. Help organizations manage privacy risk through better governance and accountability. |
| NIST SP 800-161r1 | Defense, energy, healthcare, and telecom sectors. | Cybersecurity Supply Chain Risk Management (C-SCRM) practices that help organizations address risks of counterfeit, compromised, or malicious components. Support compliance with federal acquisition regulations. |
| PCI DSS v3.2 | Retail, e-commerce, payment processors, and hospitality. | Reduce risk of fraud, data breaches, and financial theft. Standardize security practices for all entities handling card data. Superseded by v3.2.1 (2018) and then by v4; v3.2.1 was retired on 31 March 2024. |
| PCI DSS v4.0 | Retail, e-commerce, banking, healthcare, utilities, and hospitality; any entity that stores, processes, or transmits cardholder data. | Protect cardholder data (CHD) and sensitive authentication data (SAD). Enhance security against modern cyber threats (e.g. ransomware, phishing, cloud risks). Note that v4.0 was superseded by the v4.0.1 errata release in June 2024 and retired at the end of 2024. |
| SCF v2022.2 | Finance, healthcare, retail, energy, government, and cloud. | The Secure Controls Framework provides one comprehensive, unified control catalog that supports both security and privacy (not just security). Reduce reinventing controls per regulation by offering mapped crosswalks to many compliance regimes. |
| SCF v2023.2 | Finance, healthcare, retail, energy, government, and cloud. | Provide a unified control set for organizations managing multiple compliance obligations. Reduce duplication and complexity by mapping one control to many frameworks. Enable organizations to demonstrate due diligence and due care to regulators, customers, and auditors. |
| SCF v2025.1 | Finance, healthcare, retail, energy, government, and cloud. | Instead of maintaining separate control sets for each standard, you maintain one SCF control set and show mappings to all required frameworks. Streamline evidence collection and reduce audit fatigue by re-using mapped controls and evidence across assessments. |
| SOC 2 | SaaS, cloud, fintech, healthcare, energy, utilities, e-commerce, and oil and gas. | Provide independent, CPA-issued assurance to clients that a vendor manages sensitive data securely, assessed against the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Reduce the need for multiple vendor audits (a SOC 2 report is reusable evidence). |
| TISAX v5.1 | Automotive sector, logistics, and supply chain companies. | The Trusted Information Security Assessment Exchange, operated by the ENX Association and based on the VDA ISA catalogue, establishes a unified and trusted information security assessment system for the automotive industry. |
| TISAX v6.0 | Automotive sector, logistics and supply chain companies. | Ensure consistent, standardized information security assessments across the automotive supply chain, with results shared between participants rather than repeated per customer. Build trust among OEMs, suppliers, and service providers. |
Any questions? Reach out to our friendly, neighborhood support team by submitting a support ticket.