Selecting a Framework (Seed Content)

1 August 2023


Overview


The RiskOptics products provide a range of frameworks to support effective risk management and compliance. The choice of frameworks should align with your organization's objectives and compliance obligations; weighing the factors below will help you decide which frameworks to incorporate.

For a full list of available frameworks, see the sections later in this article (Artificial Intelligence Related Standards, Traditional Cyber/Security Standards, Privacy Related Standards, and Other/Non-Traditional Standards).

Regulatory Compliance: Do you operate in a heavily regulated industry? Do you handle sensitive data subject to specific regulations?
Consider: CIS Critical Security Controls, NIST Cybersecurity Framework

Data Privacy and Protection: Do you manage personal data or personally identifiable information (PII)? Are you subject to international data protection regulations (e.g., GDPR)?
Consider: GDPR, NIST Privacy Framework, ISO 27701:2019

Cloud Security: Do you use cloud services for data storage or processing? Do you need to secure cloud-based assets?
Consider: CSA CAIQ v4.0.2, CSA CCM - v4.0.5, FedRAMP (High, Low, Moderate Baselines)

Government and High-Impact Data: Do you handle government contracts or controlled unclassified information (CUI)? Are you involved in critical infrastructure sectors?
Consider: NIST 800-171 R2 Full, NIST 800-53 R5 Full, Cybersecurity Maturity Model Certification (CMMC) - v2.0

Quality and Service Management: Do you focus on maintaining high-quality products and services? Do you want to enhance your overall service management system?
Consider: ISO 9001:2015, ISO/IEC 20000-1

Healthcare Data Handling: Are you part of the healthcare industry, or do you handle health-related data? Do you need Health Insurance Portability and Accountability Act (HIPAA) compliance?
Consider: HIPAA

Artificial Intelligence Related Standards


ISO/IEC 42001 - Information Technology - Artificial Intelligence Management System

Provides requirements for establishing, implementing, maintaining, and continuously improving an AI management system. A voluntary framework that organizations can certify against to demonstrate responsible AI development.

Learn more: https://www.iso.org/standard/81230.html

NIST AI Risk Management Framework (AI 100-1)

Guidelines to help manage the risks associated with AI systems and promote the responsible development of AI. A voluntary framework that guides organizations through responsible and trustworthy AI development.

Learn more: https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-ai-rmf-10

Traditional Cyber/Security Standards


Center for Internet Security (CIS) Critical Security Controls (CSC) V8

Published by the Center for Internet Security, the Critical Security Controls Version 8 is a set of 20 prioritized cybersecurity actions that organizations can take to improve their cyber defense. The controls are designed to help organizations effectively defend against cyber threats and enhance their overall security posture.

Learn more: https://www.cisecurity.org/controls/cis-controls-list/

CSA CAIQ v4.0.2

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) Consensus Assessments Initiative Questionnaire (CAIQ) version 4.0.2 is a comprehensive list of security-focused questions that cloud service providers can use to demonstrate their security capabilities. It aids in assessing the security of cloud services and assists organizations in making informed decisions about their cloud providers.

Learn more: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4-0-2/

CSA CCM - v4.0.5

The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) version 4.0.5 is a framework that provides a structured, standardized, and comprehensive catalog of cloud-specific security controls. It helps organizations assess the security risks associated with cloud computing and ensures that proper security measures are in place.

Learn more: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4-0-5/

Cybersecurity Maturity Model Certification (CMMC) - v2.0

The Cybersecurity Maturity Model Certification (CMMC) version 2.0 is a standard developed by the U.S. Department of Defense (DoD) to enhance the cybersecurity posture of companies in the Defense Industrial Base (DIB). It defines a framework with multiple levels of cybersecurity maturity, ensuring contractors implement appropriate security controls to protect sensitive information.

Learn more: https://www.acq.osd.mil/cmmc/draft.html

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) defines three baselines of security controls for cloud service providers, selected according to the impact level of the federal data being handled:

HIGH Baseline: establishes a set of security controls for cloud service providers that must meet stringent security requirements when handling high-impact federal data. It ensures the confidentiality, integrity, and availability of federal information in cloud environments.
MODERATE Baseline: defines security controls for cloud service providers handling moderate-impact federal data. It ensures the protection of personally identifiable information and other sensitive data in cloud-based systems.
LOW Baseline: sets the security controls for cloud service providers hosting low-impact federal data. It helps protect sensitive but unclassified government information while utilizing cloud services.

Learn more: https://www.fedramp.gov/resources/templates-and-attachments/

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a federal law that regulates the security and privacy of protected health information (PHI). Organizations in the healthcare industry must comply with HIPAA requirements to safeguard patient data and ensure the confidentiality, integrity, and availability of PHI.

Learn more: https://www.hhs.gov/hipaa/index.html

ISO 27001 - Information Security Management System - Requirements and Annex A Controls

ISO/IEC 27001 is an international standard that sets the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), so that organizations systematically manage information security risks. ISO 27001:2022 is the updated edition of the standard and incorporates the latest best practices and guidance for managing information security effectively.

Learn more: https://www.iso.org/standard/54534.html

ISO 27017:2015 - Cloud Services

ISO/IEC 27017:2015 is an international standard that provides guidelines and implementation recommendations for information security controls in cloud computing environments. It focuses on cloud-specific threats and risks, assisting cloud service providers and cloud customers in ensuring secure cloud operations.

Learn more: https://www.iso.org/standard/43757.html

ISO 27018:2019 - Information Technology Security Techniques

ISO/IEC 27018:2019 is an international code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors. This standard establishes commonly accepted control objectives, controls, and guidelines for implementing security measures. In particular, this document specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which can be applicable within the context of the information security risk environment(s) of a provider of public cloud services.

Learn more: https://www.iso.org/standard/76559.html

ISO 27701:2019 - Privacy Information Management - Requirements and Guidelines

ISO/IEC 27701:2019 is an extension to ISO/IEC 27001 and ISO/IEC 27002, providing additional requirements and guidance for establishing, implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS). It assists organizations in achieving compliance with various privacy regulations.

Learn more: https://www.iso.org/standard/71670.html

NIST 800-171 R2 Full

NIST Special Publication 800-171 Revision 2 provides security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Compliance with these requirements is essential for contractors handling CUI on behalf of the U.S. government.

Learn more: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST 800-53 R5 Full

NIST Special Publication 800-53 Revision 5 provides a comprehensive set of security controls for federal information systems and organizations. It assists in managing and mitigating risks to the confidentiality, integrity, and availability of information in federal agencies.

Learn more: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/draft

NIST Cybersecurity Framework v1.1

The NIST Cybersecurity Framework (CSF) Version 1.1 is a voluntary framework developed by the National Institute of Standards and Technology (NIST) to help organizations manage and reduce cybersecurity risks. It consists of guidelines, standards, and best practices for improving cybersecurity resilience.

Learn more: https://www.nist.gov/cyberframework

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that organizations must follow to protect cardholder data during payment card transactions. Compliance with PCI DSS is essential for businesses handling credit card data.

Learn more: https://www.pcisecuritystandards.org/document_library

SOC 1® - SOC for Service Organizations: Internal Control over Financial Reporting (ICFR)

The SOC 1® framework, developed by the American Institute of Certified Public Accountants (AICPA), assesses controls at a Service Organization relevant to its internal control over financial reporting. The content is specifically intended to meet the needs of entities that use service organizations (user entities) and the CPAs that audit the user entities' financial statements (user auditors), in evaluating the effect of the controls at the service organization on the user entities' financial statements.

Learn more: https://us.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc1report

SOC 2® - SOC for Service Organizations: Trust Services Criteria - 2017 with March 2020 Updates

The SOC 2® framework, developed by the American Institute of Certified Public Accountants (AICPA), assesses service organizations' controls related to security, availability, processing integrity, confidentiality, and privacy. It provides assurance about the effectiveness of controls in a service organization's systems.

Learn more: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html

Privacy Related Standards


Colorado Privacy Act (SB 21-190)

The Colorado Privacy Act (CPA) is a state privacy law that sets guidelines for businesses in Colorado on how they collect, use, and protect consumers' personal data. It grants individuals certain rights and imposes obligations on businesses for the handling of personal information.

Learn more: https://leg.colorado.gov/bills/sb21-190

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, the European Commission, and the Swiss Administration to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. The Privacy Shield Principles comprise a set of seven commonly recognized privacy principles combined with 16 equally binding supplemental principles, which explain and augment the first seven.

Learn more: https://www.privacyshield.gov/welcome

General Data Protection Regulation (GDPR) - 2016

The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy law that applies to the European Union (EU) and the European Economic Area (EEA). It governs the processing of personal data and gives individuals greater control over their data.

Learn more: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

NIST Privacy Framework - Version 1.0 (01/16/2020)

The NIST Privacy Framework is a voluntary tool developed by the National Institute of Standards and Technology (NIST) to help organizations manage privacy risks related to the collection, use, storage, and sharing of personal data. It complements the NIST Cybersecurity Framework.

Learn more: https://www.nist.gov/privacy-framework

Virginia Consumer Data Protection Act (Chapter 53)

The Virginia Consumer Data Protection Act (VCDPA) is a state privacy law that provides Virginia residents with certain rights over their personal data. It applies to businesses that process personal data of a certain scale and includes requirements for data protection and individual rights.

Learn more: https://law.lis.virginia.gov/vacodepopularnames/virginia-consumer-data-protection-act/

Other/Non-Traditional Standards


C5 2020 - Compliance Controls Catalogue (C5) Program

The Cloud Computing Compliance Criteria Catalogue, also referred to as C5:2020, was developed by the German Federal Office for Information Security (BSI) as a way to assess the information security of cloud services. It leverages internationally recognized security standards such as ISO/IEC 27001 to set a consistent audit baseline that helps establish a framework of trust between cloud providers and their customers.

Learn more: https://cloud.google.com/security/compliance/bsi-c5

Gramm-Leach-Bliley Act (GLBA): 2021 Part 314

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. Part 314, which implements sections 501 and 505(b)(2) of GLBA, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.

Learn more: https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act

ISO 14001:2015 - Environmental Management Systems

ISO 14001:2015 enables businesses to achieve a balance between the environment, society, and the economy, meeting the needs of the present without compromising the ability of future generations to meet their own needs. The standard emphasizes the importance of a systematic approach to environmental management, implemented through an environmental management system, with the aim of contributing to the environmental pillar of sustainability.

Learn more: https://www.iso.org/iso-14001-environmental-management.html

ISO 20000-1 - Service Management System Requirements

ISO/IEC 20000-1 is an international standard that defines requirements for establishing, implementing, maintaining, and continually improving a Service Management System (SMS). While not privacy-specific, it is relevant because it encompasses the management of services, which may involve handling personal data.

Learn more: https://www.iso.org/standard/60555.html

ISO 27005:2022 - Guidance on Managing Information Security Risks

ISO/IEC 27005:2022 provides guidance on conducting information security risk management. Though not solely focused on privacy, it helps organizations assess and address privacy risks related to the processing and handling of sensitive information.

Learn more: https://www.iso.org/standard/84514.html

ISO 9001:2015 - Quality Management System

ISO 9001:2015 is an international standard that specifies requirements for a Quality Management System (QMS). While not privacy-specific, it can be relevant for organizations that process personal data and aim to ensure the quality and security of their products and services.

Learn more: https://www.iso.org/standard/62085.html

North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)

The NERC CIP requirements were designed to ensure the security of the North American Bulk Electric System (BES) and consist of 12 standards covering security management controls, personnel and training, system security management, electronic security perimeters, disaster recovery planning, and configuration change management. To comply with these regulations, utilities must collect and produce detailed information about digital assets and analyze whether these devices are deployed and accessed securely. This framework is available in ROAR only.

Learn more: https://www.nerc.com/pa/CI/Pages/Transition-Program.aspx

New York State Department of Financial Services (NYDFS) 23 NYCRR 500 - Cybersecurity Requirements for Financial Services

The New York State Department of Financial Services (DFS) identified certain regulatory minimum cybersecurity standards that are warranted without being overly prescriptive, so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. It requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.

Learn more: https://www.dfs.ny.gov/industry_guidance/cybersecurity

Trusted Partner Network (TPN v5.1)

TPN defines the MPA Content Security Best Practices to increase security awareness, preparedness, and capabilities to secure content throughout the content lifecycle. Assessments are performed using MPA's standardized Content Security Best Practices, which establish a single benchmark of minimum security preparedness for all Service Providers; TPN runs an assessment program against the Best Practices to determine a Service Provider's security status. By creating a single, global registry of "Trusted Partner" Service Providers and their security status, Content Owners can make independent, risk-based business decisions.

Learn more: https://www.ttpn.org/links-resources/

US DOJ / FBI - Criminal Justice Information Services (CJIS) Security Policy

Law enforcement needs timely and secure access to services that provide data wherever and whenever needed to stop and reduce crime. In response to these needs, the Advisory Policy Board (APB) recommended to the Federal Bureau of Investigation (FBI) that the Criminal Justice Information Services (CJIS) Division authorize the expansion of the existing security management structure in 1998. Administered through a shared management philosophy, the CJIS Security Policy contains information security requirements, guidelines, and agreements reflecting the will of law enforcement and criminal justice agencies for protecting the sources, transmission, storage, and generation of Criminal Justice Information (CJI).

Learn more: https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center


3 replies

Related content link returns a Page not found error.

@MarkK I apologize; you caught me doing some housekeeping in our knowledge base. The outdated article and link have been removed.

Let me know if there is anything I can help you find! 😊

Is this title “Gramm-Leach Bililey Act (GLBA): 2021 Part 314” misspelled?
