Secureframe Framework offering

Secureframe enables compliance with the most in-demand frameworks to accelerate sales cycles and make it easy to prove your security posture. Each supported framework includes control mapping to framework requirements, automated control testing that collects compliance evidence from integrated technologies, and built-in Secureframe tools such as policy management as required by each framework. 

Visit our full Framework page to learn more about each. https://secureframe.com/frameworks

View our Commercial security frameworks

  • SOC 2 is a cybersecurity compliance framework developed for service and technology providers that handle customer data. SOC 2 drives organizations to build strong, continuous security processes to protect their customer data.
  • ISO 27001:2022 is a universal standard built for organizations around the globe to establish, maintain, and continually improve their information security management system (ISMS).
  • PCI DSS: Merchants or service providers that process, store, transmit, or impact credit card data need to meet the 300+ PCI DSS requirements to safeguard cardholder data.
  • Cyber Essentials is a certificate required for organizations working with the UK government to protect against common online threats by implementing a baseline of five essential security controls and best practices.
  • NYDFS NYCRR 500: The New York Department of Financial Services (NYDFS) requires covered entities to uphold cybersecurity requirements related to protecting sensitive customer data and the overall security of systems and personnel within your NYDFS scope.
  • FTC Safeguards Rule: Financial institutions under the jurisdiction of the Federal Trade Commission (FTC) need to meet the Safeguards Rule to protect the security of customer data.
  • ISO 27017 is an international standard providing guidelines for information security controls applicable to cloud services. It addresses both cloud service providers and customers, ensuring security and compliance in cloud environments through additional controls and best practices tailored to the unique aspects of cloud computing.
  • Microsoft SSPA: Suppliers that are part of Microsoft's information supply chain need to comply with Microsoft's Supplier Privacy and Assurance Standards (SSPA) and complete an assessment against Microsoft's Data Protection Requirements (DPR).
  • NIS2 is an updated EU directive aimed at enhancing cybersecurity across all member states by improving national capabilities, cooperation, and risk management practices among key sectors and digital service providers.
  • Essential 8 is a set of cybersecurity strategies recommended by the Australian Cyber Security Centre (ACSC) to help organizations mitigate cyber threats and protect their systems against a range of cyber attacks.
  • Center for Internet Security (CIS) - Group 1-3: the CIS Critical Security Controls (CSCs) are a set of best practices and guidelines designed to safeguard organizations against cyber threats. CIS is a comprehensive approach to cybersecurity, including regular updates and audits, to ensure adherence to industry-standard security measures and enhance overall cyber defense capabilities.
  • SOX ITGC refers to the Information Technology General Controls under the Sarbanes-Oxley Act, which are internal controls IT departments must implement to support the integrity of financial reporting.
  • EU DORA: The Digital Operational Resilience Act (DORA) is a regulation aimed at enhancing the operational resilience of financial institutions in the European Union so that they can withstand and recover from various disruptions and threats.
  • TISAX (Trusted Information Security Assessment Exchange) is a European standard for information security assessments, required for companies in the automotive industry—such as suppliers and service providers—that handle sensitive information to ensure compliance with stringent data protection standards.

View our Federal security frameworks

  • NIST 800-53 - High includes the largest number of controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - High if the loss of sensitive data would have a severe or catastrophic impact on their business.

  • NIST 800-53 - Moderate includes controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - Moderate if the loss of sensitive data would have a sufficient, but not catastrophic, impact on their business.

  • NIST 800-53 - Low includes the fewest controls to help federal agencies and their supporting contractors protect their data and systems and comply with the Federal Information Security Modernization Act (FISMA). Organizations should comply with NIST 800-53 - Low if the loss of sensitive data would have a minor impact on their business.

  • NIST 800-171 (Revision 3): Contractors and subcontractors working with federal or state agencies that handle Controlled Unclassified Information (CUI) must comply with NIST 800-171.

  • NIST CSF 2.0: The NIST Cybersecurity Framework (NIST CSF 2.0) is required for any organization that works with the US federal government, institutions supported by federal grants, or within the supply chain for a federal agency. NIST CSF 2.0 helps organizations understand risk and improve their cybersecurity programs.

  • CJIS: The Criminal Justice Information Services (CJIS) framework is for government entities that access or manage sensitive information from the US Justice Department. CJIS is designed to ensure data security in law enforcement.

  • CMMC Level 2: The Cybersecurity Maturity Model Certification (CMMC) 2.0 is an evolving model that contractors working with the Department of Defense (DoD) and other federal agencies must meet.

  • CMMC Level 3: The Cybersecurity Maturity Model Certification (CMMC) 3.0 is the highest and most stringent level of CMMC, adding an additional 24 requirements on top of Level 2.

  • TX-RAMP (Texas Risk and Authorization Management Program) is a framework that standardizes the risk management and authorization process for cloud services used by Texas state agencies and institutions. Organizations need to comply with TX-RAMP to ensure they meet the state's security and privacy requirements, facilitating secure and efficient cloud service usage within the public sector.

  • FedRAMP (The Federal Risk and Authorization Management Program) is required for any cloud service provider that works with the US federal government or handles federal data. FedRAMP standardizes security assessments, authorization, and continuous monitoring for cloud products and services, ensuring they meet strict cybersecurity requirements before being used by federal agencies.

  • GovRAMP (formerly known as StateRAMP) is a security authorization framework modeled after FedRAMP, but designed for state, local, tribal, and territorial (SLTT) governments in the U.S. Secureframe offers both levels of GovRAMP, Moderate and Low.

View our Data privacy frameworks

  • HIPAA: Modern healthcare plans, providers, insurers, clearinghouses, biotech organizations, and pharmaceutical organizations must achieve and maintain compliance with the Health Insurance Portability and Accountability Act (HIPAA).

  • ISO 27701 is the data privacy extension of ISO 27001. ISO 27001 is for organizations around the globe to establish, maintain, and continually improve their information security management system (ISMS).

  • GDPR: Organizations that handle European Union (EU) and United Kingdom (UK) customer data must uphold the various privacy and security requirements to comply with the General Data Protection Regulation (GDPR).

  • CCPA: Businesses that target or collect the personal data of California residents need to achieve and maintain compliance with the California Consumer Protection Act (CCPA).

  • CPRA: The California Privacy Rights Act (CPRA) amends CCPA's consumer rights by introducing new requirements for businesses to protect customer data and includes an enforcement agency, the California Privacy Protection Agency (CPPA).

View all our other frameworks

  • NIST AI RMF: For organizations that are incorporating AI into their products and processes, Secureframe helps with NIST AI RMF compliance and risk management associated with AI systems.

  • ISO 42001: For organizations that are incorporating AI into their products and processes, Secureframe helps organizations comply with ISO 42001 and manage the responsible development and use of AI systems.

  • Custom Frameworks: Build frameworks based on your unique requirements, industry standards, and regulatory obligations to achieve your compliance goals. Map our pre-built controls and tests to your custom frameworks using our control library and test library to save time on evidence collection and control monitoring.

  • ISO-9001 is an international standard built to provide a structured framework for organizations to establish and maintain a Quality Management System (QMS).

Frequently Asked Questions (FAQ)

How do I add additional frameworks to my subscription? 

If I am 100% on SOC 2 and later add ISO 27001, will there be overlap? 

  • Yes, absolutely. All Secureframe frameworks are already mapped to one another, so any work you have done that has overlap (including evidence) will be immediately recognized once that new framework is added. 
