Frameworks & Standards
Data Privacy
Here is a list of widely recognized data privacy frameworks that organizations use to protect personal information and ensure compliance with data protection laws:
GDPR is a comprehensive data protection regulation implemented by the European Union. It governs how organizations collect, store, and process the personal data of EU citizens. Key principles include data minimization, lawfulness, transparency, data subject rights, and data breach notifications.
CCPA is a U.S. law that grants California residents rights regarding the collection and use of their personal information. It requires businesses to disclose the types of data collected, gives consumers the right to access and delete their data, and allows them to opt-out of the sale of personal information.
HIPAA is a U.S. law that sets standards for the protection of healthcare data. It applies to covered entities (e.g., healthcare providers, insurers) and their business associates, requiring them to safeguard patient data and ensure confidentiality through administrative, physical, and technical safeguards.
Privacy Shield was a framework that allowed companies to legally transfer personal data from the EU to the U.S. for processing while ensuring adequate privacy protections. Although it was invalidated by the Schrems II decision in 2020, many companies continue to look for updated mechanisms like Standard Contractual Clauses (SCCs) for cross-border data transfers.
ISO/IEC 27701 builds on ISO 27001 and ISO 27002 by providing guidelines for establishing, implementing, maintaining, and improving a Privacy Information Management System (PIMS). It helps organizations ensure the protection of personally identifiable information (PII) and comply with data privacy regulations like GDPR and CCPA.
PIPEDA is a Canadian law that governs how private sector organizations collect, use, and disclose personal information in the course of commercial activities. It includes principles like accountability, consent, accuracy, and openness.
The LGPD is Brazil's data protection law, similar to the GDPR. It regulates the processing of personal data of individuals in Brazil and applies to any company that processes this data, regardless of where the company is located. It emphasizes transparency, data subject rights, and data security.
The APEC Privacy Framework provides principles for data protection and cross-border data flows among its member economies. It helps to balance privacy protections with the need for businesses to transfer data across borders for economic and commercial purposes.
Published by the National Institute of Standards and Technology (NIST), the NIST Privacy Framework is a voluntary tool that helps organizations manage privacy risks. It aligns with the NIST Cybersecurity Framework and focuses on building privacy into organizational practices through categories like governance, control, and communication.
FERPA is a U.S. federal law that protects the privacy of student education records. It applies to all schools that receive funding from the U.S. Department of Education, giving parents and eligible students the right to access, amend, and control the disclosure of educational records.
The ePrivacy Regulation, often called the "cookie law," complements the GDPR by specifically addressing privacy in electronic communications, including rules for cookies, electronic marketing, and confidentiality in online communications.
BCRs are internal rules adopted by multinational companies to allow the transfer of personal data within the corporate group across borders in compliance with GDPR. BCRs are subject to approval by EU data protection authorities.
COPPA is a U.S. law that imposes certain requirements on operators of websites and online services that are directed to children under 13 years of age. It aims to protect children’s personal data by requiring parental consent for data collection.
The SHIELD Act expands data breach notification laws in New York and mandates that businesses implement reasonable safeguards to protect the security, confidentiality, and integrity of private information.
Cyber Security
Here is a list of widely recognized cybersecurity frameworks that organizations use to safeguard their information systems, manage risks, and comply with regulatory requirements:
Published by the National Institute of Standards and Technology (NIST), the NIST Cybersecurity Framework provides a flexible approach to cybersecurity that includes five key functions: Identify, Protect, Detect, Respond, and Recover. It is widely adopted across industries for managing and reducing cybersecurity risks.
ISO/IEC 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. It also helps organizations comply with regulatory and legal requirements.
The CIS Controls are a set of best practices for securing IT systems and data. These 20 critical security controls focus on key areas like secure configuration, continuous vulnerability management, and incident response to improve an organization’s cybersecurity posture.
Developed by ISACA, COBIT is a governance framework that helps organizations manage and govern their IT and cybersecurity risks. It focuses on aligning IT with business goals while ensuring compliance, security, and risk management.
The CMMC is a unified cybersecurity standard for companies working with the U.S. Department of Defense (DoD). It establishes five maturity levels that assess the cybersecurity practices and processes of defense contractors and suppliers.
PCI DSS is a security standard designed to protect payment card information. It is required for any organization that handles credit card transactions and provides guidelines for securely processing, storing, and transmitting cardholder data.
NIST SP 800-53 provides security and privacy controls for federal information systems and organizations. It is widely adopted by the U.S. government and industry for managing information security risks across different sectors.
ISO/IEC 27032 focuses on cybersecurity and provides guidance on how organizations can secure their information systems from cyber threats. It complements other standards within the ISO 27000 family by specifically addressing cyber risks and attacks.
FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. It’s mandatory for cloud service providers working with federal agencies.
The HITRUST CSF is a framework that combines multiple regulatory requirements and standards, such as HIPAA and ISO 27001, into a single comprehensive framework for healthcare organizations. It helps organizations manage compliance and cybersecurity risks.
FISMA mandates that federal agencies establish a cybersecurity program to protect government information systems. It is closely aligned with NIST SP 800-53, providing a framework for securing federal information and managing risks.
While SOX is primarily a financial regulatory framework, it includes provisions to protect data related to financial reporting, such as ensuring the security of financial information systems. SOX compliance requires cybersecurity controls around financial data.
IEC 62443 is a set of standards focused on industrial control systems (ICS), particularly in sectors like energy and manufacturing. It provides guidelines for securing critical infrastructure and industrial networks from cyber threats.
Technology
Here is a list of widely recognized technology operations and controls frameworks that organizations use to manage IT operations, mitigate risks, and ensure compliance with best practices:
COBIT is an IT governance and management framework developed by ISACA. It provides a comprehensive structure for aligning IT operations with business objectives while ensuring compliance and risk management. COBIT covers everything from IT strategy and governance to operational management and security.
ITIL is a widely used framework for managing IT services. It focuses on aligning IT services with business needs and improving efficiency. ITIL covers best practices for IT service management (ITSM), including areas such as service delivery, incident management, and continuous improvement.
Key Focus: Information security, risk management, and operational controls.
TOGAF is an enterprise architecture framework that provides a structured approach for designing, implementing, and managing enterprise technology architecture. It helps organizations align their IT infrastructure with business goals while ensuring operational efficiency and control.
Key Focus: Enterprise architecture, IT strategy, and alignment with business processes.
ISO/IEC 20000 is an international standard for IT service management. It defines the requirements for managing the lifecycle of IT services, ensuring they are effectively delivered, monitored, and continuously improved. It is closely aligned with ITIL and focuses on improving operational efficiency in IT service delivery.
Key Focus: IT service management, operational efficiency, and continual improvement.
Although primarily focused on financial controls, the COSO framework can also be applied to IT operations. It provides a structure for evaluating and improving internal controls, including IT controls, to ensure they support organizational objectives and manage risks effectively.
Key Focus: Internal controls, risk management, and operational integrity.
CMMI is a process improvement framework that provides organizations with best practices to improve their operations across various disciplines, including software development, service management, and product development. It helps organizations assess the maturity of their operational processes and identify areas for improvement.
Key Focus: Process improvement, operational excellence, and IT project management.
SOC 2 is a compliance framework designed for service providers that store or process customer data. It focuses on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. SOC 2 ensures that an organization’s IT operations meet rigorous security and privacy standards.
Key Focus: Data security, operational controls, and customer data protection.
Business continuity frameworks focus on ensuring that critical IT operations can continue during and after a disruption. ISO 22301 is a well-known standard for business continuity management, helping organizations prepare for and recover from IT operational outages or disasters.
Key Focus: Continuity of IT operations, disaster recovery, and risk management.
Risk Management
Here is a list of widely recognized Risk Management Frameworks used by organizations to identify, assess, manage, and mitigate risks:
Developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), this framework provides a comprehensive approach to enterprise risk management, integrating strategy and performance with risk management to improve decision-making and governance.
The ISO 31000 standard provides guidelines for risk management applicable to any organization, regardless of size or industry. It focuses on creating and protecting value through the identification, assessment, and treatment of risks.
The IRM Framework emphasizes practical guidance on risk management across various sectors and industries, providing tools for managing strategic, operational, and financial risks.
An Australian framework that aligns with ISO 31000 but offers additional guidance and strategies for implementing effective risk management in public and private sectors.
This is an earlier version of the ISO 31000 standard, still referenced in some regions, providing a structured approach to risk management for various industries.
Compliance
Here is a list of key compliance frameworks and standards, such as FCPA, Sanctions, and other regulations that guide organizations in maintaining legal and ethical business practices globally:
The FCPA is a U.S. law that prohibits U.S. individuals and entities from bribing foreign government officials to obtain or retain business. It also includes provisions related to accurate financial reporting and maintaining internal controls. Companies with global operations often implement anti-bribery compliance programs to ensure adherence to FCPA standards.
Key Focus: Anti-bribery and corruption, accurate financial record-keeping.
The Office of Foreign Assets Control (OFAC) administers U.S. sanctions programs that restrict dealings with specific countries, individuals, and entities that are involved in terrorism, drug trafficking, or other illicit activities. The EU and UN also administer their own sanctions regimes, and companies must comply with the applicable jurisdiction’s sanctions rules.
Key Focus: Ensuring compliance with global sanctions on specific countries, individuals, and organizations.
The UK Bribery Act is one of the strictest anti-corruption laws globally, prohibiting both public and private sector bribery. It also imposes strict liability on companies that fail to prevent bribery by associated persons. Businesses must have adequate procedures in place to mitigate bribery risks.
Key Focus: Global anti-bribery standards that apply to both public and private entities.
AML laws are designed to prevent financial institutions from facilitating money laundering activities. Key standards include the Bank Secrecy Act (BSA) in the U.S., the EU AML Directives, and the Financial Action Task Force (FATF) recommendations. Compliance requires monitoring customer transactions, reporting suspicious activities, and performing due diligence.
Key Focus: Preventing and detecting money laundering and terrorist financing.
While primarily a data privacy regulation, GDPR has significant compliance requirements related to the processing of personal data. Businesses must implement internal processes to ensure data security, transparency, and compliance with individual rights. Fines for non-compliance can be significant.
Key Focus: Protecting personal data and ensuring privacy in the EU.
SOX mandates that public companies establish internal controls to ensure accurate financial reporting and prevent fraud. It requires management certification of financial reports and mandates independent audits to verify the adequacy of internal controls.
Key Focus: Corporate governance, financial reporting, and preventing fraud.
Enacted after the 2008 financial crisis, the Dodd-Frank Act includes provisions that require financial institutions to maintain enhanced risk management practices and transparency in financial reporting. It also established the Consumer Financial Protection Bureau (CFPB) to oversee compliance in the financial industry.
Key Focus: Financial reform, risk management, and consumer protection.
ISO 19600 provides guidelines for establishing and managing a compliance management system (CMS) based on risk management principles. It helps organizations integrate compliance into their overall governance framework and ensures they comply with laws, regulations, and internal standards.
Key Focus: Establishing an effective compliance management system.
Laws such as Dodd-Frank, SOX, and the EU Whistleblowing Directive protect employees who report misconduct, fraud, or regulatory violations from retaliation. Companies must implement systems to encourage internal reporting and protect whistleblowers.
Key Focus: Protecting whistleblowers and encouraging the reporting of unethical or illegal activities.
The Wolfsberg Group provides principles for managing financial crime risks in banking, including money laundering, sanctions, and bribery. These principles guide global financial institutions in implementing effective AML compliance programs.
The OECD Anti-Bribery Convention aims to combat bribery of foreign public officials in international business transactions. Signatory countries are required to adopt laws that make it illegal to bribe foreign public officials.
Key Focus: Combatting corruption in international trade.
The Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) regulate compliance in financial markets, including trading practices, transparency, and reporting requirements. These agencies oversee the enforcement of laws like SOX and Dodd-Frank in financial markets.
Key Focus: Regulatory compliance for securities and futures trading.
The USSG offers guidance on establishing an effective compliance and ethics program. It also provides incentives for organizations to implement programs that prevent criminal conduct and reduce penalties in case of regulatory violations.
Key Focus: Compliance program effectiveness and ethical corporate conduct.
HIPAA mandates compliance with data privacy and security regulations for healthcare organizations and those handling protected health information (PHI). It requires the implementation of controls to protect data integrity and patient privacy.
Key Focus: Protecting healthcare data privacy and security.
ITAR controls the export and import of defense-related articles and services in the U.S. Companies that manufacture or trade in military goods must comply with these regulations, ensuring that sensitive technology does not fall into the wrong hands.
Key Focus: Controlling the trade of military-related goods and services.
Know Your Customer (KYC) requirements are part of AML regulations that mandate companies (especially in financial services) to verify the identities of clients and assess their potential risks for illegal activities. It’s a crucial part of customer due diligence programs.
Key Focus: Ensuring the legitimacy of customer relationships to prevent financial crimes.
Financial Reporting
Here is a list of commonly used financial reporting controls frameworks that organizations utilize to ensure the accuracy, transparency, and compliance of their financial reporting:
Key Focus: Establishing a system of internal controls to prevent fraud and ensure financial statement accuracy.
Key Focus: Ensuring consistent and transparent reporting of financial performance across international borders.
Key Focus: Governing financial reporting and control standards for U.S.-based companies.
Key Focus: Ensuring that independent audits provide an accurate reflection of a company's financial health.
Key Focus: Internal controls related to financial risk, capital adequacy, and financial disclosures.
Key Focus: Ensuring IT systems support effective internal controls and financial reporting.
Key Focus: Merging financial and sustainability data to provide comprehensive reporting.
Key Focus: International standards for the audit and verification of financial reports and internal controls.
Key Focus: Strengthening corporate governance and financial reporting accuracy.