Compliance Framework Content Registry
ZenGRC comes with the content you need to be compliant.
Our solutions can support any framework and provides content for over 30 various standard and regulations. Using our pre-loaded content not only saves you time but also helps you quickly identify gaps and overlaps of running multiple programs at the same time. If you need to comply with a standard or regulation that is not listed here, it can be easily loaded into ZenGRC and managed through the application like the frameworks below.
Note: For select frameworks and standards, Illustrative Control and Risk templates are available.
Framework, Use Case/Description, & Useful Links
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
Compliance Controls Catalogue (C5)
The Cloud Computing Compliance Controls Catalogue (abbreviated “C5”) is intended primarily for professional cloud service providers, their auditors and customers of the cloud service providers. It is defined which requirements (also referred to as controls in this context) the cloud providers have to comply with or which minimum requirements the cloud providers should be obliged to meet.
CJIS
The Criminal Justice Information Services (CJIS) Security Policy provides requirements for criminal justice and associated agencies to use when accessing Criminal Justice Information (CJI). This Policy is also applicable to service providers who process CJI on behalf of criminal justice agencies.The policy prescribes safeguards that must be in place to secure CJI at rest and in transit. The policy integrates guidance from NIST with presidential and FBI directives, along with federal law and is audited periodically by the FBI for compliance. Failure to adhere to the policy may result in sanctions against non-compliant agencies.
COBIT
COBIT (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across sectors, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements.
COSO Internal Control–Integrated Framework
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides non-prescriptive guidance on internal controls, enterprise risk management, and fraud deterrence. COSO Intergrated Control-Integrated Framework is recognized as leading guidance for designing and implementing internal controls and assessing their effectiveness. This framework is commonly used as basis for management’s evaluation of its internal controls over financial reporting for compliance with the Sarbanes-Oxley Act of 2002 (“SOX“).
CSA Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.
CIS Controls
Sponsored by the Center for Internet Security (CIS), the CIS Controls is a prioritized list of recommended controls for cyber defense based on collective best practices and real-world risks, threats, and responses.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification (CMMC) framework consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the Defense Industrial Base (DIB) and Department of Defense (DoD) stakeholders. The model framework organizes these processes and practices into a set of domains and maps them across five levels. In order to provide additional structure, the framework also aligns the practices to a set of capabilities within each domain. The ensuing subsections provide additional information regarding each element of the model.
EU/US Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.
FedRAMP Low / Moderate / High
“The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a ‘do once, use many times’ framework…” FedRAMP offers significant cost savings for US Federal Government agencies when using and securing of cloud services, and supports the compliance requirements in the Federal Information Security Management Act (FISMA).
- The Low/Moderate baselines are appropriate for systems with public or sensitive information, where a breach or loss of availability would have a limited, non-catastrophic impact.
- The High baseline is appropriate for systems with highly sensitive information, where a breach or loss of availability would have a severe and/or catastrophic impact.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
HIPAA
The Health Insurance Portability and Accountability act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected/Personal Health Information (PHI). The US Department of Health & Human Services (HHS) is responsible for enforcement. You may be subject to HIPAA if you are a:
- Covered Entity: a business that generates or processes PHI
- Business Associate: a business supporting a Covered Entity
ISO 27001/2, 27017, 27018, 27701
The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.
- 27001:2013 is the best-known standard in the family providing requirements for an information security management system (ISMS).
- 27002:2013 contains guidelines for organizational information security standards and information security management practices. This includes the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).
- 27017:2015 provides guidance for information security controls applicable to the provision and use of cloud services
- 27018:2014 establishes control objectives, controls and guidelines for protecting Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
- 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
NIST CSF
In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization’s cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.The overall framework is structured into three parts:
- The Framework Core: A set of cybersecurity requirements, desired outcomes, and the Informative References which guide implementation of security controls Framework
- Implementation Tiers: Describe a level of achievement in an organization’s approach to cybersecurity risk assessment and management, representing maturation from informal, reactive processes to risk-driven proactive ones. They range from Partial (Tier 1) to Adaptive (Tier 4).
- Framework Profile: Represents the state of an organization’s cybersecurity efforts based on analysis against the Framework Categories and Subcategories. A Current Profile is created to judge the organizations as-is state, and a Target Profile is created to identify gaps, opportunities, and the desired outcome of cybersecurity improvement efforts.
NIST SP 800-53
The Federal Information Security Modernization Act (FISMA) requires civilian agencies of the US Federal Government to report on the security posture of their information systems. Businesses supporting these government agencies may also be required to implement such controls, if they interconnect with or operate systems on behalf of the government. There are a variety of documents which guide the implementation and management of security controls for such systems, including the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology Special Publications (NIST SP).
- FIPS 199 & 200: Describes the security categorization of systems and controls needed based on that categorization
- NIST SP 800-53: The catalog of controls to choose from
NIST SP 800-53 has three risk-based baselines for controls: Low, Moderate, and High. Higher-risk systems require more controls, while lower-risk systems require less stringent levels of protection.
NIST SP 800-171
The purpose of NIST 800-171 is to provide agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; 8 and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply only to components 9 of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components. The CUI requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR), 10 the CUI Executive Agent will address determining compliance with CUI requirements.
NY DFS
The New York Cybersecurity Regulation (NY DFS 23 NYCRR 500), released by the New York Department of Financial Services, mandates a set of cybersecurity requirements for financial services companies operating within the state. Title 23 NYCRR 500 is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation was created in response to the increasing threats posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.
PCI-DSS
The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data. The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.Merchants are assigned levels based on the number of transactions they process of various brands per year. These levels determine the type of annual compliance assessment that the merchant must perform, either a self-assessment or one by a third-party Qualified Security Assessor (QSA). Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions. The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.
Secure Controls Framework (SCF)
The Secure Controls Framework (SCF) is a comprehensive catalog of controls that is designed to enable companies to design, build and maintain secure processes, systems and applications. The SCF addresses both cybersecurity and privacy, so that these principles are designed to be “baked in” at the strategic, operational and tactical levels.In developing the SCF, we identified and analyzed 100 statutory, regulatory and contractual frameworks. Through analyzing these thousands of requirements, we identified commonalities and this allows several thousand unique controls to be addressed by the less than 750 controls that makeup the SCF. For instance, a requirement to maintain strong passwords is not unique, since it is required by dozens of frameworks. This allows one well-worded SCF control to address multiple requirements. This focus on simplicity and sustainability is key to the SCF, since it can enable various teams to speak the same controls language, even though they may have entirely different statutory, regulatory or contractual obligations that they are working towards.
SOC 1
These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of comply with laws and regulations such as the Sarbanes-Oxley Act and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:
- Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
The use of these reports are restricted to the management of the service organization, user entities of the service organization and user auditors.
SOC 2
SOC2 is intended to meet the needs of a broad range of users that need information and assurance about the controls at a service organization that affect the security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Examples of stakeholders who may need these reports are, management or those charged with governance of the user entities and of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.
SOX
Publicly-traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT. While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.