Streamline your controls compliance program by identifying gaps and redundant requirements across more than 25 frameworks and regulations. Risk Cloud’s Controls Repository creates a single source of truth for evaluating and visualizing risk across your entire enterprise.
Save time and remove data silos by mapping controls to over 25 security and privacy frameworks and regulations in one platform. Then, automatically collect evidence and calculate residual risk. Risk Cloud helps mature and scale your program by:
Risk Cloud streamlines your team’s approach to compliance by providing various controls content, pre-built assessment workflows, and automated evidence collection.
Secure Controls Framework (SCF) outlines cybersecurity and privacy common controls to help businesses prevent, detect, and correct security and privacy threats. It focuses on internal controls like cybersecurity and privacy-related policies, standards, and procedures.
The Cyber Risk Institute (CRI) Profile is a framework that provides the financial sector with an efficient approach to cybersecurity risk management that harmonize 2,500+ regulatory expectations.
The Gramm-Leach-Bliley Act (GLB Act or GLBA) is a United States federal law that requires financial institutions take appropriate action to keep customers’ private data confidential and secure.
The five controls covered in the Cyber Essentials certification represent the UK Government’s minimum baseline standard for cybersecurity - no matter your organization's size. Renew your certification annually to help prevent the most common internet-based cyber threats.
NIS2 aims to enhance the security of network and information systems within the European Union. Operators of critical infrastructure and essential services are required to implement appropriate security measures and report any incidents to the relevant authorities.
The Cloud Security Alliance’s Cloud Controls Matrix (CSA CCM) is a cybersecurity control framework designed to help organizations of all sizes securely implement, assess, and protect their cloud infrastructure. The framework features control objectives across 17 cloud-related domains, and is aligned to the CSA Security Guidance for Cloud Computing.
The NIST Secure Software Development Framework (SSDF), defined in NIST SP 800-218, helps you implement secure software development practices based on trusted guidance from organizations such as BSA, OWASP, and SAFECode.
The NIST Privacy Framework helps organizations identify and manage privacy risks when developing products and services to protect individuals’ privacy. The Framework consists of three parts — Core, Profiles, and Implementation Tiers.
Unified Compliance Framework (UCF) is used by organizations in every sector of business and government to help organizations make faster and more informed decisions, streamline compliance initiatives, and reduce compliance-related costs.
HITRUST Common Security Framework (CSF) helps organizations rationalize relevant regulations and standards into a single overarching security and privacy framework, ensuring data protection compliance and providing them cross-references to authoritative sources and regulations.
ISO 27001 defines standards to help organizations keep information assets secure. It is the central framework of the ISO 27000 series and specifies requirements for an information security management system (ISMS) and how to assess and treat information security risks.
ISO 27002 outlines guidelines for organizational information security standards and information security management practices. This includes the selection, implementation, and management of controls while taking into consideration the organization’s information security risk environments. It is intended to guide control selection through the process of implementing an ISMS based on ISO 27001.
ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO 2900 for the public cloud computing environment.
ISO 27701 specifies requirements and guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in relation to ISO 27001 and ISO 27002.
ISO 27017 details information security control guidelines applicable to the provision and use of cloud services in relation to ISO 27002.
Payment Card Industry (PCI) Data Security Standard, or PCI DSS, provides an actionable framework for developing a robust payment card data security process.
AICPA Trust Services Criteria (TSP Section 100), commonly referred to as SOC 2® TSC or SOC 2® TSP, defines five criteria to evaluate an organization’s internal security controls: security, availability, processing integrity, confidentiality, and privacy.
National Institute of Standards & Technology (NIST) Special Publication 800-53, or NIST 800-53, defines security and privacy controls for federal information systems/organizations.
The NIST AI Risk Management Framework (NIST AI RMF) helps organizations manage AI risks by providing guidance on designing, developing, deploying, and using AI systems.
National Institute of Standards and Technology (NIST) Special Publication 800-171, or NIST 800-171, provides guidance on how contractors and subcontractors of Federal agencies should manage and protect controlled unclassified information (CUI).
National Institute of Standards & Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, or NIST Cybersecurity Framework, is a voluntary framework that provides standards, guidelines, and best practices on how to manage cybersecurity risk.
Federal Risk and Authorization Management Program, or FedRAMP, helps organizations implement NIST 800-53 in relation to cloud service providers (CSPs) at four levels: High Baseline, Moderate Baseline, Low Baseline, and LI-SaaS Baseline.
Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across DoD contractors. It is a new framework for ensuring that the more than 300,000 companies in the defense industrial base (DIB) supply chain are protecting sensitive defense information.
New York State Department of Financial Services 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies, or NYDFS Cybersecurity Regulation, is a required certification for all New York insurance companies, banks, and other regulated financial services institutions, including agencies and branches of non-US banks licensed in the state of New York.
Health Insurance Portability and Accountability Act of 1996, or HIPAA, defines national standards for electronic health care transactions and code sets, unique health identifiers, and security. The HIPAA Security Rule (Subpart C) defines the security standards for appropriate administrative, physical and technical safeguards to ensure the protection of electronic protected health information.
General Data Protection Regulation (GDPR) gives control to individuals over their personal data and simplifies the regulatory environment for international business by unifying the regulation within the EU. It impacts European companies and businesses that target European individuals, and those that collect, use, or process the personal data of European individuals.
California Consumer Privacy Act of 2018, or CCPA Resolution AB-375, and CCPA regulations give California residents more control over the personal information that businesses collect about them. The CCPA applies to for-profit businesses that do business in California, including data brokers.
The Colorado Privacy Act provides Colorado consumers with new rights with respect to personal data and providing them with meaningful information about the collection and use of their data.
Center for Internet Security’s 20 CIS Controls are internationally-recognized cybersecurity best practices for defense against common threats. They are a consensus-developed resource that brings together expert insight about cyber threats, business technology, and security. The CIS Controls are broken down into three categories: Basic, Foundational, and Organizational.
Federal Financial Institutions Examination Council - Cybersecurity Assessment Tool (FFIEC CAT) was created by the FFIEC to help institutions identify their risks and determine their cybersecurity preparedness.
Australian Information Security Manual (ISM) Guidelines is a cybersecurity framework maintained by the Australian Cyber Security Centre (ACSC) that provides organizations with both strategic and practical guidance to protect against cyber threats and progress through five levels of maturity.
Digital Operational Resilience Act (Regulation (EU) 2022/2554) helps financial institutions improve operational resilience with rules for the protection, detection, containment, recovery, and repair capabilities against information and communication technology (ICT) related incidents.
Yes, you can import internal controls into Risk Cloud via a CSV file. From there, you can link internal controls to one or many control frameworks to further streamline control evaluation and management.
LogicGate’s team of GRC subject matter experts manages a specific subset of all available control framework content — prioritized by inputs like industry use cases and customer needs. If you would like to leverage a framework that is not pre-built within Risk Cloud, your LogicGate team can help you import the appropriate controls and related data.
LogicGate’s GRC Content Team provides updates related to the latest version of Risk Cloud Standards and Regulations Content provided to you, upon request, via spreadsheet within 120 days of a major release published by the authoritative source.
If requested, they will also make sure that this new version maps to the primary control set (e.g., Secure Controls Framework or HITRUST) to maintain relevant control mappings.
The Unified Compliance Framework (UCF) helps organizations map compliance requirements across multiple control frameworks via the largest available library of interconnected compliance documents. This leads to faster and more informed compliance decisions, streamlined compliance initiatives, and an estimated 40% to 50% net reduction in compliance-related costs.
The Secure Controls Framework (SCF) is a comprehensive catalog of cybersecurity and privacy controls that map across various statutory, regulatory, and contractual frameworks. By reducing thousands of frameworks down to 1,168 common controls, the SCF is a one-stop-shop that enables companies to maintain security and privacy across all of their processes, systems, and applications.
The HITRUST Common Security Framework (HITRUST CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards (e.g., HIPAA, PCI) related to data management, information risk, and compliance. The HITRUST CSF harmonizes multiple frameworks, standards, regulations, and leading practices into a single framework to reduce the need for multiple reports.
The Health Information Trust Alliance (HITRUST) was founded in 2007 to help organizations effectively manage data, information risk, and compliance. While originally developed as a healthcare framework, HITRUST has become industry-agnostic to support organizations from all industries to effectively manage controls and evidence.
The Secure Controls Framework (SCF) specializes in cybersecurity and data privacy controls, mapping to over 100 laws, regulations, and frameworks. This community-built tool is regularly updated by the SCF’s council of cybersecurity experts to reflect the latest regulations and best practices.
The Unified Compliance Framework (UCF) is a great solution for organizations with compliance needs that extend beyond cybersecurity and data privacy — thanks to the breadth and depth of their framework mapping. UCF customers also benefit from timely requirement updates due to the UCF platform including an algorithm that automatically connects new requirements to the existing control library.
The Federal Risk and Authorization Management Program (FedRAMP®) was launched in 2011 to help standardize cloud security requirements within state and local agencies. If your organization is a cloud service provider (CSP), you will need to become FedRAMP certified in order to do business with Federal agencies.
A System Security Plan (SSP) is a key component of any FedRAMP Authorization Package — outlining your organization’s current risks and controls. Learn how you can automatically generate a FedRAMP-ready SSP that accurately reflects security control information with Risk Cloud.
ISO 27001 provides requirements for an entire information security management system while SOC 2® is more focused on specific data security controls. If you’re looking for a more rigorous assessment that applies across all industries and regions, ISO 27001 may be the right fit for your organization. SOC 2® is generally recommended for organizations that primarily do business in North America and are looking for a more targeted, industry-specific approach.
The EU General Data Protection Regulation (GDPR) led the charge into data privacy regulation in 2018 by enforcing institutional regulations to protect the personal information of European citizens. GDPR includes six lawful bases for processing that individuals must opt into. The California Consumer Privacy Act (CCPA) was introduced in 2018 and amended in 2020 with a similar goal — protecting personal data of California residents — but there is no opt-in system surrounding lawful processing. Instead, individuals must proactively opt-out of their information being sold by for-profit organizations.
The Cybersecurity Maturity Model Certification (CMMC) is a formal certification program required for organizations that do business with the Department of Defense. CMMC includes three levels of maturity — each aligning with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards.
The NIST Cybersecurity Framework (CSF) is voluntary and focused on five areas: Identify, Protect, Detect, Respond, and Recover. NIST has also produced special publications focused on specific control sets — like NIST 800-53 and NIST 800-171. These two special publications are required for federal agencies and defense contractors.
The short answer is yes — but it depends. If you plan to do business with U.S. government suppliers, at minimum you will need to be CMMC, NIST 800-53, and NIST 800-171 compliant. If you specifically offer a product or service that is cloud-based, you will need to add FedRAMP to your list! While a growing list of frameworks may feel overwhelming, the good news is that Risk Cloud can help you automate evidence collection, evaluate redundant controls, and shorten audit cycles.
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.
