Streamline your controls compliance program by identifying gaps and redundant requirements across more than 25 frameworks and regulations. Risk Cloud’s Controls Repository creates a single source of truth for evaluating and visualizing risk across your entire enterprise.
Save time and remove data silos by mapping controls to over 25 security and privacy frameworks and regulations in one platform. Then, automatically collect evidence and calculate residual risk. Risk Cloud helps mature and scale your program by:
Risk Cloud streamlines your team’s approach to compliance by providing various controls content, pre-built assessment workflows, and automated evidence collection.
Secure Controls Framework (SCF) outlines cybersecurity and privacy common controls to help businesses prevent, detect, and correct security and privacy threats. It focuses on internal controls like cybersecurity and privacy-related policies, standards, and procedures.
Unified Compliance Framework (UCF) is used by organizations in every sector of business and government to help organizations make faster and more informed decisions, streamline compliance initiatives, and reduce compliance-related costs.
HITRUST Common Security Framework (CSF) helps organizations rationalize relevant regulations and standards into a single overarching security and privacy framework, ensuring data protection compliance and providing them cross-references to authoritative sources and regulations.
ISO 27001 defines standards to help organizations keep information assets secure. It is the central framework of the ISO 27000 series and specifies requirements for an information security management system (ISMS) and how to assess and treat information security risks.
ISO 27002 outlines guidelines for organizational information security standards and information security management practices. This includes the selection, implementation, and management of controls while taking into consideration the organization’s information security risk environments. It is intended to guide control selection through the process of implementing an ISMS based on ISO 27001.
ISO 27017 details information security control guidelines applicable to the provision and use of cloud services in relation to ISO 27002.
ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect personally identifiable information (PII) in accordance with the privacy principles in ISO 2900 for the public cloud computing environment.
ISO 27701 specifies requirements and guidelines for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in relation to ISO 27001 and ISO 27002.
Payment Card Industry (PCI) Data Security Standard, or PCI DSS, provides an actionable framework for developing a robust payment card data security process.
National Institute of Standards and Technology (NIST) Special Publication 800-171, or NIST 800-171, provides guidance on how contractors and subcontractors of Federal agencies should manage and protect controlled unclassified information (CUI).
National Institute of Standards & Technology (NIST) Special Publication 800-53, or NIST 800-53, defines security and privacy controls for federal information systems/organizations.
The NIST AI Risk Management Framework (NIST AI RMF) helps organizations manage AI risks by providing guidance on designing, developing, deploying, and using AI systems.
National Institute of Standards & Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, or NIST Cybersecurity Framework, is a voluntary framework that provides standards, guidelines, and best practices on how to manage cybersecurity risk.
The NIST Privacy Framework helps organizations identify and manage privacy risks when developing products and services to protect individuals’ privacy. The Framework consists of three parts — Core, Profiles, and Implementation Tiers.
The NIST Secure Software Development Framework (SSDF), defined in NIST SP 800-218, helps you implement secure software development practices based on trusted guidance from organizations such as BSA, OWASP, and SAFECode.
Digital Operational Resilience Act (Regulation (EU) 2022/2554) helps financial institutions improve operational resilience with rules for the protection, detection, containment, recovery, and repair capabilities against information and communication technology (ICT) related incidents.
Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across DoD contractors. It is a new framework for ensuring that the more than 300,000 companies in the defense industrial base (DIB) supply chain are protecting sensitive defense information.
Federal Risk and Authorization Management Program, or FedRAMP, helps organizations implement NIST 800-53 in relation to cloud service providers (CSPs) at four levels: High Baseline, Moderate Baseline, Low Baseline, and LI-SaaS Baseline.
General Data Protection Regulation (GDPR) gives control to individuals over their personal data and simplifies the regulatory environment for international business by unifying the regulation within the EU. It impacts European companies and businesses that target European individuals, and those that collect, use, or process the personal data of European individuals.
AICPA Trust Services Criteria (TSP Section 100), commonly referred to as SOC 2® TSC or SOC 2® TSP, defines five criteria to evaluate an organization’s internal security controls: security, availability, processing integrity, confidentiality, and privacy.
Health Insurance Portability and Accountability Act of 1996, or HIPAA, defines national standards for electronic health care transactions and code sets, unique health identifiers, and security. The HIPAA Security Rule (Subpart C) defines the security standards for appropriate administrative, physical and technical safeguards to ensure the protection of electronic protected health information.
Federal Financial Institutions Examination Council - Cybersecurity Assessment Tool (FFIEC CAT) was created by the FFIEC to help institutions identify their risks and determine their cybersecurity preparedness.
California Consumer Privacy Act of 2018, or CCPA Resolution AB-375, and CCPA regulations give California residents more control over the personal information that businesses collect about them. The CCPA applies to for-profit businesses that do business in California, including data brokers.
The Cloud Security Alliance’s Cloud Controls Matrix (CSA CCM) is a cybersecurity control framework designed to help organizations of all sizes securely implement, assess, and protect their cloud infrastructure. The framework features control objectives across 17 cloud-related domains, and is aligned to the CSA Security Guidance for Cloud Computing.
Center for Internet Security’s 20 CIS Controls are internationally-recognized cybersecurity best practices for defense against common threats. They are a consensus-developed resource that brings together expert insight about cyber threats, business technology, and security. The CIS Controls are broken down into three categories: Basic, Foundational, and Organizational.
New York State Department of Financial Services 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies, or NYDFS Cybersecurity Regulation, is a required certification for all New York insurance companies, banks, and other regulated financial services institutions, including agencies and branches of non-US banks licensed in the state of New York.
Australian Information Security Manual (ISM) Guidelines is a cybersecurity framework maintained by the Australian Cyber Security Centre (ACSC) that provides organizations with both strategic and practical guidance to protect against cyber threats and progress through five levels of maturity.
NIS2 aims to enhance the security of network and information systems within the European Union. Operators of critical infrastructure and essential services are required to implement appropriate security measures and report any incidents to the relevant authorities.
Yes, you can import internal controls into Risk Cloud via a CSV file. From there, you can link internal controls to one or many control frameworks to further streamline control evaluation and management.
LogicGate’s team of GRC subject matter experts manages a specific subset of all available control framework content — prioritized by inputs like industry use cases and customer needs. If you would like to leverage a framework that is not pre-built within Risk Cloud, your LogicGate team can help you import the appropriate controls and related data.
LogicGate’s GRC Content Team provides updates related to the latest version of Risk Cloud Standards and Regulations Content provided to you, upon request, via spreadsheet within 120 days of a major release published by the authoritative source.
If requested, they will also make sure that this new version maps to the primary control set (e.g., Secure Controls Framework or HITRUST) to maintain relevant control mappings.
The Unified Compliance Framework (UCF) helps organizations map compliance requirements across multiple control frameworks via the largest available library of interconnected compliance documents. This leads to faster and more informed compliance decisions, streamlined compliance initiatives, and an estimated 40% to 50% net reduction in compliance-related costs.
The Secure Controls Framework (SCF) is a comprehensive catalog of cybersecurity and privacy controls that map across various statutory, regulatory, and contractual frameworks. By reducing thousands of frameworks down to 1,168 common controls, the SCF is a one-stop-shop that enables companies to maintain security and privacy across all of their processes, systems, and applications.
The HITRUST Common Security Framework (HITRUST CSF) is a prescriptive set of controls that meet the requirements of multiple regulations and standards (e.g., HIPAA, PCI) related to data management, information risk, and compliance. The HITRUST CSF harmonizes multiple frameworks, standards, regulations, and leading practices into a single framework to reduce the need for multiple reports.
The Health Information Trust Alliance (HITRUST) was founded in 2007 to help organizations effectively manage data, information risk, and compliance. While originally developed as a healthcare framework, HITRUST has become industry-agnostic to support organizations from all industries to effectively manage controls and evidence.
The Secure Controls Framework (SCF) specializes in cybersecurity and data privacy controls, mapping to over 100 laws, regulations, and frameworks. This community-built tool is regularly updated by the SCF’s council of cybersecurity experts to reflect the latest regulations and best practices.
The Unified Compliance Framework (UCF) is a great solution for organizations with compliance needs that extend beyond cybersecurity and data privacy — thanks to the breadth and depth of their framework mapping. UCF customers also benefit from timely requirement updates due to the UCF platform including an algorithm that automatically connects new requirements to the existing control library.
The Federal Risk and Authorization Management Program (FedRAMP®) was launched in 2011 to help standardize cloud security requirements within state and local agencies. If your organization is a cloud service provider (CSP), you will need to become FedRAMP certified in order to do business with Federal agencies.
A System Security Plan (SSP) is a key component of any FedRAMP Authorization Package — outlining your organization’s current risks and controls. Learn how you can automatically generate a FedRAMP-ready SSP that accurately reflects security control information with Risk Cloud.
ISO 27001 provides requirements for an entire information security management system while SOC 2® is more focused on specific data security controls. If you’re looking for a more rigorous assessment that applies across all industries and regions, ISO 27001 may be the right fit for your organization. SOC 2® is generally recommended for organizations that primarily do business in North America and are looking for a more targeted, industry-specific approach.
The EU General Data Protection Regulation (GDPR) led the charge into data privacy regulation in 2018 by enforcing institutional regulations to protect the personal information of European citizens. GDPR includes six lawful bases for processing that individuals must opt into. The California Consumer Privacy Act (CCPA) was introduced in 2018 and amended in 2020 with a similar goal — protecting personal data of California residents — but there is no opt-in system surrounding lawful processing. Instead, individuals must proactively opt-out of their information being sold by for-profit organizations.
The Cybersecurity Maturity Model Certification (CMMC) is a formal certification program required for organizations that do business with the Department of Defense. CMMC includes three levels of maturity — each aligning with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards.
The NIST Cybersecurity Framework (CSF) is voluntary and focused on five areas: Identify, Protect, Detect, Respond, and Recover. NIST has also produced special publications focused on specific control sets — like NIST 800-53 and NIST 800-171. These two special publications are required for federal agencies and defense contractors.
The short answer is yes — but it depends. If you plan to do business with U.S. government suppliers, at minimum you will need to be CMMC, NIST 800-53, and NIST 800-171 compliant. If you specifically offer a product or service that is cloud-based, you will need to add FedRAMP to your list! While a growing list of frameworks may feel overwhelming, the good news is that Risk Cloud can help you automate evidence collection, evaluate redundant controls, and shorten audit cycles.
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.
