Global Cross Sector Frameworks

ISO/IEC 27001 – Information Security Management Systems

  • Establishes requirements for setting up, implementing, maintaining, and continuously improving an information security management system (ISMS).
    https://www.iso.org/standard/27001


ISO/IEC 27002 – Security Controls Implementation

  • Provides guidelines and best practices for selecting and implementing information security controls to support ISO/IEC 27001.
    https://www.iso.org/standard/75652.html


ISO/IEC 27701 – Privacy Information Management

  • Extends ISO/IEC 27001 to incorporate privacy information management, helping organizations comply with global privacy regulations.
    https://www.iso.org/standard/71670.html


ISO/IEC 27005 – Risk Management

  • Focuses on information security risk management, offering a structured approach to identifying, evaluating, and treating risks.
    https://www.iso.org/standard/80585.html


ISO/IEC 31000 – Enterprise Risk Management

  • Provides principles and guidelines for managing all types of organizational risks — not limited to cybersecurity.
    https://www.iso.org/standard/65694.html


ISO/IEC 22301 – Business Continuity Management

  • Defines requirements for a management system to protect against, reduce the likelihood of, and recover from disruptive incidents.
    https://www.iso.org/standard/75106.html


ISO/IEC 27017 – Cloud Security

  • Gives specific guidance on information security controls for cloud service providers and customers.
    https://www.iso.org/standard/43757.html


ISO/IEC 27018 – Cloud Privacy

  • Focuses on the protection of personally identifiable information (PII) in public cloud computing environments.
    https://www.iso.org/standard/76559.html


ISO/IEC 27034 – Application Security

  • Outlines best practices for integrating security throughout the lifecycle of application development and management.
    https://www.iso.org/standard/44378.html


ISO/IEC 42001 – AI Management Systems

  • Establishes requirements for managing artificial intelligence systems responsibly, focusing on transparency, risk, and ethical use.
    https://www.iso.org/standard/81230.html


COBIT 2019 – IT Governance Framework

  • Provides a comprehensive framework for managing and governing enterprise IT, aligning technology with business goals.
    https://www.isaca.org/resources/cobit


CIS Controls v8 – Critical Security Controls

  • A prioritized set of cyber defense best practices designed to mitigate the most common cyber threats.
    https://www.cisecurity.org/controls/v8


NIST Cybersecurity Framework (CSF)

  • Voluntary framework for managing cybersecurity risk, commonly used for critical infrastructure and enterprise cybersecurity.
    https://www.nist.gov/cyberframework


NIST SP 800-53 – Security & Privacy Controls

  • Provides a comprehensive catalog of security and privacy controls for federal information systems and organizations.
    https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final


NIST SP 800-171 – Controlled Unclassified Information (CUI) Protection

  • Outlines the requirements for protecting CUI in non-federal systems and organizations, often required for government contractors.
    https://csrc.nist.gov/pubs/sp/800/171/r3/final


SOC 1 (SSAE-18) – Financial Reporting Controls

  • Designed for organizations that impact their clients’ financial reporting; reports on internal controls over financial data.
    https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1


SOC 2 – Trust Services Criteria

  • Evaluates service organizations on security, availability, processing integrity, confidentiality, and privacy controls.
    https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2


PCI DSS – Payment Card Industry Data Security Standard

  • Enforces security requirements for all entities that store, process, or transmit cardholder data to protect against fraud and breaches.
    https://www.pcisecuritystandards.org/


GDPR – General Data Protection Regulation (EU)

  • The European Union’s legal framework for protecting personal data and privacy of individuals within the EU and EEA.
    https://gdpr-info.eu/


HITRUST CSF – Healthcare Security Framework

  • A certifiable framework that unifies multiple regulations (HIPAA, ISO, NIST) into one comprehensive compliance and risk management model for healthcare and beyond.
    https://hitrustalliance.net/hitrust-csf/


ISF Standard of Good Practice – Enterprise Security Maturity

  • A globally recognized framework covering information security governance, risk, compliance, and technical controls.
    https://www.securityforum.org/tool/the-standard-of-good-practice/
     


United States Cybersecurity & Privacy Frameworks

United States


HIPAA – Health Insurance Portability and Accountability Act

  • U.S. law that protects the privacy and security of health information across healthcare providers, insurers, and related entities.
    https://www.hhs.gov/hipaa/for-professionals/index.html
     

FISMA – Federal Information Security Modernization Act

  • Federal law requiring U.S. government agencies to implement and manage information security programs.
    https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act
     

GLBA – Gramm-Leach-Bliley Act

  • Requires financial institutions to explain their data-sharing practices and safeguard sensitive customer data.
    https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
     

SOX – Sarbanes-Oxley Act

  • U.S. law mandating internal controls and data integrity for financial reporting in publicly traded companies.
    https://www.congress.gov/bill/107th-congress/house-bill/3763
     

CMMC – Cybersecurity Maturity Model Certification

  • A tiered certification model for contractors working with the U.S. Department of Defense to ensure supply chain cybersecurity.
    https://dodcio.defense.gov/CMMC/About/
     

NIST SP 800-82 – ICS Security Guidelines

  • Guidance for securing Industrial Control Systems (ICS), including SCADA and other operational technologies.
    https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
     

TSA Pipeline Security Guidelines

  • U.S. framework to strengthen physical and cyber protections for pipeline infrastructure.
    https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf
     

FERPA – Family Educational Rights and Privacy Act

  • Federal law protecting student education records and privacy in U.S. schools and institutions.
    https://studentprivacy.ed.gov/ferpa
     

COPPA – Children’s Online Privacy Protection Act

  • Protects the personal data of children under 13 online by regulating how companies collect and handle it.
    https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa
     

NIST IR 8403 – Blockchain Risk Management

  • A NIST guide for assessing and mitigating risks in blockchain and distributed ledger technologies.
    https://csrc.nist.gov/publications/detail/nistir/8403/final
     

NIST SP 800-63-3 – Digital Identity Guidelines

  • Technical standards for identity proofing, authentication, and federation in federal digital services.
    https://pages.nist.gov/800-63-3/
     

FAIR – Factor Analysis of Information Risk

  • A quantitative model for understanding and analyzing cybersecurity risk in financial terms.
    https://www.fairinstitute.org/what-is-fair
     

Canada 


PIPEDA – Personal Information Protection and Electronic Documents Act

  • Canada’s primary federal privacy law governing how private-sector organizations handle personal data.
    https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
     

CPPA – Consumer Privacy Protection Act (Proposed)

  • Proposed Canadian legislation to modernize PIPEDA, with stronger consumer rights and enforcement.
    https://ised-isde.canada.ca/site/innovation-better-canada/en/consumer-privacy-protection-act
     

CyberSecure Canada

  • Voluntary national certification program for small and medium-sized businesses to implement baseline cybersecurity controls.
    https://ised-isde.canada.ca/site/cybersecure-canada/en
     


Australia Cybersecurity & Privacy Frameworks

CPS 234 – Information Security (APRA)

  • Mandates that APRA-regulated entities implement and maintain robust information security controls.
    https://www.apra.gov.au/cross-industry-prudential-standard-cps-234-information-security
     

CPS 230 – Operational Risk Management (APRA)

  • Sets expectations for operational risk, business continuity, and resilience across regulated financial institutions.
    https://www.apra.gov.au/operational-risk-management
     

Essential Eight – Cyber Maturity Mitigation Strategies (ACSC)

  • A set of prioritized cybersecurity strategies designed to help organizations protect against cyber threats.
    https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/essential-eight
     

APPs – Australian Privacy Principles (OAIC)

  • Thirteen principles outlining how Australian organizations must collect, use, and protect personal information.
    https://www.oaic.gov.au/privacy/australian-privacy-principles
     

NDB Scheme – Notifiable Data Breaches (OAIC)

  • Requires organizations to notify individuals and regulators of eligible data breaches that may cause harm.
    https://www.oaic.gov.au/privacy/notifiable-data-breaches
     

NDIS Practice Standards – Disability Sector Privacy & Security (NDIS Commission)

  • Defines mandatory information security and privacy controls for NDIS-registered service providers.
    https://www.ndiscommission.gov.au/rules-and-standards/ndis-practice-standards
     

My Health Records Act – Health Data Privacy

  • Regulates the secure handling, storage, and access of Australians’ digital health records.
    https://www.legislation.gov.au/C2012A00063
     


United Kingdom Cybersecurity & Privacy Frameworks

BS 10012 – Personal Information Management System (PIMS)

  • A UK standard for managing personal data in line with UK GDPR and other privacy laws.
    https://www.bsigroup.com/en-GB/bs-10012-personal-information-management/
     

Cyber Essentials – Baseline Cyber Hygiene Scheme

  • Government-backed certification with basic technical controls to defend against common cyber threats.
    https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
     

ICO Age Appropriate Design Code (Children’s Code)

  • UK code of practice to ensure online services protect the privacy of children under 18.
    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/age-appropriate-design-a-code-of-practice-for-online-services/
     

European Union Cybersecurity, Privacy & AI Frameworks

GDPR – General Data Protection Regulation (EU 2016/679)

  • The EU’s primary data protection law governing how personal data is collected, used, and stored.
    https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
     

EU AI Act – Artificial Intelligence Regulation (EU 2024/1689)

  • A risk-based AI law introducing safety, transparency, and accountability requirements across the EU.
    https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
     

Digital Services Regulation (DSA – EU 2022/2065)

  • Regulates online platforms to increase transparency, reduce illegal content, and protect user rights.
    https://eur-lex.europa.eu/eli/reg/2022/2065/oj/eng
     

NIS Directive (NIS2 – EU 2022/2555)

  • Strengthens cybersecurity requirements and reporting duties for critical and digital infrastructure providers in the EU.
    https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
     

TISAX – Trusted Information Security Assessment Exchange

  • A standardized security assessment model for automotive and manufacturing supply chains in Europe.
    https://portal.enx.com/en-US/TISAX/
     


Middle East Cybersecurity & Data Protection Frameworks

Regional

OIC-CERT – Organisation of Islamic Cooperation CERT

  • A regional cybersecurity body promoting collaboration and threat intelligence sharing among OIC member states.
    https://www.oic-cert.org/
     

Egypt

Personal Data Protection Law No. 151 of 2020

  • Governs personal data processing across sectors, including breach notification and DPO appointment requirements.
    https://mcit.gov.eg/en/Data_Protection_Law
     

Saudi Arabia

NCA Essential Cybersecurity Controls (ECC-1:2022)

  • National baseline cybersecurity requirements issued by Saudi Arabia’s National Cybersecurity Authority.
    https://nca.gov.sa/en/
     

Personal Data Protection Law (PDPL)

  • Regulates personal data handling by all entities operating within Saudi Arabia.
    https://nca.gov.sa/en/regulations/pdpl
     

United Arab Emirates

Federal Decree-Law No. 45 of 2021 on Personal Data Protection

  • UAE’s first national privacy law, covering consent, data subject rights, and international data transfers.
    https://u.ae/en/about-the-uae/digital-uae/data/data-protection-law
     

UAE National Cybersecurity Strategy

  • A national framework for securing critical infrastructure and boosting cybersecurity resilience.
    https://tdra.gov.ae/en/about-us/initiatives/national-cyber-security-strategy.aspx
     

DIFC Data Protection Law

  • Applies to companies operating within the Dubai International Financial Centre (DIFC), aligning closely with GDPR.
    https://www.difc.ae/business/laws-regulations/data-protection/
     

Qatar

Personal Data Privacy Protection Law (Law No. 13 of 2016)

  • Sets legal requirements for data collection, processing, consent, and breach notification in Qatar.
    https://www.mot.gov.qa/en/Documents/Policies/QatarDataPrivacyLaw_English.pdf
     

Q-CERT – Qatar Computer Emergency Response Team

  • National team responsible for cybersecurity incident response and coordination.
    http://www.qcert.org/
     

Oman

Electronic Transactions Law

  • Establishes the legal framework for secure electronic records, signatures, and digital transactions.
    https://www.mtc.gov.om/ITAPortal/MediaCenter/NewsDetail.aspx?NID=141
     

OCERT – Oman National CERT

  • Handles cybersecurity incidents, public awareness, and national cyber coordination.
    https://www.cert.gov.om
     

Bahrain

Personal Data Protection Law (Law No. 30 of 2018)

  • Comprehensive privacy law applying to both public and private sectors, covering consent and processing rights.
    https://www.bahrainbusinesslaws.com/laws/Personal-Data-Protection-Law
     

Jordan

Cybercrime Law No. 17 of 2023

  • Criminalizes digital fraud, hacking, and other cyber-enabled offenses in Jordan.
    https://en.wikipedia.org/wiki/2023_cybercrime_law_in_Jordan

Asia Cybersecurity & Privacy Frameworks

Regional


ASEAN Framework on Personal Data Protection (Non-binding)

  • A model guideline to support harmonization of privacy regulations across ASEAN member states.
    https://asean.org/book/asean-framework-on-personal-data-protection/
     

India – Digital Personal Data Protection Act, 2023

  • India’s national privacy law regulating digital personal data handling across sectors.
    https://www.meity.gov.in/content/digital-personal-data-protection-act-2023
     

China – Personal Information Protection Law (PIPL)

  • Comprehensive national framework for protecting personal data of individuals in China.
    https://en.npc.gov.cn.cdurl.cn/2021-12/29/c_694559.htm
     

Japan – Act on the Protection of Personal Information (APPI)

  • Japan’s core privacy legislation aligned with global standards like GDPR.
    https://www.ppc.go.jp/en/
     

South Korea – Personal Information Protection Act (PIPA)

  • National law with stringent privacy protections and enforcement mechanisms.
    https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2331
     

Singapore – Personal Data Protection Act 2012 (PDPA)

  • Establishes obligations for organizations handling personal data in Singapore.
    https://sso.agc.gov.sg/Act/PDPA2012
     

Thailand – Personal Data Protection Act B.E. 2562 (2019)

  • GDPR-aligned privacy law governing personal data processing across sectors.
    https://mdes.go.th/law/detail/3577-Personal-Data-Protection-Act-B-E--2562--2019-
     

Vietnam – Law on Cybersecurity (Law No. 24/2018/QH14)

  • Covers personal data, national security, and critical information infrastructure.
    https://ais.gov.vn/uploads/Law_Cybersecurity_2018_162d7f6097.pdf
     

Indonesia – Personal Data Protection Law (Law No. 27 of 2022)

  • First comprehensive privacy law in Indonesia, enforced by Kominfo.
    https://www.loc.gov/item/global-legal-monitor/2022-12-18/indonesia-personal-data-protection-act-enters-into-force/
     

Malaysia – Personal Data Protection Act 2010 (PDPA)

  • Governs commercial personal data handling by Malaysian and foreign organizations.
    https://lom.agc.gov.my/act-detail.php?act=709&lang=BI&type=principal
     

Philippines – Data Privacy Act of 2012

  • Sets requirements for lawful personal data collection, use, and protection.
    https://privacy.gov.ph/data-privacy-act/
     

Myanmar – Electronic Transactions Law

  • Governs aspects of digital data use; lacks a standalone privacy law.
    https://www.myanmar-law-library.org/laws/view/electronic-transactions-law
     

South Africa Cybersecurity & Data Protection Frameworks

Protection of Personal Information Act (POPIA)

  • South Africa’s data protection law regulating how personal information is processed by public and private entities.
    https://www.gov.za/documents/protection-personal-information-act
     

Cybercrimes Act (Act No. 19 of 2020)

  • Criminalizes cyber offenses such as unauthorized access, data interference, cyber fraud, and malware distribution.
    https://www.gov.za/documents/cybercrimes-act-19-2020-englishafrikaans-1-jun-2021-0000
     

National Cybersecurity Policy Framework (NCPF)

  • South Africa’s strategic framework for strengthening national cybersecurity capabilities and coordination.
    https://www.gov.za/documents/national-cybersecurity-policy-framework-4-dec-2015-0000
     

Cybersecurity Hub

  • The national CSIRT providing incident response coordination and public-private collaboration on cyber threats.
    https://www.cybersecurityhub.gov.za/
     


New Zealand Cybersecurity & Data Protection Frameworks

Privacy Act 2020

  • New Zealand’s core privacy law requiring compliance with 13 Information Privacy Principles and mandatory breach notifications.
    https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
     

Protective Security Requirements (PSR)

  • Mandatory security framework for NZ government agencies covering information, personnel, and physical security.
    https://www.protectivesecurity.govt.nz/
     

New Zealand Information Security Manual (NZISM)

  • The official security manual detailing mandatory controls for protecting government information systems and infrastructure.
    https://www.gcsb.govt.nz/our-work/national-cyber-security-centre-ncsc/new-zealand-information-security-manual-nzism/


South Africa Cybersecurity & Data Protection Frameworks

Protection of Personal Information Act (POPIA)

  • South Africa’s national data protection law regulating the lawful processing of personal information across sectors.
    https://inforegulator.org.za/protection-of-personal-information-act/
     

Cybercrimes Act (Act No. 19 of 2020)

  • Criminal law addressing cyber offenses such as hacking, data breaches, and malicious software distribution.
    https://www.gov.za/documents/cybercrimes-act-19-2020-englishafrikaans-1-jun-2021-0000
     

National Cybersecurity Policy Framework (NCPF)

  • South Africa’s national strategy for strengthening cybersecurity in public and private sector systems.
    https://www.gov.za/documents/national-cybersecurity-policy-framework-4-dec-2015-0000
     

Cybersecurity Hub

  • The national CSIRT responsible for incident coordination, threat awareness, and cyber response collaboration.
    https://www.cybersecurityhub.gov.za/
     


ICS / OT / Industrial Frameworks

ISA/IEC 62443 – ICS Security

  • A globally recognized series of standards developed by ISA and IEC to secure industrial automation and control systems (IACS) across their entire lifecycle. It offers a structured, defense-in-depth approach to managing risk in operational technology (OT) environments.
    Official Link – ISA/IEC 62443 Standards Series
     

NIST SP 800-82 – SCADA Security

  • U.S. National Institute of Standards and Technology (NIST) guidance for securing Industrial Control Systems (ICS), including SCADA, DCS, and PLCs. It addresses the unique performance and safety requirements of industrial systems while promoting risk-based cybersecurity strategies.
    Official Link – NIST SP 800-82 Rev. 3
     

IEC 61508 – Functional Safety of Electrical/Electronic Systems

  • An international standard providing a framework for the functional safety of electrical, electronic, and programmable electronic systems. It is widely used in sectors such as manufacturing, energy, transport, and chemical processing to ensure critical systems operate safely under defined conditions.
    Official Link – IEC Functional Safety Overview
     

TSA Pipeline Security Guidelines – Infrastructure Security


  • Issued by the U.S. Transportation Security Administration, this guideline outlines best practices for physical and cybersecurity protections specific to pipeline systems. It includes controls for access, monitoring, incident response, and cyber resilience of critical energy infrastructure.
    Official Link – TSA Pipeline Security Guidelines PDF
     


Financial Services Frameworks

CPS 234 – Information Security (Australia)


  • Sets mandatory cybersecurity requirements for financial institutions regulated by APRA in Australia.
    https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf
     

SOC 1 / SOC 2 – System and Organization Controls Reports


  • Frameworks for auditing internal controls related to financial reporting (SOC 1) and trust-based criteria (SOC 2).
    https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
     

PCI DSS – Payment Card Industry Data Security Standard


  • Global standard for protecting cardholder data in organizations that store, process, or transmit credit card information.
    https://www.pcisecuritystandards.org/
     

GLBA – Gramm-Leach-Bliley Act (USA)


  • U.S. law requiring financial institutions to protect the privacy and security of consumer financial data.
    https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act
     

SOX – Sarbanes-Oxley Act (USA)


  • U.S. law mandating internal controls and financial transparency for publicly traded companies.
    https://sarbanes-oxley-act.com/
     

Basel III – International Regulatory Framework for Banks


  • Global banking standard to strengthen capital requirements, risk management, and market liquidity.
    https://www.bis.org/bcbs/basel3.htm
     

Cloud & SaaS Security Frameworks

CSA STAR – Security, Trust & Assurance Registry


  • A global registry documenting cloud providers' security and privacy practices.
    https://cloudsecurityalliance.org/star
     

ISO/IEC 27017 – Code of Practice for Cloud Services Security


  • Provides security guidelines tailored for cloud service providers and customers.
    https://www.iso.org/standard/43757.html
     

ISO/IEC 27018 – Protection of PII in Public Cloud


  • Sets controls for safeguarding personal data in cloud environments.
    https://www.iso.org/standard/61498.html
     

FedRAMP – Federal Risk and Authorization Management Program (USA)


  • U.S. government framework for assessing and authorizing cloud products and services.
    https://www.fedramp.gov/
     

ENS – Esquema Nacional de Seguridad (Spain)


  • Spain’s national framework for cybersecurity in public sector information systems.
    https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/ENS.html


Supply Chain & Vendor Risk Frameworks

SIG Questionnaire – Standardized Information Gathering

  • A widely used questionnaire to assess third-party risk and vendor security practices.
    https://sharedassessments.org/sig/
     

NIST SP 800-161 – Supply Chain Risk Management

  • U.S. guidance for managing cybersecurity risks across federal and third-party supply chains.
    https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
     

ISO 28000 – Supply Chain Security Management Systems

  • International standard outlining security management requirements for global supply chains.
    https://www.iso.org/standard/44641.html
     

PAS 7000 – Supplier Risk Management

  • A UK specification to support supplier prequalification and risk-based sourcing.
    https://www.bsigroup.com/en-GB/PAS-7000-Supply-Chain-Risk-Management/
     

TISAX – Trusted Information Security Assessment Exchange

  • A standardized assessment process for information security in the automotive supply chain.
    https://enx.com/tisax/


Blockchain & Web3 Frameworks

ISO/TC 307 – Blockchain and Distributed Ledger Technologies

  • International standards committee developing guidelines for secure and interoperable blockchain systems.
    https://www.iso.org/committee/6266604.html
     

MiCA – Markets in Crypto-Assets Regulation (EU)

  • EU regulation establishing a legal framework for crypto-assets and related service providers.
    https://finance.ec.europa.eu/publications/proposal-regulation-markets-crypto-assets_en
     

FATF Crypto Guidance – Risk-Based Approach for Virtual Assets

  • Global guidance for regulating virtual assets and service providers under anti-money laundering laws.
    https://www.fatf-gafi.org/publications/fatfrecommendations/documents/guidance-rba-virtual-assets.html
     

NIST IR 8403 – Blockchain Risk Management

  • U.S. framework for identifying and mitigating risks related to blockchain-based systems.
    https://csrc.nist.gov/publications/detail/nistir/8403/final
     

Digital Identity & Trust Frameworks

BSI Flex 1000 – Digital Identity and Trust (UK)


  • A flexible UK standard supporting secure, user-centric digital identity and trust services.
    https://www.bsigroup.com/en-GB/standards/bsi-flex-1000/
     

NZ Digital Trust Framework


  • New Zealand’s official framework for governing digital identity providers and services.
    https://www.digital.govt.nz/standards-and-guidance/identity/digital-identity/digital-identity-trust-framework/
     

EUDI Wallet – European Digital Identity Wallet


  • An EU initiative enabling citizens to securely store and share digital identity credentials across member states.
    https://ec.europa.eu/digital-strategy/our-policies/european-digital-identity_en
     

NIST SP 800-63-3 – Digital Identity Guidelines

  • U.S. federal standards for digital identity assurance, authentication, and federation.
    https://pages.nist.gov/800-63-3/


Digital Forensics Frameworks

ISO/IEC 27037 – Digital Evidence Identification & Preservation

  • Provides guidelines for identifying, collecting, acquiring, and preserving digital evidence in a legally sound manner.
    https://www.iso.org/standard/44381.html
     

ISO/IEC 27041 – Assurance of Investigative Methods

  • Offers best practices for validating the suitability and adequacy of digital forensic investigation processes.
    https://www.iso.org/standard/44404.html
     

ISO/IEC 27042 – Digital Evidence Analysis & Interpretation

  • Covers techniques and principles for the analysis and interpretation of digital evidence.
    https://www.iso.org/standard/44405.html
     

SWGDE – Scientific Working Group on Digital Evidence

  • U.S.-based group that develops best practice guidelines and technical standards for handling digital evidence.
    https://www.swgde.org/
     

ENFSI – European Network of Forensic Science Institutes

  • A European body promoting quality standards and collaboration across forensic science disciplines, including digital forensics.
    https://enfsi.eu/
     


Insurance Risk & Actuarial Frameworks

Lloyd’s Cyber Underwriting Model


  • A cyber risk model developed by Lloyd’s to help insurers assess and price cyber exposure across portfolios.
    https://www.lloyds.com/news-and-insights/risk-insight/cyber-risk
     

Marsh Cyber Catalyst Framework


  • A program where cybersecurity solutions are independently evaluated and endorsed by leading cyber insurers for risk reduction effectiveness.
    https://www.marsh.com/us/services/cyber-risk/cyber-catal

Copyright © 2025 CyberSentien - All Rights Reserved.