MSP Compliance Frameworks

50+ Cybersecurity Frameworks Supported

Hit the ground running on your compliance journey. ControlMap has connections between many of our supported frameworks so you don’t have to do the same work again and again.

Read ScalePad Lifecycle Manager reviews on G2

Standards to start with

No matter where you are in the world, get familiar with the most common cybersecurity compliance standards.

SOC 2 Type I & II

The five trust services criteria

Developed by The American Institute of Certified Public Accountants (AICPA), SOC 2 helps organizations safeguard customer data.

It includes five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.

ISO 27001 (2022)

Implement and maintain an ISMS

ISO 27001 is the internationally recognized standard for implementing and managing an Information Security Management System (ISMS). Not to be confused with ISO 27701, ISO 27017, or ISO 27018.

This standard is used to pass an audit, guaranteeing that a business’s security protocols are up-to-date.

HIPAA

Securing personal health info

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal standard specifically for protected health information (PHI).

Regulated by the Office for Civil Rights, HIPAA outlines the permissible use and disclosure of PHI in the USA as set forth by HHS guidelines.

GDPR

The European mega-mandate

Working in the EU? You need to know about GDPR. With 99 distinct articles, this set of data protection regulations is one of the world’s most comprehensive frameworks.

It’s designed to give people full control over information associated with them by limiting how organizations can use personal data.

CIS Controls

Cybersecurity best practices

The CIS Critical Security Controls (CIS Controls) are a globally implemented set of best practices used to boost an organization’s cybersecurity.

They’re continually updated as these controls prioritize and simplify the steps needed for a strong cybersecurity defense.

NIST CSF 2.0

The flexible add on

Updated in 2024, the National Institute of Standards and Technology (NIST) Cybersecurity 2.0 Framework is a comprehensive — yet flexible — set of standards, guidelines, and best practices.

It is meant to be implemented alongside existing security processes in any industry.

CMMC 2.0

For defense contractors

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) was introduced to ensure that all defense contractors use security protocols to protect sensitive defense information.

Companies responsible for handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) must meet the CMMC requirements to remain compliant.

FTC Safeguards Rule

Rules for financial institutions

The FTC Safeguards Rule ensures that entities covered by the Rule maintain safeguards to protect customer information.

It applies to financial institutions subject to the FTC’s jurisdiction that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.

International compliance standards and frameworks

Working worldwide? ControlMap can get you started on these global compliance standards.

COBIT 2019

Support for enterprise IT

COBIT 2019 (Control Objectives for Information and Related Technologies) is the most recent evolution of ISACA’s globally recognized and utilized COBIT framework.

This comprehensive framework was developed to support understanding, designing, and implementing the management and governance of enterprise IT.

CSA-CCM v4.03

Cloud computing industry standards

The Cloud Controls Matrix (CCM) and the Cloud Security Alliance Questionnaire (CAIQ) are a comprehensive set of security controls and practices.

Based on the CSA best practices, the CCM provides an industry-standard set of cybersecurity frameworks tailored specifically to cloud computing.

ISO/IEC 27017:2015

Security standards for cloud computing

ISO/IEC 27017:2015 offers rigorous guidance on the security of cloud computing. You’ll want to follow ISO/IEC 27002 and ISO/IEC 27001 standards in addition to specific information security controls.

This code of practice gives clear instructions for additional controls based on the cloud services being used.

ISO/IEC 27701

The data privacy framework

ISO/IEC 27701 helps organizations standardize how they handle Personally Identifiable Information (PII). By doing this, you’ll be set to comply with other data privacy regulations.

It includes guidelines on how to manage PII, making this a valuable tool for promoting data privacy within organizations.

ISO/IEC 27018:2019

PII and cloud computing foundations

Part of the larger ISO/IEC 27000 family, ISO/IEC 27018 is a vital first step for cloud service providers in assessing risk and implementing appropriate security measures for PII.

This industry-driven initiative creates a secure foundation for cloud computing services to protect Personally Identifiable Information (PII).

Microsoft DPR

For SSPA program participants

Microsoft Data Protection Regulations (DPR) are annual requirements that Microsoft suppliers enrolled in the SSPA program must abide by.

This is to ensure Personal Data and Confidential Data are properly processed. All Microsoft suppliers need to adhere to these regulations.

Motion Picture Association

The film industry framework

The MPA manages security assessments at entertainment vendor facilities on behalf of its member studios.

This set of Content Security Best Practices outlines standard controls to help secure content, production, post-production, marketing, and distribution.

PCI DSS

Securing credit card data

The Payment Card Industry Data Security Standard (PCI DSS) is essential for anyone handling credit card information. These standards are designed to protect and secure payment accounts throughout the transaction process.

All companies that accept, process, store, or transmit credit card data should be sure to abide by these standards.

SCF v2022.2 and v2023.2

Maximizing cybersecurity at all levels

Secure Controls Framework (SCF) provides organizations with a comprehensive approach to cybersecurity and privacy compliance across all operational levels.

This framework offers the guidance needed to implement and maintain internal controls in line with business objectives.

USA and state-specific compliance frameworks

Geographic location and industry standards that ControlMap supports for US-based MSPs.

CCPA

California’s privacy law

The Consumer Privacy Act of 2018 (CCPA) legislation grants Californian consumers more control over the personal information businesses collect from them.

The CCPA provides directions on how organizations can comply with the law. Legal obligations include handling consumer rights requests and providing customers with necessary notices related to their privacy policies.

CJIS

Protects criminal justice system information

Criminal Justice Information Services Security Policy (CJIS) is a set of security standards created by the FBI. CJIS provides the structure needed to handle sensitive criminal justice information.

This policy is mandatory for law enforcement agencies, courts, correctional facilities, and any third-party entities that access, store, or transmit this type of data.

FedRAMP

Government data in cloud storage

FedRAMP® was launched in 2011 to provide a cost-effective and risk-focused model for the federal government's use of cloud technology.

This program is essential for government operations as it ensures that cloud technologies are implemented securely and efficiently.

FFIEC Cybersecurity Assessment

Assessment for financial institutions

The Cybersecurity Assessment Tool helps financial institutions recognize potential risks and determine their cybersecurity preparedness.

Developed by the Federal Financial Institutions Examination Council developed with ideas from the FFIEC Information Technology Examination Handbook, NIST Cybersecurity Framework, and industry-established best practices.

MARS

For health, identification, and tax information

Minimum Acceptable Risk Standards (MARS) is designed to ensure the availability, confidentiality, and integrity of protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI).

Developed by the Centers for Medicare and Medicaid Services, the standards are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53.

NIST 800-171

Federal standard for DoD contractors

Similar to the CMMC 2,0, NIST Special Publication 800-171 (NIST 800-171) is a federal standard that establishes procedures for defense contractors and subcontractors.

Specifically, it’s for the management of Controlled Unclassified Information (CUI), like personal data, equipment specs, logistical plans and other defense-related information.

NIST Privacy Framework v1.0

Voluntary privacy framework

NIST created the Privacy Framework as a voluntary framework designed to help organizations protect individuals' privacy while also creating innovative products and services.

This gives organizations the tools to better identify and manage potential privacy-related risks.

TX-RAMP

Texas’ cloud computing requirements

TX-RAMP (Texas Department of Information Resources program) is a data security certification requirement for cloud computing services.

It provides "a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency."

Canadian Compliance Frameworks

Cyber threats don’t slow down in the snow, so ControlMap supports these cybersecurity frameworks.

CyberSecure Canada

Canada’s cybersecurity best practices

This multi-faceted, government-led program aims to enhance cybersecurity measures across the country.

Launched by the Canadian Centre for Cyber Security in 2018, the certification is divided into five Organizational Controls and 13 Baseline Controls to address various components of cybersecurity best practices.

Baseline Cyber Security Controls for Small and Medium Organizations V1.2

Best for getting the basics

Created for small and medium organizations seeking to improve their cybersecurity resiliency.

This framework is designed to provide a baseline, not a comprehensive (and complicated) plan. Its goal is to provide 80% of the benefit from 20% of the effort, making it easily accessible to smaller businesses.

European Compliance Frameworks

In addition to GDPR, these standards provide the basics for enterprises and smaller businesses.

TISAX

Enterprise-level data protection

TISAX is an industry-standard method for assessing and exchanging information security for enterprises.

Companies use TISAX to simplify the process of evaluating supplier's level of data security and determine how to handle sensitive customer information.

UK Cyber Essentials

Two levels of proactive risk safeguards

UK Cyber Essentials is a government-supported program that provides organizations of any size an effective way to guard against common cyber attacks.

With two levels, Cyber Essentials and Cyber Essentials Plus, businesses can proactively protect themselves from security risks.

UK ICO

Privacy management essentials

This framework provides the essential elements of a successful privacy management program. It’s not comprehensive and isn’t a substitute for compliance with other data protection regulations.

Make sure to consider your specific needs, and consult GDPR when necessary.

IASME Cyber Baseline Framework

Compliance for small-and-medium enterprises (SMEs)

The IASME Cyber Baseline provides a structured approach to compliance for small and medium-sized organizations, including MSPs. This framework helps SMEs establish a strong foundation for cybersecurity compliance.

The IASME Cyber Baseline framework is recognized as one of the UK government's Cyber Essentials schemes, emphasizing their credibility and relevance in the cybersecurity domain.

IASME Cyber Assurance Framework

Compliance assurance for MSPs and their clients

IASME Cyber Assurance is designed for small and medium-sized organizations. It is a cost-effective standard that helps MSPs and their clients demonstrate the steps they are taking to protect sensitive information.

In order to implement this framework, organizations must first have a strong cybersecurity foundation and become compliant with the IASME Cyber Baseline Framework.

Compliance Frameworks for APAC

ControlMap supports these industry and government standards for Australia and New Zealand.

AESCSF - AEMO

Energy sector security

The Australian Energy Sector Cyber Security Framework (AESCSF) is the result of a collaborative effort between several government and industry stakeholders.

This framework is designed to ensure the highest level of security in the energy sector.

Essential Eight (ACSC)

A baseline for all organizations

Australian organizations of all sizes must defend themselves against malicious cyber threats. To assist organizations with defending against cyber threats, the Australian Cyber Security Centre (ACSC) created the Essential Eight.

This is a baseline of key mitigation strategies as defined by ACSC's Strategies to Mitigate Cyber Security Incidents.

Prudential Standard CPS 234

For APRA-regulated organizations

This Prudential Standard is designed to help ensure that APRA-regulated entities have the capability to safeguard themselves against information security incidents (including cyberattacks).

They are required to maintain information security that matches the threat posed by digital vulnerabilities.

PSPF

Guidance for Australian government organizations

The Protective Security Policy Framework (PSPF) outlines the Australian Government's protective security policy. It provides guidance on how to effectively implement the policy in four key areas: personnel, physical, governance, and information security.

With the PSPF, government organizations are able to ensure effective security measures.

New Zealand Information Security Manual (NZISM)

Protecting New Zealand’s government

The New Zealand Information Security Manual provides essential controls and processes necessary for protecting all New Zealand Government information and systems.

The manual also provides additional controls to help you exceed the minimum acceptable baseline levels.