Compliance Frameworks — Plain English Guides
Every major GRC framework explained by a practitioner who has worked inside them — not just read about them.
Not sure which one you need? → Take the 2-minute quizSOC 2
System and Organisation Controls 2
The security standard US enterprise buyers require. Covers your systems, controls, and data handling.
ISO 27001
ISO/IEC 27001:2022
The global information security standard. The most recognised security certification in India, EU, and APAC markets.
dpdp
Digital Personal Data Protection Act 2023
India's data protection law. Mandatory for any company processing personal data of Indian residents.
SEBI CSCRF
SEBI Cybersecurity and Cyber Resilience Framework 2024
Mandatory for all SEBI-regulated entities. Covers stockbrokers, AMCs, depositories, and their technology providers.
ISO 42001
ISO/IEC 42001:2023
The world's first AI governance standard. Required by EU AI Act-aligned buyers. First-mover advantage still available.
FedRAMP
Federal Risk and Authorization Management Program
Required for cloud vendors selling to US federal agencies. Intensive 18–24 month process.
NIST CSF 2.0
NIST Cybersecurity Framework 2.0
The US cybersecurity risk management framework. Non-certifiable but widely used for internal governance and government-adjacent sales.
GDPR
General Data Protection Regulation
The most stringent privacy law globally. Mandatory for any company processing personal data of EU/UK residents.
HIPAA
Health Insurance Portability and Accountability Act
Mandatory US regulation for protecting sensitive patient health information (PHI) from disclosure.
HITRUST
HITRUST CSF (Common Security Framework)
The gold standard for healthcare security and compliance. A highly rigorous, certifiable framework.
USDP
US State Data Privacy Laws (CCPA/CPRA, VCDPA, etc.)
The patchwork of US state privacy laws, led by California, regulating consumer data rights.
NIST AI RMF
NIST
Voluntary US framework to better manage risks to individuals, organizations, and society associated with AI.
CMMC
Cybersecurity Maturity Model Certification
Mandatory certification for all contractors in the US Department of Defense supply chain.
CJIS
Criminal Justice
Strict requirements for any organization accessing or storing US criminal justice data.
NIS2
Network and
Sweeping EU cybersecurity directive impacting critical infrastructure and their supply chains.
DORA
Digital Operational Resilience Act
Strict operational resilience and cybersecurity rules for the EU financial sector and its ICT providers.
CPS 234
Prudential Standard CPS 234
Mandatory information security standard for APRA-regulated entities in Australia.
EU AI Act
European Union
The world's first comprehensive legal framework for AI, categorizing systems by risk.
Essential Eight
ACSC Essential Eight Maturity Model
Australia's baseline cybersecurity strategies to mitigate cyber threats.
Cyber Essentials
Cyber Essentials & Cyber Essentials Plus
UK Government-backed baseline certification to protect against common cyber attacks.
CRI Profile
Cyber Risk Institute Profile
The unified cybersecurity framework built specifically for the financial services sector.
Framework Comparison Matrix
| Framework | Best For | Timeline | Certifiable? | India Relevant? | US Relevant? | EU Relevant? |
|---|---|---|---|---|---|---|
| SOC 2 | US B2B SaaS & Cloud Vendors | 3–6 months | No (Attestation Report) | Medium (Procurement-driven) | Very High (Baseline) | Low (ISO preferred) |
| ISO 27001 | Global Enterprise & APAC/EU Markets | 6–12 months | Yes (Certificate) | Very High (Mandatory in RFPs) | Medium (Accepted) | Very High (Preferred) |
| DPDP Act | Indian B2C & Resident Data Fiduciaries | 6–12 months | No (Regulatory Law) | Legally Mandatory | N/A | N/A |
| SEBI CSCRF | Indian Capital Market FinTechs & REs | 3–9 months | Yes (Tier 1/2 RE Audits) | Legally Mandatory for SEBI | N/A | N/A |
| ISO 42001 | AI developers & EU AI Act Vendors | 3–12 months | Yes (AIMS Certificate) | Growing (AI deployment) | Growing | High (EU AI Act Prep) |
| FedRAMP | Cloud Vendors selling to US Federal Agencies | 18–24 months | Yes (ATO Award) | N/A | Mandatory for Gov | N/A |
| NIST CSF 2.0 | US Risk Strategy & Internal Posture | 3–6 months | No (Self-assessment) | Low | High (US Public/Defense) | Low |
Not sure which one applies to you?
Use our smart decision engine to assess your company size, geography, data classification, and buyer demand to build a prioritized roadmap.
Take the Framework Finder Quiz