Practitioner Knowledge Base

Compliance Frameworks — Plain English Guides

Every major GRC framework explained by a practitioner who has worked inside them — not just read about them.

Not sure which one you need? → Take the 2-minute quiz
SOC 2AICPA
3–6 months

SOC 2

System and Organisation Controls 2

The security standard US enterprise buyers require. Covers your systems, controls, and data handling.

B2B SaaSUS MarketCloud ServicesAPI Platforms
ISO 27001
6–12 months to certification

ISO 27001

ISO/IEC 27001:2022

The global information security standard. The most recognised security certification in India, EU, and APAC markets.

India MarketEU MarketEnterpriseGovernment Contracts
DPDP
6–12 months for full compliance

dpdp

Digital Personal Data Protection Act 2023

India's data protection law. Mandatory for any company processing personal data of Indian residents.

India MarketPersonal Data ProcessingAll Sectors
SEBI CSCRF
3–9 months depending on tier

SEBI CSCRF

SEBI Cybersecurity and Cyber Resilience Framework 2024

Mandatory for all SEBI-regulated entities. Covers stockbrokers, AMCs, depositories, and their technology providers.

Indian FinTechSEBI-Regulated EntitiesSecurities Market
ISO 42001
3–5 months

ISO 42001

ISO/IEC 42001:2023

The world's first AI governance standard. Required by EU AI Act-aligned buyers. First-mover advantage still available.

AI ProductsEU MarketEnterprise AIAI Deployers
FedRAMP
18–24 months

FedRAMP

Federal Risk and Authorization Management Program

Required for cloud vendors selling to US federal agencies. Intensive 18–24 month process.

US Government SalesCloud ServicesUS Federal Agencies
NIST CSF 2.0
3–6 months for initial implementation

NIST CSF 2.0

NIST Cybersecurity Framework 2.0

The US cybersecurity risk management framework. Non-certifiable but widely used for internal governance and government-adjacent sales.

US MarketCritical InfrastructureGovernment-AdjacentInternal Governance
GDPR
3–6 months for full compliance

GDPR

General Data Protection Regulation

The most stringent privacy law globally. Mandatory for any company processing personal data of EU/UK residents.

EU/UK MarketB2C & B2B SaaSPersonal Data Processing
HIPAA
3–6 months for full compliance

HIPAA

Health Insurance Portability and Accountability Act

Mandatory US regulation for protecting sensitive patient health information (PHI) from disclosure.

US Healthcare MarketHealthTech SaaSMedical Billing
HITRUST
9–18 months to certification

HITRUST

HITRUST CSF (Common Security Framework)

The gold standard for healthcare security and compliance. A highly rigorous, certifiable framework.

Enterprise HealthcareHealthTech SaaSMedical Data Processors
USDP
2–4 months for program setup

USDP

US State Data Privacy Laws (CCPA/CPRA, VCDPA, etc.)

The patchwork of US state privacy laws, led by California, regulating consumer data rights.

US B2CMarketing/AdTech SaaSData Brokers
NIST-AI-RMF
2–4 months to implement

NIST AI RMF

NIST

Voluntary US framework to better manage risks to individuals, organizations, and society associated with AI.

AI DevelopersEnterprise AI AdoptersUS Government AI Vendors
CMMC
6–12 months for Level 2

CMMC

Cybersecurity Maturity Model Certification

Mandatory certification for all contractors in the US Department of Defense supply chain.

US Defense ContractorsGovTech VendorsManufacturers
CJIS
6–9 months for compliance

CJIS

Criminal Justice

Strict requirements for any organization accessing or storing US criminal justice data.

GovTech VendorsPolice/Court SaaSCloud Providers
NIS2
6–9 months for program alignment

NIS2

Network and

Sweeping EU cybersecurity directive impacting critical infrastructure and their supply chains.

EU Essential EntitiesB2B SaaS in EUManaged Service Providers
DORA
6–12 months for compliance

DORA

Digital Operational Resilience Act

Strict operational resilience and cybersecurity rules for the EU financial sector and its ICT providers.

EU Financial EntitiesFinTech SaaSCloud Providers serving EU Banks
CPS234
6–9 months for program alignment

CPS 234

Prudential Standard CPS 234

Mandatory information security standard for APRA-regulated entities in Australia.

Australian Financial SectorFinTech SaaS in ANZSuperannuation Funds
EU-AI-ACT
6–18 months depending on risk tier

EU AI Act

European Union

The world's first comprehensive legal framework for AI, categorizing systems by risk.

AI Providers in EUDeployers of High-Risk AIGeneral Purpose AI (GPAI) Models
ESSENTIAL-EIGHT
3–6 months for Maturity Level 1/2

Essential Eight

ACSC Essential Eight Maturity Model

Australia's baseline cybersecurity strategies to mitigate cyber threats.

Australian Government EntitiesGovTech SaaS in ANZAustralian Corporates
CYBER-ESSENTIALS
2–4 weeks

Cyber Essentials

Cyber Essentials & Cyber Essentials Plus

UK Government-backed baseline certification to protect against common cyber attacks.

UK Government SuppliersUK SMEsCompanies bidding on UK public contracts
CRI
6–12 months for comprehensive alignment

CRI Profile

Cyber Risk Institute Profile

The unified cybersecurity framework built specifically for the financial services sector.

BanksInsurance CompaniesFinTech SaaS Providers

Framework Comparison Matrix

FrameworkBest ForTimelineCertifiable?India Relevant?US Relevant?EU Relevant?
SOC 2US B2B SaaS & Cloud Vendors3–6 monthsNo (Attestation Report)Medium (Procurement-driven)Very High (Baseline)Low (ISO preferred)
ISO 27001Global Enterprise & APAC/EU Markets6–12 monthsYes (Certificate)Very High (Mandatory in RFPs)Medium (Accepted)Very High (Preferred)
DPDP ActIndian B2C & Resident Data Fiduciaries6–12 monthsNo (Regulatory Law)Legally MandatoryN/AN/A
SEBI CSCRFIndian Capital Market FinTechs & REs3–9 monthsYes (Tier 1/2 RE Audits)Legally Mandatory for SEBIN/AN/A
ISO 42001AI developers & EU AI Act Vendors3–12 monthsYes (AIMS Certificate)Growing (AI deployment)GrowingHigh (EU AI Act Prep)
FedRAMPCloud Vendors selling to US Federal Agencies18–24 monthsYes (ATO Award)N/AMandatory for GovN/A
NIST CSF 2.0US Risk Strategy & Internal Posture3–6 monthsNo (Self-assessment)LowHigh (US Public/Defense)Low

Not sure which one applies to you?

Use our smart decision engine to assess your company size, geography, data classification, and buyer demand to build a prioritized roadmap.

Take the Framework Finder Quiz