ZenGRC comes with the content you need to be compliant.
ZenGRC can support any framework and provides content for over 30 various standard and regulations. Using our pre-loaded content not only saves you time but also helps you quickly identify gaps and overlaps of running multiple programs at the same time. If you need to comply with a standard or regulation that is not listed here, it can be easily loaded into ZenGRC and managed through the application like the frameworks below.
Use Case / Description
|CJIS||Official Policy Page||Get help with CJIS||The Criminal Justice Information Services (CJIS) Security Policy provides requirements for criminal justice and associated agencies to use when accessing Criminal Justice Information (CJI). This Policy is also applicable to service providers who process CJI on behalf of criminal justice agencies.|
The policy prescribes safeguards that must be in place to secure CJI at rest and in transit. The policy integrates guidance from NIST with presidential and FBI directives, along with federal law and is audited periodically by the FBI for compliance. Failure to adhere to the policy may result in sanctions against non-compliant agencies.
|COBIT 5||General Info||Get help with COBIT v5||COBIT v5 (Control Objectives for Information and Related Technologies) is a framework created by international professional association ISACA for IT management and governance. It is generic and useful for enterprises of all sizes and across sectors, including commercial, not-for-profit, and the public sector. The framework incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems. It is meant to be a supportive tool for managers to bridge gaps among technical issues, business risks and control requirements.|
|COSO 2013 Internal Control–Integrated Framework||General Info||Get help with COSO||The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides non-prescriptive guidance on internal controls, enterprise risk management, and fraud deterrence. COSO 2013 Integrated Control-Integrated Framework is recognized as leading guidance for designing and implementing internal controls and assessing their effectiveness.|
This framework is commonly used as basis for management's evaluation of its internal controls over financial reporting for compliance with the Sarbanes-Oxley Act of 2002 ("SOX").
|CSA Cloud Controls Matrix||General Info||Get help with CSA CCM|
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.
|CSC-CIS/SANS 20||CIS General Info Page||Get help with CSC-CIS/SANS 20||Sponsored by the Center for Internet Security (CIS) and the SANS Institute, the CIS Critical Security Controls (CSC) is a prioritized list of recommended controls for cyber defense based on collective best practices and real-world risks, threats, and responses.|
|EU/US Privacy Shield|
|General Info||Get help with Privacy Shield / EU GDPR||Taken from the International Trade Associate Privacy Shield site:|
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.The Privacy Shield program enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety.
|FedRAMP Low / Moderate / High||General Info||Get help with FedRAMP||From www.fedramp.gov: "The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a 'do once, use many times' framework..." FedRAMP offers significant cost savings for US Federal Government agencies when using and securing of cloud services, and supports the compliance requirements in the Federal Information Security Management Act (FISMA).|
|HIPAA||HIPAA for Professionals||Get help with HIPAA||The Health Insurance Portability and Accountability act (HIPAA) defines rules for the security and privacy of healthcare information, called Protected/Personal Health Information (PHI). The US Department of Health & Human Services (HHS) is responsible for enforcement.|
You may be subject to HIPAA if you are a:
|HITRUST CSF||HITRUST CSF License||Get help with HITRUST CSF||The Health Information Trust Alliance (HITRUST Alliance) publishes a Common Security Framework (CSF). The HITRUST CSF is designed to provide healthcare organizations with a consolidated approach to a variety of federal, state, and industry regulations governing their operations. The CSF harmonizes these regulatory frameworks and provides cross references to a variety of other frameworks, including ISO 27001, NIST, and PCI-DSS.|
HITRUST also publishes guides for assessment against the framework, including cross references needed to assess compliance as part of a SOC 2 audit.
Note: Reciprocity can not provide the HITRUST CSF unless a customer is already a licensee. The framework is free, and available for download from the HITRUST License website (linked at Right).
|ISO 27001 Appendix A with guidance from ISO 27002|
|ISO 27000 Family of Standards||Get help with ISO 27001 Appendix A||The ISO/IEC 27000 family of standards helps organizations keep information assets secure.|
ISO IEC 27001:2013 includes Annex A, which lists illustrative information security control objectives and information security controls. It is taken directly from ISO IEC 27002 2013 sections 5 to 18, which provides additional guidance on the implementation, operation, and maintenance of security controls. However, using this framework in not obligatory in order to be ISO 27001 certified.
ISO IEC 27001:2013 section 6.1.3 enables organizations to use Annex A, and/or any other suitable resources, to "produce a Statement of Applicability that contains the necessary controls".
|ISO 27001/2, 27017, 27018||ISO 27000 Family of Standards||Get help with ISO 27001, 2, 17, 18||The ISO/IEC 27000 family of standards helps organizations keep information assets secure.|
Within the ISO 27000 family of standards there are a variety of frameworks which focus on specific areas of information security.
|NIST CSF||NIST CSF Page||In response to Executive Order 13636, “Improving Critical Infrastructure Cybersecurity," the National Institute of Standards and Technology (NIST) published the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework or CSF). The CSF is designed to drive an organization's cybersecurity efforts through a risk-based management process. It contains a set of requirements hierarchically structured into Functions, Categories, and Subcategories, as well as Informative References which point to other security frameworks such as ISO 27001, NIST SP 800-53, and COBIT.|
The overall framework is structured into three parts:
|NIST SP 800-53 rev4||NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations||Get help with NIST SP 800-53||The Federal Information Security Modernization Act (FISMA) requires civilian agencies of the US Federal Government to report on the security posture of their information systems. Businesses supporting these government agencies may also be required to implement such controls, if they interconnect with or operate systems on behalf of the government.|
There are a variety of documents which guide the implementation and management of security controls for such systems, including the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology Special Publications (NIST SP).
NIST SP 800-53 has three risk-based baselines for controls: Low, Moderate, and High. Higher-risk systems require more controls, while lower-risk systems require less stringent levels of protection.
|PCI-DSS v3.2||PCI-DSS Overview||Get help with PCI-DSS v3.2||The Payment Card Industry Data Security Standard (PCI-DSS) was created by the major credit card brands in 2004 to encourage and enhance the security of credit card data. The use of the DSS, which is a prescriptive set of requirements for securing credit card data at rest and in transit, is mandated by the major card brands and is required of all organizations accepting credit card payment transactions, known as merchants.|
Merchants are assigned levels based on the number of transactions they process of various brands per year. These levels determine the type of annual compliance assessment that the merchant must perform, either a self-assessment or one by a third-party Qualified Security Assessor (QSA). Failure to comply with the PCI-DSS may result in fines from credit card acquirers or even loss of the ability to accept credit card transactions. The DSS and associated standards are managed by the PCI Security Standards Council and regularly updated as new threats emerge.
|Reciprocity Consolidated Objectives||Get help with Reciprocity Consolidated Objectives||The Reciprocity Consolidated Objectives provides mappings between common objectives across our most commonly used frameworks. These mappings provide a foundation on which to build a consolidated list of controls with the goal of reducing redundancy in your compliance program.|
Frameworks included in the Reciprocity Consolidated Objectives include NIST800-53/FedRAMP, HIPAA, ISO27001, PCI DSS, SOC2, and the CSC-CIS/SANS Top 20.
|SOC 1 / SSAE 16 / ISAE 3402||SOC 1 Information Page||Get help with SOC 1||From AICPA.org:|
These reports, prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the managements of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions. These reports are important components of user entities’ evaluation of their internal controls over financial reporting for purposes of comply with laws and regulations such as the Sarbanes-Oxley Act and the user entities’ auditors as they plan and perform audits of the user entities’ financial statements. There are two types of reports for these engagements:
The use of these reports are restricted to the management of the service organization, user entities of the service organization and user auditors.
|SOC 2 / SOC 3||SOC 2 Information Page||Get help with SOC 2|
|SOX||SOX Law||Get help with SOX||Publicly traded U.S. corporations must maintain compliance with provisions of the Sarbanes-Oxley Act of 2002 (SOX). The U.S. Securities and Exchange Commission (SEC) enforces this law directly and through oversight of the Public Company Accounting Oversight Board (PCAOB). Companies subject to SOX must establish and evaluate internal controls in accordance with other established controls frameworks such as COSO and COBIT.|
While there are high-level requirements, SOX is not prescriptive regarding the scope and approach to conducting a SOX assessment of internal controls. Corporate management establishes the design and evaluates the effectiveness of internal controls, which are also assessed externally by public accounting firms.