Frameworks
Cover the frameworks buyers and auditors ask for most.
Pick frameworks based on customer demand, legal exposure, market plans, and audit pressure. Then reuse shared controls wherever you can.
10+ framework paths
1 shared control map
Shared framework leverage
Framework map
One control program can support many trust requests.
| Framework | Best fit | Best first move |
|---|---|---|
| SOC 2 | B2B SaaS and customer security reviews. | Get access, changes, incidents, vendors, policies, and monitoring in order. |
| ISO 27001 | Global security programs and enterprise buyers. | Clean up the risk register, control scope, action plans, and leadership reviews. |
| HIPAA and HITRUST | Healthcare and protected health information (PHI). | Focus on access, workforce training, business associate agreements (BAAs), risk analysis, incident response, and vendor oversight. |
| GDPR | EU personal data and privacy work. | Track data, subprocessors, privacy requests, retention, and breach response. |
| PCI DSS, FedRAMP, and CMMC | Payment card, U.S. public sector, and defense-industrial-base buyers. | Clarify scope boundaries, technical controls, evidence depth, and remediation tracking. |
| NIST AI RMF and ISO 42001 | AI risk and responsible AI programs. | Track AI risks, model use, policies, monitoring, and owners. |
The smart move is shared controls first.
Access management, change review, incident response, vendor management, policies, training, asset inventory, and risk treatment recur across nearly every framework above, so build each of them once and map that single control to every framework that asks for it.