ISpectra Technologies
22 frameworks · A–Z

Compliance Frameworks Glossary

Plain-English definitions of the security, privacy and industry frameworks ISpectra helps organizations achieve — what each one is, who it applies to, and where to go next.

C

C5

Cloud Security

The Cloud Computing Compliance Criteria Catalogue — a German BSI-backed attestation standard defining a baseline of security controls for cloud service providers. Widely requested by enterprise and public-sector buyers across the DACH region.

Read more

CIS Controls

Frameworks

A prioritized set of 18 safeguards published by the Center for Internet Security that give organizations a practical, defense-in-depth roadmap for reducing the most common cyberattacks. Often used as the foundation for broader programs.

Read more

CMMC

Government

The Cybersecurity Maturity Model Certification — the U.S. Department of Defense program that verifies contractors protect Federal Contract Information and Controlled Unclassified Information. Required to bid on many DoD contracts.

Read more

Cyber Essentials

Government

A UK government-backed certification covering five technical controls that defend organizations against the most common internet-based threats. Frequently mandatory for UK public-sector contracts.

Read more
D

DORA

Financial

The EU’s Digital Operational Resilience Act sets uniform requirements for the digital resilience of banks, insurers and other financial entities — covering ICT risk management, incident reporting, resilience testing and third-party oversight.

Read more

DPDP Act

Privacy

India’s Digital Personal Data Protection Act 2023 governs how “data fiduciaries” collect, process and protect the personal data of Indian residents — including explicit consent, purpose limitation and prompt breach notification.

Read more
E

Essential Eight

Government

A prioritized set of eight mitigation strategies defined by the Australian Signals Directorate to protect organizations against cyber threats. A baseline expectation for many Australian government entities.

Read more
F

FedRAMP

Government

The U.S. Federal Risk and Authorization Management Program standardizes security assessment and authorization for cloud products used by federal agencies. An authorization (ATO) is required to sell cloud services to the U.S. government.

Read more

A U.S. Federal Trade Commission rule under the Gramm-Leach-Bliley Act requiring non-banking financial institutions to build and maintain a written information security program that protects customer information.

Read more
G

GDPR

Privacy

The EU’s General Data Protection Regulation governs the processing of EU residents’ personal data and grants individuals rights over that data. It applies to any organization worldwide that handles EU personal data.

Read more
H

HIPAA

Healthcare

The U.S. Health Insurance Portability and Accountability Act sets national standards for protecting sensitive patient health information (PHI) held by healthcare providers, health plans and their business associates.

Read more
I

ISO 27001

Certification

The leading international standard for an Information Security Management System (ISMS). Certification proves an organization systematically manages information-security risk through the controls of Annex A and continual improvement.

Read more

ISO 27017

Cloud Security

An international code of practice that extends ISO 27001/27002 with cloud-specific security controls, clarifying the split of responsibilities between cloud providers and their customers.

Read more
M

Microsoft SSPA

Vendor Risk

Microsoft’s Supplier Security and Privacy Assurance program — a set of data protection requirements that suppliers processing Microsoft personal or confidential data must attest to each year.

Read more

MVSP

Vendor Risk

The Minimum Viable Secure Product — a vendor-neutral baseline, backed by a consortium including Google and Salesforce, defining the minimum security controls every B2B software product should implement. Common in vendor security reviews.

Read more
N

NIS2 Directive

Critical Infra

An EU directive that strengthens cybersecurity and incident-reporting obligations for operators of essential and important services across critical sectors, significantly expanding the scope of the original NIS Directive.

Read more

NIST 800-53

Government

A comprehensive catalog of security and privacy controls published by the U.S. National Institute of Standards and Technology. It underpins FedRAMP and FISMA and is widely adopted by government and enterprise alike.

Read more

NYDFS 23 NYCRR 500

Financial

A cybersecurity regulation from the New York State Department of Financial Services requiring banks, insurers and other financial-services companies operating in New York to run a risk-based cybersecurity program, appoint a CISO and report incidents.

Read more
P

PCI DSS

Payments

The Payment Card Industry Data Security Standard — a global set of requirements that any organization storing, processing or transmitting cardholder data must meet to protect payment card information.

Read more
S

SOC 2

Attestation

An AICPA attestation report that evaluates a service organization’s controls against the Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality and Privacy. The de facto standard enterprise buyers request from SaaS vendors.

Read more

SOX ITGC

Financial

The IT General Controls that support U.S. Sarbanes-Oxley Act compliance, safeguarding the integrity of financial-reporting systems through controls over access, change management and IT operations for public companies.

Read more
T

TISAX

Automotive

The Trusted Information Security Assessment Exchange — an automotive-industry assessment mechanism based on the VDA ISA catalog that lets suppliers share standardized information-security assessment results across the automotive supply chain.

Read more