Map your controls once and reuse them across every standard you need. Start with a plain-language guide to the framework you're working on — what it asks for, and how teams keep it audit-ready between audits.
In-depth, plain-language walkthroughs of each standard. More are on the way — every framework below is supported today from one control set.
The international standard for an ISMS — certification, Annex A controls, the Statement of Applicability and staying audit-ready.
The AICPA attestation report SaaS vendors use to prove security — Trust Services Criteria, Type I vs Type II, and the observation period.
The EU data protection law explained plainly — lawful bases, data subject rights, RoPA, DPIAs and the 72-hour breach clock.
The US law that protects health information — PHI and ePHI, the Privacy, Security and Breach Notification Rules, business associates and BAAs.
The payment-card data security standard — the 12 requirements, scope and segmentation, SAQ vs ROC, and staying compliant as business-as-usual.
The voluntary US cybersecurity framework — six Functions, Implementation Tiers and Current-to-Target Profiles, with no certificate to chase.
The first comprehensive law on AI — risk tiers, high-risk obligations, the GPAI rules, conformity assessment and the phased timeline.
The EU cybersecurity directive for essential and important entities — risk-management measures, incident reporting and management accountability.
The EU regulation on digital operational resilience for financial entities — ICT risk, incident reporting, resilience testing and third-party risk.
The open body of application-security resources — the OWASP Top 10, the ASVS, SAMM and the API Security Top 10 that teams build and verify secure software against.
The international standard for an AI management system — certifiable, with AI risk and impact assessments and lifecycle governance.
The prioritized, voluntary set of cybersecurity safeguards — the 18 Controls, their Safeguards and the IG1 to IG3 implementation groups.
The CSA cloud-security control framework — domains, the CAIQ, the STAR program and answering customer security reviews.
The cloud extensions to ISO/IEC 27001 — cloud security guidance (27017) and PII protection in public clouds (27018), added as scope.
Switzerland’s revised data-protection law (revFADP / nDSG) explained — the principles, records, DPIAs, breach notification and how it lines up with the GDPR.
Working toward a standard we haven't written up yet? Book a conversation and we'll walk through yours.