Multi-framework
One platform. Every framework.
Map your controls and risks to every major compliance standard simultaneously. No duplication. No spreadsheets. No consultant fees.
ISO 27001 is the international standard for information security management systems (ISMS) and the most recognised framework for enterprise security certification.
- 114 Annex A controls across 14 domains
- Covers risk assessment, access control, cryptography, and incident response
- Required by many enterprise procurement and vendor security reviews
- Certification issued by accredited third-party auditors
SOC 2 is the US standard for SaaS and cloud service providers, and is increasingly required by US enterprise customers before signing contracts.
- Five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
- Type I (design) and Type II (operating effectiveness over time) audits
- Security criterion is mandatory — others are optional by scope
- Auditor report shared directly with customers under NDA
The US National Institute of Standards and Technology Cybersecurity Framework. A flexible, risk-based approach to managing cyber risk.
- Five core functions: Identify, Protect, Detect, Respond, Recover
- Framework tiers allow you to target your current maturity level
- Used as a baseline by US federal agencies and regulated industries
- Maps cleanly to ISO 27001 — one set of controls covers both
PCI DSS is required for any organisation that stores, processes, or transmits cardholder data. It is mandatory if you handle payment cards.
- 12 high-level requirements covering network security, access control, and monitoring
- Levels 1–4 based on annual card transaction volume
- Non-compliance can result in fines and loss of payment processing rights
- Annual assessment by a Qualified Security Assessor (QSA) at higher levels
The UK and EU General Data Protection Regulation. Mandatory for any organisation processing personal data of UK or EU residents.
- Lawful basis required for every category of personal data processing
- Data subject rights: access, rectification, erasure, portability
- Breach notification to the ICO within 72 hours
- Fines up to £17.5M or 4% of global annual turnover (whichever is higher)
HIPAA is the US healthcare data regulation covering protected health information (PHI). It is required for health tech companies operating in the US market.
- Administrative, physical, and technical safeguards for PHI
- Privacy Rule covers use and disclosure of health information
- Security Rule sets standards for electronic PHI (ePHI)
- Breach notification requirements under the Breach Notification Rule
Map once, cover all
Stop managing compliance in six spreadsheets
A single RiskGuard control can satisfy requirements across ISO 27001, SOC 2, and NIST CSF simultaneously. Add a new framework and your existing controls carry over — no rework, no duplication.
Ready to get audit-ready?
Book a 30-minute demo and see how RiskGuard can get your startup compliant — without the consultant fees.