International standard for managing information security and protecting sensitive data.
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet. The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system. Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard. ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to organizations across industries, governments, and sectors to effectively manage cybersecurity risks. Designed for universal application, it helps organizations of all sizes and maturity levels understand, assess, prioritize, and communicate their cybersecurity efforts. The CSF focuses on high-level outcomes without prescribing specific actions, linking instead to resources that offer practical guidance for achieving those outcomes. The framework is particularly valuable for individuals leading cybersecurity programs but is also relevant to executives, risk managers, boards, and policymakers involved in cybersecurity decision-making and risk management. It is intended to integrate cybersecurity with broader enterprise risks, including financial, privacy, supply chain, and reputational risks. CSF 2.0 emphasises flexibility and adaptability, acknowledging that organizations have unique missions, objectives, and risk tolerances. Its sector- and technology-neutral structure allows for tailored implementation while promoting a common understanding across diverse audiences. The framework organizes its cybersecurity outcomes into six core functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER, providing a clear structure for managing cybersecurity risks.
American Institute of Certified Public Accountants (AICPA) System and Organisation Controls (SOC).
SOC, or System and Organisation Controls, is a set of frameworks developed by the American Institute of Certified Public Accountants (AICPA) to help organisations demonstrate that their systems and controls meet rigorous criteria for data security and operational integrity. SOC 1 focuses on internal controls relevant to financial reporting, SOC 2 emphasises trust services criteria such as security, availability, processing integrity, confidentiality, and privacy, while SOC 3 is a general-use version of SOC 2 that provides insights into compliance without disclosing sensitive details. These reports are widely adopted by service providers to build trust, showcase compliance, and assure stakeholders of their commitment to security and reliability.
Centre for Cybersecurity Belgium CyberFundamentals - Small
Developed by the Cybersecurity Centre Belgium (CCB), the CyberFundamentals Framework is a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks and increase your organisation's cyber resilience. To respond to the severity of the threat an organisation is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential. The starting level Small allows an organisation to make an initial assessment. It is intended for micro-organisations or organisations with limited technical knowledge.
Centre for Cybersecurity Belgium CyberFundamentals - Important
Developed by the Cybersecurity Centre Belgium (CCB), the CyberFundamentals Framework is a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks and increase your organisation's cyber resilience. To respond to the severity of the threat an organisation is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential. The assurance level Important is designed to minimise the risks of targeted cyber-attacks by actors with common skills and resources in addition to known cyber security risks.
Centre for Cybersecurity Belgium CyberFundamentals - Basic
Developed by the Cybersecurity Centre Belgium (CCB), the CyberFundamentals Framework is a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks and increase your organisation's cyber resilience. To respond to the severity of the threat an organisation is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential. The assurance level Basic contains the standard information security measures for all enterprises. These provide an effective security value with technology and processes that are generally already available. Where justified, the measures are tailored and refined.
Centre for Cybersecurity Belgium CyberFundamentals - Essential
Developed by the Cybersecurity Centre Belgium (CCB), the CyberFundamentals Framework is a set of concrete measures to protect your data, significantly reduce the risk of the most common cyber-attacks and increase your organisation's cyber resilience. To respond to the severity of the threat an organisation is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential. The assurance level Essential goes one step further and is designed to address the risk of advanced cyber-attacks by actors with extensive skills and resources.
Canadian Centre for Cyber Security Baseline Cyber Security Controls for Small and Medium Organizations.
Small and medium organisations are highly vulnerable to cyber threats, especially cybercrime, which often leads to financial or privacy breaches. The Canadian Centre for Cyber Security Controls for Small and Medium Organizations V1.2 provides a framework to enhance resilience through strategic cyber security investments. By applying the 80/20 rule—achieving 80% of the benefit with 20% of the effort—it streamlines and prioritises baseline controls, making cyber security more accessible and effective for resource-limited organisations.
Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) 2.0 program is the latest version of the CMMC framework, simplifying requirements into three levels of cybersecurity maturity and aligning them with widely recognised NIST cybersecurity standards. This program is specifically designed to assess and improve cybersecurity practices across contractors working with the Department of Defense (DoD), ensuring the protection of sensitive information within the defence industrial base.
Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the cybersecurity and operational resilience of financial institutions across its member states. DORA is designed to ensure that financial entities, including banks, insurance companies, investment firms, and payment service providers, can withstand, respond to, and recover from cyber threats and other operational disruptions. By establishing a comprehensive regulatory framework, DORA mandates financial institutions to implement robust ICT (Information and Communication Technology) risk management strategies. This includes stringent requirements for identifying, managing, and mitigating risks associated with third-party ICT providers, incident reporting, and continuous monitoring of cyber threats. The regulation also standardises rules for incident response and operational continuity to enhance the stability of the European financial sector.
EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive regulation aimed at safeguarding personal data and privacy rights of individuals within the European Union (EU) and European Economic Area (EEA). It establishes strict rules on data collection, processing, storage, and sharing, ensuring individuals maintain control over their personal information while holding organisations accountable for protecting that data.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. regulation designed to safeguard the privacy, security, and confidentiality of individuals' healthcare information. It establishes stringent standards for the handling, storage, and sharing of protected health information (PHI) by healthcare providers, insurers, and associated entities, ensuring compliance and fostering trust in the healthcare system.
International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM)
The IAPP Certified Information Privacy Manager (CIPM) is a globally recognised certification tailored for privacy professionals responsible for managing privacy programmes and ensuring compliance with data protection regulations. It provides a comprehensive framework for establishing, operating, and maintaining privacy programmes within organisations, demonstrating expertise in aligning privacy practices with legal and operational requirements.
International standard for Quality management systems
ISO 9001 is a globally recognized standard for quality management. It helps organizations of all sizes and sectors to improve their performance, meet customer expectations and demonstrate their commitment to quality. Its requirements define how to establish, implement, maintain, and continually improve a quality management system (QMS). Implementing ISO 9001 means your organization has put in place effective processes and trained staff to deliver flawless products or services time after time. Business benefits of ISO 9001 include enhanced customer confidence through robust quality control processes, effective complaint resolution with timely and satisfactory problem-solving, improved processes by eliminating inefficiencies and reducing waste, and ongoing optimisation through regular audits and reviews that refine quality management systems for long-term success.
KSA National Cybersecurity Authority (NCA) Cloud Cybersecurity Controls
The Cloud Cybersecurity Controls (CCC) is developed by the NCA as an extension to the Essential Cybersecurity Controls (ECC) to advance national cybersecurity goals by addressing cloud computing services from the perspectives of Cloud Service Providers (CSPs) and Cloud Service Tenants (CSTs). The CCC establishes the minimum cybersecurity requirements for CSPs and CSTs, enabling them to deliver and utilise secure cloud computing services while effectively mitigating cyber risks. It emphasises protecting the confidentiality, integrity, and availability of data and information within the cloud environment. To achieve these objectives, the CCC focuses on four key cybersecurity pillars: strategy, people, procedures, and technology.
KSA National Cybersecurity Authority (NCA) Cybersecurity Controls for Critical Infrastructure (CSCC)
The Critical Systems Cybersecurity Controls (CSCC) is developed by the NCA as an extension to the Essential Cybersecurity Controls (ECC) to fit the cybersecurity needs of national critical systems.
KSA National Cybersecurity Authority (NCA) Data Cybersecurity Controls (DCC)
The Data Cybersecurity Controls (DCC) is developed by the NCA as an extension to the Essential Cybersecurity Controls (ECC) to contribute to raising cybersecurity maturity by setting the minimum cybersecurity requirements that enable organizations to protect their data during its entire lifecycle. These controls have been developed after conducting a comprehensive study of multiple national and international cybersecurity standards, frameworks and controls, studying related laws and regulations, reviewing cybersecurity best practices and analyzing cybersecurity risks, threats, previous incidents and attacks at the national level.
KSA National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC)
The Essential Cybersecurity Controls (ECC) is developed by the NCA to define the minimum cybersecurity requirements for national organisations within its scope of ECC implementation. This framework outlines the controls, their objectives, scope, statement of applicability, compliance approach, and monitoring processes. The primary goal of these controls is to establish baseline cybersecurity requirements for protecting the information and technology assets of organisations. These requirements, rooted in industry-leading practices, aim to minimise cybersecurity risks stemming from both internal and external threats. To achieve this, the ECC focuses on safeguarding the confidentiality, integrity, and availability of organisational information and technology assets, with a strategic emphasis on four key cybersecurity pillars: strategy, people, processes, and technology.
KSA National Cybersecurity Authority (NCA) Operational Technology Cybersecurity Controls (OTCC)
The OTCC framework, developed by the Saudi National Cybersecurity Authority (NCA), provides comprehensive cybersecurity controls to address risks unique to Operational Technology (OT) environments, including industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and other critical assets vital for the safety, reliability, and continuity of industrial operations. It focuses on securing physical processes, preventing unauthorised access, and ensuring system integrity while aligning with international standards. This framework is crucial for organisations managing critical infrastructure, manufacturing, and industrial systems to enhance resilience and comply with cybersecurity regulations.
KSA National Cybersecurity Authority (NCA) Teleworking Cybersecurity Controls (TCC)
The Telework Cybersecurity Controls (TCC) is developed by the NCA as an extension to the Essential Cybersecurity Controls (ECC) to contribute to raising the level of cybersecurity by enabling the organization to perform its work remotely in a secure manner and adapt to changes in the business environment and telework systems, and by enhancing the organization's cybersecurity capabilities and resilience against cyber threats when providing remote work.
EU - Network and Information Security Directive 2
NIS2, the revised Directive on Security of Network and Information Systems, is an EU directive aimed at significantly enhancing the cybersecurity resilience of critical infrastructure sectors across member states. It establishes stricter security requirements for organisations providing essential services, including energy, transportation, healthcare, water supply, and digital infrastructure. The directive expands the scope of regulated entities, introduces stricter incident reporting obligations, and mandates robust risk management measures. It emphasises cross-border collaboration, harmonises cybersecurity frameworks across the EU, and ensures that critical infrastructure operators and digital service providers implement comprehensive measures to protect against cyber threats, mitigate risks, and ensure continuity of vital services.
NIST Artificial Intelligence Risk Management Framework
In collaboration with the private and public sectors, NIST has developed a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI). The NIST AI Risk Management Framework (AI RMF) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.
NIST Privacy Framework
The NIST Privacy Framework is a voluntary tool designed to help organizations identify and manage privacy risks while fostering innovation and protecting individuals' privacy. Privacy risk management involves understanding how systems, products, and services may create privacy-related issues and developing solutions to address these risks. Privacy risk assessments, a key component of this process, help organizations evaluate the trade-offs between data processing benefits and associated risks, guiding responses such as mitigation, transfer, avoidance, or acceptance of risks. These assessments are essential for balancing privacy values, as methods like data encryption or distributed architectures may conflict with enabling individual control. They also distinguish privacy risks from compliance risks, encouraging ethical decision-making beyond legal obligations. By addressing privacy risks effectively, organizations can optimize data use, safeguard individual privacy, maintain public trust, and support the successful adoption of products and services.
NIST Risk Management Framework
The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems.
NIST Security and Privacy Controls for Information Systems and Organizations
This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.
KSA National Cybersecurity Authority (NCA) Online Social Media Account Cybersecurity Controls (OSMACC)
The Online Social Media Account Cybersecurity Controls (OSMACC) is a comprehensive framework designed to secure social media accounts from cyber threats such as unauthorised access, misuse, and account compromise. It outlines key cybersecurity measures, including strong authentication, access control, and activity monitoring, to protect sensitive information and maintain account integrity. OSMACC is tailored for organisations and individuals seeking to enhance the security of their social media presence, ensuring robust protection against evolving threats in the digital landscape.
NIST Small Business Information Security: The Fundamentals
This guide provides small-to-medium sized businesses (SMBs), specifically those that have modest or no cybersecurity plans in place, with considerations to kick-start their cybersecurity risk management strategy by using the NIST Cybersecurity Framework (CSF) 2.0. The guide can also assist other relatively small organizations, such as non-profits, government agencies, and schools. It is a supplement to the NIST CSF and is not intended to replace it.
Payment Card Industry (PCI) Data Security Standard (DSS)
PCI Security Standards are developed and maintained by the PCI Security Standards Council to protect payment data throughout the payment lifecycle. The different PCI Standards support different stakeholders and functions within the payments industry. The PCI DSS defines security requirements to protect environments where payment account data is stored, processed, or transmitted. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data.
Information technology — Artificial intelligence — Management system
ISO/IEC 42001 is the first internationally recognised standard for artificial intelligence management systems (AIMS). It provides organisations with a structured framework for governing and managing AI systems responsibly, ensuring their alignment with ethical principles, regulatory requirements, and risk management best practices. The ISO/IEC 42001 standard helps organisations of any size and sector establish, implement, maintain, and continuously improve an AI management system, fostering trust, transparency, and accountability in AI-driven operations. Compliance with ISO/IEC 42001 demonstrates an organisation’s commitment to managing AI risks and ensuring AI systems operate in a fair, reliable, and secure manner.