We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center

Standards & framework document library

Every major security and compliance standard in one place — with links to the official source documents and CyberSigma’s practical guides, checkers and calculators. Curated by CERT-In empanelled, PCI QSA auditors.

In-depth framework guides

Full explainers for each standard — what it is, who needs it, key requirements, how to comply and FAQs.

Security frameworks

NIST Cybersecurity Framework (CSF 2.0)
NIST · Global

A voluntary, outcome-based framework for managing and reducing cybersecurity risk.

Read the guide →
NIST SP 800-53
NIST · Global

A comprehensive catalog of security and privacy controls for information systems.

Read the guide →
COBIT
ISACA · Global

A governance and management framework for enterprise information and technology.

Read the guide →
CIS Controls
Center for Internet Security · Global

A prioritised set of 18 safeguards that stop the most common attacks.

Read the guide →
MITRE ATT&CK
MITRE · Global

A knowledge base of real-world adversary tactics and techniques.

Read the guide →
SANS / CWE Top 25
MITRE / SANS · Global

The most dangerous and common software weaknesses developers must avoid.

Read the guide →
OWASP Top 10
OWASP · Global

The standard awareness document for the most critical web application risks.

Read the guide →
SABSA (Security Architecture)
The SABSA Institute · Global

A business-driven framework and methodology for enterprise security architecture.

Read the guide →
CSA CCM & STAR
Cloud Security Alliance · Global

The Cloud Controls Matrix and STAR programme for cloud security assurance.

Read the guide →
TOGAF
The Open Group · Global

The leading enterprise architecture framework and method (ADM).

Read the guide →
NIST SP 800-171
NIST · Global / US

Protecting Controlled Unclassified Information (CUI) in non-federal systems.

Read the guide →
IEC 62443 (OT/ICS Security)
IEC / ISA · Global

The standard for cybersecurity of industrial automation and control systems.

Read the guide →
Zero Trust (NIST SP 800-207)
NIST · Global

A security model of "never trust, always verify" for modern architectures.

Read the guide →
MITRE D3FEND
MITRE · Global

A knowledge base of defensive countermeasures mapped to ATT&CK.

Read the guide →
OWASP ASVS
OWASP · Global

A detailed, testable standard for verifying application security.

Read the guide →
COSO Internal Control Framework
COSO · Global

The leading framework for internal control and enterprise risk management.

Read the guide →
MITRE ATLAS (AI/ML Threats)
MITRE · Global

A knowledge base of adversarial threats to AI and machine-learning systems.

Read the guide →
OWASP API Security Top 10
OWASP · Global

The most critical security risks to APIs.

Read the guide →
ISO/IEC 27005 (Information Security Risk Management)
ISO / IEC · Global

Guidance for managing information security risk.

Read the guide →
ISO/IEC 27035 (Incident Management)
ISO / IEC · Global

The standard for information security incident management.

Read the guide →
ISO/IEC 27031 (ICT Continuity)
ISO / IEC · Global

ICT readiness for business continuity.

Read the guide →
ISO/IEC 29147 & 30111 (Vulnerability Disclosure)
ISO / IEC · Global

Standards for vulnerability disclosure and handling.

Read the guide →
NIST Secure Software Development Framework (SSDF)
NIST · Global

Secure software development practices (SP 800-218).

Read the guide →
NIST SP 800-63 (Digital Identity)
NIST · Global

Digital identity guidelines — identity proofing, authentication and federation.

Read the guide →
NIST AI Risk Management Framework
NIST · Global

Voluntary framework to manage risks of AI systems.

Read the guide →
CSA AI Controls Matrix (AICM)
Cloud Security Alliance · Global

CSA control matrix for securing and governing AI systems.

Read the guide →
Cyber Risk Institute (CRI) Profile
Cyber Risk Institute · Global (Finance)

Harmonised cybersecurity profile for the financial sector.

Read the guide →
Secure Controls Framework (SCF)
Secure Controls Framework Council · Global

Metaframework mapping controls across 100+ authorities.

Read the guide →
NIST SP 800-161 (C-SCRM)
NIST · Global

Cyber supply-chain risk management practices for systems.

Read the guide →
NIST SP 800-82 (OT Security)
NIST · Global

Guide to securing operational technology and control systems.

Read the guide →
NIST Ransomware Risk Management Profile
NIST · Global

CSF profile to prevent, detect and recover from ransomware.

Read the guide →
Cybersecurity Capability Maturity Model (C2M2)
US DOE · Global

Maturity model to evaluate and improve cyber capabilities.

Read the guide →
CryptoCurrency Security Standard (CCSS)
C4 (CryptoCurrency Certification Consortium) · Global

Security standard for systems that use cryptocurrencies.

Read the guide →

Certifications & attestations

CMMI V3.0
ISACA / CMMI Institute · Global

Capability Maturity Model Integration — a model for building repeatable, measurable, continually improving organisational capability.

Read the guide →
ISO/IEC 27001
ISO / IEC · Global

The international standard for an Information Security Management System (ISMS).

Read the guide →
SOC 2 (AICPA)
AICPA · Global

An attestation report on controls relevant to security, availability and privacy.

Read the guide →
PCI DSS
PCI SSC · Global

The security standard for organisations that handle payment card data.

Read the guide →
SWIFT CSP / CSCF
SWIFT · Global

SWIFT’s Customer Security Controls Framework for institutions on the SWIFT network.

Read the guide →
PCI PIN & P2PE
PCI SSC · Global

Standards for secure PIN management and point-to-point encryption of card data.

Read the guide →
HITRUST CSF
HITRUST Alliance · Global / US

A certifiable security framework that harmonises HIPAA, ISO, NIST, PCI and more.

Read the guide →
CMMC
US Department of Defense · United States

Cybersecurity Maturity Model Certification for the US defense supply chain.

Read the guide →
FedRAMP
US FedRAMP PMO / GSA · United States

The US government authorisation programme for cloud services.

Read the guide →
ISO 22301
ISO · Global

The international standard for business continuity management systems (BCMS).

Read the guide →
ISO/IEC 27017
ISO / IEC · Global

Cloud-specific information security controls extending ISO 27002.

Read the guide →
ISO/IEC 42001 (AI Management)
ISO / IEC · Global

The management-system standard for artificial intelligence (AIMS).

Read the guide →
ISO/IEC 20000-1
ISO / IEC · Global

The international standard for an IT service management system (SMS).

Read the guide →
ISO 9001 (Quality)
ISO · Global

The international standard for a quality management system (QMS).

Read the guide →
SOX IT General Controls (ITGC)
US SEC / PCAOB · United States

IT general controls supporting Sarbanes-Oxley financial-reporting compliance.

Read the guide →
TISAX (Automotive)
ENX Association · Global / Europe

The information-security assessment standard for the automotive industry.

Read the guide →
Common Criteria (ISO/IEC 15408) / IC3S
Common Criteria / STQC · Global / India

International product security evaluation and certification.

Read the guide →
FIPS 140-3 Cryptographic Module Validation
NIST / CMVP · Global

Validation of cryptographic modules to US federal standards.

Read the guide →
PCI Software Security Framework & 3DS
PCI SSC · Global

PCI standards for payment software security and 3-D Secure.

Read the guide →
ISO/SAE 21434 & UNECE R155 (Automotive Cybersecurity)
ISO / SAE / UNECE · Global

Cybersecurity engineering for road vehicles.

Read the guide →
Medical Device Cybersecurity
FDA / IEC · Global

Cybersecurity for medical devices across the product lifecycle.

Read the guide →
BSI C5 (Cloud Computing Compliance Criteria Catalogue)
BSI (Germany) · Germany / EU

German catalogue of cloud security controls attested by auditors.

Read the guide →
ISO 28000 (Supply Chain Security)
ISO · Global

Management system for security of the supply chain.

Read the guide →
ISO 27799 (Health Informatics Security)
ISO · Global

Health-sector application of ISO 27002 controls.

Read the guide →

Data privacy laws

GDPR
European Union · EU / EEA

The EU regulation governing the processing of personal data.

Read the guide →
HIPAA
US Dept. of Health & Human Services · United States

US law protecting the privacy and security of protected health information (PHI).

Read the guide →
ISO/IEC 27701
ISO / IEC · Global

A privacy extension (PIMS) to ISO 27001 for managing personal data.

Read the guide →
CCPA / CPRA
State of California · United States

California’s consumer privacy law and its CPRA amendments.

Read the guide →
ISO/IEC 27018
ISO / IEC · Global

Protection of personal data (PII) in public cloud services.

Read the guide →
LGPD (Brazil)
Brazil (ANPD) · Brazil

Brazil’s General Data Protection Law for personal data.

Read the guide →
POPIA (South Africa)
South Africa (Information Regulator) · South Africa

South Africa’s Protection of Personal Information Act.

Read the guide →
PDPA (Singapore)
PDPC (Singapore) · Singapore

Singapore’s Personal Data Protection Act.

Read the guide →
PIPEDA (Canada)
Canada (OPC) · Canada

Canada’s federal private-sector privacy law.

Read the guide →
EU-US Data Privacy Framework
US Dept of Commerce / EC · EU / US

Transatlantic mechanism for lawful personal-data transfers.

Read the guide →

India regulatory

DPDP Act, 2023 (India)
MeitY, Government of India · India

India’s data-protection law governing the personal data of data principals.

Read the guide →
RBI Cyber Security Framework for Banks
Reserve Bank of India · India

Baseline cyber security and resilience controls mandated by RBI for banks.

Read the guide →
RBI Digital Payment Security Controls
Reserve Bank of India · India

RBI’s master direction on securing internet, mobile and card digital payment channels.

Read the guide →
RBI IT Governance, Risk, Controls & Assurance
Reserve Bank of India · India

RBI’s master direction on IT governance, risk, controls and IS assurance practices.

Read the guide →
RBI Payment Aggregators & Payment Gateways (PA-PG)
Reserve Bank of India · India

Authorisation and security requirements for payment aggregators and payment gateways.

Read the guide →
RBI Prepaid Payment Instruments (PPI)
Reserve Bank of India · India

Rules for issuing and operating prepaid payment instruments (wallets, cards).

Read the guide →
RBI System Audit Report (SAR) & Data Localisation
Reserve Bank of India · India

Annual system audit and payment-data localisation assurance for payment system operators.

Read the guide →
NPCI UPI / TPAP Security Audit
NPCI · India

Security audit requirements for UPI Third-Party Application Providers and PSP banks.

Read the guide →
Bharat Bill Payment System (BBPS) Audit
NPCI Bharat BillPay (NBBL) · India

System audit requirements for BBPS operating units in the bill-payment ecosystem.

Read the guide →
SEBI CSCRF
SEBI · India

SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities.

Read the guide →
IRDAI Information & Cyber Security
IRDAI · India

Information and cyber security guidelines for insurers and intermediaries.

Read the guide →
UIDAI / Aadhaar (AUA-KUA)
UIDAI · India

Security and audit requirements for entities in the Aadhaar authentication ecosystem.

Read the guide →
CERT-In Directions (Cyber Incident Reporting)
CERT-In, MeitY · India

CERT-In’s directions on incident reporting, log retention and security practices.

Read the guide →
RBI Account Aggregator Framework
Reserve Bank of India · India

The consent-based financial-data-sharing framework in India.

Read the guide →
RBI IT Framework for NBFCs
Reserve Bank of India · India

RBI’s IT governance, security and audit expectations for NBFCs.

Read the guide →
PFRDA Cyber Security & IS Audit
PFRDA · India

Information and cyber security audit for the pension (NPS) ecosystem.

Read the guide →
IFSCA Cyber Resilience Audit
IFSCA · India (GIFT IFSC)

Cyber security and resilience audit for regulated entities in GIFT IFSC.

Read the guide →
RBI Housing Finance Company (HFC) IS & Cyber Audit
Reserve Bank of India · India

Information systems and cyber security audit for housing finance companies.

Read the guide →
RBI Digital Lending (DLA/LSP) Audit
Reserve Bank of India · India

Technical and privacy due-diligence audit of digital lending apps and service providers.

Read the guide →
RBI Co-operative Bank Cyber Security Framework
Reserve Bank of India · India

Basic and Comprehensive (graded) cyber security framework audit for UCBs.

Read the guide →
RBI IT Outsourcing Directions Audit
Reserve Bank of India · India

Audit of IT outsourcing, cloud and supply-chain risk for RBI-regulated entities.

Read the guide →
RBI Fraud Risk Management Audit
Reserve Bank of India · India

Audit of fraud governance, monitoring and reporting technology for REs.

Read the guide →
RBI KYC / V-CIP Technology Audit
Reserve Bank of India · India

Audit of KYC and Video-based Customer Identification Process technology controls.

Read the guide →
NPCI Product Security Audits (IMPS, RuPay, AePS, NACH, NFS, FASTag, CTS)
NPCI · India

Security audits across NPCI’s payment products beyond UPI.

Read the guide →
SEBI Stock Broker & MII System Audit
SEBI · India

System audits for stock brokers, clearing members and market infrastructure institutions.

Read the guide →
CERT-In Comprehensive Cyber Security Audit
CERT-In, MeitY · India

Cyber security audit under CERT-In’s 2025 audit policy guidelines.

Read the guide →
STQC IT Testing & Certification
STQC, MeitY · India

Government testing and certification for IT products, e-governance and security.

Read the guide →
TEC MTCTE (Telecom Equipment)
TEC / DoT · India

Mandatory Testing and Certification of Telecom Equipment, including security.

Read the guide →
NCIIPC Critical Information Infrastructure Audit
NCIIPC · India

Protection and audit of Critical Information Infrastructure in India.

Read the guide →
CCA / eSign / Digital Signature Audit
CCA (MeitY) · India

Audit of Certifying Authorities, eSign and digital-signature ecosystems.

Read the guide →
GIGW & Web Accessibility (WCAG) Audit
MeitY / W3C · India / Global

Government website guidelines and web accessibility compliance audit.

Read the guide →
ABDM / Health Data Security Audit
National Health Authority · India

Security and privacy audit for the Ayushman Bharat Digital Mission ecosystem.

Read the guide →
CEA Power-Sector Cyber Security
Central Electricity Authority · India

Cyber security in the power/electricity sector under CEA regulations.

Read the guide →

Regional & national frameworks

SAMA Cyber Security Framework
Saudi Central Bank (SAMA) · Saudi Arabia

Mandatory cyber security framework for financial institutions in Saudi Arabia.

Read the guide →
Saudi NCA Essential Cybersecurity Controls (ECC)
National Cybersecurity Authority (Saudi Arabia) · Saudi Arabia

Saudi Arabia’s mandatory Essential Cybersecurity Controls for national entities.

Read the guide →
UAE Information Assurance (NESA / SIA)
UAE Cybersecurity Council / SIA · United Arab Emirates

The UAE’s Information Assurance standards for government and critical entities.

Read the guide →
Qatar National Information Assurance (NIA)
Qatar (NCSA) · Qatar

Qatar’s National Information Assurance standard for information security.

Read the guide →
MAS TRM (Singapore)
Monetary Authority of Singapore · Singapore

Technology Risk Management guidelines for Singapore financial institutions.

Read the guide →
APRA CPS 234 (Australia)
APRA (Australia) · Australia

Information security prudential standard for APRA-regulated entities.

Read the guide →
ASD Essential Eight (Australia)
Australian Signals Directorate (ACSC) · Australia

Eight prioritised mitigation strategies against cyber threats.

Read the guide →
Cyber Essentials (UK)
UK NCSC / IASME · United Kingdom

A UK government-backed certification for baseline cyber hygiene.

Read the guide →
DORA (Digital Operational Resilience Act)
European Union · EU

EU regulation on ICT and operational resilience for financial entities.

Read the guide →
NIS2 Directive
European Union · EU

EU directive raising cybersecurity for essential and important entities.

Read the guide →
EU AI Act
European Union · EU

Risk-tiered EU regulation governing AI systems and models.

Read the guide →
UK FCA Operational Resilience
FCA / PRA / Bank of England · UK

UK regulatory rules on operational resilience for financial firms.

Read the guide →
GLBA & FTC Safeguards Rule
US FTC · United States

US financial-privacy and information-safeguards requirements.

Read the guide →
NYDFS Part 500 Cybersecurity Regulation
NY Dept of Financial Services · United States

New York cybersecurity rules for financial-services companies.

Read the guide →
FFIEC Cybersecurity Assessment
FFIEC · United States

US banking regulators' cyber maturity and IT examination framework.

Read the guide →
NERC CIP (Critical Infrastructure Protection)
NERC · North America

Mandatory cyber standards for the North American bulk power system.

Read the guide →
FBI CJIS Security Policy
US FBI · United States

Security policy protecting US criminal-justice information.

Read the guide →
Canada OSFI B-13 (Technology & Cyber Risk)
OSFI (Canada) · Canada

Canadian guideline on technology and cyber risk for FRFIs.

Read the guide →
Korea ISMS-P
KISA (Korea) · South Korea

Korean certification for information security and privacy management.

Read the guide →
Japan ISMAP
Government of Japan · Japan

Japanese assessment program for government cloud services.

Read the guide →
China PIPL / Cybersecurity Law / MLPS
PRC Government · China

China's data-protection, cybersecurity and grading regime.

Read the guide →
Australia ISM & IRAP
ASD / ACSC (Australia) · Australia

Australian government security manual and assessor program.

Read the guide →
Payments & cardsInformation securityData privacyIndia regulatoryTesting & assurance

Payments & cards

PCI DSS

PCI Security Standards Council

The Payment Card Industry Data Security Standard (currently v4.0.1) — the global standard for organisations that store, process or transmit cardholder data.

Official documents
CyberSigma resources

PCI PIN & P2PE

PCI Security Standards Council

Requirements for the secure management of PINs and the encryption of account data from point of interaction to decryption.

Official documents
CyberSigma resources

SWIFT CSP / CSCF

SWIFT

The Customer Security Programme and its Customer Security Controls Framework — mandatory and advisory controls for institutions on the SWIFT network.

Official documents
CyberSigma resources

Information security

ISO/IEC 27001 & 27002

ISO / IEC

ISO/IEC 27001:2022 specifies the requirements for an Information Security Management System (ISMS); ISO/IEC 27002:2022 provides the Annex A control guidance.

Official documents
CyberSigma resources

SOC 1 / SOC 2 / SOC 3

AICPA

System and Organization Controls reports based on the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).

Official documents
CyberSigma resources

NIST CSF & SP 800-53

NIST

The NIST Cybersecurity Framework (CSF 2.0) and Special Publication 800-53 control catalog — widely used voluntary frameworks for managing cyber risk.

Official documents
CyberSigma resources

Data privacy

DPDP Act, 2023 (India)

MeitY, Government of India

India’s Digital Personal Data Protection Act, 2023 and its draft Rules — obligations for data fiduciaries handling the personal data of Indian data principals.

Official documents
CyberSigma resources

GDPR (EU)

European Union

The EU General Data Protection Regulation — the benchmark privacy regulation for processing the personal data of individuals in the EU/EEA.

Official documents
CyberSigma resources

HIPAA (US)

US Dept. of Health & Human Services

The Health Insurance Portability and Accountability Act — Security, Privacy and Breach Notification Rules for protected health information (PHI).

Official documents
CyberSigma resources

India regulatory

RBI Cyber Security Framework

Reserve Bank of India

RBI Master Directions and circulars on cyber security for banks, NBFCs, payment system operators and co-operative banks, plus data-localisation requirements.

Official documents
CyberSigma resources

SEBI CSCRF

Securities and Exchange Board of India

SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities in the securities market.

Official documents
CyberSigma resources

IRDAI Cyber Security

Insurance Regulatory & Development Authority

IRDAI’s information and cyber security guidelines for insurers and insurance intermediaries.

Official documents
CyberSigma resources

UIDAI / Aadhaar (AUA-KUA)

UIDAI

Security and audit requirements for Authentication User Agencies and KYC User Agencies operating within the Aadhaar ecosystem.

Official documents
CyberSigma resources

CERT-In Directions

CERT-In, MeitY

CERT-In’s directions on cyber-incident reporting, log retention and security practices — and the empanelment framework CyberSigma is authorised under.

Official documents
CyberSigma resources

Testing & assurance

VAPT & OWASP

OWASP / CERT-In

Vulnerability Assessment & Penetration Testing aligned to OWASP (Top 10, Testing Guide, ASVS, MASVS) and CERT-In requirements — across web, API, mobile, cloud, thick-client, network, LLM and IoT.

Official documents
CyberSigma resources

Third-party risk & assurance

Various

Vendor/third-party risk management, IT general controls (ITGC), security architecture review and firewall/configuration assurance.

Official documents
CyberSigma resources

Official document links point to the issuing bodies; CyberSigma is not affiliated with them. Need help applying a standard?

Talk to a senior auditor →