In-depth framework guides
Full explainers for each standard — what it is, who needs it, key requirements, how to comply and FAQs.
Security frameworks
A voluntary, outcome-based framework for managing and reducing cybersecurity risk.
Read the guide →A comprehensive catalog of security and privacy controls for information systems.
Read the guide →A governance and management framework for enterprise information and technology.
Read the guide →A prioritised set of 18 safeguards that stop the most common attacks.
Read the guide →A knowledge base of real-world adversary tactics and techniques.
Read the guide →The most dangerous and common software weaknesses developers must avoid.
Read the guide →The standard awareness document for the most critical web application risks.
Read the guide →A business-driven framework and methodology for enterprise security architecture.
Read the guide →The Cloud Controls Matrix and STAR programme for cloud security assurance.
Read the guide →The leading enterprise architecture framework and method (ADM).
Read the guide →Protecting Controlled Unclassified Information (CUI) in non-federal systems.
Read the guide →The standard for cybersecurity of industrial automation and control systems.
Read the guide →A security model of "never trust, always verify" for modern architectures.
Read the guide →A knowledge base of defensive countermeasures mapped to ATT&CK.
Read the guide →A detailed, testable standard for verifying application security.
Read the guide →The leading framework for internal control and enterprise risk management.
Read the guide →A knowledge base of adversarial threats to AI and machine-learning systems.
Read the guide →The most critical security risks to APIs.
Read the guide →Guidance for managing information security risk.
Read the guide →The standard for information security incident management.
Read the guide →ICT readiness for business continuity.
Read the guide →Standards for vulnerability disclosure and handling.
Read the guide →Secure software development practices (SP 800-218).
Read the guide →Digital identity guidelines — identity proofing, authentication and federation.
Read the guide →Voluntary framework to manage risks of AI systems.
Read the guide →CSA control matrix for securing and governing AI systems.
Read the guide →Harmonised cybersecurity profile for the financial sector.
Read the guide →Metaframework mapping controls across 100+ authorities.
Read the guide →Cyber supply-chain risk management practices for systems.
Read the guide →Guide to securing operational technology and control systems.
Read the guide →CSF profile to prevent, detect and recover from ransomware.
Read the guide →Maturity model to evaluate and improve cyber capabilities.
Read the guide →Security standard for systems that use cryptocurrencies.
Read the guide →Certifications & attestations
Capability Maturity Model Integration — a model for building repeatable, measurable, continually improving organisational capability.
Read the guide →The international standard for an Information Security Management System (ISMS).
Read the guide →An attestation report on controls relevant to security, availability and privacy.
Read the guide →The security standard for organisations that handle payment card data.
Read the guide →SWIFT’s Customer Security Controls Framework for institutions on the SWIFT network.
Read the guide →Standards for secure PIN management and point-to-point encryption of card data.
Read the guide →A certifiable security framework that harmonises HIPAA, ISO, NIST, PCI and more.
Read the guide →Cybersecurity Maturity Model Certification for the US defense supply chain.
Read the guide →The US government authorisation programme for cloud services.
Read the guide →The international standard for business continuity management systems (BCMS).
Read the guide →Cloud-specific information security controls extending ISO 27002.
Read the guide →The management-system standard for artificial intelligence (AIMS).
Read the guide →The international standard for an IT service management system (SMS).
Read the guide →The international standard for a quality management system (QMS).
Read the guide →IT general controls supporting Sarbanes-Oxley financial-reporting compliance.
Read the guide →The information-security assessment standard for the automotive industry.
Read the guide →International product security evaluation and certification.
Read the guide →Validation of cryptographic modules to US federal standards.
Read the guide →PCI standards for payment software security and 3-D Secure.
Read the guide →Cybersecurity engineering for road vehicles.
Read the guide →Cybersecurity for medical devices across the product lifecycle.
Read the guide →German catalogue of cloud security controls attested by auditors.
Read the guide →Management system for security of the supply chain.
Read the guide →Health-sector application of ISO 27002 controls.
Read the guide →Data privacy laws
The EU regulation governing the processing of personal data.
Read the guide →US law protecting the privacy and security of protected health information (PHI).
Read the guide →A privacy extension (PIMS) to ISO 27001 for managing personal data.
Read the guide →California’s consumer privacy law and its CPRA amendments.
Read the guide →Protection of personal data (PII) in public cloud services.
Read the guide →Brazil’s General Data Protection Law for personal data.
Read the guide →South Africa’s Protection of Personal Information Act.
Read the guide →Singapore’s Personal Data Protection Act.
Read the guide →Canada’s federal private-sector privacy law.
Read the guide →Transatlantic mechanism for lawful personal-data transfers.
Read the guide →India regulatory
India’s data-protection law governing the personal data of data principals.
Read the guide →Baseline cyber security and resilience controls mandated by RBI for banks.
Read the guide →RBI’s master direction on securing internet, mobile and card digital payment channels.
Read the guide →RBI’s master direction on IT governance, risk, controls and IS assurance practices.
Read the guide →Authorisation and security requirements for payment aggregators and payment gateways.
Read the guide →Rules for issuing and operating prepaid payment instruments (wallets, cards).
Read the guide →Annual system audit and payment-data localisation assurance for payment system operators.
Read the guide →Security audit requirements for UPI Third-Party Application Providers and PSP banks.
Read the guide →System audit requirements for BBPS operating units in the bill-payment ecosystem.
Read the guide →SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities.
Read the guide →Information and cyber security guidelines for insurers and intermediaries.
Read the guide →Security and audit requirements for entities in the Aadhaar authentication ecosystem.
Read the guide →CERT-In’s directions on incident reporting, log retention and security practices.
Read the guide →The consent-based financial-data-sharing framework in India.
Read the guide →RBI’s IT governance, security and audit expectations for NBFCs.
Read the guide →Information and cyber security audit for the pension (NPS) ecosystem.
Read the guide →Cyber security and resilience audit for regulated entities in GIFT IFSC.
Read the guide →Information systems and cyber security audit for housing finance companies.
Read the guide →Technical and privacy due-diligence audit of digital lending apps and service providers.
Read the guide →Basic and Comprehensive (graded) cyber security framework audit for UCBs.
Read the guide →Audit of IT outsourcing, cloud and supply-chain risk for RBI-regulated entities.
Read the guide →Audit of fraud governance, monitoring and reporting technology for REs.
Read the guide →Audit of KYC and Video-based Customer Identification Process technology controls.
Read the guide →Security audits across NPCI’s payment products beyond UPI.
Read the guide →System audits for stock brokers, clearing members and market infrastructure institutions.
Read the guide →Cyber security audit under CERT-In’s 2025 audit policy guidelines.
Read the guide →Government testing and certification for IT products, e-governance and security.
Read the guide →Mandatory Testing and Certification of Telecom Equipment, including security.
Read the guide →Protection and audit of Critical Information Infrastructure in India.
Read the guide →Audit of Certifying Authorities, eSign and digital-signature ecosystems.
Read the guide →Government website guidelines and web accessibility compliance audit.
Read the guide →Security and privacy audit for the Ayushman Bharat Digital Mission ecosystem.
Read the guide →Cyber security in the power/electricity sector under CEA regulations.
Read the guide →Regional & national frameworks
Mandatory cyber security framework for financial institutions in Saudi Arabia.
Read the guide →Saudi Arabia’s mandatory Essential Cybersecurity Controls for national entities.
Read the guide →The UAE’s Information Assurance standards for government and critical entities.
Read the guide →Qatar’s National Information Assurance standard for information security.
Read the guide →Technology Risk Management guidelines for Singapore financial institutions.
Read the guide →Information security prudential standard for APRA-regulated entities.
Read the guide →Eight prioritised mitigation strategies against cyber threats.
Read the guide →A UK government-backed certification for baseline cyber hygiene.
Read the guide →EU regulation on ICT and operational resilience for financial entities.
Read the guide →EU directive raising cybersecurity for essential and important entities.
Read the guide →Risk-tiered EU regulation governing AI systems and models.
Read the guide →UK regulatory rules on operational resilience for financial firms.
Read the guide →US financial-privacy and information-safeguards requirements.
Read the guide →New York cybersecurity rules for financial-services companies.
Read the guide →US banking regulators' cyber maturity and IT examination framework.
Read the guide →Mandatory cyber standards for the North American bulk power system.
Read the guide →Security policy protecting US criminal-justice information.
Read the guide →Canadian guideline on technology and cyber risk for FRFIs.
Read the guide →Korean certification for information security and privacy management.
Read the guide →Japanese assessment program for government cloud services.
Read the guide →China's data-protection, cybersecurity and grading regime.
Read the guide →Australian government security manual and assessor program.
Read the guide →Payments & cards
PCI DSS
The Payment Card Industry Data Security Standard (currently v4.0.1) — the global standard for organisations that store, process or transmit cardholder data.
PCI PIN & P2PE
Requirements for the secure management of PINs and the encryption of account data from point of interaction to decryption.
SWIFT CSP / CSCF
The Customer Security Programme and its Customer Security Controls Framework — mandatory and advisory controls for institutions on the SWIFT network.
Information security
ISO/IEC 27001 & 27002
ISO/IEC 27001:2022 specifies the requirements for an Information Security Management System (ISMS); ISO/IEC 27002:2022 provides the Annex A control guidance.
SOC 1 / SOC 2 / SOC 3
System and Organization Controls reports based on the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).
NIST CSF & SP 800-53
The NIST Cybersecurity Framework (CSF 2.0) and Special Publication 800-53 control catalog — widely used voluntary frameworks for managing cyber risk.
- ↗ NIST CSF 2.0 — full standard (PDF)
- ↗ NIST SP 800-53 Rev. 5 — control catalog (PDF)
- ↗ NIST Cybersecurity Framework portal
Data privacy
DPDP Act, 2023 (India)
India’s Digital Personal Data Protection Act, 2023 and its draft Rules — obligations for data fiduciaries handling the personal data of Indian data principals.
GDPR (EU)
The EU General Data Protection Regulation — the benchmark privacy regulation for processing the personal data of individuals in the EU/EEA.
HIPAA (US)
The Health Insurance Portability and Accountability Act — Security, Privacy and Breach Notification Rules for protected health information (PHI).
India regulatory
RBI Cyber Security Framework
RBI Master Directions and circulars on cyber security for banks, NBFCs, payment system operators and co-operative banks, plus data-localisation requirements.
SEBI CSCRF
SEBI’s Cyber Security and Cyber Resilience Framework for regulated entities in the securities market.
IRDAI Cyber Security
IRDAI’s information and cyber security guidelines for insurers and insurance intermediaries.
UIDAI / Aadhaar (AUA-KUA)
Security and audit requirements for Authentication User Agencies and KYC User Agencies operating within the Aadhaar ecosystem.
CERT-In Directions
CERT-In’s directions on cyber-incident reporting, log retention and security practices — and the empanelment framework CyberSigma is authorised under.
- ↗ CERT-In Directions under 70B, Apr 2022 (PDF)
- ↗ CERT-In (official)
- ↗ CERT-In empanelled organizations (PDF)
Testing & assurance
VAPT & OWASP
Vulnerability Assessment & Penetration Testing aligned to OWASP (Top 10, Testing Guide, ASVS, MASVS) and CERT-In requirements — across web, API, mobile, cloud, thick-client, network, LLM and IoT.
Third-party risk & assurance
Vendor/third-party risk management, IT general controls (ITGC), security architecture review and firewall/configuration assurance.
Official document links point to the issuing bodies; CyberSigma is not affiliated with them. Need help applying a standard?
Talk to a senior auditor →