01 / Decision Tree
Answer a few questions, get personalized compliance framework recommendations.
Choosing the right compliance framework depends on your industry, your customers, the data you handle, and the governments and regulators you answer to. This tool walks you through a short series of questions and maps your answers to the security and compliance frameworks most relevant to your organization, from SOC 2 and ISO 27001 to HIPAA, PCI DSS, CMMC, and emerging AI governance standards.
The full set of questions and every possible recommendation is listed below for reference. Use the interactive tool above for a guided, personalized path, or read through the questions and the framework matrix directly.
The table below summarizes the core framework recommendation for each industry scenario. Additional cross-cutting frameworks may be recommended on top of these based on your AI/ML usage and the international governments you work with.
| Industry | Scenario | Recommended framework(s) |
|---|---|---|
| SaaS / Technology and other industries | Yes, US customers | SOC 2 |
| SaaS / Technology and other industries | Yes, international customers | ISO 27001 |
| SaaS / Technology and other industries | Yes, both US and international | SOC 2 + ISO 27001 |
| SaaS / Technology and other industries | Not yet, but planning to sell to enterprise | SOC 2 |
| Healthcare / Medical Devices | We handle PHI as a covered entity | HIPAA + HITRUST |
| Healthcare / Medical Devices | We handle PHI as a business associate | HIPAA |
| Healthcare / Medical Devices | We build medical devices or SaMD | FDA Cybersecurity + HIPAA |
| Healthcare / Medical Devices | PHI + need to demonstrate compliance to partners | HIPAA + HITRUST + SOC 2 |
| Financial Services / FinTech | We process payment card data | PCI DSS |
| Financial Services / FinTech | We are publicly traded or preparing for IPO (SOX) | SOX |
| Financial Services / FinTech | Payment cards + broader security certification | PCI DSS + SOC 2 |
| Financial Services / FinTech | Financial data but no card processing or SOX | SOC 2 |
| Defense / Government | FCI only (Federal Contract Information) | CMMC Level 1 |
| Defense / Government | CUI (Controlled Unclassified Information) | CMMC Level 2 |
| Defense / Government | CUI + critical programs | CMMC Level 3 |
| Defense / Government | Subcontractor to a prime | CMMC Level 2 |
Regardless of your industry, these frameworks may apply based on the specific data you process and the markets you serve.
| If this applies to you | Framework(s) added |
|---|---|
| You develop, deploy, or procure AI/ML systems | NIST AI RMF + ISO 42001 |
| You sell to or work with the Australian government | IRAP |
| You provide cloud services to the Singapore government | ISMAP |
| You work with Spanish or EU government agencies | ENS |
| You process personal data of individuals in India | India DPDP |
| Any of the above frameworks (validation of controls) | Penetration Testing |
Service Organization Control Type 2, the gold standard for demonstrating security controls to US enterprise customers. Covers trust service criteria including security, availability, and confidentiality.
The international standard for information security management systems (ISMS). Recognized globally with over 70,000 certified organizations worldwide.
The Health Insurance Portability and Accountability Act sets national standards for protecting sensitive patient health information from disclosure.
The HITRUST Common Security Framework (CSF) provides a certifiable framework that harmonizes healthcare regulations with ISO, NIST, and PCI standards.
The Payment Card Industry Data Security Standard protects cardholder data through a set of security controls required by all organizations that handle credit card transactions.
Sarbanes-Oxley Act Section 404 requires IT General Controls over financial reporting systems. Applies to publicly traded companies and their service providers.
FDA premarket cybersecurity requirements under Section 524B of the FD&C Act. Mandatory for all cyber devices submitted for 510(k), PMA, or De Novo review since October 2023.
Cybersecurity Maturity Model Certification Level 1 covers 15 basic safeguarding practices for Federal Contract Information (FCI). Self-assessment based.
CMMC Level 2 requires implementation of 110 NIST SP 800-171 practices to protect Controlled Unclassified Information (CUI). Requires third-party assessment.
CMMC Level 3 adds 24 enhanced security requirements from NIST SP 800-172 for critical programs. Requires government-led assessment.
The international standard for AI management systems (AIMS). Provides a framework for organizations developing, providing, or using AI systems to manage risks and demonstrate responsible AI governance.
The NIST AI Risk Management Framework helps organizations design, develop, deploy, and use AI systems in a trustworthy and responsible manner. Covers governance, mapping, measuring, and managing AI risks.
The Information Security Registered Assessors Program (IRAP) is the Australian government's framework for assessing ICT security. Required for organizations providing services to Australian government agencies.
The Information System Security Management and Assessment Program (ISMAP) is Japan and Singapore's cloud security assessment framework for government procurement. Required for cloud service providers selling to the Singapore government.
The Esquema Nacional de Seguridad (National Security Framework) is Spain's mandatory security framework for organizations working with Spanish public sector entities and EU government agencies.
The Digital Personal Data Protection Act 2023 establishes India's comprehensive data protection regime, governing the processing of personal data of individuals in India with significant penalties for non-compliance.
Validates your security controls through real-world attack simulation. Required by PCI DSS (Req 11.4), CMMC (CA.L2-3.12.1), and HITRUST. Strongly recommended for SOC 2, ISO 27001, and HIPAA compliance.