[{"data":1,"prerenderedAt":8080},["ShallowReactive",2],{"\u002Fframeworks\u002Fdora":3,"framework-hub-topics-dora":228,"related-articles-dora":229,"related-glossary-dora":230,"related-frameworks-dora":231},{"id":4,"title":5,"advantages":6,"body":28,"checklist":149,"cta":159,"description":141,"extension":162,"faq":163,"hero":177,"lastUpdated":193,"meta":194,"name":195,"navigation":196,"path":197,"resources":198,"seo":212,"slug":215,"stats":216,"stem":226,"__hash__":227},"frameworks\u002F5.frameworks\u002Fdora.md","Dora",[7,14,21],{"title":8,"description":9,"bullets":10},"ICT risk management framework","The governance, controls, and continuity expected of an in-scope financial entity.",[11,12,13],"ICT risk register tied to control treatments","Business continuity and ICT response plans","Management-body accountability and oversight",{"title":15,"description":16,"bullets":17},"Incident reporting and testing","Classify ICT incidents, hit the reporting windows, and track resilience testing.",[18,19,20],"Incident classification and reporting timers","Major-incident notifications to the competent authority","Resilience testing, including TLPT where required",{"title":22,"description":23,"bullets":24},"ICT third-party risk","The Register of Information and contractual controls DORA requires.",[25,26,27],"Register of Information on ICT providers","Contractual requirements and concentration risk","Reuse of vendor evidence across frameworks",{"type":29,"value":30,"toc":140},"minimark",[31,36,49,53,64,68,106,110,123,127],[32,33,35],"h2",{"id":34},"what-is-dora","What is DORA?",[37,38,39,40,44,45,48],"p",{},"The ",[41,42,43],"strong",{},"Digital Operational Resilience Act — Regulation (EU) 2022\u002F2554"," — is an EU regulation that harmonizes how financial entities manage the resilience of the information and communication technology (ICT) they depend on. 
It has been ",[41,46,47],{},"directly applicable across the EU since January 17, 2025",", and because it is a regulation rather than a directive, it applies as written with no national transposition. 2026 marks the first genuine supervisory enforcement cycle, with regulators signaling they will act on incident-reporting failures and gaps in the Register of Information.",[32,50,52],{"id":51},"who-must-comply","Who must comply",[37,54,55,56,59,60,63],{},"DORA covers roughly ",[41,57,58],{},"20 types of financial entities"," — banks, insurers and reinsurers, investment firms, payment and electronic-money institutions, crypto-asset service providers, trading venues, and fund managers among them. Critically, it also reaches ",[41,61,62],{},"critical ICT third-party service providers"," (such as major cloud and software vendors), which the European Supervisory Authorities can oversee directly.",[32,65,67],{"id":66},"the-five-pillars","The five pillars",[69,70,71,78,84,90,100],"ol",{},[72,73,74,77],"li",{},[41,75,76],{},"ICT risk management"," — a governance framework, controls, and continuity capabilities owned and overseen by the management body.",[72,79,80,83],{},[41,81,82],{},"ICT-related incident management"," — classify ICT incidents by severity and report major incidents to the competent authority within defined windows (initial, intermediate, and final reports).",[72,85,86,89],{},[41,87,88],{},"Digital operational resilience testing"," — a testing program that, for significant entities, includes threat-led penetration testing (TLPT).",[72,91,92,95,96,99],{},[41,93,94],{},"ICT third-party risk management"," — maintain a ",[41,97,98],{},"Register of Information"," on all ICT third-party arrangements, impose contractual requirements, and manage concentration risk.",[72,101,102,105],{},[41,103,104],{},"Information and intelligence sharing"," — voluntary arrangements to share cyber threat information among financial 
entities.",[32,107,109],{"id":108},"how-dora-relates-to-nis2","How DORA relates to NIS2",[37,111,112,113,116,117,122],{},"For financial entities, DORA is ",[41,114,115],{},"lex specialis",": where DORA and the broader ",[118,119,121],"a",{"href":120},"\u002Fframeworks\u002Fnis2","NIS2"," Directive overlap, DORA's ICT-specific requirements take precedence. In practice, in-scope financial firms run their ICT resilience program to DORA.",[32,124,126],{"id":125},"how-episki-helps","How episki helps",[37,128,129,130,134,135,139],{},"episki implements DORA as living controls: an ICT risk register, incident classification with reporting timers, the Register of Information on your ICT providers, and resilience-testing tracking. Because the same vendor and security evidence maps to ",[118,131,133],{"href":132},"\u002Fframeworks\u002Fiso27001","ISO 27001"," and ",[118,136,138],{"href":137},"\u002Fframeworks\u002Fsoc2","SOC 2",", your DORA program reuses work you already do instead of standing up a parallel one.",{"title":141,"searchDepth":142,"depth":142,"links":143},"",2,[144,145,146,147,148],{"id":34,"depth":142,"text":35},{"id":51,"depth":142,"text":52},{"id":66,"depth":142,"text":67},{"id":108,"depth":142,"text":109},{"id":125,"depth":142,"text":126},{"title":150,"description":151,"items":152},"DORA readiness inside episki","What an in-scope financial entity needs in place.",[153,154,155,156,157,158],"ICT risk management framework and policies","ICT asset and dependency inventory","Incident classification and reporting workflow","Register of Information on ICT third-party arrangements","Digital operational resilience testing program (incl. 
TLPT)","Business continuity and ICT response and recovery plans",{"title":160,"description":161},"Build a DORA program in episki","Stand up ICT risk, incident reporting, and the Register of Information — and reuse the evidence across ISO 27001 and SOC 2.","md",{"title":164,"items":165},"DORA frequently asked questions",[166,168,171,174],{"label":35,"content":167},"The Digital Operational Resilience Act (Regulation (EU) 2022\u002F2554) is an EU regulation that sets uniform requirements for the security and operational resilience of the information and communication technology (ICT) that financial entities rely on. It has applied directly across all EU Member States since January 17, 2025 — as a regulation, it needs no national transposition.",{"label":169,"content":170},"Who must comply?","DORA applies to around 20 types of financial entities — banks, insurers and reinsurers, investment firms, payment and electronic-money institutions, crypto-asset service providers, fund managers, and more — as well as to critical ICT third-party service providers, which fall under direct oversight by the European Supervisory Authorities.",{"label":172,"content":173},"What are the five pillars?","DORA is organized into five areas: ICT risk management; ICT-related incident management, classification, and reporting; digital operational resilience testing (including threat-led penetration testing for significant entities); ICT third-party risk management (including the Register of Information); and information- and intelligence-sharing arrangements.",{"label":175,"content":176},"How does DORA relate to NIS2?","For financial entities, DORA acts as lex specialis — it takes precedence over the more general NIS2 Directive in the areas it specifically regulates, so in-scope financial firms generally follow DORA's ICT requirements rather than NIS2's.",{"headline":178,"title":179,"description":180,"links":181},"Digital operational resilience, in one place","Comply with the EU DORA 
regulation","ICT risk management, incident classification and reporting timers, the Register of Information, and ICT third-party risk — implemented as living controls for financial entities and their ICT providers.",[182,186],{"label":183,"icon":184,"to":185},"Start free trial","i-lucide-rocket","https:\u002F\u002Fapp.episki.com\u002Fauth\u002Fregister",{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},"Book a demo","i-lucide-message-circle","neutral","subtle","\u002Fdemo","_blank","2026-06-13",{},"DORA",true,"\u002Fframeworks\u002Fdora",{"headline":199,"title":200,"description":201,"items":202},"DORA accelerators","DORA readiness accelerators","Stand up a defensible resilience program and survive the first supervisory cycle.",[203,206,209],{"title":204,"description":205},"Register of Information builder","Maintain the DORA Register of Information on your ICT third-party arrangements.",{"title":207,"description":208},"Incident reporting timers","Classify ICT incidents and track the initial, intermediate, and final report windows.",{"title":210,"description":211},"Third-party risk crosswalk","Reuse vendor due-diligence evidence across DORA, ISO 27001, and SOC 2.",{"title":213,"description":214},"DORA Compliance Software","Meet the EU Digital Operational Resilience Act (Regulation 2022\u002F2554) — ICT risk management, incident reporting, resilience testing, the Register of Information, and third-party risk in one workspace.","dora",[217,220,223],{"value":218,"description":219},"5 pillars","ICT risk, incident reporting, resilience testing, third-party risk, and info sharing.",{"value":221,"description":222},"Register of Info","A maintained Register of Information on ICT third-party arrangements.",{"value":224,"description":225},"In force","Directly applicable across the EU since January 17, 2025 — no transposition 
needed.","5.frameworks\u002Fdora","wGQJ2f7moAg4zuIk6Z6cdLGx6hKzFNhGopakBWGX95w",[],[],[],[232,356,572,1081,1256,1446,1545,1756,1882,2057,2179,2374,2960,3081,3245,3741,3900,4044,4169,4286,4459,4624,4751,4867,5038,5660,5898,6413,6584,6754,6874,7474,7634,7764,7922],{"id":233,"title":234,"advantages":235,"body":257,"checklist":286,"cta":296,"description":141,"extension":162,"faq":299,"hero":315,"lastUpdated":322,"meta":323,"name":324,"navigation":196,"path":325,"resources":326,"seo":340,"slug":343,"stats":344,"stem":354,"__hash__":355},"frameworks\u002F5.frameworks\u002Fccpa.md","Ccpa",[236,243,250],{"title":237,"description":238,"bullets":239},"DSAR intake and fulfillment","Consumers submit requests through your trust portal; you fulfill them on the platform.",[240,241,242],"Right to know, delete, correct, opt-out, limit","Identity verification flows","45-day SLA timers with extension workflow",{"title":244,"description":245,"bullets":246},"Sale \u002F share \u002F SPI controls","CCPA opt-out of sale; CPRA opt-out of sharing for cross-context behavioral advertising; SPI use-limitation.",[247,248,249],"GPC signal honored","Do Not Sell or Share My Personal Information","Sensitive PI use-limitation log",{"title":251,"description":252,"bullets":253},"Mapped to GDPR and ISO 27701","Most CCPA\u002FCPRA obligations have GDPR analogues. Reuse the work.",[254,255,256],"DSAR types crosswalked to GDPR rights","SPI categories mapped to GDPR special-category data","ISO 27701 control mapping",{"type":29,"value":258,"toc":281},[259,263,266,269,273,276,278],[32,260,262],{"id":261},"what-is-ccpa-cpra","What is CCPA \u002F CPRA?",[37,264,265],{},"The California Consumer Privacy Act (CCPA) was the first comprehensive US state privacy law, taking effect January 1, 2020. 
It was substantially amended by the California Privacy Rights Act (CPRA) — passed by ballot initiative in 2020 and effective January 1, 2023 — which established the California Privacy Protection Agency (CPPA), created the new category of Sensitive Personal Information (SPI), added a right to correction, and broadened \"sale\" opt-outs to \"sale or share\" opt-outs.",[37,267,268],{},"The combined CCPA\u002FCPRA gives California consumers a set of rights resembling but not identical to GDPR: the right to know what personal information is collected, the right to delete it, the right to correct it, the right to opt out of sale or sharing, the right to limit the use of SPI, and the right to non-discrimination for exercising rights.",[32,270,272],{"id":271},"who-is-subject","Who is subject",[37,274,275],{},"For-profit businesses doing business in California that meet at least one threshold: $25M+ annual gross revenue, processing personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling or sharing personal information. The law also creates obligations for service providers and contractors processing personal information on behalf of businesses.",[32,277,126],{"id":125},[37,279,280],{},"Most organizations subject to CCPA\u002FCPRA are also subject to GDPR (and increasingly to a growing set of other US state laws: VCDPA, CPA, CTDPA, UCPA, TIPA, and so on). 
episki treats privacy as a single program with a single set of artifacts that satisfy multiple laws — DSAR intake, opt-out workflows, inventories, retention — rather than parallel California and EU programs.",{"title":141,"searchDepth":142,"depth":142,"links":282},[283,284,285],{"id":261,"depth":142,"text":262},{"id":271,"depth":142,"text":272},{"id":125,"depth":142,"text":126},{"title":287,"description":288,"items":289},"CCPA \u002F CPRA readiness inside episki","From notice at collection to fulfilling the right to delete.",[290,291,292,293,294,295],"Personal Information inventory (categories collected, sources, purposes)","Notice at collection language and triggers","DSAR intake portal with verification","Opt-out of sale\u002Fshare workflows (including GPC)","Sensitive PI use-limitation requests","12-month look-back for \"right to know\" requests",{"title":297,"description":298},"Operationalize CCPA \u002F CPRA in episki","Add California to your privacy program without spinning up a parallel system.",{"title":300,"items":301},"CCPA \u002F CPRA frequently asked questions",[302,305,309,312],{"label":303,"content":304},"What's the difference between CCPA and CPRA?","CCPA (California Consumer Privacy Act) was the original 2018 law. CPRA (California Privacy Rights Act, effective 2023) substantially amended CCPA — establishing the California Privacy Protection Agency (CPPA), creating the category of Sensitive Personal Information (SPI), adding the right to correction, and replacing \"sale\" opt-outs with \"sale or share\" opt-outs.",{"label":306,"content":307},"Who is subject to CCPA\u002FCPRA?",{"For-profit businesses doing business in California that meet at least one of":308},"(a) $25M+ annual gross revenue, (b) process personal information of 100,000+ consumers or households, or (c) derive 50%+ of revenue from selling\u002Fsharing personal information. 
The CPRA also creates obligations for service providers and contractors.",{"label":310,"content":311},"What is the Global Privacy Control?","The Global Privacy Control (GPC) is a browser-level signal expressing the user's intent to opt out of the sale or sharing of their personal information. CPRA regulations require businesses to honor GPC as a valid opt-out request when received from a known consumer.",{"label":313,"content":314},"How fast must I respond to a DSAR?","45 days from receipt, with one 45-day extension available if reasonably necessary and the consumer is notified. Identity verification must be completed before substantive response.",{"headline":316,"title":317,"description":318,"links":319},"California privacy, operationalized","Meet CCPA and CPRA without a separate program","DSAR intake on your trust portal, GPC opt-out signal handling, sensitive personal information inventory, and use-limitation workflows — wired to the rest of your privacy program.",[320,321],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},"2026-05-22",{},"CCPA \u002F CPRA","\u002Fframeworks\u002Fccpa",{"headline":327,"title":328,"description":329,"items":330},"CCPA \u002F CPRA accelerators","California privacy accelerators","Stand up California compliance alongside your GDPR program.",[331,334,337],{"title":332,"description":333},"PI inventory template","Categories of PI, sources, purposes, and disclosures captured per processing activity.",{"title":335,"description":336},"DSAR fulfillment runbook","Step-by-step playbook for each consumer right.",{"title":338,"description":339},"GPC + opt-out implementation guide","Technical implementation guide for honoring GPC and surfacing the opt-out link.",{"title":341,"description":342},"CCPA \u002F CPRA Compliance Software","Operationalize California consumer-privacy obligations — DSAR fulfillment, opt-out signals (GPC), sensitive PI inventory, and CPRA 
workflows.","ccpa",[345,348,351],{"value":346,"description":347},"45-day","Standard DSAR fulfillment SLA tracked per request with extension workflow.",{"value":349,"description":350},"GPC","Global Privacy Control signal handling for opt-out of sale\u002Fsharing.",{"value":352,"description":353},"SPI","Sensitive Personal Information inventory and use-limitation tracking.","5.frameworks\u002Fccpa","aHDWEaIpwaeqYf2dOCeXAcKB_PHGQrCCS9pgyiqv2jY",{"id":357,"title":358,"advantages":359,"body":381,"checklist":507,"cta":517,"description":141,"extension":162,"faq":520,"hero":534,"lastUpdated":193,"meta":541,"name":542,"navigation":196,"path":543,"resources":544,"seo":558,"slug":561,"stats":562,"stem":570,"__hash__":571},"frameworks\u002F5.frameworks\u002Fcis-controls.md","Cis Controls",[360,367,374],{"title":361,"description":362,"bullets":363},"18 controls, 153 safeguards","The complete v8.1 catalog implemented as controls with mapped evidence.",[364,365,366],"Asset, software, and data management","Access control, MFA, and account management","Continuous vulnerability and log management",{"title":368,"description":369,"bullets":370},"Implementation Groups","Start with essential cyber hygiene and grow into deeper safeguards.",[371,372,373],"IG1 — 56 foundational safeguards","IG2 — added rigor for larger orgs","IG3 — mature, high-risk environments",{"title":375,"description":376,"bullets":377},"A baseline that maps everywhere","CIS safeguards cross-walk to your other frameworks for evidence reuse.",[378,379,380],"Crosswalk to NIST CSF 2.0","Crosswalk to ISO 27001 and SOC 2","A practical on-ramp to CMMC and PCI DSS",{"type":29,"value":382,"toc":500},[383,387,417,420,426,451,454,458,473,477,495,497],[32,384,386],{"id":385},"what-are-the-cis-controls","What are the CIS Controls?",[37,388,39,389,392,393,396,397,401,402,405,406,409,410,134,413,416],{},[41,390,391],{},"CIS Critical Security Controls"," are a prioritized, prescriptive set of cybersecurity best practices maintained 
by the ",[41,394,395],{},"Center for Internet Security (CIS)",". Where many frameworks tell you ",[398,399,400],"em",{},"what outcomes"," to achieve, the CIS Controls tell you ",[398,403,404],{},"what to do first"," — they are ordered by impact and grounded in real-world attack data from sources like MITRE ATT&CK and the Verizon Data Breach Investigations Report. The current version, ",[41,407,408],{},"CIS Controls v8.1 (released June 2024)",", defines ",[41,411,412],{},"18 controls",[41,414,415],{},"153 safeguards",".",[32,418,368],{"id":419},"implementation-groups",[37,421,422,423,425],{},"The CIS Controls are designed to be adopted incrementally through three ",[41,424,368],{},":",[427,428,429,439,445],"ul",{},[72,430,431,434,435,438],{},[41,432,433],{},"IG1"," — the ",[41,436,437],{},"56 foundational safeguards"," that constitute essential cyber hygiene. Every organization, regardless of size, should meet IG1 to defend against the most common attacks.",[72,440,441,444],{},[41,442,443],{},"IG2"," — additional safeguards for organizations that manage more sensitive data and operate more complex environments.",[72,446,447,450],{},[41,448,449],{},"IG3"," — the full set, for mature organizations in high-risk sectors facing sophisticated, targeted threats.",[37,452,453],{},"This tiering makes the CIS Controls one of the most practical starting points for a security program: a smaller organization can implement IG1 and demonstrably reduce risk without committing to a full enterprise framework on day one.",[32,455,457],{"id":456},"what-v81-changed","What v8.1 changed",[37,459,460,461,464,465,468,469,472],{},"Version 8.1 is a refinement rather than a rewrite. It adds alignment with ",[41,462,463],{},"NIST CSF 2.0"," — including the new ",[41,466,467],{},"Govern"," function — clarifies safeguard language, and refreshes mappings to other frameworks, all while keeping the familiar 18-control structure. 
(Note that the CIS Controls are distinct from the ",[41,470,471],{},"CIS Benchmarks",", which are system-specific configuration-hardening guides; the two are complementary.)",[32,474,476],{"id":475},"how-the-cis-controls-map-to-other-frameworks","How the CIS Controls map to other frameworks",[37,478,479,480,483,484,488,489,491,492,494],{},"Because the CIS Controls are prescriptive and well-mapped, they make an excellent ",[41,481,482],{},"baseline and crosswalk layer",". The safeguards align cleanly with ",[118,485,487],{"href":486},"\u002Fframeworks\u002Fnistcsf","NIST CSF",", ",[118,490,133],{"href":132}," Annex A, and the ",[118,493,138],{"href":137}," Trust Services Criteria, and they provide a practical on-ramp toward more prescriptive regimes like PCI DSS and CMMC.",[32,496,126],{"id":125},[37,498,499],{},"episki ships the full CIS Controls v8.1 catalog — all 18 controls and 153 safeguards — as living controls tagged by Implementation Group. Pick IG1, IG2, or IG3, assign owners, and collect evidence once; episki cross-maps each safeguard to your other frameworks so a single piece of evidence proves CIS, NIST CSF, ISO 27001, and SOC 2 at the same time.",{"title":141,"searchDepth":142,"depth":142,"links":501},[502,503,504,505,506],{"id":385,"depth":142,"text":386},{"id":419,"depth":142,"text":368},{"id":456,"depth":142,"text":457},{"id":475,"depth":142,"text":476},{"id":125,"depth":142,"text":126},{"title":508,"description":509,"items":510},"CIS Controls readiness inside episki","What a prioritized security program needs in place.",[511,512,513,514,515,516],"Implementation Group selection (IG1 \u002F IG2 \u002F IG3)","Enterprise asset and software inventory (Controls 1-2)","Data protection and secure configuration (Controls 3-4)","Account and access control management (Controls 5-6)","Continuous vulnerability and audit log management (Controls 7-8)","Crosswalks to NIST CSF, ISO 27001, and SOC 2",{"title":518,"description":519},"Build a CIS Controls program in 
episki","Implement the 18 controls once and reuse the evidence across NIST CSF, ISO 27001, and SOC 2.",{"title":521,"items":522},"CIS Controls frequently asked questions",[523,525,528,531],{"label":386,"content":524},"The CIS Critical Security Controls are a prioritized, prescriptive set of cybersecurity best practices maintained by the Center for Internet Security. The current version, CIS Controls v8.1 (released June 2024), organizes 153 safeguards across 18 controls, grounded in real-world attack data from sources such as MITRE ATT&CK and the Verizon DBIR.",{"label":526,"content":527},"What are Implementation Groups?","Implementation Groups (IG1, IG2, and IG3) let organizations prioritize by size, resources, and risk. IG1 is the 56-safeguard set of essential cyber hygiene that every organization should meet; IG2 adds safeguards for organizations managing more sensitive data; IG3 covers mature, high-risk environments facing sophisticated threats.",{"label":529,"content":530},"What changed in v8.1?","CIS Controls v8.1 is a refinement of v8. It adds alignment with NIST CSF 2.0 — including the new Govern function — updates and clarifies safeguard language, and refreshes the mappings to other frameworks, all without changing the overall 18-control structure.",{"label":532,"content":533},"Are CIS Controls the same as CIS Benchmarks?","No. The CIS Controls are a prioritized set of security actions for an organization. CIS Benchmarks are detailed, system-specific configuration-hardening guides (for operating systems, cloud services, and applications). 
The two are complementary — Benchmarks help you implement parts of the Controls.",{"headline":535,"title":536,"description":537,"links":538},"Prioritized security, by the numbers","Implement the CIS Critical Security Controls","All 18 CIS Controls and 153 safeguards as a living control library, scoped by Implementation Group, and cross-mapped to NIST CSF, ISO 27001, and SOC 2.",[539,540],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"CIS Controls","\u002Fframeworks\u002Fcis-controls",{"headline":545,"title":546,"description":547,"items":548},"CIS Controls accelerators","CIS Controls program accelerators","Turn a prioritized list into an operating security program.",[549,552,555],{"title":550,"description":551},"Implementation Group selector","Pick the right safeguard set for your size, resources, and risk profile.",{"title":553,"description":554},"Safeguard tracker","Owners, evidence, and status for each of the 153 safeguards.",{"title":556,"description":557},"NIST CSF \u002F ISO 27001 crosswalk","Reuse CIS evidence across your other frameworks automatically.",{"title":559,"description":560},"CIS Controls v8.1 Compliance Software","Implement the CIS Critical Security Controls v8.1 — 18 controls and 153 safeguards across Implementation Groups IG1-IG3 — mapped to NIST CSF, ISO 27001, and SOC 2.","cis-controls",[563,565,567],{"value":412,"description":564},"The full CIS Controls v8.1 catalog implemented as living episki controls.",{"value":415,"description":566},"Every safeguard tracked with evidence, owners, and Implementation Group.",{"value":568,"description":569},"IG1 \u002F IG2 \u002F IG3","Scope to the Implementation Group that matches your size and 
risk.","5.frameworks\u002Fcis-controls","1tNqH-nzegfyEfAd_VKJcs8dXlVQv5mARQb0vyl8McA",{"id":573,"title":574,"advantages":575,"body":597,"checklist":1010,"cta":1019,"description":141,"extension":162,"faq":1022,"hero":1040,"lastUpdated":1048,"meta":1049,"name":1050,"navigation":196,"path":1051,"resources":1052,"seo":1065,"slug":1068,"stats":1069,"stem":1079,"__hash__":1080},"frameworks\u002F5.frameworks\u002Fcmmc.md","Cmmc",[576,583,590],{"title":577,"description":578,"bullets":579},"NIST 800-171 control mapping","Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.",[580,581,582],"14 control families mapped to 110 security requirements","AI-drafted implementation narratives and testing procedures","Gap analysis highlights missing controls before your assessment",{"title":584,"description":585,"bullets":586},"Assessment preparation workspace","Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.",[587,588,589],"POA&M tracking with 180-day close-out reminders","Scoring methodology aligned to DoD assessment guide","Assessor portal with scoped read-only access",{"title":591,"description":592,"bullets":593},"Cross-framework reuse","Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.",[594,595,596],"Unified control graph eliminates duplicate documentation","Evidence collected once, reused across every framework","Framework coverage dashboard shows gaps at a glance",{"type":29,"value":598,"toc":992},[599,603,606,609,614,621,632,643,647,655,687,690,694,706,717,721,724,741,754,757,761,764,775,782,786,800,803,807,815,841,845,872,876,884,888,896,900,908,912,915,953,957,989],[32,600,602],{"id":601},"what-is-cmmc","What is CMMC?",[37,604,605],{},"The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately 
protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.",[37,607,608],{},"Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system. They self-attested. A 2018 DoD Inspector General report and the 2019 MITRE \"Deliver Uncompromised\" study both found the self-attestation model was failing — contractors claimed compliance they had not achieved, and nation-state adversaries were quietly stealing terabytes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.",[610,611,613],"h3",{"id":612},"cmmc-10-to-cmmc-20","CMMC 1.0 to CMMC 2.0",[37,615,616,617,620],{},"The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. It had ",[41,618,619],{},"five maturity levels",", added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. Cybersecurity teams argued that the custom CMMC practices and \"maturity processes\" diverged from established standards without clear security benefit.",[37,622,623,624,627,628,631],{},"In November 2021 the DoD announced ",[41,625,626],{},"CMMC 2.0",", a streamlined successor. CMMC 2.0 collapsed the five levels into ",[41,629,630],{},"three",", eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. 
It also re-introduced self-assessment as a compliant path for many contracts — a concession to cost that CMMC 1.0 did not allow.",[37,633,634,635,638,639,642],{},"The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on ",[41,636,637],{},"December 16, 2024",". The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on ",[41,640,641],{},"November 10, 2025"," — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about \"CMMC\" today, we mean CMMC 2.0 as enforced through DFARS.",[610,644,646],{"id":645},"the-three-cmmc-levels","The three CMMC levels",[37,648,649,650,654],{},"CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. ",[118,651,653],{"href":652},"\u002Fframeworks\u002Fcmmc\u002Flevels","See the full breakdown of CMMC levels"," for control counts, assessment types, and scoping rules.",[427,656,657,667,677],{},[72,658,659,662,663,666],{},[41,660,661],{},"Level 1 — Foundational."," Covers the basic safeguarding of Federal Contract Information (FCI). It requires 17 practices drawn directly from FAR 52.204-21. Any organization that processes FCI under a DoD contract must meet Level 1. It is verified through an ",[41,664,665],{},"annual self-assessment"," with a senior official affirming the results in the Supplier Performance Risk System (SPRS).",[72,668,669,672,673,676],{},[41,670,671],{},"Level 2 — Advanced."," Protects Controlled Unclassified Information (CUI). It requires all ",[41,674,675],{},"110 security requirements"," from NIST SP 800-171 Rev 2 across 14 control families. Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. 
Level 2 is where most defense contractors will land.",[72,678,679,682,683,686],{},[41,680,681],{},"Level 3 — Expert."," Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement ",[41,684,685],{},"plus 24 enhanced requirements"," selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.",[37,688,689],{},"The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.",[610,691,693],{"id":692},"nist-sp-800-171-is-the-heart-of-cmmc","NIST SP 800-171 is the heart of CMMC",[37,695,696,697,700,701,705],{},"CMMC Level 2 is a ",[41,698,699],{},"direct one-to-one mapping"," to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward ",[118,702,704],{"href":703},"\u002Fglossary\u002Fnist","NIST"," SP 800-171 compliance since 2017 did not have to start over.",[37,707,708,709,713,714,716],{},"The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. 
",[118,710,712],{"href":711},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","See the detailed NIST SP 800-171 mapping"," for the full control family breakdown and cross-framework overlap with ",[118,715,487],{"href":486}," and ISO 27001.",[610,718,720],{"id":719},"who-needs-cmmc","Who needs CMMC?",[37,722,723],{},"Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need CMMC certification. That is a much broader population than \"defense contractors\" in the traditional sense. CMMC applies to:",[427,725,726,729,732,735,738],{},[72,727,728],{},"Prime contractors holding contracts directly with the DoD",[72,730,731],{},"Subcontractors at every tier in the supply chain",[72,733,734],{},"Cloud service providers hosting DoD contractor data",[72,736,737],{},"Managed service providers and IT vendors with access to FCI or CUI",[72,739,740],{},"Foreign suppliers in the defense industrial base handling covered information",[37,742,743,744,748,749,753],{},"CMMC flow-down is one of the most important operational realities. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level. If that subcontractor further shares CUI with a tier-three supplier, the tier-three supplier must also be certified. CMMC's reach extends deep into the supply chain. 
",[118,745,747],{"href":746},"\u002Fframeworks\u002Fcmmc\u002Fwho-needs-cmmc","See who needs CMMC"," for detailed scoping guidance, and our ",[118,750,752],{"href":751},"\u002Findustry\u002Fgovernment","government industry page"," for broader public-sector compliance context.",[37,755,756],{},"Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand the most stringent CMMC Level 3 — numbers from the DoD's own economic analysis of the CMMC rule.",[610,758,760],{"id":759},"the-cmmc-assessment-process","The CMMC assessment process",[37,762,763],{},"CMMC assessments come in three flavors that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and DIBCAC government-led assessment. Regardless of type, the assessment methodology is the same — scoring is based on the DoD Assessment Methodology and NIST SP 800-171A objectives.",[37,765,766,767,770,771,774],{},"A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. A Level 2 assessment starts with a score of 110 and subtracts points for each unmet objective. A score of 110 yields full certification. A score of ",[41,768,769],{},"88 or above"," with remaining gaps documented in a Plan of Action and Milestones (POA&M) yields a ",[41,772,773],{},"conditional"," certification with a 180-day remediation window. 
A score below 88 yields no certification at all.",[37,776,777,781],{},[118,778,780],{"href":779},"\u002Fframeworks\u002Fcmmc\u002Fassessment-process","See the full CMMC assessment process"," for scoring details, POA&M rules, and what you can and cannot defer.",[610,783,785],{"id":784},"c3paos-and-certified-assessors","C3PAOs and certified assessors",[37,787,788,789,792,793,134,796,799],{},"Third-party CMMC assessments are conducted by ",[41,790,791],{},"CMMC Third-Party Assessment Organizations (C3PAOs)"," accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). C3PAOs employ ",[41,794,795],{},"Certified CMMC Assessors (CCAs)",[41,797,798],{},"Certified CMMC Professionals (CCPs)"," who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.",[37,801,802],{},"The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.",[610,804,806],{"id":805},"cmmc-implementation-timeline","CMMC implementation timeline",[37,808,809,810,814],{},"CMMC enforcement follows a four-phase rollout under the DFARS rule. The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. ",[118,811,813],{"href":812},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline","See the full CMMC implementation timeline"," for dates and milestones.",[427,816,817,823,829,835],{},[72,818,819,822],{},[41,820,821],{},"Phase 1 (November 2025 – November 2026)."," Active now. 
CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.",[72,824,825,828],{},[41,826,827],{},"Phase 2 (November 2026 – November 2027)."," CMMC Level 2 C3PAO certification requirements expand significantly. Level 3 requirements begin appearing in select solicitations.",[72,830,831,834],{},[41,832,833],{},"Phase 3 (November 2027 – November 2028)."," CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.",[72,836,837,840],{},[41,838,839],{},"Phase 4 (November 2028 onward)."," All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.",[610,842,844],{"id":843},"cmmc-and-dfars","CMMC and DFARS",[37,846,847,848,851,852,134,855,858,859,862,863,867,868,416],{},"CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. ",[41,849,850],{},"DFARS 252.204-7012"," has required safeguarding of covered defense information and rapid incident reporting since 2017. ",[41,853,854],{},"DFARS 252.204-7019",[41,856,857],{},"-7020"," added the requirement to post NIST SP 800-171 assessment scores to SPRS. ",[41,860,861],{},"DFARS 252.204-7021",", effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. ",[118,864,866],{"href":865},"\u002Fframeworks\u002Fcmmc\u002Fdfars-relationship","See how CMMC and DFARS relate"," for the full clause-by-clause picture. For blog-length coverage of DFARS and CMMC in context, see our ",[118,869,871],{"href":870},"\u002Fblog\u002Fcompliance-framework-comparison","compliance framework comparison",[610,873,875],{"id":874},"self-assessment-vs-third-party-assessment","Self-assessment vs third-party assessment",[37,877,878,879,883],{},"Not every CMMC obligation requires bringing in a C3PAO. 
CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. Third-party CMMC assessment is more expensive but produces a defensible certification. ",[118,880,882],{"href":881},"\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party","Compare CMMC self-assessment vs third-party"," to decide which applies to you and how to budget.",[610,885,887],{"id":886},"handling-cui-the-cmmc-way","Handling CUI the CMMC way",[37,889,890,891,895],{},"Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. ",[118,892,894],{"href":893},"\u002Fframeworks\u002Fcmmc\u002Fcui-handling","See CUI handling under CMMC"," for marking rules, scoping guidance, and common mistakes.",[610,897,899],{"id":898},"subcontractor-requirements","Subcontractor requirements",[37,901,902,903,907],{},"CMMC flow-down affects nearly every defense prime. If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. 
",[118,904,906],{"href":905},"\u002Fframeworks\u002Fcmmc\u002Fsubcontractor-requirements","See CMMC subcontractor requirements"," for the full flow-down model and how to reduce the burden.",[610,909,911],{"id":910},"getting-cmmc-ready","Getting CMMC ready",[37,913,914],{},"CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:",[69,916,917,923,929,935,941,947],{},[72,918,919,922],{},[41,920,921],{},"Scope your CMMC environment."," Map where FCI and CUI enter, flow through, and are stored in your systems. Your CMMC assessment boundary is only as good as your scoping work.",[72,924,925,928],{},[41,926,927],{},"Complete your SSP."," A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.",[72,930,931,934],{},[41,932,933],{},"Submit a SPRS score."," Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.",[72,936,937,940],{},[41,938,939],{},"Stand up a POA&M register."," Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.",[72,942,943,946],{},[41,944,945],{},"Review your flow-down."," Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. 
Confirm they are on their own CMMC path.",[72,948,949,952],{},[41,950,951],{},"Schedule a readiness review."," A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.",[610,954,956],{"id":955},"common-cmmc-challenges","Common CMMC challenges",[427,958,959,965,971,977,983],{},[72,960,961,964],{},[41,962,963],{},"Scoping complexity."," Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.",[72,966,967,970],{},[41,968,969],{},"NIST SP 800-171 gaps."," Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.",[72,972,973,976],{},[41,974,975],{},"POA&M management."," Tracking remediation across teams within a 180-day window is hard without tooling. CMMC conditional certifications are revoked when POA&Ms go stale.",[72,978,979,982],{},[41,980,981],{},"Subcontractor flow-down."," Primes must verify subcontractor CMMC status continuously, not once at onboarding.",[72,984,985,988],{},[41,986,987],{},"Evidence organization."," A CMMC assessment can touch hundreds of evidence artifacts. 
Without a single source of truth, assessors burn billable hours chasing documents.",[37,990,991],{},"A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.",{"title":141,"searchDepth":142,"depth":142,"links":993},[994],{"id":601,"depth":142,"text":602,"children":995},[996,998,999,1000,1001,1002,1003,1004,1005,1006,1007,1008,1009],{"id":612,"depth":997,"text":613},3,{"id":645,"depth":997,"text":646},{"id":692,"depth":997,"text":693},{"id":719,"depth":997,"text":720},{"id":759,"depth":997,"text":760},{"id":784,"depth":997,"text":785},{"id":805,"depth":997,"text":806},{"id":843,"depth":997,"text":844},{"id":874,"depth":997,"text":875},{"id":886,"depth":997,"text":887},{"id":898,"depth":997,"text":899},{"id":910,"depth":997,"text":911},{"id":955,"depth":997,"text":956},{"title":1011,"description":1012,"items":1013},"CMMC readiness checklist inside episki","Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.",[1014,1015,1016,1017,1018],"NIST SP 800-171 control library with mapped CMMC practices","Level 1, 2, and 3 scoping guidance and practice sets","POA&M register with risk-ranked remediation priorities","System Security Plan (SSP) template with AI drafting","Evidence library organized by control family",{"title":1020,"description":1021},"Launch your CMMC workspace today","Import your NIST 800-171 controls, map them to CMMC levels, and start closing gaps before your next assessment.",{"title":1023,"items":1024},"CMMC frequently asked questions",[1025,1028,1031,1034,1037],{"label":1026,"content":1027},"What is CMMC 2.0?","CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and 
Controlled Unclassified Information (CUI). The final program rule took effect December 16, 2024, and DFARS contract enforcement began November 10, 2025.",{"label":1029,"content":1030},"What are the three CMMC levels?","Level 1 requires 17 basic safeguarding practices for FCI based on FAR 52.204-21. Level 2 requires 110 security practices aligned to NIST SP 800-171 Rev 2 for CUI. Level 3 adds 24 enhanced practices from NIST SP 800-172 for the most sensitive programs. Each level builds on the one below it.",{"label":1032,"content":1033},"How much does CMMC certification cost?","Costs vary by level and organization size. Level 1 requires only an annual self-assessment. Level 2 self-assessments are free but require significant preparation effort. Level 2 C3PAO assessments typically range from $50,000 to $150,000+ depending on scope. episki reduces preparation costs by automating evidence collection and control documentation.",{"label":1035,"content":1036},"When will CMMC be required in contracts?","CMMC is being phased into DoD contracts over four phases. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in select solicitations. Phase 2 (November 2026) expands Level 2 C3PAO requirements. Phase 3 (November 2027) adds Level 3. By Phase 4 (November 2028), all applicable DoD contracts will require the appropriate CMMC level.",{"label":1038,"content":1039},"Who needs CMMC certification?","Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract needs CMMC certification. This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting DoD data. 
The required level depends on the sensitivity of information handled.",{"headline":1041,"title":1042,"description":1043,"links":1044},"CMMC without the guesswork","Get assessment-ready for CMMC without rebuilding your security program","episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.",[1045,1047],{"label":1046,"icon":184,"to":185},"Start CMMC trial",{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},"2026-04-27",{},"CMMC","\u002Fframeworks\u002Fcmmc",{"headline":1053,"title":1053,"description":1054,"items":1055},"CMMC acceleration resources","Give leadership and contracting officers visibility into your cybersecurity posture at every stage.",[1056,1059,1062],{"title":1057,"description":1058},"Executive scorecard","Translate control work into CMMC readiness percentages and contract eligibility status.",{"title":1060,"description":1061},"Assessment readiness kit","Pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.",{"title":1063,"description":1064},"Subcontractor flow-down tracker","Monitor which subcontractors need their own CMMC certification and track their progress.",{"title":1066,"description":1067},"CMMC Compliance Software","Prepare for CMMC Level 1, 2, and 3 assessments with pre-mapped NIST 800-171 controls, automated evidence collection, and C3PAO-ready workspaces. Start your free 14-day trial.","cmmc",[1070,1073,1076],{"value":1071,"description":1072},"3 maturity levels","Pre-mapped practices for Level 1, Level 2, and Level 3 with assessment-type guidance for each.",{"value":1074,"description":1075},"110 practices","Full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.",{"value":1077,"description":1078},"Phase 1 live now","DFARS enforcement began November 2025. 
Level 1 and Level 2 self-assessments already required in select solicitations.","5.frameworks\u002Fcmmc","5qiklS1v5QKF6cHH8uPj1P6lsxy0PYzcAzuOabzrNOc",{"id":1082,"title":1083,"advantages":1084,"body":1106,"checklist":1192,"cta":1202,"description":141,"extension":162,"faq":1205,"hero":1219,"lastUpdated":193,"meta":1226,"name":1116,"navigation":196,"path":1227,"resources":1228,"seo":1242,"slug":1245,"stats":1246,"stem":1254,"__hash__":1255},"frameworks\u002F5.frameworks\u002Fcsa-star.md","Csa Star",[1085,1092,1099],{"title":1086,"description":1087,"bullets":1088},"CCM v4 control library","The Cloud Controls Matrix implemented as living episki controls.",[1089,1090,1091],"17 domains of cloud security control objectives","Shared-responsibility model captured per control","Built-in mappings to ISO 27001, SOC 2, and more",{"title":1093,"description":1094,"bullets":1095},"CAIQ, answered from evidence","Complete the Consensus Assessment Initiative Questionnaire from real controls.",[1096,1097,1098],"CAIQ v4 responses generated from your controls","Consistent answers across customer questionnaires","Publish to the CSA STAR registry",{"title":1100,"description":1101,"bullets":1102},"One effort, many programs","CCM is a meta-framework — its controls map almost everywhere.",[1103,1104,1105],"Crosswalk to ISO 27001 \u002F 27017 \u002F 27018","Crosswalk to SOC 2 and NIST CSF","Reuse for PCI DSS and GDPR mapping",{"type":29,"value":1107,"toc":1186},[1108,1112,1129,1133,1148,1152,1166,1168],[32,1109,1111],{"id":1110},"what-is-csa-star","What is CSA STAR?",[37,1113,1114,1117,1118,1121,1122,1125,1126,416],{},[41,1115,1116],{},"CSA STAR"," — Security, Trust, Assurance and Risk — is the ",[41,1119,1120],{},"Cloud Security Alliance's"," cloud assurance program. It gives cloud providers a recognized way to document and publish their security posture, and gives cloud customers a public registry to evaluate them. 
STAR is built on two artifacts: the ",[41,1123,1124],{},"Cloud Controls Matrix (CCM)"," and the ",[41,1127,1128],{},"Consensus Assessment Initiative Questionnaire (CAIQ)",[32,1130,1132],{"id":1131},"ccm-v4-and-the-caiq","CCM v4 and the CAIQ",[37,1134,1135,1136,1139,1140,1143,1144,1147],{},"The current ",[41,1137,1138],{},"CCM v4"," organizes roughly ",[41,1141,1142],{},"197 control objectives across 17 domains"," of cloud security — identity and access management, data security and privacy, application security, supply-chain management, and more — with the shared-responsibility model built in. The ",[41,1145,1146],{},"CAIQ"," is the questionnaire form of the CCM: a standardized set of yes\u002Fno questions that maps to each control, designed to replace the endless bespoke security questionnaires that cloud buyers send.",[32,1149,1151],{"id":1150},"star-levels","STAR Levels",[427,1153,1154,1160],{},[72,1155,1156,1159],{},[41,1157,1158],{},"Level 1 — Self-Assessment."," Complete the CAIQ (or a CCM-based self-assessment) and publish it to the free, public CSA STAR registry.",[72,1161,1162,1165],{},[41,1163,1164],{},"Level 2 — Third-Party Assessment."," An accredited assessor verifies your controls, often as a STAR Certification (paired with ISO 27001) or STAR Attestation (paired with SOC 2).",[32,1167,126],{"id":125},[37,1169,1170,1171,1173,1174,1177,1178,488,1180,1182,1183,1185],{},"episki ships the ",[41,1172,1138],{}," catalog as living controls, generates consistent ",[41,1175,1176],{},"CAIQ v4"," answers from your real evidence, and cross-maps every CCM control to ",[118,1179,133],{"href":132},[118,1181,138],{"href":137},", and ",[118,1184,487],{"href":486},". 
Reach STAR Level 1 from your existing program, or assemble the Level 2 package without rebuilding a thing.",{"title":141,"searchDepth":142,"depth":142,"links":1187},[1188,1189,1190,1191],{"id":1110,"depth":142,"text":1111},{"id":1131,"depth":142,"text":1132},{"id":1150,"depth":142,"text":1151},{"id":125,"depth":142,"text":126},{"title":1193,"description":1194,"items":1195},"CSA STAR readiness inside episki","What a cloud provider needs to reach the STAR registry.",[1196,1197,1198,1199,1200,1201],"CCM v4 control library scoped to your services","Shared-responsibility documentation per control","CAIQ v4 questionnaire completed from evidence","STAR Level 1 self-assessment package","STAR Level 2 third-party certification readiness","Crosswalks to ISO 27001 and SOC 2",{"title":1203,"description":1204},"Reach the STAR registry from episki","Implement CCM v4 once, answer the CAIQ from evidence, and reuse it across ISO 27001 and SOC 2.",{"title":1206,"items":1207},"CSA STAR frequently asked questions",[1208,1210,1213,1216],{"label":1111,"content":1209},"CSA STAR (Security, Trust, Assurance and Risk) is a cloud assurance program from the Cloud Security Alliance. It is built on the Cloud Controls Matrix (CCM) — currently CCM v4, with around 197 control objectives across 17 domains — and the Consensus Assessment Initiative Questionnaire (CAIQ). Results are published on the public CSA STAR registry.",{"label":1211,"content":1212},"What are STAR Levels 1 and 2?","STAR Level 1 is a self-assessment in which an organization completes the CAIQ or a CCM-based self-assessment and publishes it to the registry. 
STAR Level 2 is a third-party assessment — a certification or attestation performed by an accredited assessor, often combined with an ISO 27001 or SOC 2 audit.",{"label":1214,"content":1215},"What is the Cloud Controls Matrix?","The CCM is a cybersecurity control framework for cloud computing, organized into domains covering areas such as identity and access management, data security, and supply-chain management. It is a meta-framework with built-in mappings to ISO 27001, ISO 27017\u002F27018, SOC 2, NIST CSF, PCI DSS, and more.",{"label":1217,"content":1218},"How does STAR relate to ISO 27001 and SOC 2?","STAR Level 2 is frequently pursued alongside ISO 27001 or SOC 2 because the CCM maps to both, letting a single body of evidence support multiple cloud-assurance outcomes at once.",{"headline":1220,"title":1221,"description":1222,"links":1223},"Cloud assurance, on the STAR registry","Run the CSA STAR program with CCM v4","The Cloud Controls Matrix v4 as a living control library and the CAIQ as a guided questionnaire — Level 1 self-assessment or Level 2 third-party assurance — mapped to ISO 27001 and SOC 2.",[1224,1225],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"\u002Fframeworks\u002Fcsa-star",{"headline":1229,"title":1230,"description":1231,"items":1232},"CSA STAR accelerators","Cloud assurance accelerators","Get listed on the STAR registry and stop re-answering the same questionnaires.",[1233,1236,1239],{"title":1234,"description":1235},"CAIQ builder","Generate consistent CAIQ v4 answers from your live controls.",{"title":1237,"description":1238},"CCM crosswalk","Map CCM controls to ISO 27001, SOC 2, and NIST CSF automatically.",{"title":1240,"description":1241},"STAR submission pack","Assemble the Level 1 or Level 2 package for the STAR registry.",{"title":1243,"description":1244},"CSA STAR \u002F CCM Compliance Software","Complete the CSA STAR program with the Cloud Controls Matrix v4 (CCM) and 
CAIQ — Level 1 self-assessment or Level 2 certification — cross-mapped to ISO 27001 and SOC 2.","csa-star",[1247,1249,1251],{"value":1138,"description":1248},"~197 control objectives across 17 cloud security domains.",{"value":1146,"description":1250},"The Consensus Assessment Initiative Questionnaire, answered from live controls.",{"value":1252,"description":1253},"STAR L1 \u002F L2","Self-assessment or third-party certification on the public STAR registry.","5.frameworks\u002Fcsa-star","lXgGbqGdkk5vG7P1QPq8UaVpBMYoFrT4bdu3fBbNoYQ",{"id":1257,"title":1258,"advantages":1259,"body":1281,"checklist":1381,"cta":1391,"description":141,"extension":162,"faq":1394,"hero":1408,"lastUpdated":193,"meta":1415,"name":1258,"navigation":196,"path":1416,"resources":1417,"seo":1430,"slug":1433,"stats":1434,"stem":1444,"__hash__":1445},"frameworks\u002F5.frameworks\u002Fcyber-essentials.md","Cyber Essentials",[1260,1267,1274],{"title":1261,"description":1262,"bullets":1263},"The five technical controls","The complete Cyber Essentials control set, implemented and evidenced.",[1264,1265,1266],"Firewalls and secure configuration","User access control with MFA","Malware protection and update management",{"title":1268,"description":1269,"bullets":1270},"CE and CE Plus ready","Self-assessment for CE, and a clean evidence trail for the CE Plus audit.",[1271,1272,1273],"Self-assessment questionnaire support","Asset and device scoping","Evidence ready for the CE Plus technical audit",{"title":1275,"description":1276,"bullets":1277},"A UK on-ramp that maps up","Cyber Essentials controls feed your larger frameworks.",[1278,1279,1280],"Crosswalk to ISO 27001 and NIST CSF","Reuse evidence across SOC 2","Government-recognized baseline",{"type":29,"value":1282,"toc":1375},[1283,1287,1304,1307,1342,1346,1363,1365],[32,1284,1286],{"id":1285},"what-is-cyber-essentials","What is Cyber Essentials?",[37,1288,1289,1291,1292,1295,1296,1299,1300,1303],{},[41,1290,1258],{}," is a UK government-backed 
certification scheme — owned by the ",[41,1293,1294],{},"National Cyber Security Centre (NCSC)"," and delivered by the ",[41,1297,1298],{},"IASME Consortium"," — designed to protect organizations against the most common internet-based cyber attacks. It is deliberately simple: the entire scheme rests on ",[41,1301,1302],{},"five technical controls",", which makes it an excellent baseline and a frequent requirement for UK public-sector contracts.",[32,1305,1261],{"id":1306},"the-five-technical-controls",[69,1308,1309,1315,1321,1330,1336],{},[72,1310,1311,1314],{},[41,1312,1313],{},"Firewalls"," — boundary and host firewalls configured to block untrusted traffic.",[72,1316,1317,1320],{},[41,1318,1319],{},"Secure configuration"," — remove or disable unnecessary functionality and change default credentials.",[72,1322,1323,1326,1327,416],{},[41,1324,1325],{},"User access control"," — least-privilege accounts, with ",[41,1328,1329],{},"multi-factor authentication required for cloud services",[72,1331,1332,1335],{},[41,1333,1334],{},"Malware protection"," — anti-malware, allow-listing, or sandboxing across in-scope devices.",[72,1337,1338,1341],{},[41,1339,1340],{},"Security update management"," — keep software supported and patched within required windows.",[32,1343,1345],{"id":1344},"cyber-essentials-vs-cyber-essentials-plus","Cyber Essentials vs Cyber Essentials Plus",[37,1347,1348,1350,1351,1354,1355,1358,1359,1362],{},[41,1349,1258],{}," is a verified self-assessment against the five controls. ",[41,1352,1353],{},"Cyber Essentials Plus"," assesses the same controls but adds a hands-on ",[41,1356,1357],{},"technical audit"," — vulnerability scans and tests of a sample of in-scope devices — for a higher level of assurance. 
NCSC and IASME ",[41,1360,1361],{},"update the technical requirements annually",", so recent revisions have tightened expectations (for example, mandatory MFA for cloud services and stricter marking of critical controls).",[32,1364,126],{"id":125},[37,1366,1367,1368,488,1370,1182,1372,1374],{},"episki implements the five Cyber Essentials controls as living controls with scoping for your devices, users, and cloud services, and keeps the evidence current for the annual recertification or the CE Plus audit. Because the controls map up to ",[118,1369,133],{"href":132},[118,1371,487],{"href":486},[118,1373,138],{"href":137},", Cyber Essentials becomes the first rung of a larger program rather than a dead end.",{"title":141,"searchDepth":142,"depth":142,"links":1376},[1377,1378,1379,1380],{"id":1285,"depth":142,"text":1286},{"id":1306,"depth":142,"text":1261},{"id":1344,"depth":142,"text":1345},{"id":125,"depth":142,"text":126},{"title":1382,"description":1383,"items":1384},"Cyber Essentials readiness inside episki","What a UK organization needs in place.",[1385,1386,1387,1388,1389,1390],"Scope definition (devices, users, cloud services)","Firewalls and boundary controls","Secure configuration and removal of defaults","User access control with MFA on cloud services","Malware protection across in-scope devices","Security update management within required windows",{"title":1392,"description":1393},"Certify to Cyber Essentials in episki","Implement the five controls once and reuse the evidence toward ISO 27001 and SOC 2.",{"title":1395,"items":1396},"Cyber Essentials frequently asked questions",[1397,1399,1402,1405],{"label":1286,"content":1398},"Cyber Essentials is a UK government-backed certification scheme, run by the National Cyber Security Centre (NCSC) and delivered by the IASME Consortium, that helps organizations protect against the most common cyber attacks. 
It is built on five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management.",{"label":1400,"content":1401},"What's the difference between CE and CE Plus?","Cyber Essentials is a verified self-assessment. Cyber Essentials Plus covers the same five controls but adds a hands-on technical audit by an assessor, including vulnerability scans and tests of in-scope devices, providing a higher level of assurance.",{"label":1403,"content":1404},"Is multi-factor authentication required?","Yes. The current Cyber Essentials requirements make multi-factor authentication mandatory for cloud services where it is available, alongside stricter marking of critical controls such as timely security updates. NCSC and IASME refresh the technical requirements annually, so the question set evolves each year.",{"label":1406,"content":1407},"Who needs Cyber Essentials?","Any UK organization that wants a recognized cybersecurity baseline — and notably, it is required for many UK central-government contracts that involve handling certain sensitive or personal information.",{"headline":1409,"title":1410,"description":1411,"links":1412},"UK Cyber Essentials, made simple","Certify to Cyber Essentials and CE Plus","The five Cyber Essentials technical controls — firewalls, secure configuration, access control, malware protection, and update management — implemented, evidenced, and ready for assessment.",[1413,1414],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"\u002Fframeworks\u002Fcyber-essentials",{"headline":1418,"title":1418,"description":1419,"items":1420},"Cyber Essentials accelerators","Pass the assessment and keep the certificate current year over year.",[1421,1424,1427],{"title":1422,"description":1423},"Scope builder","Define the devices, users, and cloud services in assessment scope.",{"title":1425,"description":1426},"Control evidence tracker","Owners 
and evidence for each of the five technical controls.",{"title":1428,"description":1429},"ISO 27001 crosswalk","Reuse Cyber Essentials work toward ISO 27001 and SOC 2.",{"title":1431,"description":1432},"Cyber Essentials Compliance Software","Achieve UK Cyber Essentials and Cyber Essentials Plus — the five technical controls, including mandatory MFA for cloud services — managed and evidenced in one workspace.","cyber-essentials",[1435,1438,1441],{"value":1436,"description":1437},"5 controls","Firewalls, secure configuration, access control, malware protection, and updates.",{"value":1439,"description":1440},"CE + CE Plus","Self-assessed Cyber Essentials and hands-on-verified Cyber Essentials Plus.",{"value":1442,"description":1443},"MFA required","Multi-factor authentication for cloud services per the current requirements.","5.frameworks\u002Fcyber-essentials","uafsEsSg38iTtDlHU0E0k980FcyUniCe4U3mnzZ1EGM",{"id":4,"title":5,"advantages":1447,"body":1454,"checklist":1521,"cta":1523,"description":141,"extension":162,"faq":1524,"hero":1530,"lastUpdated":193,"meta":1534,"name":195,"navigation":196,"path":197,"resources":1535,"seo":1540,"slug":215,"stats":1541,"stem":226,"__hash__":227},[1448,1450,1452],{"title":8,"description":9,"bullets":1449},[11,12,13],{"title":15,"description":16,"bullets":1451},[18,19,20],{"title":22,"description":23,"bullets":1453},[25,26,27],{"type":29,"value":1455,"toc":1514},[1456,1458,1464,1466,1472,1474,1498,1500,1506,1508],[32,1457,35],{"id":34},[37,1459,39,1460,44,1462,48],{},[41,1461,43],{},[41,1463,47],{},[32,1465,52],{"id":51},[37,1467,55,1468,59,1470,63],{},[41,1469,58],{},[41,1471,62],{},[32,1473,67],{"id":66},[69,1475,1476,1480,1484,1488,1494],{},[72,1477,1478,77],{},[41,1479,76],{},[72,1481,1482,83],{},[41,1483,82],{},[72,1485,1486,89],{},[41,1487,88],{},[72,1489,1490,95,1492,99],{},[41,1491,94],{},[41,1493,98],{},[72,1495,1496,105],{},[41,1497,104],{},[32,1499,109],{"id":108},[37,1501,112,1502,116,1504,122],{},[41,1503,115],{},[118,1
505,121],{"href":120},[32,1507,126],{"id":125},[37,1509,129,1510,134,1512,139],{},[118,1511,133],{"href":132},[118,1513,138],{"href":137},{"title":141,"searchDepth":142,"depth":142,"links":1515},[1516,1517,1518,1519,1520],{"id":34,"depth":142,"text":35},{"id":51,"depth":142,"text":52},{"id":66,"depth":142,"text":67},{"id":108,"depth":142,"text":109},{"id":125,"depth":142,"text":126},{"title":150,"description":151,"items":1522},[153,154,155,156,157,158],{"title":160,"description":161},{"title":164,"items":1525},[1526,1527,1528,1529],{"label":35,"content":167},{"label":169,"content":170},{"label":172,"content":173},{"label":175,"content":176},{"headline":178,"title":179,"description":180,"links":1531},[1532,1533],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":199,"title":200,"description":201,"items":1536},[1537,1538,1539],{"title":204,"description":205},{"title":207,"description":208},{"title":210,"description":211},{"title":213,"description":214},[1542,1543,1544],{"value":218,"description":219},{"value":221,"description":222},{"value":224,"description":225},{"id":1546,"title":1547,"advantages":1548,"body":1570,"checklist":1689,"cta":1699,"description":141,"extension":162,"faq":1702,"hero":1716,"lastUpdated":193,"meta":1723,"name":1724,"navigation":196,"path":1725,"resources":1726,"seo":1740,"slug":1743,"stats":1744,"stem":1754,"__hash__":1755},"frameworks\u002F5.frameworks\u002Feu-ai-act.md","Eu Ai Act",[1549,1556,1563],{"title":1550,"description":1551,"bullets":1552},"Risk classification, done right","Classify each AI system into the Act's risk tiers and apply the right obligations.",[1553,1554,1555],"Prohibited-practice screening","High-risk (Annex III \u002F Annex I) determination","Transparency duties for limited-risk systems",{"title":1557,"description":1558,"bullets":1559},"High-risk obligations as controls","The Annex III obligations implemented and evidenced, not 
described.",[1560,1561,1562],"Risk management system and data governance","Technical documentation, logging, and transparency","Human oversight, accuracy, robustness, and cybersecurity",{"title":1564,"description":1565,"bullets":1566},"One AI program, many frameworks","AI Act work reuses your ISO 42001 and NIST AI RMF evidence.",[1567,1568,1569],"Crosswalk to ISO 42001 (AIMS)","Crosswalk to the NIST AI RMF","GPAI \u002F foundation-model tracking",{"type":29,"value":1571,"toc":1682},[1572,1576,1586,1590,1593,1619,1626,1630,1661,1665,1668,1670],[32,1573,1575],{"id":1574},"what-is-the-eu-ai-act","What is the EU AI Act?",[37,1577,39,1578,1581,1582,1585],{},[41,1579,1580],{},"EU AI Act — Regulation (EU) 2024\u002F1689"," — is the world's first comprehensive law governing artificial intelligence. It ",[41,1583,1584],{},"entered into force on August 1, 2024"," and regulates AI based on the risk it poses rather than the technology itself. Like the GDPR, it applies extraterritorially: it reaches providers and deployers outside the EU whenever an AI system's output is used within the Union.",[32,1587,1589],{"id":1588},"the-risk-based-tiers","The risk-based tiers",[37,1591,1592],{},"The Act sorts AI into four tiers:",[427,1594,1595,1601,1607,1613],{},[72,1596,1597,1600],{},[41,1598,1599],{},"Unacceptable risk"," — a short list of prohibited practices (for example, social scoring and certain manipulative or biometric-categorization uses). These have been banned since February 2, 2025.",[72,1602,1603,1606],{},[41,1604,1605],{},"High risk"," — AI used as a safety component of regulated products (Annex I) or in listed sensitive domains (Annex III) such as employment, education, essential services, law enforcement, and biometrics. 
High-risk systems carry the full weight of the Act's obligations.",[72,1608,1609,1612],{},[41,1610,1611],{},"Limited risk"," — systems such as chatbots and generative content tools that carry transparency duties (users must know they are interacting with AI; synthetic content must be marked).",[72,1614,1615,1618],{},[41,1616,1617],{},"Minimal risk"," — everything else, which is largely unregulated.",[37,1620,1621,1622,1625],{},"Separately, ",[41,1623,1624],{},"general-purpose AI (GPAI) models"," carry their own obligations, which began applying on August 2, 2025.",[32,1627,1629],{"id":1628},"the-timeline-and-the-digital-omnibus","The timeline (and the Digital Omnibus)",[37,1631,1632,1633,1636,1637,1640,1641,1644,1645,1648,1649,1652,1653,1656,1657,1660],{},"The Act phases in over several years. Prohibited practices applied from ",[41,1634,1635],{},"February 2, 2025","; GPAI obligations from ",[41,1638,1639],{},"August 2, 2025","; and high-risk obligations were scheduled for ",[41,1642,1643],{},"August 2, 2026",". In 2026, EU institutions reached a provisional ",[41,1646,1647],{},"\"Digital Omnibus\""," agreement that would defer the high-risk obligations — Annex III use-based systems to ",[41,1650,1651],{},"December 2, 2027"," and Annex I product-embedded AI to ",[41,1654,1655],{},"August 2, 2028"," — along with targeted simplifications. 
That deferral only becomes law once formally adopted and published in the Official Journal; until then, ",[41,1658,1659],{},"August 2, 2026 remains the operative deadline",", so in-scope organizations should keep preparing.",[32,1662,1664],{"id":1663},"high-risk-obligations","High-risk obligations",[37,1666,1667],{},"Providers of high-risk AI must implement a risk management system, data and data-governance practices, technical documentation, automatic logging, transparency and instructions for use, human oversight, and appropriate accuracy, robustness, and cybersecurity — then pass a conformity assessment and maintain post-market monitoring. Deployers carry their own, lighter set of duties.",[32,1669,126],{"id":125},[37,1671,1672,1673,1125,1677,1681],{},"episki implements the EU AI Act as a working program: an inventory of your AI systems with provider\u002Fdeployer roles, a risk-tier classifier that surfaces the obligations that actually apply, and the high-risk requirements tracked as controls with evidence and owners. 
Because it cross-maps to ",[118,1674,1676],{"href":1675},"\u002Fframeworks\u002Fiso42001","ISO 42001",[118,1678,1680],{"href":1679},"\u002Fframeworks\u002Fnist-ai-rmf","NIST AI RMF",", your AI Act readiness reuses the AI governance work you are already doing.",{"title":141,"searchDepth":142,"depth":142,"links":1683},[1684,1685,1686,1687,1688],{"id":1574,"depth":142,"text":1575},{"id":1588,"depth":142,"text":1589},{"id":1628,"depth":142,"text":1629},{"id":1663,"depth":142,"text":1664},{"id":125,"depth":142,"text":126},{"title":1690,"description":1691,"items":1692},"EU AI Act readiness inside episki","What an in-scope provider or deployer needs in place.",[1693,1694,1695,1696,1697,1698],"AI system inventory with provider\u002Fdeployer role per system","Risk-tier classification (prohibited, high, limited, minimal)","Risk management system for high-risk AI","Data governance and technical documentation","Logging, human oversight, and transparency measures","Conformity assessment and post-market monitoring evidence",{"title":1700,"description":1701},"Build EU AI Act readiness in episki","Classify your AI, stand up the high-risk obligations, and reuse the work for ISO 42001 and the NIST AI RMF.",{"title":1703,"items":1704},"EU AI Act frequently asked questions",[1705,1707,1710,1713],{"label":1575,"content":1706},"The EU AI Act (Regulation (EU) 2024\u002F1689) is the world's first comprehensive law regulating artificial intelligence. It entered into force on August 1, 2024 and takes a risk-based approach: it bans a small set of unacceptable-risk practices, imposes detailed obligations on high-risk AI systems, requires transparency for limited-risk systems, and leaves minimal-risk AI largely unregulated. 
It applies extraterritorially to providers and deployers whose AI output is used in the EU.",{"label":1708,"content":1709},"When do the obligations apply?","The Act phases in over time: prohibited practices applied from February 2, 2025 and general-purpose AI (GPAI) model obligations from August 2, 2025. High-risk obligations were set to apply from August 2, 2026. In 2026 the EU reached a provisional 'Digital Omnibus' agreement to defer high-risk obligations (Annex III use-cases to December 2, 2027 and Annex I product-embedded AI to August 2, 2028), but that change only takes effect once formally adopted and published — until then, August 2, 2026 remains the operative date. episki tracks the timeline as it is finalized.",{"label":1711,"content":1712},"What counts as high-risk?","High-risk AI includes systems used as safety components of regulated products (Annex I) and systems in listed sensitive use cases (Annex III) such as employment, education, essential services, law enforcement, and biometrics. High-risk systems carry the heaviest obligations — risk management, data governance, documentation, logging, human oversight, and a conformity assessment.",{"label":1714,"content":1715},"What are the penalties?","Penalties are tiered. 
Engaging in prohibited AI practices can draw fines up to €35 million or 7% of total worldwide annual turnover, whichever is higher; most other violations are capped at €15 million or 3%, and supplying incorrect information at €7.5 million or 1%.",{"headline":1717,"title":1718,"description":1719,"links":1720},"The EU AI Act, made operational","Classify and govern AI under the EU AI Act","Inventory your AI systems, classify them by risk tier, and stand up the high-risk obligations — risk management, data governance, logging, human oversight — mapped to ISO 42001 and the NIST AI RMF.",[1721,1722],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"EU AI Act","\u002Fframeworks\u002Feu-ai-act",{"headline":1727,"title":1728,"description":1729,"items":1730},"EU AI Act accelerators","AI Act readiness accelerators","Move from \"are we in scope?\" to a defensible high-risk program.",[1731,1734,1737],{"title":1732,"description":1733},"Risk-tier classifier","Walk each AI system through the Act's tiers and surface the applicable obligations.",{"title":1735,"description":1736},"High-risk obligation tracker","Owners, evidence, and status for each Annex III requirement.",{"title":1738,"description":1739},"ISO 42001 \u002F NIST AI RMF crosswalk","Reuse your AI management system evidence against AI Act obligations.",{"title":1741,"description":1742},"EU AI Act Compliance Software","Get ready for the EU AI Act (Regulation 2024\u002F1689) — AI system inventory, risk classification, high-risk obligations, and crosswalks to ISO 42001 and the NIST AI RMF.","eu-ai-act",[1745,1748,1751],{"value":1746,"description":1747},"4 risk tiers","Unacceptable, high, limited, and minimal risk classified per AI system.",{"value":1749,"description":1750},"High-risk ready","Annex III obligations implemented as controls with evidence and owners.",{"value":1752,"description":1753},"42001 mapped","AI Act obligations cross-walked to ISO 42001 and the 
NIST AI RMF.","5.frameworks\u002Feu-ai-act","5xMudjt8W-oPGtYE_cTWnrC3BphUEFD4mHe174ntO2E",{"id":1757,"title":1758,"advantages":1759,"body":1781,"checklist":1815,"cta":1825,"description":141,"extension":162,"faq":1828,"hero":1842,"lastUpdated":193,"meta":1849,"name":1850,"navigation":196,"path":1851,"resources":1852,"seo":1866,"slug":1869,"stats":1870,"stem":1880,"__hash__":1881},"frameworks\u002F5.frameworks\u002Ffedramp.md","Fedramp",[1760,1767,1774],{"title":1761,"description":1762,"bullets":1763},"800-53 baselines, pre-mapped","Every Low, Moderate, and High control implemented as an episki control with mapped evidence and testing procedures.",[1764,1765,1766],"All 20 control families ready to scope","Tailoring decisions captured in-platform","Overlays for FedRAMP, DoD IL2\u002F4\u002F5, and StateRAMP",{"title":1768,"description":1769,"bullets":1770},"SSP, SAR, POA&M workflows","Generate authorization documents from live data instead of maintaining parallel binders.",[1771,1772,1773],"SSP exports populated from control evidence","POA&M items tracked to closure with milestones","3PAO collaboration via scoped portal",{"title":1775,"description":1776,"bullets":1777},"Continuous monitoring","Monthly ConMon deliverables produced as a side effect of your normal operations.",[1778,1779,1780],"Vulnerability scan ingestion and triage","Deviation requests with approval workflow","Significant change notifications",{"type":29,"value":1782,"toc":1810},[1783,1787,1790,1798,1802,1805,1807],[32,1784,1786],{"id":1785},"what-is-fedramp","What is FedRAMP?",[37,1788,1789],{},"The Federal Risk and Authorization Management Program (FedRAMP) is a US government program that standardizes the security assessment, authorization, and continuous monitoring of cloud products used by federal agencies. 
Established in 2011 and operated by GSA in partnership with NIST, FedRAMP allows a cloud service to be authorized once and reused by any agency, dramatically reducing duplicate work.",[37,1791,1792,1793,1797],{},"FedRAMP is built on the ",[118,1794,1796],{"href":1795},"\u002Fframeworks\u002Fnist-800-53","NIST 800-53"," control catalog, with specific baselines for Low, Moderate, and High impact levels. Assessments are performed by accredited Third-Party Assessment Organizations (3PAOs), and authorizations are issued by a sponsoring federal agency as an Authority to Operate (ATO). The Joint Authorization Board (JAB) provisional-authorization path has been retired — FedRAMP now uses a single \"FedRAMP Authorized\" designation, and the 2025 FedRAMP 20x initiative is modernizing assessment and continuous monitoring with greater automation and reuse of commercial security evidence.",[32,1799,1801],{"id":1800},"who-needs-fedramp","Who needs FedRAMP",[37,1803,1804],{},"Any cloud service offered to a federal agency typically requires FedRAMP authorization at the appropriate impact level. Authorization is also increasingly used as a procurement filter by state and local governments, defense primes, and international public-sector buyers.",[32,1806,126],{"id":125},[37,1808,1809],{},"FedRAMP is a marathon. episki treats the System Security Plan, POA&M, and continuous monitoring deliverables as live artifacts driven by your real control evidence — not parallel documents you maintain alongside the platform. 
When a control's evidence changes, the SSP narrative changes with it.",{"title":141,"searchDepth":142,"depth":142,"links":1811},[1812,1813,1814],{"id":1785,"depth":142,"text":1786},{"id":1800,"depth":142,"text":1801},{"id":125,"depth":142,"text":126},{"title":1816,"description":1817,"items":1818},"FedRAMP readiness inside episki","From SSP to ConMon — what you need preloaded in the workspace.",[1819,1820,1821,1822,1823,1824],"NIST 800-53 baseline aligned to your impact level","SSP narrative generation from control evidence","3PAO assessment workspace and POA&M tracking","Continuous monitoring cadences and reporting templates","Significant Change Request workflow","Authorization-package artifact library",{"title":1826,"description":1827},"Build toward FedRAMP without the binders","Start in episki with the right baseline and an SSP that updates with your environment.",{"title":1829,"items":1830},"FedRAMP frequently asked questions",[1831,1833,1836,1839],{"label":1786,"content":1832},"The Federal Risk and Authorization Management Program is a US government program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by federal agencies. FedRAMP-authorized services can be procured by any agency without each agency re-assessing them.",{"label":1834,"content":1835},"What's the difference between Low, Moderate, and High?","The three impact levels reflect the potential damage of a confidentiality, integrity, or availability breach to the data being processed. Most commercial SaaS pursues Moderate. High is reserved for systems handling the most sensitive non-classified federal data.",{"label":1837,"content":1838},"Do I need an agency sponsor?","Yes. Since the Joint Authorization Board (JAB) provisional-authorization path was retired and FedRAMP consolidated to a single \"FedRAMP Authorized\" designation, agency authorization is the path to an ATO — you partner with a sponsoring federal agency. 
The FedRAMP 20x initiative announced in 2025 is streamlining assessment and continuous monitoring with more automation.",{"label":1840,"content":1841},"How long does FedRAMP authorization take?","A typical FedRAMP Moderate authorization takes 12–18 months from kickoff to ATO. Mature security programs and dedicated FedRAMP teams can compress this, but it's a major engineering and compliance investment.",{"headline":1843,"title":1844,"description":1845,"links":1846},"FedRAMP without the binders","Authorize your cloud service for the US government","NIST 800-53 baselines pre-mapped, System Security Plan and POA&M workflows in-platform, continuous monitoring evidence cadences that hold up to ConMon audits.",[1847,1848],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"FedRAMP","\u002Fframeworks\u002Ffedramp",{"headline":1853,"title":1854,"description":1855,"items":1856},"FedRAMP accelerators","FedRAMP authorization accelerators","Move from \"we want FedRAMP\" to a credible 3PAO engagement faster.",[1857,1860,1863],{"title":1858,"description":1859},"SSP generator","Compose your System Security Plan from live control data — no parallel Word doc.",{"title":1861,"description":1862},"3PAO collaboration room","Scoped portal for your assessor with evidence rooms and walkthrough scheduling.",{"title":1864,"description":1865},"ConMon dashboard","A single view of your monthly ConMon obligations and their status.",{"title":1867,"description":1868},"FedRAMP Compliance Software","Build toward FedRAMP Low, Moderate, or High authorization with NIST 800-53 baselines, SSP\u002FSAR\u002FPOA&M workflows, and continuous monitoring artifacts.","fedramp",[1871,1874,1877],{"value":1872,"description":1873},"3 baselines","Low, Moderate, and High control sets ready to scope into your environment.",{"value":1875,"description":1876},"SSP-ready","System Security Plan generated from your control evidence, not the other way 
around.",{"value":1878,"description":1879},"ConMon","Monthly continuous-monitoring cadences with deviation and POA&M tracking built in.","5.frameworks\u002Ffedramp","mgwhJ5pdmsD1Uq2HUErDXUD3mRkNlwTCtU2N3k7T0H8",{"id":1883,"title":1884,"advantages":1885,"body":1907,"checklist":1992,"cta":2001,"description":141,"extension":162,"faq":2004,"hero":2018,"lastUpdated":193,"meta":2025,"name":2026,"navigation":196,"path":2027,"resources":2028,"seo":2042,"slug":2045,"stats":2046,"stem":2055,"__hash__":2056},"frameworks\u002F5.frameworks\u002Fffiec.md","Ffiec",[1886,1893,1900],{"title":1887,"description":1888,"bullets":1889},"A clean CAT replacement","Move off the retired CAT onto a maintained, examiner-recognized framework.",[1890,1891,1892],"NIST CSF 2.0 mapping out of the box","CRI Profile for financial-sector depth","CIS Controls and CISA CPGs as options",{"title":1894,"description":1895,"bullets":1896},"Examination readiness","Organize controls and evidence to the FFIEC IT Examination Handbook.",[1897,1898,1899],"Control-to-handbook mapping","Examiner-ready evidence library","Risk assessment and board reporting",{"title":1901,"description":1902,"bullets":1903},"One program, every regulator","Reuse the same controls across overlapping financial obligations.",[1904,1905,1906],"Crosswalk to GLBA Safeguards","Crosswalk to NY DFS Part 500","Reuse SOC 2 and ISO 27001 evidence",{"type":29,"value":1908,"toc":1987},[1909,1913,1923,1927,1938,1959,1966,1968],[32,1910,1912],{"id":1911},"what-is-the-ffiec","What is the FFIEC?",[37,1914,39,1915,1918,1919,1922],{},[41,1916,1917],{},"Federal Financial Institutions Examination Council (FFIEC)"," is the US interagency body that prescribes uniform principles, standards, and report forms for the federal examination of financial institutions. 
Its ",[41,1920,1921],{},"IT Examination Handbook"," is the reference examiners use to evaluate an institution's information security, business continuity, and IT risk management.",[32,1924,1926],{"id":1925},"the-cat-sunset","The CAT sunset",[37,1928,1929,1930,1933,1934,1937],{},"From 2015, many institutions used the ",[41,1931,1932],{},"FFIEC Cybersecurity Assessment Tool (CAT)"," to self-assess their cyber maturity. The FFIEC ",[41,1935,1936],{},"retired the CAT on August 31, 2025",", having decided not to update it to reflect newer government resources. Institutions are expected to transition to standardized, actively maintained frameworks instead:",[427,1939,1940,1945,1951],{},[72,1941,1942,1944],{},[41,1943,463],{}," — by far the most common replacement.",[72,1946,1947,1950],{},[41,1948,1949],{},"CRI Profile"," — the Cyber Risk Institute's financial-sector tailoring of NIST CSF, which maps to FFIEC handbooks, NY DFS Part 500, and other supervisory regimes.",[72,1952,1953,1125,1955,1958],{},[41,1954,542],{},[41,1956,1957],{},"CISA Cybersecurity Performance Goals"," — additional options.",[37,1960,1961,1962,1965],{},"Importantly, the ",[41,1963,1964],{},"IT Examination Handbook and the examination program itself remain in force"," — only the voluntary CAT tool went away.",[32,1967,126],{"id":125},[37,1969,1970,1971,1973,1974,488,1978,488,1982,1182,1984,1986],{},"episki maps your program to ",[118,1972,463],{"href":486}," or the CRI Profile, carries your prior CAT work forward, and organizes controls and evidence to the FFIEC IT Examination Handbook domains. 
Because the same controls cross-map to ",[118,1975,1977],{"href":1976},"\u002Fframeworks\u002Fglba","GLBA",[118,1979,1981],{"href":1980},"\u002Fframeworks\u002Fnydfs","NY DFS Part 500",[118,1983,138],{"href":137},[118,1985,133],{"href":132},", your institution runs one program for every regulator instead of many.",{"title":141,"searchDepth":142,"depth":142,"links":1988},[1989,1990,1991],{"id":1911,"depth":142,"text":1912},{"id":1925,"depth":142,"text":1926},{"id":125,"depth":142,"text":126},{"title":1993,"description":1994,"items":1995},"FFIEC readiness inside episki","What an examined institution needs in place after the CAT sunset.",[1996,1997,1998,1999,2000,1898],"Successor framework selected (NIST CSF 2.0 or CRI Profile)","Control library mapped to the FFIEC IT Examination Handbook","Cybersecurity risk assessment kept current","Board and management reporting","Third-party \u002F vendor risk management",{"title":2002,"description":2003},"Stay FFIEC exam-ready in episki","Map to NIST CSF 2.0 or the CRI Profile and keep evidence ready across GLBA and NY DFS.",{"title":2005,"items":2006},"FFIEC frequently asked questions",[2007,2009,2012,2015],{"label":1912,"content":2008},"The Federal Financial Institutions Examination Council (FFIEC) is a US interagency body that sets uniform principles and standards for the examination of financial institutions. Its IT Examination Handbook defines the expectations examiners use to assess an institution's information security and IT risk management.",{"label":2010,"content":2011},"What happened to the FFIEC CAT?","The FFIEC Cybersecurity Assessment Tool (CAT) was sunset on August 31, 2025. 
The FFIEC decided not to update it to reflect newer resources such as NIST Cybersecurity Framework 2.0 and the CISA Cybersecurity Performance Goals, and instead points institutions to those standardized, maintained frameworks.",{"label":2013,"content":2014},"What should replace the CAT?","Institutions are moving to maintained frameworks — most commonly NIST CSF 2.0, followed by the CIS Controls, the Cyber Risk Institute (CRI) Profile (a financial-sector tailoring of NIST CSF), and the CISA Cybersecurity Performance Goals. episki supports mapping your program to any of these while preserving your prior CAT work.",{"label":2016,"content":2017},"Is the FFIEC handbook still in effect?","Yes. The CAT was a voluntary assessment tool; the FFIEC IT Examination Handbook and the underlying examination program remain in force. Institutions still need to demonstrate sound cybersecurity and IT risk management to their examiners.",{"headline":2019,"title":2020,"description":2021,"links":2022},"FFIEC exams, after the CAT","Stay FFIEC examination-ready","With the FFIEC Cybersecurity Assessment Tool retired, map your program to NIST CSF 2.0 or the CRI Profile, manage the controls examiners expect, and keep evidence exam-ready.",[2023,2024],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"FFIEC","\u002Fframeworks\u002Fffiec",{"headline":2029,"title":2030,"description":2031,"items":2032},"FFIEC accelerators","FFIEC readiness accelerators","Make the post-CAT transition without losing exam readiness.",[2033,2036,2039],{"title":2034,"description":2035},"CAT-to-CSF mapping","Carry your prior CAT work forward into NIST CSF 2.0 or the CRI Profile.",{"title":2037,"description":2038},"Exam evidence library","Organize artifacts to the IT Examination Handbook domains.",{"title":2040,"description":2041},"Financial-framework crosswalk","Reuse evidence across GLBA, NY DFS, SOC 2, and ISO 27001.",{"title":2043,"description":2044},"FFIEC 
Cybersecurity Compliance Software","Meet FFIEC IT examination expectations after the CAT sunset — map to NIST CSF 2.0 or the CRI Profile, manage controls and evidence, and stay exam-ready.","ffiec",[2047,2050,2052],{"value":2048,"description":2049},"CAT retired","The FFIEC CAT was sunset on August 31, 2025 — a successor mapping is needed.",{"value":463,"description":2051},"The most-adopted CAT replacement, fully supported in episki.",{"value":2053,"description":2054},"Exam-ready","IT Examination Handbook expectations tracked as living controls.","5.frameworks\u002Fffiec","YkaQ3kiErD_C2D33cApVsdRiKKoYkqOiCeiNB_pYYjM",{"id":2058,"title":2059,"advantages":2060,"body":2082,"checklist":2111,"cta":2121,"description":141,"extension":162,"faq":2124,"hero":2139,"lastUpdated":322,"meta":2146,"name":2147,"navigation":196,"path":2148,"resources":2149,"seo":2163,"slug":2166,"stats":2167,"stem":2177,"__hash__":2178},"frameworks\u002F5.frameworks\u002Fgdpr.md","Gdpr",[2061,2068,2075],{"title":2062,"description":2063,"bullets":2064},"Records of Processing (Art. 30)","Keep a live inventory of every processing activity with lawful basis, categories of data, retention, and transfers.",[2065,2066,2067],"Controller and processor records side by side","Versioned changes auditors and DPAs can review","Cross-link to vendors (Art. 28 processors) via TPRM",{"title":2069,"description":2070,"bullets":2071},"DPIA workflows (Art. 35)","Run Data Protection Impact Assessments where they belong — next to the processing activity they assess.",[2072,2073,2074],"DPIA templates aligned to EDPB guidance","Risk treatment plans linked to controls","Stakeholder consultation captured in-platform",{"title":2076,"description":2077,"bullets":2078},"Data-subject rights (Arts. 
12–22)","Intake, identity-verify, fulfill, and track DSARs without leaving the workspace.",[2079,2080,2081],"DSAR intake form on your trust center","SLA timers per right type","Audit trail of every response",{"type":29,"value":2083,"toc":2106},[2084,2088,2091,2094,2098,2101,2103],[32,2085,2087],{"id":2086},"what-is-gdpr","What is GDPR?",[37,2089,2090],{},"The General Data Protection Regulation (Regulation (EU) 2016\u002F679) is the EU's comprehensive data-protection law. It applies extraterritorially: any organization processing personal data of individuals in the EU\u002FEEA is in scope, regardless of where the organization is located.",[37,2092,2093],{},"GDPR replaces the patchwork of pre-2018 national laws with a single set of obligations and individual rights. It introduces formal records of processing, mandatory breach notification, a 72-hour clock on serious incidents, fines up to 4% of global annual turnover, and a structured set of rights for data subjects (access, rectification, erasure, portability, objection, restriction, automated-decision review).",[32,2095,2097],{"id":2096},"who-needs-to-comply","Who needs to comply",[37,2099,2100],{},"If your organization offers goods or services to people in the EU\u002FEEA, monitors their behavior, or processes their personal data in any capacity, GDPR applies to you. Most B2B SaaS companies fall in scope because their customers' employees or end users live in the EU. UK businesses are subject to a near-identical UK GDPR, and Switzerland's revised FADP follows similar principles.",[32,2102,126],{"id":125},[37,2104,2105],{},"The platform treats GDPR not as a one-time project but as a continuous program. 
Article 30 records, DPIAs, DSARs, breach response, sub-processor management, and lawful-basis assessments live in the same workspace as the rest of your security program — so when a control changes, the privacy artifact changes with it.",{"title":141,"searchDepth":142,"depth":142,"links":2107},[2108,2109,2110],{"id":2086,"depth":142,"text":2087},{"id":2096,"depth":142,"text":2097},{"id":125,"depth":142,"text":126},{"title":2112,"description":2113,"items":2114},"GDPR readiness checklist inside episki","Everything the EDPB expects, available in your trial.",[2115,2116,2117,2118,2119,2120],"Article 30 records for every processing activity","Standard Contractual Clauses for international transfers","DPIA templates with risk treatment workflows","DSAR intake portal with SLA tracking","Breach notification runbook with 72-hour timers","Lawful basis assessments per processing activity",{"title":2122,"description":2123},"Stand up GDPR in days, not quarters","Start the free trial to bring your records, DPIAs, and DSAR queue into one workspace.",{"title":2125,"items":2126},"GDPR frequently asked questions",[2127,2130,2133,2136],{"label":2128,"content":2129},"Who is subject to GDPR?","GDPR applies to any organization processing personal data of individuals in the EU\u002FEEA, regardless of where the organization is located. Most SaaS companies with any EU customers or users fall in scope.",{"label":2131,"content":2132},"What is the difference between a controller and a processor?","A controller determines the purposes and means of processing personal data. A processor processes personal data on behalf of a controller. 
SaaS companies are typically processors for their customers' data and controllers for their own employee, marketing, and account data.",{"label":2134,"content":2135},"When is a DPIA required?","A Data Protection Impact Assessment is required when processing is likely to result in a high risk to individuals — for example, large-scale processing of special-category data, systematic monitoring, or use of new technologies. Many DPOs run DPIAs more broadly as good practice.",{"label":2137,"content":2138},"How quickly must we report a breach?","Controllers must notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. High-risk breaches also require notifying affected individuals without undue delay.",{"headline":2140,"title":2141,"description":2142,"links":2143},"GDPR without the spreadsheet","Run your GDPR program in one workspace","Records of processing, DPIAs, lawful-basis tracking, data-subject requests, breach timers — wired together so your DPO and your engineers can move at the same speed.",[2144,2145],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"GDPR","\u002Fframeworks\u002Fgdpr",{"headline":2150,"title":2151,"description":2152,"items":2153},"GDPR accelerators","GDPR program accelerators","Move from \"we should do this\" to a running program in weeks, not quarters.",[2154,2157,2160],{"title":2155,"description":2156},"Records of Processing template","Pre-filled rows for common SaaS processing activities, ready to adapt.",{"title":2158,"description":2159},"Sub-processor list publisher","Publish your Article 28 sub-processors to your trust center with diff notifications.",{"title":2161,"description":2162},"Breach playbook","Step-by-step runbook for the first 72 hours of a notifiable breach.",{"title":2164,"description":2165},"GDPR Compliance Software","Operationalize the EU General Data Protection 
Regulation with records of processing, DPIAs, data-subject request workflows, and 72-hour breach timers.","gdpr",[2168,2171,2174],{"value":2169,"description":2170},"Article 30","Records of processing for controllers and processors, kept current as systems change.",{"value":2172,"description":2173},"72-hour","Breach notification timers and templated regulator\u002Fdata-subject comms.",{"value":2175,"description":2176},"0 spreadsheets","Lawful basis, retention, and cross-border transfers live in the platform.","5.frameworks\u002Fgdpr","VucfsyeWX8YopfAL91XkkpZ0cgEUj4JrmpLkYIDDEIo",{"id":2180,"title":2181,"advantages":2182,"body":2204,"checklist":2312,"cta":2321,"description":141,"extension":162,"faq":2324,"hero":2338,"lastUpdated":193,"meta":2345,"name":1977,"navigation":196,"path":1976,"resources":2346,"seo":2359,"slug":2362,"stats":2363,"stem":2372,"__hash__":2373},"frameworks\u002F5.frameworks\u002Fglba.md","Glba",[2183,2190,2197],{"title":2184,"description":2185,"bullets":2186},"A written security program","The Safeguards Rule's required program, designed and evidenced.",[2187,2188,2189],"Designated Qualified Individual","Written risk assessment kept current","Board \u002F governing-body reporting",{"title":2191,"description":2192,"bullets":2193},"The required safeguards","The technical and administrative controls the Rule mandates.",[2194,2195,2196],"Access controls and MFA","Encryption of customer information","Logging, monitoring, and secure disposal",{"title":2198,"description":2199,"bullets":2200},"Breach notification ready","Detect, assess, and report qualifying events to the FTC on time.",[2201,2202,2203],"Incident response plan","30-day FTC notification workflow","Service-provider oversight",{"type":29,"value":2205,"toc":2306},[2206,2210,2228,2232,2239,2243,2276,2294,2296],[32,2207,2209],{"id":2208},"what-is-glba","What is GLBA?",[37,2211,39,2212,2215,2216,2219,2220,2223,2224,2227],{},[41,2213,2214],{},"Gramm-Leach-Bliley Act (GLBA)"," is a US federal law 
requiring financial institutions to protect the security and confidentiality of customers' ",[41,2217,2218],{},"nonpublic personal information",". Its information-security obligations are carried out through the FTC's ",[41,2221,2222],{},"Safeguards Rule (16 CFR Part 314)",", while the companion ",[41,2225,2226],{},"Privacy Rule"," governs how institutions disclose information-sharing practices and offer opt-outs.",[32,2229,2231],{"id":2230},"who-is-covered","Who is covered",[37,2233,2234,2235,2238],{},"The FTC interprets \"financial institution\" broadly. Beyond banks, the Safeguards Rule reaches mortgage lenders and brokers, payday lenders, auto dealers that arrange financing, tax preparers, collection agencies, investment advisers, and many ",[41,2236,2237],{},"fintechs"," — any business significantly engaged in providing financial products or services. A large number of organizations are in scope without realizing it.",[32,2240,2242],{"id":2241},"what-the-safeguards-rule-requires","What the Safeguards Rule requires",[37,2244,2245,2246,2249,2250,2253,2254,2257,2258,2261,2262,488,2265,2268,2269,2272,2273,416],{},"The amended Safeguards Rule (with most requirements effective ",[41,2247,2248],{},"June 9, 2023",") requires a ",[41,2251,2252],{},"written information security program"," led by a designated ",[41,2255,2256],{},"Qualified Individual",", supported by a documented ",[41,2259,2260],{},"risk assessment"," and a defined set of safeguards: access controls and ",[41,2263,2264],{},"multi-factor authentication",[41,2266,2267],{},"encryption"," of customer information at rest and in transit, secure disposal, change management, logging and monitoring, secure development practices, ",[41,2270,2271],{},"service-provider oversight",", an incident response plan, and periodic ",[41,2274,2275],{},"reporting to the board or governing body",[37,2277,2278,2279,2282,2283,2286,2287,2290,2291,416],{},"A subsequent amendment, effective ",[41,2280,2281],{},"May 13, 2024",", 
added a ",[41,2284,2285],{},"breach-notification requirement",": covered institutions must notify the FTC as soon as possible, and within ",[41,2288,2289],{},"30 days",", of discovering a breach involving the unencrypted information of ",[41,2292,2293],{},"500 or more consumers",[32,2295,126],{"id":125},[37,2297,2298,2299,488,2301,1182,2303,2305],{},"episki implements the Safeguards Rule elements as living controls with a designated owner, a maintained risk assessment, and a breach-notification workflow tuned to the FTC's 30-day window. The same controls cross-map to ",[118,2300,2026],{"href":2027},[118,2302,1981],{"href":1980},[118,2304,138],{"href":137},", so a single program satisfies overlapping financial obligations.",{"title":141,"searchDepth":142,"depth":142,"links":2307},[2308,2309,2310,2311],{"id":2208,"depth":142,"text":2209},{"id":2230,"depth":142,"text":2231},{"id":2241,"depth":142,"text":2242},{"id":125,"depth":142,"text":126},{"title":2313,"description":2314,"items":2315},"GLBA readiness inside episki","What a covered financial institution needs in place.",[2187,2316,2317,2318,2319,2320],"Written risk assessment","Access controls and multi-factor authentication","Encryption of customer information at rest and in transit","Service-provider security oversight","Incident response and 30-day FTC breach notification",{"title":2322,"description":2323},"Build a GLBA Safeguards program in episki","Implement the Safeguards Rule once and reuse the evidence across FFIEC, NY DFS, and SOC 2.",{"title":2325,"items":2326},"GLBA frequently asked questions",[2327,2329,2332,2335],{"label":2209,"content":2328},"The Gramm-Leach-Bliley Act (GLBA) is a US federal law that requires financial institutions to protect the security and confidentiality of customers' nonpublic personal information. 
Its security requirements are implemented through the FTC's Safeguards Rule (16 CFR Part 314), with a companion Privacy Rule governing how that information is shared.",{"label":2330,"content":2331},"Who must comply with the Safeguards Rule?","The FTC defines 'financial institution' broadly — it includes banks' nonbank competitors and many businesses 'significantly engaged' in financial activities, such as mortgage lenders, payday lenders, auto dealers that arrange financing, tax preparers, and fintechs. Many organizations are surprised to find they are in scope.",{"label":2333,"content":2334},"What does the updated Safeguards Rule require?","The Safeguards Rule, as amended (with key requirements effective June 2023), requires a written information security program led by a designated Qualified Individual, a risk assessment, access controls, encryption, multi-factor authentication, secure disposal, logging and monitoring, service-provider oversight, and periodic reporting to the board or governing body.",{"label":2336,"content":2337},"Is there a breach-notification requirement?","Yes. 
An amendment effective May 13, 2024 requires covered financial institutions to notify the FTC as soon as possible, and no later than 30 days, after discovering a security breach involving the unencrypted information of 500 or more consumers.",{"headline":2339,"title":2340,"description":2341,"links":2342},"GLBA Safeguards, operationalized","Comply with the GLBA Safeguards Rule","The FTC Safeguards Rule elements as living controls — risk assessment, access controls, encryption, MFA, and breach notification — for financial institutions of every size.",[2343,2344],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":2347,"title":2348,"description":2349,"items":2350},"GLBA accelerators","GLBA Safeguards accelerators","Stand up a defensible Safeguards program and keep it current.",[2351,2354,2357],{"title":2352,"description":2353},"Safeguards control set","The Rule's required elements as living controls with owners.",{"title":2355,"description":2356},"Breach notification workflow","Assess qualifying events and track the FTC reporting window.",{"title":2040,"description":2358},"Reuse evidence across FFIEC, NY DFS, and SOC 2.",{"title":2360,"description":2361},"GLBA Safeguards Rule Compliance Software","Meet the GLBA Safeguards Rule — qualified individual, risk assessment, encryption, MFA, and the FTC breach-notification requirement — managed and evidenced in one workspace.","glba",[2364,2367,2370],{"value":2365,"description":2366},"Safeguards Rule","The FTC's information-security requirements implemented as controls.",{"value":2368,"description":2369},"30-day notice","FTC breach-notification timer for events affecting 500+ consumers.",{"value":2256,"description":2371},"A designated owner accountable for the information security 
program.","5.frameworks\u002Fglba","PvtbzndzysaRMHSrNkJUcvuP7NXbv_C-FfJGyA4sczE",{"id":2375,"title":2376,"advantages":2377,"body":2399,"checklist":2891,"cta":2900,"description":141,"extension":162,"faq":2903,"hero":2921,"lastUpdated":1048,"meta":2929,"name":2776,"navigation":196,"path":2930,"resources":2931,"seo":2944,"slug":2947,"stats":2948,"stem":2958,"__hash__":2959},"frameworks\u002F5.frameworks\u002Fhipaa.md","Hipaa",[2378,2385,2392],{"title":2379,"description":2380,"bullets":2381},"Safeguards mapped to your stack","Every HIPAA standard comes with plain-language owners, SLAs, and tests.",[2382,2383,2384],"Assign compliance, engineering, and ops leads to each safeguard","Playbooks explain what “good” looks like for each requirement","Timeline view keeps renewals and reviews on schedule",{"title":2386,"description":2387,"bullets":2388},"PHI-aware evidence locker","Secure uploads, access controls, and audit trails keep regulators satisfied.",[2389,2390,2391],"Granular permissions for internal and external reviewers","Automated retention and deletion policies","Download tracking and access audit trails",{"title":2393,"description":2394,"bullets":2395},"Vendor & incident workflows","Track BAAs, vendor attestations, and incidents from discovery to closure.",[2396,2397,2398],"BAA repository tied to vendor risk levels","Incident response runbooks with reminders","Post-incident reports aligned to HIPAA timelines",{"type":29,"value":2400,"toc":2864},[2401,2405,2408,2421,2424,2428,2431,2474,2478,2481,2486,2490,2493,2497,2505,2525,2528,2532,2539,2547,2551,2554,2558,2561,2564,2577,2581,2584,2587,2591,2609,2613,2625,2629,2632,2640,2644,2647,2650,2657,2661,2668,2671,2675,2682,2685,2708,2712,2715,2718,2724,2728,2731,2757,2760,2763,2767,2770,2789,2792,2796,2802,2806,2809,2838,2846,2850,2853,2861],[32,2402,2404],{"id":2403},"what-is-hipaa","What is HIPAA?",[37,2406,2407],{},"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal 
law governing the privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.",[37,2409,2410,2411,2415,2416,2420],{},"At its core, the law establishes national standards that protect sensitive patient information — known as ",[118,2412,2414],{"href":2413},"\u002Fglossary\u002Fphi","protected health information",", or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. The ",[118,2417,2419],{"href":2418},"\u002Fglossary\u002Fhipaa","HIPAA glossary entry"," provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.",[37,2422,2423],{},"Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.",[32,2425,2427],{"id":2426},"a-brief-history-of-hipaa","A brief history of HIPAA",[37,2429,2430],{},"HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. 
The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.",[427,2432,2433,2439,2445,2451,2462,2468],{},[72,2434,2435,2438],{},[41,2436,2437],{},"1996"," — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.",[72,2440,2441,2444],{},[41,2442,2443],{},"2000"," — The HIPAA Privacy Rule is published; it takes full effect in 2003.",[72,2446,2447,2450],{},[41,2448,2449],{},"2003"," — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.",[72,2452,2453,2456,2457,2461],{},[41,2454,2455],{},"2009"," — The Health Information Technology for Economic and Clinical Health Act (",[118,2458,2460],{"href":2459},"\u002Fframeworks\u002Fhipaa\u002Fhitech-and-omnibus","HITECH",") is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.",[72,2463,2464,2467],{},[41,2465,2466],{},"2013"," — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and patient rights.",[72,2469,2470,2473],{},[41,2471,2472],{},"2024 and beyond"," — HHS continues to update HIPAA guidance, most recently around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.",[610,2475,2477],{"id":2476},"hitech-and-the-omnibus-rule","HITECH and the Omnibus Rule",[37,2479,2480],{},"The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. 
It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.",[37,2482,2483,2484,416],{},"The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read ",[118,2485,2477],{"href":2459},[32,2487,2489],{"id":2488},"who-hipaa-applies-to","Who HIPAA applies to",[37,2491,2492],{},"HIPAA applies to two broad categories of organizations: covered entities and business associates. Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.",[610,2494,2496],{"id":2495},"covered-entities","Covered entities",[37,2498,2499,2500,2504],{},"A ",[118,2501,2503],{"href":2502},"\u002Fglossary\u002Fcovered-entity","covered entity"," is any of the following:",[427,2506,2507,2513,2519],{},[72,2508,2509,2512],{},[41,2510,2511],{},"Health plans"," — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.",[72,2514,2515,2518],{},[41,2516,2517],{},"Healthcare providers"," — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.",[72,2520,2521,2524],{},[41,2522,2523],{},"Healthcare clearinghouses"," — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.",[37,2526,2527],{},"If your organization directly delivers 
healthcare or finances it, you are almost certainly a covered entity.",[610,2529,2531],{"id":2530},"business-associates","Business associates",[37,2533,2499,2534,2538],{},[118,2535,2537],{"href":2536},"\u002Fglossary\u002Fbusiness-associate","business associate"," is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.",[37,2540,2541,2542,2546],{},"Most modern SaaS companies serving healthcare customers are business associates. If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a \"healthcare company.\" Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a ",[118,2543,2545],{"href":2544},"\u002Fglossary\u002Fbaa","business associate agreement"," with every upstream and downstream partner that touches PHI is non-negotiable.",[610,2548,2550],{"id":2549},"who-is-not-covered-by-hipaa","Who is not covered by HIPAA?",[37,2552,2553],{},"Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. 
That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.",[32,2555,2557],{"id":2556},"the-hipaa-privacy-rule","The HIPAA Privacy Rule",[37,2559,2560],{},"The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most disclosures. The Privacy Rule applies to covered entities directly and to business associates through their BAAs.",[37,2562,2563],{},"Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days), the right to request amendments and accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.",[37,2565,2566,2567,2571,2572,2576],{},"For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated ",[118,2568,2570],{"href":2569},"\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule","HIPAA Privacy Rule"," guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the ",[118,2573,2575],{"href":2574},"\u002Fframeworks\u002Fhipaa\u002Fminimum-necessary-rule","minimum necessary rule"," page.",[32,2578,2580],{"id":2579},"the-hipaa-security-rule","The HIPAA Security Rule",[37,2582,2583],{},"The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). 
While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.",[37,2585,2586],{},"The Security Rule organizes its requirements into three categories of safeguards. Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.",[610,2588,2590],{"id":2589},"administrative-safeguards","Administrative safeguards",[37,2592,2593,2594,2598,2599,2603,2604,2608],{},"Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. They include security management processes, a designated security official, ",[118,2595,2597],{"href":2596},"\u002Fframeworks\u002Fhipaa\u002Fworkforce-training","workforce training",", a ",[118,2600,2602],{"href":2601},"\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy","sanctions policy"," for workforce violations, access management, ",[118,2605,2607],{"href":2606},"\u002Fframeworks\u002Fhipaa\u002Fcontingency-planning","contingency planning",", periodic evaluations, and BAAs with every downstream partner. These typically consume the most effort because they touch every corner of the business.",[610,2610,2612],{"id":2611},"physical-safeguards","Physical safeguards",[37,2614,2615,2616,488,2620,2624],{},"Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers ",[118,2617,2619],{"href":2618},"\u002Fframeworks\u002Fhipaa\u002Ffacility-access-controls","facility access controls",[118,2621,2623],{"href":2622},"\u002Fframeworks\u002Fhipaa\u002Fworkstation-and-device-controls","workstation and device controls",", and media disposal. 
For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.",[610,2626,2628],{"id":2627},"technical-safeguards","Technical safeguards",[37,2630,2631],{},"Technical safeguards are the technology controls that protect ePHI and govern access to it. They include unique user identification, automatic logoff, encryption and decryption of ePHI at rest and in transit, audit controls that log system activity, integrity controls that prevent improper alteration, and person or entity authentication.",[37,2633,2634,2635,2639],{},"For a deep dive into the complete Security Rule standards, required versus addressable implementation specifications, and how to pass an OCR audit of your ePHI safeguards, read the ",[118,2636,2638],{"href":2637},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","HIPAA Security Rule"," guide.",[32,2641,2643],{"id":2642},"the-hipaa-breach-notification-rule","The HIPAA Breach Notification Rule",[37,2645,2646],{},"The Breach Notification Rule, added by HITECH and finalized in the Omnibus Rule, requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. A breach is presumed whenever PHI is used or disclosed in a way that is not permitted under the Privacy Rule, unless the organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.",[37,2648,2649],{},"Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify their covered entity clients, who in turn notify affected individuals. 
Breaches involving 500 or more individuals must be reported to HHS within 60 days and listed on the public OCR \"Wall of Shame,\" while smaller breaches may be reported in an annual log.",[37,2651,2652,2653,2639],{},"For full details on timelines, content requirements, and documentation expectations, see the ",[118,2654,2656],{"href":2655},"\u002Fframeworks\u002Fhipaa\u002Fbreach-notification","HIPAA Breach Notification Rule",[32,2658,2660],{"id":2659},"business-associate-agreements","Business associate agreements",[37,2662,2663,2664,2667],{},"No PHI should ever leave a covered entity — or a business associate — without a properly executed BAA in place. A ",[118,2665,2545],{"href":2666},"\u002Fframeworks\u002Fhipaa\u002Fbusiness-associate-agreements"," is a legally binding contract that defines permitted uses and disclosures of PHI, requires implementation of appropriate safeguards, obligates breach notification, mandates BAA flow-down to subcontractors, and establishes termination rights when a business associate violates the agreement.",[37,2669,2670],{},"In practice, BAA management is one of the most common HIPAA failure modes for growing SaaS companies. Deals close, engineering ships, and PHI starts flowing before legal has countersigned the BAA — creating exposure for both sides. A disciplined BAA intake process, a BAA repository with renewal reminders, and clear ownership of vendor risk are table stakes for any serious compliance program.",[32,2672,2674],{"id":2673},"hipaa-compliance-checklist","HIPAA compliance checklist",[37,2676,2677,2678,2681],{},"Translating the regulatory language into day-to-day operations is where most programs struggle. 
The ",[118,2679,2674],{"href":2680},"\u002Fframeworks\u002Fhipaa\u002Fcompliance-checklist"," walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.",[37,2683,2684],{},"At a high level, a complete HIPAA program includes:",[427,2686,2687,2690,2693,2696,2699,2702,2705],{},[72,2688,2689],{},"A current risk analysis and documented risk management plan.",[72,2691,2692],{},"Written policies and procedures covering Privacy, Security, and Breach Notification obligations.",[72,2694,2695],{},"A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.",[72,2697,2698],{},"Workforce training at hire and at least annually thereafter, with documented completion.",[72,2700,2701],{},"Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.",[72,2703,2704],{},"An incident response runbook aligned to the Breach Notification Rule.",[72,2706,2707],{},"Documentation retained for at least six years from creation or last effective date, whichever is later.",[32,2709,2711],{"id":2710},"hipaa-risk-analysis","HIPAA risk analysis",[37,2713,2714],{},"Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.",[37,2716,2717],{},"A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. 
Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.",[37,2719,2720,2721,2639],{},"For a full breakdown of methodology, documentation requirements, and common pitfalls, read the ",[118,2722,2711],{"href":2723},"\u002Fframeworks\u002Fhipaa\u002Frisk-analysis",[32,2725,2727],{"id":2726},"penalties-and-enforcement","Penalties and enforcement",[37,2729,2730],{},"Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.",[427,2732,2733,2739,2745,2751],{},[72,2734,2735,2738],{},[41,2736,2737],{},"Tier 1 — Unknowing violation"," — $100 to $50,000 per violation; annual cap $25,000 for identical violations.",[72,2740,2741,2744],{},[41,2742,2743],{},"Tier 2 — Reasonable cause"," — $1,000 to $50,000 per violation; annual cap $100,000.",[72,2746,2747,2750],{},[41,2748,2749],{},"Tier 3 — Willful neglect, corrected"," — $10,000 to $50,000 per violation; annual cap $250,000.",[72,2752,2753,2756],{},[41,2754,2755],{},"Tier 4 — Willful neglect, uncorrected"," — $50,000 per violation; annual cap $1.5 million per violation category.",[37,2758,2759],{},"Penalty amounts are adjusted annually for inflation. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.",[37,2761,2762],{},"OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. 
Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — consistently receive more favorable resolutions.",[32,2764,2766],{"id":2765},"hipaa-vs-hitech-vs-hitrust","HIPAA vs HITECH vs HITRUST",[37,2768,2769],{},"These three acronyms sit close together in healthcare conversations and are often conflated. They are related but distinct.",[427,2771,2772,2778,2783],{},[72,2773,2774,2777],{},[41,2775,2776],{},"HIPAA"," is the underlying federal law and its implementing regulations (Privacy, Security, Breach Notification, and Enforcement Rules). HIPAA defines the legal obligations.",[72,2779,2780,2782],{},[41,2781,2460],{}," is a 2009 federal law that strengthened HIPAA — extending it to business associates, introducing breach notification, increasing penalties, and funding EHR adoption. HITECH is part of HIPAA's regulatory stack, not a separate framework.",[72,2784,2785,2788],{},[41,2786,2787],{},"HITRUST"," is a private-sector certification maintained by the HITRUST Alliance. The HITRUST CSF is a control framework that maps HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable set of controls. HITRUST is a common way to demonstrate HIPAA compliance to sophisticated healthcare customers, but HITRUST certification is not itself required by HIPAA.",[37,2790,2791],{},"A healthcare SaaS company might pursue HITRUST CSF certification as a commercial asset while its underlying legal obligation remains HIPAA compliance under HITECH-amended rules.",[610,2793,2795],{"id":2794},"hipaa-and-soc-2","HIPAA and SOC 2",[37,2797,2798,2799,2801],{},"Many SaaS companies pursue ",[118,2800,138],{"href":137}," alongside HIPAA. The two frameworks complement each other: SOC 2 evaluates security, availability, confidentiality, processing integrity, and privacy trust services criteria, while HIPAA is a statutory requirement for handling PHI. 
A well-designed control environment can satisfy both with substantial overlap.",[32,2803,2805],{"id":2804},"getting-hipaa-compliant","Getting HIPAA compliant",[37,2807,2808],{},"The most successful HIPAA programs treat compliance as a continuous operating rhythm rather than a once-a-year scramble. A typical rollout for a SaaS company serving healthcare customers looks like this.",[69,2810,2811,2814,2817,2820,2823,2826,2829,2832,2835],{},[72,2812,2813],{},"Confirm your status as a covered entity, business associate, or both, and inventory the PHI you handle today.",[72,2815,2816],{},"Appoint a security official and a privacy official (the same person may hold both roles at small companies).",[72,2818,2819],{},"Conduct a risk analysis scoped to every system that creates, receives, maintains, or transmits ePHI.",[72,2821,2822],{},"Implement the administrative, physical, and technical safeguards required by the Security Rule, informed by your risk analysis.",[72,2824,2825],{},"Draft and publish policies and procedures covering Privacy, Security, and Breach Notification obligations.",[72,2827,2828],{},"Execute BAAs with every vendor that touches PHI, and require a signed BAA before onboarding any new customer that qualifies as a covered entity.",[72,2830,2831],{},"Deliver workforce training at hire and annually thereafter, and document completion.",[72,2833,2834],{},"Stand up an incident response runbook aligned to the Breach Notification Rule.",[72,2836,2837],{},"Operate the program: review access quarterly, test contingency plans at least annually, refresh your risk analysis whenever material change occurs, and retain documentation for at least six years.",[37,2839,2840,2841,2845],{},"For companies operating in the broader ",[118,2842,2844],{"href":2843},"\u002Findustry\u002Fhealthcare","healthcare industry",", HIPAA is rarely the only regulation in scope. 
State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.",[32,2847,2849],{"id":2848},"how-episki-helps-with-hipaa-compliance","How episki helps with HIPAA compliance",[37,2851,2852],{},"episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.",[37,2854,2855,2856,2860],{},"Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the ",[118,2857,2859],{"href":2858},"\u002Fblog\u002Fhipaa-compliance-healthtech","HIPAA for healthtech"," playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.",[37,2862,2863],{},"Ready to tighten your HIPAA program? 
Start a free trial or book a demo from the top of this page.",{"title":141,"searchDepth":142,"depth":142,"links":2865},[2866,2867,2870,2875,2876,2881,2882,2883,2884,2885,2886,2889,2890],{"id":2403,"depth":142,"text":2404},{"id":2426,"depth":142,"text":2427,"children":2868},[2869],{"id":2476,"depth":997,"text":2477},{"id":2488,"depth":142,"text":2489,"children":2871},[2872,2873,2874],{"id":2495,"depth":997,"text":2496},{"id":2530,"depth":997,"text":2531},{"id":2549,"depth":997,"text":2550},{"id":2556,"depth":142,"text":2557},{"id":2579,"depth":142,"text":2580,"children":2877},[2878,2879,2880],{"id":2589,"depth":997,"text":2590},{"id":2611,"depth":997,"text":2612},{"id":2627,"depth":997,"text":2628},{"id":2642,"depth":142,"text":2643},{"id":2659,"depth":142,"text":2660},{"id":2673,"depth":142,"text":2674},{"id":2710,"depth":142,"text":2711},{"id":2726,"depth":142,"text":2727},{"id":2765,"depth":142,"text":2766,"children":2887},[2888],{"id":2794,"depth":997,"text":2795},{"id":2804,"depth":142,"text":2805},{"id":2848,"depth":142,"text":2849},{"title":2892,"description":2893,"items":2894},"HIPAA launch kit","Guided steps keep privacy, security, and ops in sync from day one.",[2895,2896,2897,2898,2899],"Safeguard library with ownership matrix","Evidence tracking for access logs and configs","BAA tracker with renewal reminders","Incident and breach response templates","Stakeholder portal with PHI redaction controls",{"title":2901,"description":2902},"Launch HIPAA monitoring in minutes","Kick off the free trial and invite stakeholders before your next diligence call.",{"title":2904,"items":2905},"HIPAA compliance frequently asked questions",[2906,2909,2912,2915,2918],{"label":2907,"content":2908},"Who needs to comply with HIPAA?","HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates — any vendor or subcontractor that creates, receives, maintains, or transmits protected health information (PHI). 
SaaS companies serving healthcare customers almost always qualify as business associates.",{"label":2910,"content":2911},"What is a Business Associate Agreement (BAA)?","A BAA is a legally required contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI, requires appropriate safeguards, and outlines breach notification responsibilities. No PHI should be shared with a vendor before a BAA is signed.",{"label":2913,"content":2914},"What are the penalties for HIPAA violations?","HIPAA penalties range from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The HHS Office for Civil Rights enforces compliance.",{"label":2916,"content":2917},"Does HIPAA apply to SaaS companies?","Yes. Any SaaS company that handles, stores, or transmits PHI on behalf of a healthcare organization is considered a business associate under HIPAA and must comply with the Security Rule, Privacy Rule, and Breach Notification Rule.",{"label":2919,"content":2920},"What are the three HIPAA safeguard categories?","HIPAA requires administrative safeguards (policies, training, risk assessments), physical safeguards (facility access, workstation security), and technical safeguards (access controls, encryption, audit logging) to protect electronic PHI.",{"headline":2922,"title":2923,"description":2924,"links":2925},"HIPAA-ready cloud teams","Stay HIPAA compliant while shipping product weekly","episki maps administrative, physical, and technical safeguards to your systems and keeps PHI protections verifiable.",[2926,2928],{"label":2927,"icon":184,"to":185},"Start HIPAA trial",{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"\u002Fframeworks\u002Fhipaa",{"headline":2932,"title":2932,"description":2933,"items":2934},"HIPAA enablement","Keep leadership, customers, and partners 
aligned.",[2935,2938,2941],{"title":2936,"description":2937},"Board-ready posture report","Shows maturity score, risk trends, and upcoming audits.",{"title":2939,"description":2940},"Customer FAQ pack","Answers the most common HIPAA diligence questions.",{"title":2942,"description":2943},"Ops automation guide","Explains how to plug security tasks into existing tools.",{"title":2945,"description":2946},"HIPAA Compliance Management Software","Map HIPAA safeguards, track PHI evidence, and manage BAAs in one secure workspace. Get audit-ready in 30 days with episki's free trial.","hipaa",[2949,2952,2955],{"value":2950,"description":2951},"30-day rollout","Average time to production monitoring across safeguards.",{"value":2953,"description":2954},"PHI-safe sharing","Role-based portals keep sensitive documents organized and protected.",{"value":2956,"description":2957},"24\u002F7 alerts","Continuous monitoring for access, logging, and vendor risks.","5.frameworks\u002Fhipaa","eoPxPKOr8agxk9b40i3fesVSwt_T_6UskheTa58ZMNA",{"id":2961,"title":2962,"advantages":2963,"body":2985,"checklist":3014,"cta":3023,"description":141,"extension":162,"faq":3026,"hero":3041,"lastUpdated":322,"meta":3048,"name":3049,"navigation":196,"path":3050,"resources":3051,"seo":3065,"slug":3068,"stats":3069,"stem":3079,"__hash__":3080},"frameworks\u002F5.frameworks\u002Fhitrust.md","Hitrust",[2964,2971,2978],{"title":2965,"description":2966,"bullets":2967},"e1, i1, r2 scoping","Pick the right assessment type and scope, with the right control selection guided by HITRUST's risk factors.",[2968,2969,2970],"HITRUST CSF library at the requirement level","Risk-factor-driven control selection","Inheritance from prior assessments",{"title":2972,"description":2973,"bullets":2974},"External assessor collaboration","HITRUST authorized External Assessors get a scoped workspace with the evidence and walkthroughs they need.",[2975,2976,2977],"Scoped portal per engagement","Evidence packets organized by 
requirement","MyCSF-style language in episki narratives",{"title":2979,"description":2980,"bullets":2981},"Cross-mapped to HIPAA, SOC 2, ISO 27001","Stop maintaining parallel programs. One control, many certifications.",[2982,2983,2984],"Evidence reuse across audits","Crosswalks visible per control","Map once, satisfy many",{"type":29,"value":2986,"toc":3009},[2987,2991,2994,2997,3001,3004,3006],[32,2988,2990],{"id":2989},"what-is-hitrust-csf","What is HITRUST CSF?",[37,2992,2993],{},"The HITRUST Common Security Framework is a certifiable, risk-based control framework originally developed for the healthcare industry and now used across regulated industries broadly. HITRUST integrates requirements from HIPAA, NIST, ISO 27001, PCI DSS, GDPR, and other authorities into a single, scalable control catalog.",[37,2995,2996],{},"The HITRUST organization offers three assessment types: e1 (essentials), i1 (intermediate), and r2 (the comprehensive, certifiable assessment). Each escalates the rigor of evidence and the breadth of controls. r2 is the most widely recognized in enterprise procurement.",[32,2998,3000],{"id":2999},"who-needs-hitrust","Who needs HITRUST",[37,3002,3003],{},"HITRUST CSF Certified status is increasingly expected — sometimes required — by major payers, hospitals, and pharma companies before doing business with a SaaS or technology vendor. Outside healthcare, financial services and government contractors are also adopting HITRUST as a comprehensive way to demonstrate a mature control environment.",[32,3005,126],{"id":125},[37,3007,3008],{},"HITRUST is dense (the r2 control set alone is hundreds of requirements). episki keeps the HITRUST CSF crosswalked to your existing controls so you're not running a parallel HITRUST-only program. 
Add HITRUST to a workspace that already has SOC 2 or HIPAA and most of the evidence is already in place.",{"title":141,"searchDepth":142,"depth":142,"links":3010},[3011,3012,3013],{"id":2989,"depth":142,"text":2990},{"id":2999,"depth":142,"text":3000},{"id":125,"depth":142,"text":126},{"title":3015,"description":3016,"items":3017},"HITRUST readiness inside episki","Everything you need to scope and prepare for assessment.",[2968,3018,3019,3020,3021,3022],"Risk-factor questionnaire driving control selection","Evidence library organized by HITRUST domain","Cross-walks to HIPAA, SOC 2, and ISO 27001","External Assessor collaboration workspace","Interim assessment workflow",{"title":3024,"description":3025},"Start your HITRUST program in episki","Pull in your existing controls, pick the right assessment type, and prep your assessor.",{"title":3027,"items":3028},"HITRUST frequently asked questions",[3029,3032,3035,3038],{"label":3030,"content":3031},"What's the difference between e1, i1, and r2?","e1 is a foundational essentials-based assessment with 44 controls. i1 is an intermediate-rigor assessment around 180 controls. r2 (formerly r2 CSF Certified) is the most rigorous, fully-tailored assessment with hundreds of controls and is what most enterprise healthcare buyers expect.",{"label":3033,"content":3034},"How does HITRUST relate to HIPAA?","HITRUST CSF is a comprehensive framework that incorporates HIPAA security and privacy requirements along with controls from NIST, ISO, PCI, and others. Many healthcare organizations pursue HITRUST as a way to demonstrate HIPAA compliance plus more.",{"label":3036,"content":3037},"Who performs HITRUST assessments?","HITRUST r2 and i1 assessments are performed by HITRUST Authorized External Assessors. e1 can be self-assessed or validated. 
The assessor uploads results to MyCSF for HITRUST's quality assurance review.",{"label":3039,"content":3040},"How long does a HITRUST r2 take?","A first-time r2 typically takes 9–18 months from kickoff to certification depending on scope and maturity. Programs that have an existing SOC 2 or ISO 27001 in episki can move significantly faster because evidence and controls already exist.",{"headline":3042,"title":3043,"description":3044,"links":3045},"HITRUST without the binder cart","Move from e1 to r2 without rebuilding your program","HITRUST CSF mapped to your existing controls, assessment-handler-friendly evidence packets, and cross-walks to HIPAA, SOC 2, and ISO 27001 so you stop running parallel programs.",[3046,3047],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"HITRUST CSF","\u002Fframeworks\u002Fhitrust",{"headline":3052,"title":3053,"description":3054,"items":3055},"HITRUST accelerators","HITRUST program accelerators","Stop running HITRUST as a separate animal.",[3056,3059,3062],{"title":3057,"description":3058},"Scoping wizard","Risk-factor-driven control selection so you don't over- or under-scope.",{"title":3060,"description":3061},"Evidence cross-walk","Reuse the same evidence across HIPAA, SOC 2, ISO 27001, and HITRUST.",{"title":3063,"description":3064},"Assessor handoff packet","Pre-organized evidence and narratives for your External Assessor.",{"title":3066,"description":3067},"HITRUST CSF Compliance Software","Run HITRUST e1, i1, or r2 assessments with the HITRUST CSF mapped to your existing controls and evidence. 
Cross-mapped to HIPAA, SOC 2, and ISO 27001.","hitrust",[3070,3073,3076],{"value":3071,"description":3072},"3 paths","e1, i1, and r2 assessment types supported with the right scoping.",{"value":3074,"description":3075},"100+ controls","HITRUST CSF requirements pre-mapped to your control library.",{"value":3077,"description":3078},"1 program","One evidence set serving HITRUST, HIPAA, SOC 2, ISO 27001 simultaneously.","5.frameworks\u002Fhitrust","Y2i7iyIQbqmgSThiqRVwM8nlgjXYsnacfjsRREXMeic",{"id":3082,"title":3083,"advantages":3084,"body":3106,"checklist":3179,"cta":3189,"description":141,"extension":162,"faq":3192,"hero":3206,"lastUpdated":193,"meta":3213,"name":3214,"navigation":196,"path":3215,"resources":3216,"seo":3229,"slug":3232,"stats":3233,"stem":3243,"__hash__":3244},"frameworks\u002F5.frameworks\u002Fiso22301.md","Iso22301",[3085,3092,3099],{"title":3086,"description":3087,"bullets":3088},"A real BCMS, not a binder","The ISO 22301 management system implemented as living artifacts.",[3089,3090,3091],"Business impact analysis and risk assessment","Continuity strategies and solutions","Documented plans and recovery objectives",{"title":3093,"description":3094,"bullets":3095},"Tested and improved","Exercises, reviews, and corrective actions that satisfy auditors.",[3096,3097,3098],"Exercise and test scheduling","Post-incident and post-exercise reviews","Corrective actions tracked to closure",{"title":3100,"description":3101,"bullets":3102},"Reuse your ISMS","ISO 22301 shares the harmonized structure with ISO 27001.",[3103,3104,3105],"Shared clauses 4-10 with ISO 27001","One combined audit where scoped together","Crosswalk to SOC 2 availability criteria",{"type":29,"value":3107,"toc":3173},[3108,3112,3122,3126,3152,3156,3168,3170],[32,3109,3111],{"id":3110},"what-is-iso-22301","What is ISO 22301?",[37,3113,3114,3117,3118,3121],{},[41,3115,3116],{},"ISO 22301:2019"," is the international standard for a ",[41,3119,3120],{},"Business Continuity Management System 
(BCMS)",". It defines the requirements for a documented, repeatable system that helps an organization prepare for, respond to, and recover from disruptive incidents — from outages and natural disasters to supply-chain failures and cyber attacks. It is certifiable, and it follows the Plan-Do-Check-Act model common to ISO management-system standards.",[32,3123,3125],{"id":3124},"what-a-bcms-covers","What a BCMS covers",[37,3127,3128,3129,3132,3133,3135,3136,3139,3140,3143,3144,3147,3148,3151],{},"At its core, ISO 22301 is driven by a ",[41,3130,3131],{},"business impact analysis (BIA)"," and a ",[41,3134,2260],{}," that together identify an organization's critical activities, their dependencies, and the impact of disruption over time. From there, the organization defines ",[41,3137,3138],{},"continuity strategies",", sets ",[41,3141,3142],{},"recovery time and recovery point objectives (RTO\u002FRPO)",", documents ",[41,3145,3146],{},"continuity and incident-response plans",", and validates them through an ",[41,3149,3150],{},"exercise and testing program"," with reviews and corrective actions.",[32,3153,3155],{"id":3154},"how-it-relates-to-iso-27001","How it relates to ISO 27001",[37,3157,3158,3159,3162,3163,3165,3166,416],{},"ISO 22301 shares the ",[41,3160,3161],{},"ISO harmonized structure"," (clauses 4–10) with ",[118,3164,133],{"href":132},", so the leadership, risk-management, and continual-improvement processes overlap substantially. Many organizations run the two together and pursue a combined audit, and the BCMS also strengthens the availability story for ",[118,3167,138],{"href":137},[32,3169,126],{"id":125},[37,3171,3172],{},"episki implements ISO 22301 as a working BCMS: a BIA builder, disruption-scenario risk assessment, continuity plans tied to your recovery objectives, and an exercise program with corrective actions tracked to closure. 
Because it reuses your ISO 27001 management system, the BCMS is an extension of your program rather than a separate binder.",{"title":141,"searchDepth":142,"depth":142,"links":3174},[3175,3176,3177,3178],{"id":3110,"depth":142,"text":3111},{"id":3124,"depth":142,"text":3125},{"id":3154,"depth":142,"text":3155},{"id":125,"depth":142,"text":126},{"title":3180,"description":3181,"items":3182},"ISO 22301 readiness inside episki","What a BCMS needs in place.",[3183,3184,3185,3186,3187,3188],"BCMS scope, policy, and objectives","Business impact analysis (BIA)","Risk assessment of disruption scenarios","Continuity strategies and recovery objectives (RTO \u002F RPO)","Business continuity and incident response plans","Exercise program, reviews, and corrective actions",{"title":3190,"description":3191},"Build a certifiable BCMS in episki","Stand up ISO 22301 alongside ISO 27001 and reuse the management-system work.",{"title":3193,"items":3194},"ISO 22301 frequently asked questions",[3195,3197,3200,3203],{"label":3111,"content":3196},"ISO 22301:2019 is the international standard for a Business Continuity Management System (BCMS). It specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented system that protects against, reduces the likelihood of, and ensures recovery from disruptive incidents.",{"label":3198,"content":3199},"Is the current version 2019?","Yes. ISO 22301:2019 is the current edition. As of 2026 it remains the in-force version, with no confirmed publication date for a revision.",{"label":3201,"content":3202},"How does it relate to ISO 27001?","ISO 22301 and ISO 27001 share the ISO harmonized (high-level) structure, so the management-system clauses (4-10) overlap heavily. 
Organizations frequently run them together and can pursue a combined audit, reusing leadership, risk, and improvement processes across both.",{"label":3204,"content":3205},"What is a business impact analysis?","A business impact analysis (BIA) identifies an organization's critical activities, their dependencies, and the impact of disruption over time. It drives the recovery time and recovery point objectives (RTO\u002FRPO) and the continuity strategies the BCMS puts in place.",{"headline":3207,"title":3208,"description":3209,"links":3210},"Business continuity, certifiable","Build a BCMS with ISO 22301","ISO 22301:2019 as a working program — business impact analysis, continuity strategies, plans, and exercises — that reuses your ISO 27001 management system.",[3211,3212],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"ISO 22301","\u002Fframeworks\u002Fiso22301",{"headline":3217,"title":3218,"description":3219,"items":3220},"ISO 22301 accelerators","Business continuity accelerators","Stand up a certifiable BCMS without a parallel project.",[3221,3224,3227],{"title":3222,"description":3223},"BIA builder","Capture critical activities, dependencies, and recovery objectives.",{"title":3225,"description":3226},"Continuity plan templates","Document plans tied to your BIA and recovery objectives.",{"title":1428,"description":3228},"Reuse your ISMS management-system evidence for the BCMS.",{"title":3230,"description":3231},"ISO 22301 Business Continuity Compliance Software","Build a certifiable Business Continuity Management System (BCMS) per ISO 22301:2019 — business impact analysis, continuity plans, and exercises — in one workspace.","iso22301",[3234,3237,3240],{"value":3235,"description":3236},":2019","The current edition of the international BCMS standard.",{"value":3238,"description":3239},"BIA-driven","Continuity priorities set by a documented business impact 
analysis.",{"value":3241,"description":3242},"27001 aligned","Shares the ISO harmonized structure with ISO 27001 for reuse.","5.frameworks\u002Fiso22301","2s6x28xbCIwNPuyM9M8z5eDemH7fWDKwh8wxG-9I-MU",{"id":3246,"title":3247,"advantages":3248,"body":3270,"checklist":3672,"cta":3683,"description":141,"extension":162,"faq":3686,"hero":3704,"lastUpdated":193,"meta":3712,"name":133,"navigation":196,"path":132,"resources":3713,"seo":3726,"slug":3729,"stats":3730,"stem":3739,"__hash__":3740},"frameworks\u002F5.frameworks\u002Fiso27001.md","Iso27001",[3249,3256,3263],{"title":3250,"description":3251,"bullets":3252},"Statement of Applicability in minutes","Generate and maintain your SoA directly from your control graph with justification notes for every inclusion and exclusion.",[3253,3254,3255],"Auto-populate applicability status from existing controls","Link each control to risk treatment decisions","Export auditor-ready SoA documents on demand",{"title":3257,"description":3258,"bullets":3259},"Risk-driven control management","Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.",[3260,3261,3262],"Risk assessment templates following ISO 27005 guidance","Heat maps show residual risk by domain","Treatment plans tie directly to control tasks and owners",{"title":3264,"description":3265,"bullets":3266},"Surveillance audit confidence","Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.",[3267,3268,3269],"Automated evidence refresh and expiration alerts","Internal audit scheduling with finding tracking","Management review templates with trend 
data",{"type":29,"value":3271,"toc":3654},[3272,3276,3287,3290,3293,3296,3300,3303,3306,3309,3313,3316,3329,3333,3336,3343,3346,3350,3358,3361,3369,3373,3380,3383,3391,3395,3398,3442,3450,3458,3462,3465,3468,3475,3479,3482,3485,3496,3500,3503,3511,3515,3518,3525,3529,3532,3558,3565,3569,3572,3580,3584,3587,3595,3599,3602,3623,3629,3633,3636,3648,3651],[32,3273,3275],{"id":3274},"what-is-iso-27001","What is ISO 27001?",[37,3277,3278,3281,3282,3286],{},[118,3279,133],{"href":3280},"\u002Fglossary\u002Fiso27001"," is the world's most widely adopted international standard for information security management. Formally titled ISO\u002FIEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ",[118,3283,3285],{"href":3284},"\u002Fglossary\u002Fisms","ISMS",". Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.",[37,3288,3289],{},"The standard is published jointly by two bodies. The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrotechnical and information technology standards. Together, their joint technical committee ISO\u002FIEC JTC 1\u002FSC 27 maintains the ISO 27001 family, which includes supporting documents such as ISO 27002 (implementation guidance) and ISO 27005 (risk management guidance).",[37,3291,3292],{},"ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. 
Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.",[37,3294,3295],{},"At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. Your ISMS is the thing you build from that blueprint.",[32,3297,3299],{"id":3298},"why-iso-27001-matters","Why ISO 27001 matters",[37,3301,3302],{},"ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.",[37,3304,3305],{},"Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.",[37,3307,3308],{},"ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds almost always includes a security review. 
Holding an ISO 27001 certificate short-circuits much of that review and accelerates close.",[32,3310,3312],{"id":3311},"the-iso-27001-certification-process","The ISO 27001 certification process",[37,3314,3315],{},"ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. If there are no major nonconformities, the certification body recommends certification and a three-year certificate is issued. Annual surveillance audits follow, with full recertification every three years.",[37,3317,3318,3319,3323,3324,3328],{},"For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ",[118,3320,3322],{"href":3321},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","ISO 27001 certification process guide",". If you are still evaluating whether to pursue ISO 27001 at all, the ",[118,3325,3327],{"href":3326},"\u002Fblog\u002Fiso27001-certification-guide","ISO 27001 certification guide"," covers the business case and sequencing decisions.",[32,3330,3332],{"id":3331},"iso-270012022-what-changed","ISO 27001:2022 — What changed",[37,3334,3335],{},"The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.",[37,3337,3338,3339,3342],{},"First, the control set was restructured. The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into ",[41,3340,3341],{},"93 controls across four themes",": organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). 
Eleven entirely new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.",[37,3344,3345],{},"Second, the clause-level requirements in sections 4 through 10 received targeted updates around planning, leadership commitment, and operational control. The Plan-Do-Check-Act structure remains, but the language is tighter and more aligned with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates were given a three-year transition window that closed on October 31, 2025; those certificates have now expired, and all certifications are issued and assessed exclusively against ISO 27001:2022.",[32,3347,3349],{"id":3348},"annex-a-controls","Annex A controls",[37,3351,3352,3353,3357],{},"Annex A of ISO 27001 is the reference control set. The ",[118,3354,3356],{"href":3355},"\u002Fglossary\u002Fannex-a","93 Annex A controls"," are organized under the four themes described above and represent the universe of possible safeguards your ISMS might apply. Every control must be evaluated for applicability and either implemented or formally excluded with justification.",[37,3359,3360],{},"Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. 
Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.",[37,3362,3363,3364,3368],{},"For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ",[118,3365,3367],{"href":3366},"\u002Fframeworks\u002Fiso27001\u002Fannex-a-controls","ISO 27001 Annex A controls reference",". ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.",[32,3370,3372],{"id":3371},"statement-of-applicability-soa","Statement of Applicability (SoA)",[37,3374,39,3375,3379],{},[118,3376,3378],{"href":3377},"\u002Fglossary\u002Fstatement-of-applicability","Statement of Applicability"," is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, explains why, and summarizes how the control is implemented. It is the document auditors will open first, and it is the document customers may ask to see.",[37,3381,3382],{},"A well-built SoA ties directly to your risk assessment output. Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions. Controls marked not applicable require a short but credible justification. Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.",[37,3384,3385,3386,3390],{},"See the dedicated guide on the ",[118,3387,3389],{"href":3388},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","ISO 27001 Statement of Applicability"," for format examples, justification patterns, and common SoA mistakes.",[32,3392,3394],{"id":3393},"building-your-isms","Building your ISMS",[37,3396,3397],{},"Implementing ISO 27001 is primarily an exercise in building a functioning ISMS. 
The standard walks through this in clauses 4 through 10:",[427,3399,3400,3406,3412,3418,3424,3430,3436],{},[72,3401,3402,3405],{},[41,3403,3404],{},"Clause 4 — Context of the organization."," Understand internal and external issues, interested parties, and define the ISMS scope.",[72,3407,3408,3411],{},[41,3409,3410],{},"Clause 5 — Leadership."," Top management must demonstrate commitment, approve the information security policy, and assign roles.",[72,3413,3414,3417],{},[41,3415,3416],{},"Clause 6 — Planning."," Identify risks and opportunities, set information security objectives, and plan how to achieve them.",[72,3419,3420,3423],{},[41,3421,3422],{},"Clause 7 — Support."," Provide resources, competence, awareness, communication, and documented information.",[72,3425,3426,3429],{},[41,3427,3428],{},"Clause 8 — Operation."," Execute the risk assessment and risk treatment process and operate the ISMS on an ongoing basis.",[72,3431,3432,3435],{},[41,3433,3434],{},"Clause 9 — Performance evaluation."," Monitor, measure, analyze, evaluate, conduct internal audits, and hold management reviews.",[72,3437,3438,3441],{},[41,3439,3440],{},"Clause 10 — Improvement."," Handle nonconformities and drive continual improvement.",[37,3443,3444,3445,3449],{},"Each clause has mandatory documented information and mandatory activities. The ",[118,3446,3448],{"href":3447},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation","ISO 27001 ISMS implementation guide"," breaks down exactly what to produce at each stage.",[37,3451,3452,3453,3457],{},"Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. 
The ",[118,3454,3456],{"href":3455},"\u002Fframeworks\u002Fiso27001\u002Fisms-scope","ISMS scope"," guide walks through how to draw the right boundaries for your business.",[32,3459,3461],{"id":3460},"iso-27001-risk-assessment","ISO 27001 risk assessment",[37,3463,3464],{},"Risk assessment is the engine that drives control selection in ISO 27001. The standard requires a documented, repeatable methodology. Most organizations use a qualitative or semi-quantitative approach that evaluates likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.",[37,3466,3467],{},"Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. Break this chain and you create nonconformities.",[37,3469,3470,3471,416],{},"For methodology, risk register structure, treatment options, and residual risk handling, see the ",[118,3472,3474],{"href":3473},"\u002Fframeworks\u002Fiso27001\u002Frisk-assessment","ISO 27001 risk assessment guide",[32,3476,3478],{"id":3477},"internal-audits-and-management-review","Internal audits and management review",[37,3480,3481],{},"Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. Both must be complete before your Stage 2 audit.",[37,3483,3484],{},"Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. 
Findings must be documented, communicated, and tracked to closure.",[37,3486,3487,3488,1125,3492,416],{},"Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the ",[118,3489,3491],{"href":3490},"\u002Fframeworks\u002Fiso27001\u002Finternal-audit","internal audit guide",[118,3493,3495],{"href":3494},"\u002Fframeworks\u002Fiso27001\u002Fmanagement-review","management review guide",[32,3497,3499],{"id":3498},"nonconformities-and-corrective-action","Nonconformities and corrective action",[37,3501,3502],{},"When something in your ISMS does not meet ISO 27001 requirements, your own policies, or customer obligations, that is a nonconformity. Clauses 10.1 and 10.2 require you to react, contain the consequences, perform root cause analysis, implement corrective action, and verify effectiveness.",[37,3504,3505,3506,3510],{},"Mature organizations treat nonconformities as valuable signals rather than failures. The ",[118,3507,3509],{"href":3508},"\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","nonconformity and corrective action"," guide walks through the full CAPA workflow auditors expect to see.",[32,3512,3514],{"id":3513},"continual-improvement","Continual improvement",[37,3516,3517],{},"Clause 10.3 requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. 
It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.",[37,3519,3520,3521,416],{},"Learn how to set ISMS metrics that auditors respect and leadership actually uses in the ",[118,3522,3524],{"href":3523},"\u002Fframeworks\u002Fiso27001\u002Fcontinual-improvement","continual improvement guide",[32,3526,3528],{"id":3527},"cost-and-timeline","Cost and timeline",[37,3530,3531],{},"ISO 27001 certification costs vary by scope, organization size, and maturity. A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:",[427,3533,3534,3540,3546,3552],{},[72,3535,3536,3539],{},[41,3537,3538],{},"Internal effort."," Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. Equivalent fully loaded cost of $50,000 to $200,000.",[72,3541,3542,3545],{},[41,3543,3544],{},"External consulting (optional)."," Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.",[72,3547,3548,3551],{},[41,3549,3550],{},"Certification body fees."," Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. Recertification in year three runs similar to the initial audit.",[72,3553,3554,3557],{},[41,3555,3556],{},"Platform and tooling."," GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.",[37,3559,3560,3561,3564],{},"Total first-year ISO 27001 program cost for a 50 to 200 person company commonly lands between $60,000 and $150,000 all-in. Timeline from kickoff to certificate in hand is typically nine to fifteen months. 
See the ",[118,3562,3563],{"href":3321},"cost and timeline discussion in the certification process guide"," for more detail.",[32,3566,3568],{"id":3567},"choosing-a-certification-body","Choosing a certification body",[37,3570,3571],{},"Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers.",[37,3573,3574,3575,3579],{},"Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. The ",[118,3576,3578],{"href":3577},"\u002Fframeworks\u002Fiso27001\u002Fcertification-body-selection","certification body selection guide"," walks through the full evaluation.",[32,3581,3583],{"id":3582},"surveillance-audits-and-recertification","Surveillance audits and recertification",[37,3585,3586],{},"Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.",[37,3588,3589,3590,3594],{},"See the ",[118,3591,3593],{"href":3592},"\u002Fframeworks\u002Fiso27001\u002Fsurveillance-audits","surveillance audits guide"," for preparation checklists and what auditors typically sample during year-one and year-two visits.",[32,3596,3598],{"id":3597},"iso-27001-vs-soc-2-vs-nist-csf","ISO 27001 vs SOC 2 vs NIST CSF",[37,3600,3601],{},"Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. 
The short version:",[427,3603,3604,3612],{},[72,3605,3606,3611],{},[41,3607,3608,3609,416],{},"ISO 27001 vs ",[118,3610,138],{"href":137}," ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. SOC 2 is faster to complete and often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.",[72,3613,3614,3617,3618,3622],{},[41,3615,3616],{},"ISO 27001 vs NIST CSF."," NIST CSF is a voluntary US framework structured around five functions: Identify, Protect, Detect, Respond, and Recover. It is not a certification. Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. The two map cleanly at the control level. See ",[118,3619,3621],{"href":3620},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","NIST CSF mapping to other frameworks"," for a side-by-side comparison.",[37,3624,3625,3626,3628],{},"If you are weighing which framework to pursue first, the ",[118,3627,3327],{"href":3326}," covers framework sequencing for growing companies.",[32,3630,3632],{"id":3631},"getting-certified-with-episki","Getting certified with episki",[37,3634,3635],{},"Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.",[37,3637,3638,3639,134,3643,3647],{},"episki was built to collapse that effort. 
The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see ",[118,3640,3642],{"href":3641},"\u002Fcompare\u002Fvanta","episki vs Vanta",[118,3644,3646],{"href":3645},"\u002Fcompare\u002Fdrata","episki vs Drata"," for honest side-by-side views.",[37,3649,3650],{},"Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.",[37,3652,3653],{},"Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.",{"title":141,"searchDepth":142,"depth":142,"links":3655},[3656,3657,3658,3659,3660,3661,3662,3663,3664,3665,3666,3667,3668,3669,3670,3671],{"id":3274,"depth":142,"text":3275},{"id":3298,"depth":142,"text":3299},{"id":3311,"depth":142,"text":3312},{"id":3331,"depth":142,"text":3332},{"id":3348,"depth":142,"text":3349},{"id":3371,"depth":142,"text":3372},{"id":3393,"depth":142,"text":3394},{"id":3460,"depth":142,"text":3461},{"id":3477,"depth":142,"text":3478},{"id":3498,"depth":142,"text":3499},{"id":3513,"depth":142,"text":3514},{"id":3527,"depth":142,"text":3528},{"id":3567,"depth":142,"text":3568},{"id":3582,"depth":142,"text":3583},{"id":3597,"depth":142,"text":3598},{"id":3631,"depth":142,"text":3632},{"title":3673,"description":3674,"items":3675},"ISO 27001 certification checklist inside episki","Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.",[3676,3677,3678,3679,3680,3681,3682],"ISMS scope definition and context of the organization templates","Full 
Annex A control library with implementation guidance","Risk assessment and treatment plan workflows","Statement of Applicability generator","Internal audit programme with finding management","Management review agenda and output templates","Corrective action tracking with root cause analysis",{"title":3684,"description":3685},"Start your ISO 27001 journey today","Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.",{"title":3687,"items":3688},"ISO 27001 frequently asked questions",[3689,3692,3695,3698,3701],{"label":3690,"content":3691},"How long does ISO 27001 certification take?","Most organizations achieve certification in 6-12 months depending on scope and existing maturity. The process includes a Stage 1 documentation review and a Stage 2 implementation audit. episki reduces preparation time by up to 60% with pre-mapped controls and automated evidence.",{"label":3693,"content":3694},"What is the difference between ISO 27001 and SOC 2?","ISO 27001 is an international certification standard focused on building a complete information security management system (ISMS). SOC 2 is a US-based attestation that evaluates specific Trust Services Criteria. Many companies pursue both, and episki lets you map controls once and reuse them across frameworks.",{"label":3696,"content":3697},"What is an ISMS?","An Information Security Management System (ISMS) is the set of policies, procedures, controls, and processes an organization uses to manage information security risk. ISO 27001 provides the framework for establishing, implementing, maintaining, and continually improving an ISMS.",{"label":3699,"content":3700},"How much does ISO 27001 certification cost?","Certification costs vary by organization size and scope but typically range from $30,000 to $80,000 including auditor fees, with ongoing surveillance audit costs annually. 
episki's flat-rate pricing keeps the platform cost predictable at $500\u002Fmonth.",{"label":3702,"content":3703},"How often are ISO 27001 surveillance audits?","After initial certification, surveillance audits occur annually to confirm your ISMS remains effective. A full recertification audit is required every three years. episki's continuous monitoring keeps evidence current between audits.",{"headline":3705,"title":3706,"description":3707,"links":3708},"ISO 27001 certification on your timeline","Build and maintain your ISMS without drowning in spreadsheets","episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.",[3709,3711],{"label":3710,"icon":184,"to":185},"Start ISO 27001 trial",{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":3714,"title":3714,"description":3715,"items":3716},"ISO 27001 certification resources","Give leadership, auditors, and customers visibility into your ISMS maturity.",[3717,3720,3723],{"title":3718,"description":3719},"ISMS maturity dashboard","Visual progress across all Annex A domains with gap analysis and trending.",{"title":3721,"description":3722},"Auditor collaboration portal","Scoped access for certification bodies with evidence requests and Q&A threads.",{"title":3724,"description":3725},"Customer trust pack","Shareable ISO 27001 certification summary with scope details and control highlights.",{"title":3727,"description":3728},"ISO 27001 Compliance Platform","Build and certify your ISMS faster with episki. Annex A control mapping, SoA generation, and risk treatment plans in one workspace. 
Free 14-day trial.","iso27001",[3731,3733,3736],{"value":3356,"description":3732},"Pre-mapped to your control graph with owners, evidence, and review cadences.",{"value":3734,"description":3735},"60% less prep","Average reduction in Stage 2 audit preparation time with episki's automation.",{"value":3737,"description":3738},"Continuous compliance","Surveillance audits stay painless with always-current evidence and risk registers.","5.frameworks\u002Fiso27001","0kJ9ZuJ6IvuVTvRUinnO_bjD2yLr-nODQ-G3gYmCiok",{"id":3742,"title":3743,"advantages":3744,"body":3766,"checklist":3834,"cta":3844,"description":141,"extension":162,"faq":3847,"hero":3861,"lastUpdated":193,"meta":3868,"name":3869,"navigation":196,"path":3870,"resources":3871,"seo":3884,"slug":3887,"stats":3888,"stem":3898,"__hash__":3899},"frameworks\u002F5.frameworks\u002Fiso27017.md","Iso27017",[3745,3752,3759],{"title":3746,"description":3747,"bullets":3748},"Cloud controls on your ISMS","ISO 27017 builds on ISO 27002 with cloud-specific implementation guidance.",[3749,3750,3751],"Cloud-specific guidance for relevant 27002 controls","Seven additional cloud-only controls","Assessed alongside ISO 27001",{"title":3753,"description":3754,"bullets":3755},"Shared responsibility, documented","Make the provider\u002Fcustomer split explicit for every cloud control.",[3756,3757,3758],"Provider vs. 
customer responsibility per control","Virtualization and segregation controls","Administrative operations and monitoring",{"title":3760,"description":3761,"bullets":3762},"Reuse your security evidence","27017 leans on the controls you already maintain for 27001 and SOC 2.",[3763,3764,3765],"Evidence shared with ISO 27001 \u002F 27018","Crosswalk to SOC 2 and CSA CCM","One audit, broader scope",{"type":29,"value":3767,"toc":3828},[3768,3772,3797,3801,3804,3808,3820,3822],[32,3769,3771],{"id":3770},"what-is-iso-27017","What is ISO 27017?",[37,3773,3774,3777,3778,3781,3782,3785,3786,3789,3790,134,3793,3796],{},[41,3775,3776],{},"ISO\u002FIEC 27017:2015"," is the international ",[41,3779,3780],{},"code of practice for cloud security",". It does not stand on its own — it supplements ",[41,3783,3784],{},"ISO\u002FIEC 27002"," by adding cloud-specific implementation guidance to existing controls and introducing ",[41,3787,3788],{},"seven additional controls"," that apply only to cloud computing. It is written for both ",[41,3791,3792],{},"cloud service providers",[41,3794,3795],{},"cloud service customers",", making the shared-responsibility model explicit.",[32,3798,3800],{"id":3799},"what-it-adds","What it adds",[37,3802,3803],{},"For many ISO 27002 controls, 27017 provides cloud-specific guidance — how the control applies when infrastructure, platform, or software is consumed as a service. On top of that, it adds cloud-only controls covering areas such as the shared roles and responsibilities between provider and customer, removal and return of customer assets at contract termination, segregation in virtualized environments, virtual machine hardening, and the monitoring of cloud administrative operations.",[32,3805,3807],{"id":3806},"how-its-assessed","How it's assessed",[37,3809,3810,3811,3814,3815,3819],{},"Because 27017 is an extension rather than a standalone standard, it is ",[41,3812,3813],{},"assessed as part of an ISO\u002FIEC 27001 audit",". 
Organizations add 27017 — and frequently ",[118,3816,3818],{"href":3817},"\u002Fframeworks\u002Fiso27018","ISO 27018"," for PII — to the scope of their existing ISMS, so a single certification effort covers information security and cloud-specific controls together.",[32,3821,126],{"id":125},[37,3823,3824,3825,3827],{},"episki layers ISO 27017 onto your ",[118,3826,133],{"href":132}," ISMS: a shared-responsibility matrix for each cloud service, cloud-specific guidance mapped to your ISO 27002 controls, and evidence reused across SOC 2 and the CSA Cloud Controls Matrix — so cloud security is an extension of your program, not a second one.",{"title":141,"searchDepth":142,"depth":142,"links":3829},[3830,3831,3832,3833],{"id":3770,"depth":142,"text":3771},{"id":3799,"depth":142,"text":3800},{"id":3806,"depth":142,"text":3807},{"id":125,"depth":142,"text":126},{"title":3835,"description":3836,"items":3837},"ISO 27017 readiness inside episki","What a cloud provider or customer needs in place.",[3838,3839,3840,3841,3842,3843],"ISO 27001 ISMS in place or in progress","Shared-responsibility matrix per cloud service","Cloud-specific control guidance applied","Virtualization segregation and hardening controls","Administrator operations logging and monitoring","Customer data return and removal on contract exit",{"title":3845,"description":3846},"Add ISO 27017 to your ISMS in episki","Extend your ISO 27001 program with cloud controls and reuse the evidence across SOC 2 and CSA CCM.",{"title":3848,"items":3849},"ISO 27017 frequently asked questions",[3850,3852,3855,3858],{"label":3771,"content":3851},"ISO\u002FIEC 27017:2015 is an international code of practice for information security controls for cloud services. 
It supplements ISO\u002FIEC 27002 with cloud-specific implementation guidance and adds seven controls unique to cloud computing, addressing both cloud service providers and cloud service customers.",{"label":3853,"content":3854},"Is ISO 27017 separately certifiable?","ISO 27017 is not a standalone management-system standard — it is assessed as an extension of an ISO\u002FIEC 27001 ISMS. Organizations typically add 27017 (and often 27018) to the scope of their ISO 27001 audit.",{"label":3856,"content":3857},"Who should adopt it?","Cloud service providers that want to demonstrate strong cloud security practices, and cloud customers that want a recognized framework for governing their use of cloud services. It is common alongside SOC 2 and the CSA STAR program.",{"label":3859,"content":3860},"How does it relate to ISO 27018?","ISO 27017 focuses on cloud security broadly, while ISO 27018 focuses specifically on protecting personally identifiable information (PII) in public clouds. Many organizations adopt both as extensions of the same ISO 27001 ISMS.",{"headline":3862,"title":3863,"description":3864,"links":3865},"Cloud security, ISO-aligned","Extend your ISMS with ISO 27017 cloud controls","ISO\u002FIEC 27017:2015 adds cloud-specific guidance on top of ISO 27002 — shared responsibility, virtualization, and admin operations — assessed alongside your ISO 27001 certificate.",[3866,3867],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"ISO 27017","\u002Fframeworks\u002Fiso27017",{"headline":3872,"title":3873,"description":3874,"items":3875},"ISO 27017 accelerators","Cloud control accelerators","Layer cloud controls onto your ISMS without a parallel project.",[3876,3879,3882],{"title":3877,"description":3878},"Shared-responsibility matrix","Document provider and customer duties for every cloud control.",{"title":3880,"description":3881},"Cloud control guidance","Cloud-specific implementation notes mapped to 
your ISO 27002 controls.",{"title":1428,"description":3883},"Reuse your ISMS evidence to satisfy the 27017 extension.",{"title":3885,"description":3886},"ISO 27017 Cloud Security Compliance Software","Add the ISO\u002FIEC 27017:2015 cloud security code of practice to your ISO 27001 ISMS — cloud-specific controls and provider\u002Fcustomer responsibilities in one workspace.","iso27017",[3889,3892,3895],{"value":3890,"description":3891},"37 + 7","ISO 27002 controls with cloud guidance, plus 7 cloud-specific controls.",{"value":3893,"description":3894},"Shared model","Provider and customer responsibilities documented per control.",{"value":3896,"description":3897},"27001 add-on","Assessed as an extension of your ISO 27001 ISMS, not a separate program.","5.frameworks\u002Fiso27017","sK06I70jEoI-4_OT3V1rOOffedbZ-bpqb7aGa-Im3Ts",{"id":3901,"title":3902,"advantages":3903,"body":3925,"checklist":3982,"cta":3991,"description":141,"extension":162,"faq":3994,"hero":4007,"lastUpdated":193,"meta":4014,"name":3818,"navigation":196,"path":3817,"resources":4015,"seo":4029,"slug":4032,"stats":4033,"stem":4042,"__hash__":4043},"frameworks\u002F5.frameworks\u002Fiso27018.md","Iso27018",[3904,3911,3918],{"title":3905,"description":3906,"bullets":3907},"Cloud PII controls","ISO 27018 supplements ISO 27002 with controls for protecting PII in public clouds.",[3908,3909,3910],"Consent, choice, and purpose limitation","Transparency on subprocessors and data location","Return, transfer, and disposal of PII",{"title":3912,"description":3913,"bullets":3914},"Built for processors","Designed for public-cloud providers handling customer PII on their behalf.",[3915,3916,3917],"Customer-controller \u002F provider-processor split","No use of PII for advertising without consent","Breach notification support to the customer",{"title":3919,"description":3920,"bullets":3921},"Reuse privacy evidence","27018 dovetails with ISO 27701 and GDPR work you already do.",[3922,3923,3924],"Crosswalk to ISO 27701 
(PIMS)","Crosswalk to GDPR articles","One audit alongside ISO 27001 \u002F 27017",{"type":29,"value":3926,"toc":3976},[3927,3931,3944,3946,3949,3951,3964,3966],[32,3928,3930],{"id":3929},"what-is-iso-27018","What is ISO 27018?",[37,3932,3933,3777,3936,3939,3940,3943],{},[41,3934,3935],{},"ISO\u002FIEC 27018:2019",[41,3937,3938],{},"code of practice for protecting personally identifiable information (PII) in public clouds",". It supplements ISO\u002FIEC 27002 with privacy-specific controls and guidance aimed at organizations that act as ",[41,3941,3942],{},"PII processors"," in a public-cloud setting. First published in 2014 and revised in 2019, it was the first international standard dedicated to cloud privacy.",[32,3945,3800],{"id":3799},[37,3947,3948],{},"ISO 27018 augments the ISMS with controls that address how a cloud provider handles its customers' PII: obtaining consent and respecting purpose limitation, being transparent about subprocessors and the geographic location of data, restricting the use of PII for marketing or advertising without consent, supporting the customer in meeting data-subject requests, and ensuring PII is returned, transferred, or securely disposed of at the end of the relationship.",[32,3950,3807],{"id":3806},[37,3952,3953,3954,3956,3957,3960,3961,3963],{},"Like ",[118,3955,3869],{"href":3870},", ISO 27018 is ",[41,3958,3959],{},"not a standalone certification"," — it is assessed as an extension to an ",[118,3962,133],{"href":132}," ISMS. 
Many cloud providers add both 27017 (cloud security) and 27018 (cloud privacy) to the same audit scope.",[32,3965,126],{"id":125},[37,3967,3968,3969,134,3973,3975],{},"episki layers ISO 27018 onto your ISMS with a cloud PII inventory, a subprocessor register, and consent and disposal controls — all cross-mapped to ",[118,3970,3972],{"href":3971},"\u002Fframeworks\u002Fiso27701","ISO 27701",[118,3974,2147],{"href":2148}," so your cloud-privacy evidence does double duty across your privacy program.",{"title":141,"searchDepth":142,"depth":142,"links":3977},[3978,3979,3980,3981],{"id":3929,"depth":142,"text":3930},{"id":3799,"depth":142,"text":3800},{"id":3806,"depth":142,"text":3807},{"id":125,"depth":142,"text":126},{"title":3983,"description":3984,"items":3985},"ISO 27018 readiness inside episki","What a public-cloud PII processor needs in place.",[3838,3986,3987,3988,3989,3990],"PII processing inventory for cloud services","Consent, choice, and purpose-limitation controls","Subprocessor disclosure and data-location transparency","PII return, transfer, and secure disposal procedures","Breach notification support to the customer-controller",{"title":3992,"description":3993},"Add ISO 27018 to your ISMS in episki","Extend your ISO 27001 program with cloud privacy controls and reuse the evidence across GDPR and ISO 27701.",{"title":3995,"items":3996},"ISO 27018 frequently asked questions",[3997,3999,4002,4005],{"label":3930,"content":3998},"ISO\u002FIEC 27018:2019 is an international code of practice for protecting personally identifiable information (PII) in public clouds that act as PII processors. It supplements ISO\u002FIEC 27002 and ISO\u002FIEC 27001 with privacy-specific controls and guidance, and was the first international standard focused on cloud privacy.",{"label":4000,"content":4001},"Is it separately certifiable?","Like ISO 27017, ISO 27018 is assessed as an extension of an ISO\u002FIEC 27001 ISMS rather than as a standalone certification. 
Organizations typically add it (often together with 27017) to their ISO 27001 audit scope.",{"label":4003,"content":4004},"How does it relate to GDPR?","ISO 27018 is not a substitute for GDPR, but its controls map closely to GDPR obligations for processors and provide recognized evidence of good-faith PII protection in the cloud. It pairs naturally with the certifiable ISO 27701 privacy management standard.",{"label":3856,"content":4006},"Public-cloud providers and SaaS companies that process personal data on behalf of their customers, and who want a recognized way to demonstrate responsible cloud PII handling to privacy-conscious buyers.",{"headline":4008,"title":4009,"description":4010,"links":4011},"PII protection for public clouds","Add ISO 27018 privacy controls to your ISMS","ISO\u002FIEC 27018:2019 is the code of practice for protecting personally identifiable information in public clouds acting as a PII processor — assessed alongside ISO 27001 and mapped to GDPR.",[4012,4013],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":4016,"title":4017,"description":4018,"items":4019},"ISO 27018 accelerators","Cloud privacy accelerators","Demonstrate responsible PII handling without a separate privacy project.",[4020,4023,4026],{"title":4021,"description":4022},"Cloud PII inventory","Track the PII you process per cloud service and its location.",{"title":4024,"description":4025},"Subprocessor register","Disclose and manage subprocessors handling customer PII.",{"title":4027,"description":4028},"ISO 27701 \u002F GDPR crosswalk","Reuse your PIMS and GDPR evidence to satisfy 27018.",{"title":4030,"description":4031},"ISO 27018 Cloud Privacy Compliance Software","Protect PII in public clouds with the ISO\u002FIEC 27018:2019 code of practice — added to your ISO 27001 ISMS and cross-mapped to GDPR and ISO 27701.","iso27018",[4034,4037,4039],{"value":4035,"description":4036},"PII processor","Privacy 
controls for public-cloud providers acting as PII processors.",{"value":3896,"description":4038},"Assessed as an extension of your ISO 27001 ISMS.",{"value":4040,"description":4041},"GDPR mapped","Controls cross-walked to GDPR and ISO 27701 for evidence reuse.","5.frameworks\u002Fiso27018","ODwAz9-YU1_e8mksIo1Sm2bEwg_jAI6F1CXqsqRDDx8",{"id":4045,"title":4046,"advantages":4047,"body":4069,"checklist":4106,"cta":4116,"description":141,"extension":162,"faq":4119,"hero":4133,"lastUpdated":193,"meta":4140,"name":3972,"navigation":196,"path":3971,"resources":4141,"seo":4155,"slug":4158,"stats":4159,"stem":4167,"__hash__":4168},"frameworks\u002F5.frameworks\u002Fiso27701.md","Iso27701",[4048,4055,4062],{"title":4049,"description":4050,"bullets":4051},"Standalone — or paired with ISO 27001","ISO 27701:2025 can be certified on its own, and it still reuses your existing ISMS controls when you have them.",[4052,4053,4054],"Certify a PIMS with or without ISO 27001","27001 controls flagged with privacy applicability","Single combined audit when run alongside 27001",{"title":4056,"description":4057,"bullets":4058},"Controller and processor controls","Privacy controls scoped based on how you process PII for each activity.",[4059,4060,4061],"Controller-specific privacy controls","Processor-specific privacy controls","Shared controls for organizations with both roles",{"title":4063,"description":4064,"bullets":4065},"Mapped to GDPR, CCPA, and beyond","Cross-walks built in so your 27701 work feeds your other privacy program reporting.",[4066,4067,4068],"GDPR Article-level mapping","CCPA \u002F CPRA mapping","LGPD, PIPEDA, and emerging laws",{"type":29,"value":4070,"toc":4101},[4071,4075,4082,4089,4093,4096,4098],[32,4072,4074],{"id":4073},"what-is-iso-27701","What is ISO 27701?",[37,4076,4077,4078,4081],{},"ISO\u002FIEC 27701 is the international standard for a Privacy Information Management System (PIMS) — it adds privacy-specific requirements and controls to an information 
security management baseline. First published in 2019 as the first standard organizations could certify against for privacy management, it was substantially revised as ",[41,4079,4080],{},"ISO\u002FIEC 27701:2025"," (published October 2025), which is the current edition. Organizations certified to the 2019 version have until October 2028 to transition.",[37,4083,4084,4085,4088],{},"The standard provides privacy control sets for PII controllers and PII processors (split across Annex A and Annex B in the 2019 edition, and consolidated into a single set in the 2025 edition) and aligns its management clauses (4–10) with the ISO harmonized structure shared by ISO 27001 and ISO 42001. The biggest change in 2025: ISO 27701 is now ",[41,4086,4087],{},"standalone"," — you can certify a PIMS without holding ISO 27001, though the two still pair naturally because 27701 builds on the ISO 27002 security controls.",[32,4090,4092],{"id":4091},"who-pursues-iso-27701","Who pursues ISO 27701",[37,4094,4095],{},"Organizations that want a recognized, certifiable demonstration of privacy management — especially those processing personal data of EU\u002FEEA residents, but increasingly relevant for CCPA, LGPD, and similar regimes. SaaS companies acting as data processors for their customers frequently pursue 27701 alongside SOC 2 and 27001 as a comprehensive trust posture.",[32,4097,126],{"id":125},[37,4099,4100],{},"A PIMS is most efficient when it builds on an existing ISMS. 
episki keeps your 27001 controls and your 27701 privacy clauses in the same workspace, with the appropriate Annex A or B controls flagged based on your controller\u002Fprocessor role per processing activity.",{"title":141,"searchDepth":142,"depth":142,"links":4102},[4103,4104,4105],{"id":4073,"depth":142,"text":4074},{"id":4091,"depth":142,"text":4092},{"id":125,"depth":142,"text":126},{"title":4107,"description":4108,"items":4109},"ISO 27701 readiness inside episki","Build the PIMS without rebuilding the ISMS.",[4110,4111,4112,4113,4114,4115],"PIMS scope definition (PII processing activities)","Controller \u002F processor role determination per activity","Annex A and Annex B applicable-controls list","Records of Processing (ROPA) integrated with controls","Data-subject rights (DSAR) workflow","Privacy training and awareness program",{"title":4117,"description":4118},"Build a certifiable PIMS in episki","Stand up ISO 27701 — alongside ISO 27001 or on its own — in the same workspace.",{"title":4120,"items":4121},"ISO 27701 frequently asked questions",[4122,4124,4127,4130],{"label":4074,"content":4123},"ISO\u002FIEC 27701 is the international standard for a Privacy Information Management System (PIMS) — it adds controller and processor privacy controls on top of an information security baseline. The 2025 revision (published October 2025, replacing the 2019 edition) made it a standalone standard you can certify against with or without ISO 27001.",{"label":4125,"content":4126},"How does 27701 relate to GDPR?","27701 was designed to provide an international standard organizations can demonstrate when claiming GDPR readiness. Many of its clauses map directly to GDPR Articles, and supervisory authorities increasingly recognize 27701 as evidence of good-faith compliance effort — though it doesn't substitute for GDPR.",{"label":4128,"content":4129},"Controller vs. 
processor controls?","A PIMS addresses two roles — controls for organizations acting as PII controllers and controls for those acting as PII processors. The 2019 edition split these into Annex A and Annex B; ISO 27701:2025 consolidated them into a single control set covering both roles. Organizations acting as both apply the relevant controls per processing activity.",{"label":4131,"content":4132},"Can we certify to 27701 without 27001?","Yes — as of ISO\u002FIEC 27701:2025 the standard is standalone, so you can certify a PIMS without holding ISO 27001. Many organizations still pursue the two together and run a combined audit, because 27701 reuses the ISO 27001\u002F27002 security baseline.",{"headline":4134,"title":4135,"description":4136,"links":4137},"Privacy management, certifiable","Build a Privacy Information Management System","ISO\u002FIEC 27701:2025 is now a standalone Privacy Information Management System standard — certify with or without ISO 27001. PII controller and processor controls, GDPR Article mapping, and one workspace for security + privacy.",[4138,4139],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":4142,"title":4143,"description":4144,"items":4145},"ISO 27701 accelerators","PIMS program accelerators","Add a privacy layer to your ISMS without reinventing the wheel.",[4146,4149,4152],{"title":4147,"description":4148},"Role mapper","Determine controller, processor, or joint controller per processing activity.",{"title":4150,"description":4151},"Annex A \u002F B selector","Pick the right control set based on your role determinations.",{"title":4153,"description":4154},"GDPR Article crosswalk","See which ISO 27701 clauses satisfy which GDPR Articles.",{"title":4156,"description":4157},"ISO 27701 Privacy Information Management Software","Stand up a certifiable Privacy Information Management System (PIMS) under ISO\u002FIEC 27701:2025 — now a standalone standard. 
Mapped to GDPR, CCPA, and other privacy laws.","iso27701",[4160,4163,4165],{"value":4161,"description":4162},"PII controller","Privacy controls for organizations acting as PII controllers.",{"value":4035,"description":4164},"Privacy controls for organizations acting as PII processors.",{"value":4040,"description":4166},"Each ISO 27701 clause cross-walked to relevant GDPR Articles for evidence reuse.","5.frameworks\u002Fiso27701","qCOJ6ph-Eo4DMUbgxeiPOf4yG6EMNi986-l_t_SRM6s",{"id":4170,"title":4171,"advantages":4172,"body":4193,"checklist":4222,"cta":4232,"description":141,"extension":162,"faq":4235,"hero":4249,"lastUpdated":322,"meta":4256,"name":1676,"navigation":196,"path":1675,"resources":4257,"seo":4271,"slug":4274,"stats":4275,"stem":4284,"__hash__":4285},"frameworks\u002F5.frameworks\u002Fiso42001.md","Iso42001",[4173,4180,4187],{"title":4174,"description":4175,"bullets":4176},"Agent registry and use-case inventory","Track every AI use case in your organization with risk classification, ownership, and lifecycle stage.",[4177,4178,4179],"Inventory across vendors, internal builds, and shadow AI","Risk tier per use case using ISO 42001 criteria","Lifecycle stage from concept to retirement",{"title":4181,"description":4182,"bullets":4183},"AI-specific risk treatments","Run AI risks (bias, hallucination, security, drift) through the same treatment workflows as your existing risk register.",[4184,4185,4186],"AI-specific risk taxonomy","Acceptance, mitigation, transfer, avoid paths","Tied to controls and ongoing monitoring",{"title":3349,"description":4188,"bullets":4189},"The 38 operational controls in ISO 42001 Annex A, ready to scope, implement, and evidence.",[4190,4191,4192],"Policies, leadership, resources, lifecycle controls","Data quality, fairness, interpretability","Third-party AI provider obligations",{"type":29,"value":4194,"toc":4217},[4195,4199,4202,4205,4209,4212,4214],[32,4196,4198],{"id":4197},"what-is-iso-42001","What is ISO 
42001?",[37,4200,4201],{},"ISO\u002FIEC 42001:2023, published in December 2023, is the world's first international management-system standard for artificial intelligence. It defines requirements for establishing, implementing, maintaining, and continually improving an AI Management System (AIMS) — modeled on the pattern used by ISO 27001 for information security and ISO 9001 for quality.",[37,4203,4204],{},"The standard contains a set of management-system clauses (4–10) covering context, leadership, planning, support, operation, performance evaluation, and improvement, plus a normative Annex A with 38 controls covering the AI lifecycle from policies through third-party providers.",[32,4206,4208],{"id":4207},"who-needs-iso-42001","Who needs ISO 42001",[37,4210,4211],{},"Any organization developing, providing, or using AI systems at material scale. The standard is rapidly becoming the de facto demonstration of mature AI governance for enterprise buyers, regulated industries (financial services, healthcare, public sector), and as a readiness signal for the EU AI Act, which references ISO 42001 as evidence of due diligence.",[32,4213,126],{"id":125},[37,4215,4216],{},"episki is the only GRC platform built with AI governance as a first-class concern — because we ship AI features ourselves. 
The platform inventories your AI use cases (including agents in episki), classifies them by risk, treats AI-specific risks through the same workflows you use for cyber risk, and crosswalks 42001 to NIST AI RMF and the EU AI Act so evidence is reusable.",{"title":141,"searchDepth":142,"depth":142,"links":4218},[4219,4220,4221],{"id":4197,"depth":142,"text":4198},{"id":4207,"depth":142,"text":4208},{"id":125,"depth":142,"text":126},{"title":4223,"description":4224,"items":4225},"ISO 42001 readiness inside episki","Stand up an AIMS in days, not quarters.",[4226,4227,4228,4229,4230,4231],"AI use-case inventory and risk tiering","Annex A control selection per use case","AI ethics and acceptable use policy","AI risk register with treatment plans","Third-party AI provider (sub-processor) assessment","Ongoing AI performance and incident monitoring",{"title":4233,"description":4234},"Build a certifiable AIMS in episki","Inventory your AI, treat the risks, map to NIST and the EU AI Act — one workspace.",{"title":4236,"items":4237},"ISO 42001 frequently asked questions",[4238,4240,4243,4246],{"label":4198,"content":4239},"ISO\u002FIEC 42001:2023 is the first international standard for an AI Management System (AIMS). It defines requirements for establishing, implementing, maintaining, and continually improving an AIMS within the context of an organization that develops, provides, or uses AI systems. Modeled on ISO 27001's ISMS pattern.",{"label":4241,"content":4242},"Who needs ISO 42001?","Any organization developing, providing, or using AI at material scale benefits. It's increasingly being requested by enterprise buyers, regulated industries, and as readiness signal for the EU AI Act. 
SaaS companies that ship AI features (drafting, retrieval, agentic workflows) are prime candidates.",{"label":4244,"content":4245},"How does 42001 relate to the EU AI Act?","ISO 42001 is the leading control framework cited by EU AI Act guidance as evidence of due diligence for high-risk AI systems. Certification doesn't satisfy the AI Act on its own, but it materially reduces compliance burden by reusing artifacts and aligning to expected obligations.",{"label":4247,"content":4248},"How does 42001 relate to NIST AI RMF?","NIST AI RMF is a voluntary US framework with four functions (Govern, Map, Measure, Manage). ISO 42001 is the international management-system standard. They're complementary — 42001 provides certifiable management, AI RMF provides operational guidance. episki crosswalks the two.",{"headline":4250,"title":4251,"description":4252,"links":4253},"AI governance, certifiable","The world's first certifiable AI Management System","ISO 42001 is the new international standard for governing AI inside an organization. 
episki operationalizes it — agent registry, AI use-case inventory, risk treatments, and crosswalks to NIST AI RMF and the EU AI Act.",[4254,4255],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":4258,"title":4259,"description":4260,"items":4261},"ISO 42001 accelerators","AI governance accelerators","Translate ISO 42001 from a 50-page PDF into a running program.",[4262,4265,4268],{"title":4263,"description":4264},"AI use-case scoping wizard","Determine which 42001 controls apply per use case based on risk classification.",{"title":4266,"description":4267},"NIST AI RMF crosswalk","Map 42001 controls to NIST AI RMF functions for reusable evidence.",{"title":4269,"description":4270},"EU AI Act readiness checklist","Prepare for high-risk and general-purpose AI obligations under the EU AI Act.",{"title":4272,"description":4273},"ISO 42001 AI Management System Software","Build a certifiable AI Management System (AIMS) per ISO\u002FIEC 42001. 
Agent registry, AI risk treatments, and controls mapped to NIST AI RMF and the EU AI Act.","iso42001",[4276,4279,4282],{"value":4277,"description":4278},"AIMS","A certifiable AI Management System modeled on the ISMS pattern from ISO 27001.",{"value":4280,"description":4281},"38 controls","Annex A operational controls covering the AI lifecycle.",{"value":1680,"description":4283},"Cross-walked to NIST AI RMF and the EU AI Act for reusable evidence.","5.frameworks\u002Fiso42001","Nvsx6BtXfGrOUUx78eCA7EcXtwXUP9oFj4-CpXkU0U8",{"id":4287,"title":4288,"advantages":4289,"body":4310,"checklist":4398,"cta":4407,"description":141,"extension":162,"faq":4410,"hero":4422,"lastUpdated":193,"meta":4429,"name":4430,"navigation":196,"path":4431,"resources":4432,"seo":4445,"slug":4448,"stats":4449,"stem":4457,"__hash__":4458},"frameworks\u002F5.frameworks\u002Flgpd.md","Lgpd",[4290,4297,4304],{"title":4291,"description":4292,"bullets":4293},"Lawful processing","Determine and document a legal basis for each activity.",[4294,4295,4296],"Ten LGPD legal bases supported","Records of processing maintained","Purpose and necessity documented",{"title":4298,"description":4299,"bullets":4300},"Rights and roles","Data-subject rights and the DPO role LGPD expects.",[4301,4302,4303],"Data-subject request workflow","Data Protection Officer (encarregado) duties","Controller \u002F operator role mapping",{"title":4305,"description":4306,"bullets":4307},"One privacy program","LGPD overlaps almost entirely with GDPR.",[3923,4308,4309],"Reuse ROPA and DPIA work","Aligns with CCPA and PIPEDA",{"type":29,"value":4311,"toc":4392},[4312,4316,4345,4349,4359,4363,4377,4379],[32,4313,4315],{"id":4314},"what-is-the-lgpd","What is the LGPD?",[37,4317,39,4318,4321,4322,4325,4326,4329,4330,4333,4334,4337,4338,4341,4342,416],{},[41,4319,4320],{},"Lei Geral de Proteção de Dados (LGPD)"," is ",[41,4323,4324],{},"Brazil's general data protection law",", in force since ",[41,4327,4328],{},"September 18, 2020",". 
It closely mirrors the EU's GDPR: it sets out ",[41,4331,4332],{},"lawful bases"," for processing personal data, grants individuals a set of ",[41,4335,4336],{},"data-subject rights",", distinguishes ",[41,4339,4340],{},"controllers and operators",", and is enforced by Brazil's national data protection authority, the ",[41,4343,4344],{},"ANPD",[32,4346,4348],{"id":4347},"who-it-applies-to-and-the-penalties","Who it applies to and the penalties",[37,4350,4351,4352,4354,4355,4358],{},"The LGPD reaches any organization that processes the personal data of people in Brazil or carries out processing in Brazil — including many companies based elsewhere that serve Brazilian customers. The ",[41,4353,4344],{}," can impose fines of up to ",[41,4356,4357],{},"2% of a company's revenue in Brazil, capped at R$50 million per violation",", alongside warnings, processing restrictions, and public disclosure.",[32,4360,4362],{"id":4361},"how-it-relates-to-gdpr","How it relates to GDPR",[37,4364,4365,4366,4368,4369,4372,4373,4376],{},"Because the LGPD is so closely aligned with the ",[118,4367,2147],{"href":2148},", most of a GDPR program transfers directly — records of processing, DPIAs, rights workflows, and the data protection officer role all carry over. 
In a significant ",[41,4370,4371],{},"2026"," development, ",[41,4374,4375],{},"Brazil and the EU adopted mutual adequacy decisions",", easing personal-data transfers between the two jurisdictions.",[32,4378,126],{"id":125},[37,4380,4381,4382,488,4384,1182,4387,4391],{},"episki implements the LGPD as living controls: a legal-basis mapper for each processing activity, records of processing, a data-subject request workflow, the encarregado (DPO) role, international-transfer safeguards, and an ANPD breach-notification workflow — all cross-mapped to ",[118,4383,2147],{"href":2148},[118,4385,4386],{"href":325},"CCPA",[118,4388,4390],{"href":4389},"\u002Fframeworks\u002Fpipeda","PIPEDA"," so one privacy program serves every market.",{"title":141,"searchDepth":142,"depth":142,"links":4393},[4394,4395,4396,4397],{"id":4314,"depth":142,"text":4315},{"id":4347,"depth":142,"text":4348},{"id":4361,"depth":142,"text":4362},{"id":125,"depth":142,"text":126},{"title":4399,"description":4400,"items":4401},"LGPD readiness inside episki","What an organization processing Brazilian personal data needs.",[4402,4403,4301,4404,4405,4406],"Legal-basis determination per processing activity","Records of processing (ROPA)","Data Protection Officer (encarregado) designated","International-transfer safeguards","ANPD breach notification workflow",{"title":4408,"description":4409},"Build an LGPD program in episki","Implement lawful bases and data-subject rights once and reuse your GDPR work.",{"title":4411,"items":4412},"LGPD frequently asked questions",[4413,4415,4417,4419],{"label":4315,"content":4414},"The Lei Geral de Proteção de Dados (LGPD) is Brazil's general data protection law, in force since September 18, 2020. 
It closely mirrors the EU GDPR — defining lawful bases for processing, data-subject rights, controller and operator obligations, and a national authority (the ANPD) to enforce it.",{"label":169,"content":4416},"The LGPD applies to any organization that processes the personal data of individuals in Brazil, or processes data in Brazil, regardless of where the organization is based — so it reaches many companies outside Brazil that serve Brazilian customers.",{"label":1714,"content":4418},"The ANPD can impose fines of up to 2% of a company's revenue in Brazil, capped at R$50 million per violation, along with warnings, data-processing restrictions, and public disclosure of the infraction.",{"label":4420,"content":4421},"How does LGPD relate to GDPR?","The LGPD is closely aligned with the GDPR, so most of a GDPR program transfers directly. In a notable 2026 development, Brazil and the EU adopted mutual adequacy decisions, easing personal-data transfers between the two jurisdictions.",{"headline":4423,"title":4424,"description":4425,"links":4426},"Brazilian privacy, operationalized","Comply with Brazil's LGPD","Legal bases, data-subject rights, a data protection officer, and ANPD breach handling — implemented as living controls and mapped to GDPR for reuse.",[4427,4428],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"LGPD","\u002Fframeworks\u002Flgpd",{"headline":4433,"title":4433,"description":4434,"items":4435},"LGPD accelerators","Stand up Brazilian privacy compliance and reuse it across regimes.",[4436,4439,4442],{"title":4437,"description":4438},"Legal-basis mapper","Assign and document a lawful basis for each processing activity.",{"title":4440,"description":4441},"DSAR workflow","Intake and fulfill data-subject requests within statutory timelines.",{"title":4443,"description":4444},"GDPR crosswalk","Reuse your GDPR records and DPIAs to satisfy the LGPD.",{"title":4446,"description":4447},"LGPD 
Compliance Software","Comply with Brazil's LGPD — legal bases, data-subject rights, DPO, and ANPD breach notification — with controls and records of processing mapped to GDPR.","lgpd",[4450,4453,4455],{"value":4451,"description":4452},"10 legal bases","Lawful-basis determination for every processing activity.",{"value":4344,"description":4454},"Brazil's data protection authority — breach notification workflow built in.",{"value":4040,"description":4456},"LGPD aligns closely with GDPR, so privacy work is reused.","5.frameworks\u002Flgpd","FAVEd54a9oZpN6lticmToYgAlJapSFcmAQjwLWbkl3E",{"id":4460,"title":4461,"advantages":4462,"body":4484,"checklist":4562,"cta":4572,"description":141,"extension":162,"faq":4575,"hero":4589,"lastUpdated":193,"meta":4596,"name":121,"navigation":196,"path":120,"resources":4597,"seo":4609,"slug":4612,"stats":4613,"stem":4622,"__hash__":4623},"frameworks\u002F5.frameworks\u002Fnis2.md","Nis2",[4463,4470,4477],{"title":4464,"description":4465,"bullets":4466},"Article 21 measures as controls","The ten baseline risk-management measures implemented and evidenced.",[4467,4468,4469],"Incident handling, BCDR, and crisis management","Supply-chain and third-party security","Cryptography, access control, and MFA",{"title":4471,"description":4472,"bullets":4473},"Incident reporting on the clock","Classify significant incidents and hit every reporting window.",[4474,4475,4476],"24-hour early warning","72-hour incident notification","One-month final report",{"title":4478,"description":4479,"bullets":4480},"Governance and accountability","The management-body oversight and training NIS2 requires.",[4481,4482,4483],"Management-body approval and liability","Security awareness and training","Entity registration with the authority",{"type":29,"value":4485,"toc":4556},[4486,4490,4500,4503,4507,4522,4526,4545,4547],[32,4487,4489],{"id":4488},"what-is-nis2","What is NIS2?",[37,4491,4492,4495,4496,4499],{},[41,4493,4494],{},"NIS2 — Directive (EU) 2022\u002F2555"," 
— is the European Union's updated cybersecurity directive. It replaces the original 2016 NIS Directive and dramatically expands both the range of organizations in scope and the rigor of what they must do. The transposition deadline for Member States was ",[41,4497,4498],{},"October 17, 2024",", and because national implementation and enforcement have rolled out unevenly, 2026 is a key year as the remaining requirements and supervisory regimes come fully into effect.",[37,4501,4502],{},"Unlike a regulation, a directive is implemented through national law, so the precise rules vary by Member State — but the baseline obligations below are common across the EU.",[32,4504,4506],{"id":4505},"who-is-in-scope","Who is in scope",[37,4508,4509,4510,4513,4514,4517,4518,4521],{},"NIS2 applies to medium and large organizations across roughly ",[41,4511,4512],{},"18 sectors",", including energy, transport, banking and financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, manufacturing, and food. 
In-scope organizations are classified as ",[41,4515,4516],{},"essential"," or ",[41,4519,4520],{},"important"," entities; essential entities face proactive supervision, while important entities are supervised reactively, and the distinction also affects the size of potential fines.",[32,4523,4525],{"id":4524},"core-requirements","Core requirements",[427,4527,4528,4534,4540],{},[72,4529,4530,4533],{},[41,4531,4532],{},"Risk-management measures (Article 21)"," — a baseline set of ten measures including incident handling, business continuity and crisis management, supply-chain security, secure development and vulnerability handling, cryptography, access control, and multi-factor authentication.",[72,4535,4536,4539],{},[41,4537,4538],{},"Incident reporting (Article 23)"," — for a significant incident, a 24-hour early warning, a 72-hour notification, and a one-month final report to the national CSIRT or competent authority.",[72,4541,4542,4544],{},[41,4543,4478],{}," — management bodies must approve and oversee cybersecurity measures and can be held personally liable; staff must receive training, and entities must register with their authority.",[32,4546,126],{"id":125},[37,4548,4549,4550,4552,4553,4555],{},"episki implements the Article 21 measures as living controls, tracks the 24-hour \u002F 72-hour \u002F one-month reporting windows for every significant incident, and manages supply-chain and governance obligations in one workspace. 
Because most NIS2 measures map directly to ",[118,4551,133],{"href":132}," Annex A and ",[118,4554,487],{"href":486},", an existing security program covers the large majority of NIS2 — episki shows you exactly where the gaps are.",{"title":141,"searchDepth":142,"depth":142,"links":4557},[4558,4559,4560,4561],{"id":4488,"depth":142,"text":4489},{"id":4505,"depth":142,"text":4506},{"id":4524,"depth":142,"text":4525},{"id":125,"depth":142,"text":126},{"title":4563,"description":4564,"items":4565},"NIS2 readiness inside episki","What an essential or important entity needs in place.",[4566,4567,4568,4569,4570,4571],"Scope determination (essential vs. important entity)","Article 21 risk-management measures as controls","Incident classification and 24h \u002F 72h \u002F 1-month reporting","Supply-chain and third-party security program","Business continuity, backup, and crisis management","Management-body oversight, training, and registration",{"title":4573,"description":4574},"Build a NIS2 program in episki","Implement the Article 21 measures once and reuse your ISO 27001 evidence to get there faster.",{"title":4576,"items":4577},"NIS2 frequently asked questions",[4578,4581,4584,4587],{"label":4579,"content":4580},"What is the NIS2 Directive?","NIS2 (Directive (EU) 2022\u002F2555) is the EU's updated cybersecurity directive, replacing the original 2016 NIS Directive. It significantly broadens the sectors and entities in scope, raises baseline risk-management requirements, introduces strict incident-reporting timelines, and makes management bodies accountable for cybersecurity. As a directive, it is implemented through each Member State's national law.",{"label":4582,"content":4583},"Who is in scope?","NIS2 covers medium and large organizations across roughly 18 sectors — energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, space, postal services, manufacturing, food, and more. 
In-scope organizations are classified as either 'essential' or 'important' entities, which determines the level of supervision and the size of potential fines.",{"label":4585,"content":4586},"What are the reporting deadlines?","For a significant incident, NIS2 requires an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month. episki tracks each window per incident so deadlines are not missed.",{"label":1714,"content":4588},"Penalties are tiered by entity type. Essential entities can face fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher; important entities up to €7 million or 1.4%. Senior management can be held personally accountable for compliance failures.",{"headline":4590,"title":4591,"description":4592,"links":4593},"NIS2, without the guesswork","Comply with the EU NIS2 Directive","The Article 21 risk-management measures as controls, Article 23 incident reporting timers, supply-chain security, and management-body oversight — mapped to ISO 27001 so you don't start from scratch.",[4594,4595],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":4598,"title":4599,"description":4600,"items":4601},"NIS2 accelerators","NIS2 readiness accelerators","Translate the Directive into a working program your regulator will recognize.",[4602,4605,4607],{"title":4603,"description":4604},"Scope assessment","Determine whether you are an essential or important entity, and your obligations.",{"title":207,"description":4606},"Track the early-warning, notification, and final-report windows per incident.",{"title":1428,"description":4608},"Reuse your ISO 27001 Annex A controls to satisfy the Article 21 measures.",{"title":4610,"description":4611},"NIS2 Directive Compliance Software","Meet the EU NIS2 Directive (2022\u002F2555) — risk-management measures, incident reporting timers, supply-chain security, and management 
accountability, mapped to ISO 27001.","nis2",[4614,4616,4619],{"value":4512,"description":4615},"Essential and important entities across energy, health, digital, finance, and more.",{"value":4617,"description":4618},"24h \u002F 72h","Early-warning and notification timers for significant incidents, tracked to the deadline.",{"value":4620,"description":4621},"ISO 27001 mapped","Article 21 measures cross-walked to ISO 27001 Annex A for evidence reuse.","5.frameworks\u002Fnis2","cabPcLqUVKeQOnB-ekCjE3395pO7WDKRkk92jqHYb0E",{"id":4625,"title":4626,"advantages":4627,"body":4649,"checklist":4686,"cta":4695,"description":141,"extension":162,"faq":4698,"hero":4712,"lastUpdated":193,"meta":4719,"name":4720,"navigation":196,"path":4721,"resources":4722,"seo":4735,"slug":4738,"stats":4739,"stem":4749,"__hash__":4750},"frameworks\u002F5.frameworks\u002Fnist-800-171.md","Nist 800 171",[4628,4635,4642],{"title":4629,"description":4630,"bullets":4631},"14 control families, pre-mapped","Every 800-171 requirement implemented as a control with mapped evidence and testing.",[4632,4633,4634],"Access Control, Audit, AT, CM, IR, MA, MP, PE, PS, RM, CA, SC, SI","Identification & Authentication, plus all enhancements","Pre-built testing procedures per requirement",{"title":4636,"description":4637,"bullets":4638},"SSP and POA&M","Generate your System Security Plan and Plan of Action & Milestones from live evidence.",[4639,4640,4641],"SSP narrative composed from real controls","POA&M items tracked to closure","Self-assessment scoring per DFARS 252.204-7019\u002F-7020",{"title":4643,"description":4644,"bullets":4645},"Bridge to CMMC Level 2","The same 110 controls map directly to CMMC L2 practices, so your 800-171 work isn't wasted.",[4646,4647,4648],"CMMC Level 2 practice mapping","C3PAO-friendly evidence packaging","Reuse 800-171 evidence in your CMMC assessment",{"type":29,"value":4650,"toc":4681},[4651,4655,4658,4669,4673,4676,4678],[32,4652,4654],{"id":4653},"what-is-nist-800-171","What 
is NIST 800-171?",[37,4656,4657],{},"NIST Special Publication 800-171 (\"Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations\") is a set of 110 security requirements that organizations must meet when they handle Controlled Unclassified Information on behalf of the US federal government. It is the operative standard underneath DFARS 252.204-7012 (and -7019\u002F-7020\u002F-7021), making it a baseline obligation for nearly every Department of Defense contractor and subcontractor.",[37,4659,4660,4661,4664,4665,4668],{},"The 110 controls are organized into 14 families and are derived from a tailored subset of NIST 800-53 controls. NIST published ",[41,4662,4663],{},"Rev. 3"," in May 2024 — the current revision of the standard itself — but the Department of Defense still requires ",[41,4666,4667],{},"Rev. 2"," (published 2020) for DFARS and CMMC compliance until a future rulemaking adopts Rev. 3. For defense contractors today, Rev. 2 remains the operative baseline.",[32,4670,4672],{"id":4671},"who-needs-800-171","Who needs 800-171",[37,4674,4675],{},"If you're a DoD prime or subcontractor handling Controlled Unclassified Information — or if you expect to be one — 800-171 applies to you. Many primes flow the obligation down to their entire supply chain via contract.",[32,4677,126],{"id":125},[37,4679,4680],{},"episki ships the full 800-171 Rev. 2 catalog at the requirement level. The SSP, POA&M, and SPRS score are produced from your real control evidence — no parallel Word document. When you're ready to formalize for CMMC Level 2, the same controls map directly to CMMC practices.",{"title":141,"searchDepth":142,"depth":142,"links":4682},[4683,4684,4685],{"id":4653,"depth":142,"text":4654},{"id":4671,"depth":142,"text":4672},{"id":125,"depth":142,"text":126},{"title":4687,"description":4688,"items":4689},"NIST 800-171 readiness inside episki","Everything DoD primes look for, ready to deploy.",[4690,4691,4692,4693,4694,4646],"800-171 Rev. 
2 control catalog at the requirement level","SSP narrative generated from control evidence","POA&M tracking with milestone management","DFARS self-assessment scoring methodology","Supplier Performance Risk System (SPRS) score export",{"title":4696,"description":4697},"Get a credible 800-171 program standing","Start in episki, score yourself, and bridge to CMMC Level 2 in the same workspace.",{"title":4699,"items":4700},"NIST 800-171 frequently asked questions",[4701,4703,4706,4709],{"label":4654,"content":4702},"NIST Special Publication 800-171 is a set of 110 security requirements protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations. It's the baseline DoD contractors must meet under DFARS 252.204-7012.",{"label":4704,"content":4705},"What's the relationship between 800-171 and CMMC?","CMMC Level 2 requires implementing the same 110 800-171 controls, plus a formal assessment by a C3PAO. CMMC Level 3 adds additional controls from NIST 800-172. So 800-171 work directly transfers to CMMC.",{"label":4707,"content":4708},"Do we need to be assessed?","For DFARS, primes generally rely on contractor self-assessments scored and posted to SPRS. For CMMC Level 2, a C3PAO assessment is required. Many contractors run a basic self-assessment now and prepare for CMMC formally.",{"label":4710,"content":4711},"What is the SPRS score?","The Supplier Performance Risk System score is a numeric value (from 110 down to -203 depending on non-compliance) that you submit to DoD reflecting your 800-171 self-assessment status. Many primes filter subs based on SPRS score.",{"headline":4713,"title":4714,"description":4715,"links":4716},"800-171 without the SSP-Word-document slog","Protect CUI without the spreadsheet","All 14 control families and 110 security requirements pre-mapped. SSP and POA&M workflows ready out of the box. 
A lift-and-shift path to CMMC Level 2.",[4717,4718],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"NIST 800-171","\u002Fframeworks\u002Fnist-800-171",{"headline":4723,"title":4724,"description":4725,"items":4726},"NIST 800-171 accelerators","NIST 800-171 program accelerators","Move from \"we got the letter from our prime\" to a credible SSP fast.",[4727,4730,4732],{"title":4728,"description":4729},"SPRS scoring calculator","Compute your DoD self-assessment score with the official methodology.",{"title":1858,"description":4731},"Compose the SSP narrative from your control implementations.",{"title":4733,"description":4734},"CMMC Level 2 mapping","See exactly which 800-171 controls become which CMMC practices.",{"title":4736,"description":4737},"NIST 800-171 Compliance Software","Protect Controlled Unclassified Information (CUI) as a DoD contractor with the 110 controls of NIST 800-171 — the foundation underneath CMMC Level 2.","nist-800-171",[4740,4743,4746],{"value":4741,"description":4742},"110 controls","The full 800-171 Rev. 2 catalog implemented as living episki controls.",{"value":4744,"description":4745},"14 families","Access Control through System and Information Integrity, all covered.",{"value":4747,"description":4748},"CMMC L2 ready","The 110 controls are the foundation of CMMC Level 2 — same evidence, same workspace.","5.frameworks\u002Fnist-800-171","mhRwu9zHoyxykBZhscsKbp0Dk8Kh9tUu0nY2UEDFSBE",{"id":4752,"title":4753,"advantages":4754,"body":4775,"checklist":4804,"cta":4813,"description":141,"extension":162,"faq":4816,"hero":4830,"lastUpdated":322,"meta":4837,"name":1796,"navigation":196,"path":1795,"resources":4838,"seo":4852,"slug":4855,"stats":4856,"stem":4865,"__hash__":4866},"frameworks\u002F5.frameworks\u002Fnist-800-53.md","Nist 800 53",[4755,4762,4769],{"title":4756,"description":4757,"bullets":4758},"Pre-mapped Rev. 5 controls","The current 800-53 Rev. 
5 catalog implemented as living controls with evidence and testing.",[4759,4760,4761],"All 20 families covered","Control enhancements selectable per system","Tailoring rationale captured in-platform",{"title":4763,"description":4764,"bullets":4765},"Overlays and tailoring","Apply overlays (FedRAMP, DoD, Privacy) and document tailoring decisions in the same surface.",[4766,4767,4768],"FedRAMP Low\u002FModerate\u002FHigh overlays","Privacy and PII overlays","Tailoring decisions logged for assessors",{"title":4770,"description":4771,"bullets":4772},"Crosswalks","Map once, demonstrate many. 800-53 controls reuse for FedRAMP, CMMC, and CSF.",[4773,4646,4774],"NIST CSF subcategory mapping","FedRAMP control mapping built in",{"type":29,"value":4776,"toc":4799},[4777,4781,4784,4787,4791,4794,4796],[32,4778,4780],{"id":4779},"what-is-nist-800-53","What is NIST 800-53?",[37,4782,4783],{},"NIST Special Publication 800-53 (currently at Revision 5) is the National Institute of Standards and Technology's comprehensive catalog of security and privacy controls for US federal information systems. It is the most-cited control catalog in compliance — directly required by FedRAMP, used to derive CMMC and DoD control sets, mapped to the NIST Cybersecurity Framework, and adopted by many state, healthcare, and education organizations.",[37,4785,4786],{},"The current Rev. 5 catalog organizes ~1,000 controls and control enhancements into 20 families covering access control, audit, configuration management, incident response, supply chain, privacy, and many more. Controls are organized into baselines (Low \u002F Moderate \u002F High) reflecting the impact level of the system being protected.",[32,4788,4790],{"id":4789},"who-uses-nist-800-53","Who uses NIST 800-53",[37,4792,4793],{},"Beyond federal agencies and their contractors, 800-53 is widely adopted by organizations that want a comprehensive, well-maintained, regularly-updated control library. 
It's the substrate underneath FedRAMP, the spine of CMMC's NIST 800-171 control set, and a primary reference for the NIST CSF.",[32,4795,126],{"id":125},[37,4797,4798],{},"episki ships the full Rev. 5 catalog at the requirement level, with each control as a living object you can scope, tailor, and produce evidence against. Tailoring rationale and overlay decisions are captured alongside the controls, so the assessor doesn't have to dig.",{"title":141,"searchDepth":142,"depth":142,"links":4800},[4801,4802,4803],{"id":4779,"depth":142,"text":4780},{"id":4789,"depth":142,"text":4790},{"id":125,"depth":142,"text":126},{"title":4805,"description":4806,"items":4807},"NIST 800-53 readiness inside episki","What you need preloaded to start a credible 800-53 program.",[4808,4809,4810,4811,4812,1824],"800-53 Rev. 5 control catalog","System categorization (FIPS 199) workflow","Tailoring and overlay decisions captured per system","Control assessment procedures (SP 800-53A) ready to run","POA&M tracking for non-compliant controls",{"title":4814,"description":4815},"Operationalize 800-53 in episki","Start with the right baseline, capture your tailoring, and stay assessment-ready.",{"title":4817,"items":4818},"NIST 800-53 frequently asked questions",[4819,4821,4824,4827],{"label":4780,"content":4820},"NIST Special Publication 800-53 is a catalog of security and privacy controls for US federal information systems, also widely adopted by non-federal organizations and used as the foundation for FedRAMP, DoD authorizations, and many state-level frameworks.",{"label":4822,"content":4823},"What's the difference between 800-53 and NIST CSF?","800-53 is a detailed catalog of specific controls. The NIST Cybersecurity Framework (CSF) is a higher-level framework organized into Identify\u002FProtect\u002FDetect\u002FRespond\u002FRecover\u002FGovern functions. CSF subcategories often reference 800-53 controls for implementation guidance.",{"label":4825,"content":4826},"When did Rev. 
5 come into effect?","NIST 800-53 Revision 5 was published in 2020 and replaced Rev. 4. The current version is fully integrated into FedRAMP. Some legacy authorizations may still reference Rev. 4 controls — episki supports both.",{"label":4828,"content":4829},"Do I need 800-53 if I'm not a federal contractor?","Not strictly, but it's a widely respected control catalog. Many private-sector organizations use 800-53 as a comprehensive control library even when not pursuing FedRAMP, because it's better-maintained and more granular than most alternatives.",{"headline":4831,"title":4832,"description":4833,"links":4834},"800-53, lived in, not photocopied","Operationalize NIST 800-53 control baselines","All 20 control families pre-mapped. Tailoring decisions and overlays captured in-platform. Crosswalks to NIST CSF, FedRAMP, and CMMC so you implement once and demonstrate many.",[4835,4836],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":4839,"title":4840,"description":4841,"items":4842},"NIST 800-53 accelerators","NIST 800-53 program accelerators","Get a live, defensible 800-53 program — without the binder-cart aesthetic.",[4843,4846,4849],{"title":4844,"description":4845},"System categorization wizard","FIPS 199-style categorization to pick the right baseline.",{"title":4847,"description":4848},"Tailoring rationale capture","Document why a control was tailored in or out — assessors love it.",{"title":4850,"description":4851},"SP 800-53A test procedures","Pre-mapped assessment procedures for each control family.",{"title":4853,"description":4854},"NIST 800-53 Compliance Software","Manage federal control baselines (Low \u002F Moderate \u002F High) with mapped 800-53 control families, overlays, and tailoring records. Crosswalk to NIST CSF, FedRAMP, and CMMC.","nist-800-53",[4857,4860,4862],{"value":4858,"description":4859},"20 families","AC through SR — every NIST 800-53 Rev. 
5 control family pre-mapped.",{"value":1872,"description":4861},"Low, Moderate, and High baselines selectable per system.",{"value":4863,"description":4864},"1 control graph","800-53, CSF, FedRAMP, and CMMC mapped to the same underlying controls.","5.frameworks\u002Fnist-800-53","kqZjoaoDs6oZISDaEe26WLtF6czvJAhnEA6liGMioGs",{"id":4868,"title":4869,"advantages":4870,"body":4890,"checklist":4973,"cta":4983,"description":141,"extension":162,"faq":4986,"hero":5000,"lastUpdated":193,"meta":5007,"name":1680,"navigation":196,"path":1679,"resources":5008,"seo":5022,"slug":5025,"stats":5026,"stem":5036,"__hash__":5037},"frameworks\u002F5.frameworks\u002Fnist-ai-rmf.md","Nist Ai Rmf",[4871,4878,4885],{"title":4872,"description":4873,"bullets":4874},"Govern, Map, Measure, Manage","The four AI RMF functions as a repeatable workflow, not a PDF.",[4875,4876,4877],"Govern — AI policy, roles, and accountability","Map and Measure — context, risks, and metrics","Manage — prioritized treatments and monitoring",{"title":4879,"description":4880,"bullets":4881},"AI and agent registry","Inventory every model, system, and autonomous agent with its risk profile.",[4882,4883,4884],"Use-case and model inventory with owners","Third-party and foundation-model tracking","Generative AI Profile considerations built in",{"title":1564,"description":4886,"bullets":4887},"AI RMF evidence feeds ISO 42001 certification and EU AI Act obligations.",[1567,4888,4889],"Crosswalk to EU AI Act risk tiers","Reuse security evidence from ISO 27001 \u002F SOC 2",{"type":29,"value":4891,"toc":4967},[4892,4896,4906,4913,4917,4920,4945,4949,4962,4964],[32,4893,4895],{"id":4894},"what-is-the-nist-ai-rmf","What is the NIST AI RMF?",[37,4897,39,4898,4901,4902,4905],{},[41,4899,4900],{},"NIST AI Risk Management Framework (AI RMF 1.0)"," — published as ",[41,4903,4904],{},"NIST AI 100-1 in January 2023"," — is voluntary guidance for identifying and managing the risks of artificial intelligence across its lifecycle, from 
design and development through deployment and decommissioning. It was developed through an open, multi-stakeholder process at the direction of Congress and has quickly become the de facto reference for AI governance in the United States.",[37,4907,4908,4909,4912],{},"Rather than prescribe specific controls, the AI RMF defines a set of ",[41,4910,4911],{},"trustworthy-AI characteristics"," — valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair (with harmful bias managed) — and a flexible process for achieving them.",[32,4914,4916],{"id":4915},"the-four-functions","The four functions",[37,4918,4919],{},"The AI RMF core organizes that process into four functions:",[427,4921,4922,4927,4933,4939],{},[72,4923,4924,4926],{},[41,4925,467],{}," — the foundation. It establishes the organization's AI risk culture, policies, roles, and accountability, including who approves high-risk use cases, how third-party and foundation models are introduced, and how resources are allocated to testing.",[72,4928,4929,4932],{},[41,4930,4931],{},"Map"," — the scoping function. It builds the context for each AI system and identifies the risks that context creates.",[72,4934,4935,4938],{},[41,4936,4937],{},"Measure"," — analyzes, assesses, benchmarks, and monitors AI risks with quantitative and qualitative methods.",[72,4940,4941,4944],{},[41,4942,4943],{},"Manage"," — allocates resources to prioritized risks, applies treatments (mitigate, transfer, avoid, accept), documents residual risk, and handles monitoring, incident response, and recovery.",[32,4946,4948],{"id":4947},"who-uses-the-ai-rmf","Who uses the AI RMF",[37,4950,4951,4952,4954,4955,4957,4958,4961],{},"Any organization that builds, deploys, or procures AI — including generative AI and autonomous agents — uses the AI RMF to put structure around AI risk. 
It is especially common for US-based companies and federal contractors, and it is the natural companion to the certifiable ",[118,4953,1676],{"href":1675}," AI management system and to ",[118,4956,1724],{"href":1725}," readiness. NIST's companion ",[41,4959,4960],{},"Generative AI Profile (NIST AI 600-1)",", published in July 2024, extends the framework with risks specific to generative models.",[32,4963,126],{"id":125},[37,4965,4966],{},"episki turns the AI RMF into a working program: a live registry of your AI systems, models, and agents; the Govern-Map-Measure-Manage workflow as repeatable tasks and evidence; and crosswalks that let the same work feed your ISO 42001 certification and EU AI Act obligations — so AI governance is one program, not three.",{"title":141,"searchDepth":142,"depth":142,"links":4968},[4969,4970,4971,4972],{"id":4894,"depth":142,"text":4895},{"id":4915,"depth":142,"text":4916},{"id":4947,"depth":142,"text":4948},{"id":125,"depth":142,"text":126},{"title":4974,"description":4975,"items":4976},"NIST AI RMF readiness inside episki","What an AI governance program needs in place.",[4977,4978,4979,4980,4981,4982],"AI system, model, and agent inventory","AI governance policy and accountable roles (Govern)","Context and risk mapping per AI use case (Map)","Risk metrics and evaluation evidence (Measure)","Risk treatments, monitoring, and incident response (Manage)","Crosswalks to ISO 42001 and the EU AI Act",{"title":4984,"description":4985},"Build a trustworthy-AI program in episki","Run the NIST AI RMF once and reuse the work for ISO 42001 and the EU AI Act.",{"title":4987,"items":4988},"NIST AI RMF frequently asked questions",[4989,4991,4994,4997],{"label":4895,"content":4990},"The NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0, published as NIST AI 100-1 in January 2023) is voluntary guidance for managing risks across the AI lifecycle. 
It is organized around four core functions — Govern, Map, Measure, and Manage — and a set of trustworthy-AI characteristics such as validity, safety, security, accountability, transparency, privacy, and fairness.",{"label":4992,"content":4993},"What are the four functions?","Govern establishes the AI risk culture, policies, and accountability. Map develops the context and identifies risks for each AI use case. Measure analyzes, assesses, and tracks those risks with appropriate metrics. Manage prioritizes and acts on risks — mitigate, transfer, avoid, or accept — and handles monitoring and incident response.",{"label":4995,"content":4996},"Is the AI RMF mandatory?","The AI RMF itself is voluntary, but it has become the de facto US baseline for AI governance and is widely referenced in contracts, procurement, and policy. It also pairs naturally with the certifiable ISO\u002FIEC 42001 standard and helps structure EU AI Act readiness.",{"label":4998,"content":4999},"What is the Generative AI Profile?","NIST published a companion Generative AI Profile (NIST AI 600-1) in July 2024 that identifies risks unique to generative AI and suggested actions across the four functions. 
episki incorporates these considerations for organizations deploying generative models and agents.",{"headline":5001,"title":5002,"description":5003,"links":5004},"Trustworthy AI, operationalized","Run the NIST AI Risk Management Framework","An AI and agent inventory, risk mapping and measurement, and the Govern-Map-Measure-Manage workflow — pre-mapped to ISO 42001 and the EU AI Act so one AI program serves them all.",[5005,5006],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":5009,"title":5010,"description":5011,"items":5012},"NIST AI RMF accelerators","AI risk program accelerators","Stand up trustworthy-AI governance without starting from a blank page.",[5013,5016,5019],{"title":5014,"description":5015},"AI use-case intake","Capture new AI systems and agents with risk tiering at request time.",{"title":5017,"description":5018},"Risk profile builder","Map and measure risks against the trustworthy-AI characteristics.",{"title":5020,"description":5021},"ISO 42001 \u002F EU AI Act crosswalk","See which AI RMF outcomes satisfy which 42001 clauses and AI Act obligations.",{"title":5023,"description":5024},"NIST AI RMF Compliance Software","Operationalize the NIST AI Risk Management Framework (AI RMF 1.0) — Govern, Map, Measure, Manage — with an AI\u002Fagent registry, risk treatments, and crosswalks to ISO 42001 and the EU AI Act.","nist-ai-rmf",[5027,5030,5033],{"value":5028,"description":5029},"4 functions","Govern, Map, Measure, and Manage implemented as a working AI risk workflow.",{"value":5031,"description":5032},"AI inventory","A live registry of AI systems, models, and agents with owners and risk tiers.",{"value":5034,"description":5035},"ISO 42001 mapped","AI RMF outcomes cross-walked to ISO 42001 and the EU AI Act for 
reuse.","5.frameworks\u002Fnist-ai-rmf","FYMN3zym3_STUV3jyXL3Vtdwhi1VdbUzg1T8w2Epr5Y",{"id":5039,"title":5040,"advantages":5041,"body":5063,"checklist":5592,"cta":5601,"description":141,"extension":162,"faq":5604,"hero":5621,"lastUpdated":1048,"meta":5630,"name":487,"navigation":196,"path":486,"resources":5631,"seo":5644,"slug":5647,"stats":5648,"stem":5658,"__hash__":5659},"frameworks\u002F5.frameworks\u002Fnistcsf.md","Nistcsf",[5042,5049,5056],{"title":5043,"description":5044,"bullets":5045},"Tailored CSF roadmap","Start with opinionated baseline controls, then layer your own.",[5046,5047,5048],"Gap analysis highlights missing outcomes","Auto-generated improvement initiatives","Budget impact estimates for leadership",{"title":5050,"description":5051,"bullets":5052},"Continuous monitoring and AI ops","Stream alerts, detections, and incidents into CSF context.",[5053,5054,5055],"Connect SIEM, EDR, and cloud posture tools","AI summarizes incidents for exec updates","Workflows escalate unreviewed alerts",{"title":5057,"description":5058,"bullets":5059},"Board and customer alignment","Share progress externally with confidence.",[5060,5061,5062],"Customizable scorecards for customers or partners","Trend lines show quarter-over-quarter improvements","Trust room access with expiring links",{"type":29,"value":5064,"toc":5570},[5065,5069,5076,5079,5083,5090,5093,5097,5100,5109,5113,5116,5119,5158,5164,5168,5171,5174,5178,5187,5191,5201,5205,5215,5219,5229,5233,5243,5247,5257,5260,5264,5271,5297,5303,5307,5313,5316,5330,5333,5344,5348,5358,5375,5382,5386,5394,5400,5411,5415,5418,5465,5468,5472,5475,5507,5510,5513,5517,5520,5564,5567],[32,5066,5068],{"id":5067},"what-is-nist-csf","What is NIST CSF?",[37,5070,5071,5072,5075],{},"The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the ",[118,5073,5074],{"href":703},"National Institute of Standards and Technology",". 
The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.",[37,5077,5078],{},"NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.",[610,5080,5082],{"id":5081},"nist-origin-and-executive-order-13636","NIST origin and Executive Order 13636",[37,5084,5085,5086,5089],{},"The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. In February 2013, President Barack Obama signed ",[41,5087,5088],{},"Executive Order 13636 — Improving Critical Infrastructure Cybersecurity",", which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. 
The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.",[37,5091,5092],{},"NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.",[610,5094,5096],{"id":5095},"the-evolution-of-nist-csf","The evolution of NIST CSF",[37,5098,5099],{},"In April 2018, NIST released NIST CSF version 1.1. This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.",[37,5101,5102,5103,5105,5106,5108],{},"In February 2024, NIST published ",[41,5104,463],{}," — the first major revision of the NIST Cybersecurity Framework. 
NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called ",[41,5107,467],{},", reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.",[32,5110,5112],{"id":5111},"nist-csf-20-changes","NIST CSF 2.0 changes",[37,5114,5115],{},"The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.",[37,5117,5118],{},"Highlights of NIST CSF 2.0:",[427,5120,5121,5127,5133,5139,5152],{},[72,5122,5123,5126],{},[41,5124,5125],{},"A sixth function — Govern (GV)"," — elevates cybersecurity governance from a sub-category under Identify to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.",[72,5128,5129,5132],{},[41,5130,5131],{},"Explicit scope expansion"," — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. 
Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.",[72,5134,5135,5138],{},[41,5136,5137],{},"Stronger supply chain focus"," — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.",[72,5140,5141,5144,5145,5148,5149,5151],{},[41,5142,5143],{},"Improved implementation guidance"," — NIST CSF 2.0 ships with a companion CSF Reference Tool, searchable informative references mapping NIST CSF subcategories to ",[118,5146,5147],{"href":703},"NIST SP 800-53",", ISO 27001, CIS Controls, ",[118,5150,138],{"href":137},", and more.",[72,5153,5154,5157],{},[41,5155,5156],{},"Refreshed implementation tiers"," — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.",[37,5159,5160,5161,2639],{},"For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our ",[118,5162,5112],{"href":5163},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes",[32,5165,5167],{"id":5166},"the-six-core-functions-of-nist-csf-20","The six core functions of NIST CSF 2.0",[37,5169,5170],{},"The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. 
Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.",[37,5172,5173],{},"The six NIST CSF 2.0 functions are:",[610,5175,5177],{"id":5176},"govern-gv","Govern (GV)",[37,5179,39,5180,5182,5183,416],{},[41,5181,467],{}," function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: ",[118,5184,5186],{"href":5185},"\u002Fframeworks\u002Fnistcsf\u002Fgovern-function","NIST CSF Govern function",[610,5188,5190],{"id":5189},"identify-id","Identify (ID)",[37,5192,39,5193,5196,5197,416],{},[41,5194,5195],{},"Identify"," function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: ",[118,5198,5200],{"href":5199},"\u002Fframeworks\u002Fnistcsf\u002Fidentify-function","NIST CSF Identify function",[610,5202,5204],{"id":5203},"protect-pr","Protect (PR)",[37,5206,39,5207,5210,5211,416],{},[41,5208,5209],{},"Protect"," function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. Protect encompasses identity and access management, awareness and training, data security, information protection processes, maintenance, and protective technology. 
Deep dive: ",[118,5212,5214],{"href":5213},"\u002Fframeworks\u002Fnistcsf\u002Fprotect-function","NIST CSF Protect function",[610,5216,5218],{"id":5217},"detect-de","Detect (DE)",[37,5220,39,5221,5224,5225,416],{},[41,5222,5223],{},"Detect"," function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly analysis, and detection processes — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: ",[118,5226,5228],{"href":5227},"\u002Fframeworks\u002Fnistcsf\u002Fdetect-function","NIST CSF Detect function",[610,5230,5232],{"id":5231},"respond-rs","Respond (RS)",[37,5234,39,5235,5238,5239,416],{},[41,5236,5237],{},"Respond"," function contains activities to take action regarding a detected cybersecurity incident. Respond covers incident response planning, communications, analysis, containment, eradication, and lessons-learned improvements. A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: ",[118,5240,5242],{"href":5241},"\u002Fframeworks\u002Fnistcsf\u002Frespond-function","NIST CSF Respond function",[610,5244,5246],{"id":5245},"recover-rc","Recover (RC)",[37,5248,39,5249,5252,5253,416],{},[41,5250,5251],{},"Recover"," function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, improvements, and communications. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: ",[118,5254,5256],{"href":5255},"\u002Fframeworks\u002Fnistcsf\u002Frecover-function","NIST CSF Recover function",[37,5258,5259],{},"Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. 
Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.",[32,5261,5263],{"id":5262},"nist-csf-implementation-tiers","NIST CSF implementation tiers",[37,5265,5266,5267,5270],{},"NIST CSF uses ",[41,5268,5269],{},"implementation tiers"," to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.",[427,5272,5273,5279,5285,5291],{},[72,5274,5275,5278],{},[41,5276,5277],{},"Tier 1 — Partial",": Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.",[72,5280,5281,5284],{},[41,5282,5283],{},"Tier 2 — Risk-Informed",": Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.",[72,5286,5287,5290],{},[41,5288,5289],{},"Tier 3 — Repeatable",": Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.",[72,5292,5293,5296],{},[41,5294,5295],{},"Tier 4 — Adaptive",": The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. 
Cybersecurity risk management is part of the organizational culture.",[37,5298,5299,5300,2639],{},"For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our ",[118,5301,5263],{"href":5302},"\u002Fframeworks\u002Fnistcsf\u002Fimplementation-tiers",[32,5304,5306],{"id":5305},"nist-csf-framework-profiles","NIST CSF framework profiles",[37,5308,2499,5309,5312],{},[41,5310,5311],{},"framework profile"," is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.",[37,5314,5315],{},"NIST CSF supports two kinds of profiles:",[427,5317,5318,5324],{},[72,5319,2499,5320,5323],{},[41,5321,5322],{},"Current Profile"," describes the cybersecurity outcomes the organization is achieving today.",[72,5325,2499,5326,5329],{},[41,5327,5328],{},"Target Profile"," describes the cybersecurity outcomes the organization wants to achieve.",[37,5331,5332],{},"The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. 
Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.",[37,5334,5335,5336,5340,5341,416],{},"For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your ",[118,5337,5339],{"href":5338},"\u002Fglossary\u002Fcontrol-framework","control framework"," — see ",[118,5342,5306],{"href":5343},"\u002Fframeworks\u002Fnistcsf\u002Fframework-profiles",[32,5345,5347],{"id":5346},"nist-csf-categories-and-subcategories","NIST CSF categories and subcategories",[37,5349,5350,5351,134,5354,5357],{},"Below the function layer, NIST CSF decomposes cybersecurity activity into ",[41,5352,5353],{},"categories",[41,5355,5356],{},"subcategories",". Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.",[427,5359,5360,5370],{},[72,5361,5362,5365,5366,5369],{},[41,5363,5364],{},"NIST CSF 1.1"," defined 23 categories and ",[41,5367,5368],{},"108 subcategories"," across the five original functions.",[72,5371,5372,5374],{},[41,5373,463],{}," reorganized the catalog around six functions. The total number of subcategories in NIST CSF 2.0 was restructured (and slightly reduced after consolidation) to roughly 106, grouped under 22 categories, with Govern contributing six new categories of its own.",[37,5376,5377,5378,5381],{},"Every NIST CSF subcategory is written as an outcome — for example, \"PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.\" NIST intentionally avoids prescribing specific technologies, controls, or implementation details. 
Instead, NIST CSF provides ",[41,5379,5380],{},"informative references"," that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.",[32,5383,5385],{"id":5384},"mapping-nist-csf-to-other-frameworks","Mapping NIST CSF to other frameworks",[37,5387,5388,5389,488,5391,5393],{},"One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. Organizations that need to satisfy ",[118,5390,138],{"href":137},[118,5392,133],{"href":132},", HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the \"Rosetta Stone\" that maps each requirement to a common set of outcomes.",[37,5395,5396,5397,5399],{},"For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and ",[118,5398,1050],{"href":711},", both of which are derived from the NIST family of publications. A NIST CSF Target Profile that references NIST SP 800-53 informative references can be reused — with minor adjustments — as an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk.",[37,5401,5402,5403,5405,5406,5410],{},"For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see ",[118,5404,5385],{"href":3620},". 
If you are actively building that mapping into a live compliance program, our ",[118,5407,5409],{"href":5408},"\u002Fblog\u002Fnist-csf-mapping-compliance","NIST CSF mapping compliance"," guide walks through the operational mechanics.",[32,5412,5414],{"id":5413},"who-uses-nist-csf","Who uses NIST CSF?",[37,5416,5417],{},"The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. A decade later, NIST CSF is used by:",[427,5419,5420,5426,5435,5441,5447,5453,5459],{},[72,5421,5422,5425],{},[41,5423,5424],{},"Critical infrastructure operators"," — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.",[72,5427,5428,5431,5432,416],{},[41,5429,5430],{},"Federal agencies and federal contractors"," — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. Agencies and their contractors routinely use NIST CSF alongside ",[118,5433,5434],{"href":711},"NIST SP 800-171 and the CMMC program",[72,5436,5437,5440],{},[41,5438,5439],{},"State, local, tribal, and territorial (SLTT) governments"," — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.",[72,5442,5443,5446],{},[41,5444,5445],{},"Large enterprises"," — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.",[72,5448,5449,5452],{},[41,5450,5451],{},"Small and mid-sized businesses (SMBs)"," — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.",[72,5454,5455,5458],{},[41,5456,5457],{},"Non-US organizations"," — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.",[72,5460,5461,5464],{},[41,5462,5463],{},"Insurers and investors"," — cyber 
insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.",[37,5466,5467],{},"The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. That is essentially every organization.",[32,5469,5471],{"id":5470},"nist-csf-vs-nist-sp-800-53-vs-nist-sp-800-171","NIST CSF vs NIST SP 800-53 vs NIST SP 800-171",[37,5473,5474],{},"NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.",[427,5476,5477,5487,5497],{},[72,5478,5479,5482,5483,5486],{},[41,5480,5481],{},"NIST CSF (Cybersecurity Framework)"," is an ",[41,5484,5485],{},"outcome-based framework",". It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.",[72,5488,5489,5492,5493,5496],{},[41,5490,5491],{},"NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)"," is a comprehensive ",[41,5494,5495],{},"control catalog",". SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).",[72,5498,5499,5502,5503,5506],{},[41,5500,5501],{},"NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)"," is a ",[41,5504,5505],{},"derived subset"," of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. 
SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.",[37,5508,5509],{},"The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.",[37,5511,5512],{},"Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.",[32,5514,5516],{"id":5515},"getting-started-with-nist-csf","Getting started with NIST CSF",[37,5518,5519],{},"Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:",[69,5521,5522,5528,5534,5540,5546,5552,5558],{},[72,5523,5524,5527],{},[41,5525,5526],{},"Scope and prioritize"," — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.",[72,5529,5530,5533],{},[41,5531,5532],{},"Build a Current Profile"," — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.",[72,5535,5536,5539],{},[41,5537,5538],{},"Build a Target Profile"," — decide what level of NIST CSF maturity the organization needs. 
Community profiles and sector profiles published by NIST are excellent starting points.",[72,5541,5542,5545],{},[41,5543,5544],{},"Perform a gap analysis"," — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.",[72,5547,5548,5551],{},[41,5549,5550],{},"Select implementation tiers"," — match each part of the program to an appropriate tier. Not every subcategory needs to be Tier 4.",[72,5553,5554,5557],{},[41,5555,5556],{},"Execute and measure"," — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.",[72,5559,5560,5563],{},[41,5561,5562],{},"Map to other frameworks"," — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.",[37,5565,5566],{},"episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.",[37,5568,5569],{},"Ready to operationalize the NIST Cybersecurity Framework? 
Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.",{"title":141,"searchDepth":142,"depth":142,"links":5571},[5572,5576,5577,5585,5586,5587,5588,5589,5590,5591],{"id":5067,"depth":142,"text":5068,"children":5573},[5574,5575],{"id":5081,"depth":997,"text":5082},{"id":5095,"depth":997,"text":5096},{"id":5111,"depth":142,"text":5112},{"id":5166,"depth":142,"text":5167,"children":5578},[5579,5580,5581,5582,5583,5584],{"id":5176,"depth":997,"text":5177},{"id":5189,"depth":997,"text":5190},{"id":5203,"depth":997,"text":5204},{"id":5217,"depth":997,"text":5218},{"id":5231,"depth":997,"text":5232},{"id":5245,"depth":997,"text":5246},{"id":5262,"depth":142,"text":5263},{"id":5305,"depth":142,"text":5306},{"id":5346,"depth":142,"text":5347},{"id":5384,"depth":142,"text":5385},{"id":5413,"depth":142,"text":5414},{"id":5470,"depth":142,"text":5471},{"id":5515,"depth":142,"text":5516},{"title":5593,"description":5594,"items":5595},"NIST CSF launch guide","Use episki’s free trial to benchmark, prioritize, and communicate fast.",[5596,5597,5598,5599,5600],"Baseline maturity assessment","Control library mapped to CSF categories","Initiative tracker with due dates and owners","Risk register tied to CSF outcomes","Executive report template",{"title":5602,"description":5603},"See your NIST CSF score in episki","Start the trial, import controls, and share a scorecard the same day.",{"title":5605,"items":5606},"NIST CSF frequently asked questions",[5607,5609,5612,5615,5618],{"label":5068,"content":5608},"The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. 
It provides a common language for understanding, managing, and expressing cybersecurity risk through five core functions.",{"label":5610,"content":5611},"What is the difference between NIST CSF and ISO 27001?","NIST CSF is a voluntary, outcome-focused maturity framework that helps organizations assess and improve their cybersecurity posture. ISO 27001 is a certifiable standard requiring a formal ISMS. Many organizations use NIST CSF as an internal maturity model alongside ISO 27001 certification for external assurance.",{"label":5613,"content":5614},"Is NIST CSF mandatory?","NIST CSF is voluntary for most private-sector organizations but is mandatory for US federal agencies under Executive Order 13800. Many industries and regulators reference it as a best-practice baseline, and customers increasingly expect suppliers to demonstrate alignment.",{"label":5616,"content":5617},"What are the NIST CSF implementation tiers?","The four tiers describe the maturity of an organization's cybersecurity risk management. Tier 1 (Partial) is ad hoc and reactive. Tier 2 (Risk-Informed) has some risk awareness. Tier 3 (Repeatable) has formal policies. Tier 4 (Adaptive) continuously improves based on lessons learned and threat intelligence.",{"label":5619,"content":5620},"How does NIST CSF relate to other compliance frameworks?","NIST CSF maps to many standards including SOC 2, ISO 27001, HIPAA, and PCI DSS. 
Organizations use it as a unifying layer to identify control gaps and overlaps across multiple compliance requirements, reducing duplicate work when pursuing multiple frameworks.",{"headline":5622,"title":5623,"description":5624,"links":5625},"Measure security maturity","Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover","episki translates CSF categories into action plans with real-time scoring and executive reporting.",[5626,5628],{"label":5627,"icon":184,"to":185},"Start NIST CSF trial",{"label":187,"icon":5629,"color":189,"variant":190,"to":191,"target":192},"i-lucide-presentation",{},{"headline":5632,"title":5632,"description":5633,"items":5634},"NIST CSF toolset","Everything you need to show measurable progress.",[5635,5638,5641],{"title":5636,"description":5637},"Quarterly business review pack","Slides with KPIs, upcoming initiatives, and resource needs.",{"title":5639,"description":5640},"Customer assurance brief","Explains how NIST CSF maps to their requirements.",{"title":5642,"description":5643},"Automation cookbook","Step-by-step instructions for connecting your tooling.",{"title":5645,"description":5646},"NIST CSF Framework Software","Operationalize NIST CSF with live maturity scoring, risk registers, and executive dashboards. 
Benchmark and improve your cybersecurity posture with episki.","nistcsf",[5649,5652,5655],{"value":5650,"description":5651},"Live maturity score","Automated scoring by category, tier, and business unit.",{"value":5653,"description":5654},"Unified risk register","Link risks to CSF categories with AI-prioritized remediation.",{"value":5656,"description":5657},"Executive-ready","Dashboards turn security work into business milestones.","5.frameworks\u002Fnistcsf","2IbqrdoWw1N_V3oK3XN9o3DuPJPgIlnBUG_HQts1_Jw",{"id":5661,"title":5662,"advantages":5663,"body":5685,"checklist":5829,"cta":5841,"description":141,"extension":162,"faq":5844,"hero":5861,"lastUpdated":193,"meta":5868,"name":1981,"navigation":196,"path":1980,"resources":5869,"seo":5883,"slug":5886,"stats":5887,"stem":5896,"__hash__":5897},"frameworks\u002F5.frameworks\u002Fnydfs.md","Nydfs",[5664,5671,5678],{"title":5665,"description":5666,"bullets":5667},"Second Amendment, fully covered","Every requirement phased in through November 1, 2025 — implemented as controls, not a checklist.",[5668,5669,5670],"Universal MFA (§500.12) and asset inventory (§500.13)","Expanded governance and senior-governing-body oversight","Class A enhanced requirements scoped when they apply",{"title":5672,"description":5673,"bullets":5674},"CISO program and reporting","The written program, policies, and CISO reporting the regulation requires — kept current automatically.",[5675,5676,5677],"Board\u002Fsenior-governing-body-approved policies","CISO written report to the governing body","Annual risk assessment tied to control treatments",{"title":5679,"description":5680,"bullets":5681},"Reporting and certification","Hit the 72-hour and ransomware-payment notification windows, and build the annual certification from real evidence.",[5682,5683,5684],"72-hour cybersecurity-event notification workflow","Ransomware extortion-payment reporting (24h \u002F 30-day)","§500.17 certification or acknowledgment with remediation 
plan",{"type":29,"value":5686,"toc":5820},[5687,5691,5698,5708,5710,5717,5724,5728,5739,5771,5773,5776,5780,5795,5799,5815,5817],[32,5688,5690],{"id":5689},"what-is-the-ny-dfs-cybersecurity-regulation","What is the NY DFS Cybersecurity Regulation?",[37,5692,5693,5694,5697],{},"The New York State Department of Financial Services (DFS) Cybersecurity Regulation — ",[41,5695,5696],{},"23 NYCRR Part 500"," — sets cybersecurity requirements for financial-services companies that DFS regulates. First effective on March 1, 2017, it was one of the first comprehensive, prescriptive state cybersecurity rules in the United States, and it became a template for later frameworks such as the NAIC Insurance Data Security Model Law.",[37,5699,5700,5701,5704,5705,416],{},"Part 500 is risk-based but specific: it requires a written cybersecurity program and policy, a designated Chief Information Security Officer (CISO), periodic risk assessments, and a defined set of technical and governance controls to protect Nonpublic Information (NPI). It also requires Covered Entities to ",[41,5702,5703],{},"report cybersecurity events to the DFS superintendent within 72 hours"," and to ",[41,5706,5707],{},"certify their compliance annually",[32,5709,52],{"id":51},[37,5711,5712,5713,5716],{},"The regulation applies to ",[41,5714,5715],{},"Covered Entities"," — any person or organization operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law. That includes NY-licensed banks, insurers, mortgage servicers, and money transmitters. 
Small entities can qualify for limited exemptions but still must meet a reduced subset of the requirements.",[37,5718,5719,5720,5723],{},"The Second Amendment introduced a ",[41,5721,5722],{},"Class A company"," tier — larger entities (generally at least $20M in NY-sourced gross annual revenue over three fiscal years, and either more than 2,000 employees or more than $1B in gross annual revenue averaged over two years, including affiliates) — which face enhanced obligations including independent audits, endpoint detection and response (EDR), and privileged access management (PAM).",[32,5725,5727],{"id":5726},"the-second-amendment","The Second Amendment",[37,5729,5730,5731,5734,5735,5738],{},"DFS adopted the ",[41,5732,5733],{},"Second Amendment to Part 500 on November 1, 2023",", with requirements phased in through ",[41,5736,5737],{},"November 1, 2025",". As of that final date, the amended regulation is fully in effect. The most significant additions:",[427,5740,5741,5747,5753,5759,5765],{},[72,5742,5743,5746],{},[41,5744,5745],{},"Multi-factor authentication for all access (§500.12)"," — MFA is now required for any individual accessing any information system of a Covered Entity, not just remote or privileged access.",[72,5748,5749,5752],{},[41,5750,5751],{},"Asset inventory (§500.13)"," — written policies and procedures to maintain a complete, accurate, documented inventory of information systems.",[72,5754,5755,5758],{},[41,5756,5757],{},"Stronger governance"," — the CISO must report on the cybersecurity program to the senior governing body, which is expected to exercise meaningful oversight; policies must be approved by the senior governing body or a senior officer.",[72,5760,5761,5764],{},[41,5762,5763],{},"Expanded incident reporting"," — in addition to the 72-hour cybersecurity-event notification, Covered Entities must notify DFS of an extortion (ransomware) payment within 24 hours and provide a written explanation within 30 
days.",[72,5766,5767,5770],{},[41,5768,5769],{},"Class A enhanced requirements"," — independent audits, EDR, PAM, and more rigorous, expert-led risk assessments.",[32,5772,4525],{"id":4524},[37,5774,5775],{},"Part 500 covers the controls most security teams already recognize: a written program and policy (§§500.2–500.3), a CISO (§500.4), penetration testing and vulnerability assessments (§500.5), audit trails (§500.6), access privilege management (§500.7), application security (§500.8), risk assessment (§500.9), security personnel and training (§§500.10, 500.14), third-party service provider security policy (§500.11), MFA (§500.12), asset management and data retention (§500.13), monitoring and encryption of NPI (§500.15), an incident response and business continuity plan (§500.16), and notification plus the annual certification (§500.17).",[32,5777,5779],{"id":5778},"the-annual-certification","The annual certification",[37,5781,5782,5783,5786,5787,5790,5791,5794],{},"Each year, a Covered Entity must file a notice to DFS by ",[41,5784,5785],{},"April 15"," covering the prior calendar year — either a ",[41,5788,5789],{},"certification of material compliance"," or a ",[41,5792,5793],{},"written acknowledgment"," that identifies the areas of non-compliance and a remediation plan with timelines. The filing must be signed by the entity's highest-ranking executive and its CISO, and the entity must retain the records and documentation supporting it. A weak or undocumented certification is one of the most common sources of DFS enforcement exposure.",[32,5796,5798],{"id":5797},"how-ny-dfs-maps-to-other-frameworks","How NY DFS maps to other frameworks",[37,5800,5801,5802,5805,5806,5808,5809,5811,5812,5814],{},"Most Part 500 requirements overlap heavily with controls you may already maintain. 
For US insurers and carriers, the ",[41,5803,5804],{},"NAIC Insurance Data Security Model Law"," is the closest parallel, and the ",[118,5807,133],{"href":132}," Annex A controls, ",[118,5810,138],{"href":137}," Trust Services Criteria, and ",[118,5813,487],{"href":486}," outcomes cover the large majority of Part 500 technical and governance requirements. Mapping NYDFS to a shared control set means a single piece of evidence — an access review, a pen-test report, a risk assessment — can satisfy multiple programs at once.",[32,5816,126],{"id":125},[37,5818,5819],{},"episki implements 23 NYCRR Part 500 as living controls cross-mapped to your other frameworks, so your NYDFS program reuses evidence you already collect for ISO 27001, SOC 2, or NAIC. The CISO report, risk assessment, 72-hour and ransomware notifications, and the §500.17 annual certification are produced from real control evidence — not a parallel binder you rebuild every April.",{"title":141,"searchDepth":142,"depth":142,"links":5821},[5822,5823,5824,5825,5826,5827,5828],{"id":5689,"depth":142,"text":5690},{"id":51,"depth":142,"text":52},{"id":5726,"depth":142,"text":5727},{"id":4524,"depth":142,"text":4525},{"id":5778,"depth":142,"text":5779},{"id":5797,"depth":142,"text":5798},{"id":125,"depth":142,"text":126},{"title":5830,"description":5831,"items":5832},"NY DFS Part 500 readiness inside episki","What a New York-regulated financial institution needs preloaded.",[5833,5834,5835,5836,5837,5838,5839,5840],"Written cybersecurity program and policies (§500.2, §500.3)","CISO designation and annual written report (§500.4)","Risk assessment kept current (§500.9)","Multi-factor authentication across all access (§500.12)","Asset inventory policies and procedures (§500.13)","Incident response and BCDR plans (§500.16)","72-hour cybersecurity-event reporting (§500.17(a))","Annual certification of material compliance (§500.17(b))",{"title":5842,"description":5843},"Build a defensible Part 500 program in 
episki","Implement 23 NYCRR 500 once, report on time, and reuse the evidence across NAIC, ISO 27001, and SOC 2.",{"title":5845,"items":5846},"NY DFS Part 500 frequently asked questions",[5847,5849,5852,5855,5858],{"label":5690,"content":5848},"23 NYCRR Part 500 is a cybersecurity regulation issued by the New York State Department of Financial Services (DFS). First effective March 1, 2017, it was one of the first comprehensive state cybersecurity rules for financial services and has influenced later standards such as the NAIC Insurance Data Security Model Law. It requires Covered Entities to maintain a risk-based cybersecurity program, designate a CISO, and report cybersecurity events to the DFS.",{"label":5850,"content":5851},"Who is a Covered Entity?","Any individual or organization operating under (or required to operate under) a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law — for example NY-licensed banks, insurers, mortgage companies, and money transmitters. Limited exemptions exist for very small entities, but even exempt entities must meet a reduced subset of requirements.",{"label":5853,"content":5854},"What changed in the Second Amendment?","The Second Amendment was adopted November 1, 2023 and phased in through November 1, 2025. It added universal multi-factor authentication (§500.12) and documented asset-inventory requirements (§500.13), strengthened governance and senior-governing-body oversight, expanded incident reporting (including ransomware-payment notification), and created a 'Class A company' tier with enhanced requirements. 
As of November 1, 2025 all phased requirements are in effect.",{"label":5856,"content":5857},"What is a Class A company?","A larger Covered Entity subject to enhanced requirements — generally those with at least $20 million in gross annual revenue from New York operations over the last three fiscal years and either more than 2,000 employees or more than $1 billion in gross annual revenue (averaged over the last two years, including affiliates). Class A companies must perform independent audits, deploy endpoint detection and response and privileged access management, and conduct more rigorous risk assessments.",{"label":5859,"content":5860},"When is the annual certification due?","Covered Entities must file an annual notice to the DFS by April 15 — either a certification of material compliance for the prior calendar year or a written acknowledgment of non-compliance that identifies the gaps and includes a remediation timeline. It must be signed by the highest-ranking executive and the CISO.",{"headline":5862,"title":5863,"description":5864,"links":5865},"NY DFS Part 500, without the binder","Comply with the NY DFS Cybersecurity Regulation","A written cybersecurity program, MFA and asset inventory under the Second Amendment, 72-hour incident reporting, and a defensible annual certification — all driven by live control evidence.",[5866,5867],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":5870,"title":5871,"description":5872,"items":5873},"NY DFS accelerators","Part 500 program accelerators","Stand up a defensible NYDFS program and reuse the work across your other obligations.",[5874,5877,5880],{"title":5875,"description":5876},"Certification builder","Assemble the §500.17 certification (or acknowledgment of non-compliance with a remediation plan) from live control evidence.",{"title":5878,"description":5879},"Reporting timers","72-hour cybersecurity-event and ransomware-payment notification 
clocks with owner assignment.",{"title":5881,"description":5882},"NAIC \u002F ISO 27001 crosswalk","Reuse NYDFS evidence against the NAIC Model Law, ISO 27001, and SOC 2.",{"title":5884,"description":5885},"NY DFS 23 NYCRR Part 500 Compliance Software","Meet the New York DFS Cybersecurity Regulation (23 NYCRR Part 500) — CISO program, MFA, asset inventory, 72-hour reporting, and the annual certification — in one workspace.","nydfs",[5888,5891,5893],{"value":5889,"description":5890},"23 NYCRR 500","The full NYDFS Cybersecurity Regulation implemented as living episki controls.",{"value":2172,"description":5892},"Cybersecurity-event reporting to the DFS superintendent tracked with deadline timers.",{"value":5894,"description":5895},"Annual cert","Section 500.17 certification of material compliance, evidenced and ready to sign by April 15.","5.frameworks\u002Fnydfs","pY2EJMbvQXP5lYWg6jB3tUsX8MerjkPCPZWU9bLtZ2U",{"id":5899,"title":5900,"advantages":5901,"body":5923,"checklist":6343,"cta":6352,"description":141,"extension":162,"faq":6355,"hero":6373,"lastUpdated":193,"meta":6382,"name":5935,"navigation":196,"path":6383,"resources":6384,"seo":6397,"slug":6400,"stats":6401,"stem":6411,"__hash__":6412},"frameworks\u002F5.frameworks\u002Fpci.md","Pci",[5902,5909,5916],{"title":5903,"description":5904,"bullets":5905},"Cardholder data mapped","Visualize systems, networks, and data flows tied to each DSS requirement.",[5906,5907,5908],"Track segmentation documentation and approvals","Connect SIEM and log tools for retention evidence","Link vulnerability scans and pen tests to controls",{"title":5910,"description":5911,"bullets":5912},"Task orchestration for engineering","Send prioritized remediation tasks to Jira or Linear with context.",[5913,5914,5915],"Auto-created tickets with required evidence","SLA tracking ensures high-risk remediations close on time","Change management logs sync back automatically",{"title":5917,"description":5918,"bullets":5919},"QSA-ready 
collaboration","Centralize requests, walkthroughs, and findings with secure file sharing.",[5920,5921,5922],"QSA comments resolve next to each control","Expiring links for sensitive diagrams","Exportable ROC narrative drafts",{"type":29,"value":5924,"toc":6330},[5925,5929,5937,5940,5943,5947,5955,6043,6046,6050,6057,6061,6074,6078,6086,6139,6151,6155,6166,6169,6172,6176,6193,6197,6200,6238,6246,6250,6253,6257,6270,6274,6277,6327],[32,5926,5928],{"id":5927},"what-is-pci-dss","What is PCI DSS?",[37,5930,5931,5932,5936],{},"The Payment Card Industry Data Security Standard -- universally known as ",[118,5933,5935],{"href":5934},"\u002Fglossary\u002Fpci-dss","PCI DSS"," -- is the global baseline for protecting payment card data. Any organization that stores, processes, or transmits cardholder data is expected to meet PCI DSS, from a mom-and-pop e-commerce store to a Fortune 500 retailer and every payment processor in between. PCI DSS exists because card data is one of the most monetizable targets on the internet, and a single breach can expose millions of account numbers, trigger steep fines, and end businesses. PCI DSS translates decades of hard-won lessons into a prescriptive framework that security, engineering, and finance teams can operationalize.",[37,5938,5939],{},"PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), an independent standards body founded in 2006 by the five major payment brands: Visa, Mastercard, American Express, Discover, and JCB. The PCI SSC writes and publishes the standard, accredits assessors and scanning vendors, and runs supporting programs such as PA-DSS (now replaced by the PCI Secure Software Standard) and P2PE. While the PCI SSC owns the standard itself, it does not enforce PCI DSS. Enforcement is delegated to the card brands, which in turn push obligations down through acquiring banks and payment processors to merchants and service providers. 
In practice, your acquirer is the entity that tells you which PCI DSS validation path you owe and what happens if you fail it.",[37,5941,5942],{},"PCI DSS emerged from a patchwork of brand-specific programs in the early 2000s, including Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP). PCI DSS v1.0 launched in December 2004. PCI DSS v2.0 arrived in 2010, v3.0 in 2013, v3.1 in 2015, v3.2 in 2016, v3.2.1 in 2018, and the long-anticipated PCI DSS v4.0 in March 2022, followed by v4.0.1 clarifications in June 2024 (v4.0 was retired at the end of 2024, leaving v4.0.1 as the only active version). The \"future-dated\" PCI DSS v4.x requirements became mandatory on March 31, 2025. Each revision tightens controls around emerging threats: phishing-resistant authentication, e-commerce script tampering, automated log review, and customized approaches for mature security programs.",[32,5944,5946],{"id":5945},"the-12-pci-dss-requirements","The 12 PCI DSS requirements",[37,5948,5949,5950,5954],{},"PCI DSS organizes technical and operational controls across twelve core requirements grouped into six objectives. 
The full set of PCI DSS requirements is detailed on the ",[118,5951,5953],{"href":5952},"\u002Fframeworks\u002Fpci\u002Frequirements","PCI DSS requirements page","; at a glance they are:",[69,5956,5957,5967,5973,5989,5995,6001,6007,6013,6019,6025,6031,6037],{},[72,5958,5959,5962,5963,416],{},[41,5960,5961],{},"Install and maintain network security controls"," -- firewalls and equivalent controls around the ",[118,5964,5966],{"href":5965},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment",[72,5968,5969,5972],{},[41,5970,5971],{},"Apply secure configurations to all system components"," -- hardening standards, default credential elimination, and secure build baselines.",[72,5974,5975,5978,5979,5983,5984,5988],{},[41,5976,5977],{},"Protect stored account data"," -- encryption, truncation, hashing, or ",[118,5980,5982],{"href":5981},"\u002Fglossary\u002Ftokenization","tokenization"," of the ",[118,5985,5987],{"href":5986},"\u002Fglossary\u002Fpan","PAN"," and prohibition on storing sensitive authentication data.",[72,5990,5991,5994],{},[41,5992,5993],{},"Protect cardholder data with strong cryptography during transmission"," over open, public networks.",[72,5996,5997,6000],{},[41,5998,5999],{},"Protect all systems and networks from malicious software"," -- anti-malware on in-scope systems and defenses against script-based threats.",[72,6002,6003,6006],{},[41,6004,6005],{},"Develop and maintain secure systems and software"," -- secure SDLC, patching, and vulnerability management for in-scope systems.",[72,6008,6009,6012],{},[41,6010,6011],{},"Restrict access to system components and cardholder data by business need to know"," -- least-privilege role design.",[72,6014,6015,6018],{},[41,6016,6017],{},"Identify users and authenticate access to system components"," -- unique IDs, strong authentication, and phishing-resistant MFA.",[72,6020,6021,6024],{},[41,6022,6023],{},"Restrict physical access to cardholder data"," -- physical security for 
facilities, media, and devices.",[72,6026,6027,6030],{},[41,6028,6029],{},"Log and monitor all access to system components and cardholder data"," -- centralized logging, daily review, and tamper protection.",[72,6032,6033,6036],{},[41,6034,6035],{},"Test security of systems and networks regularly"," -- ASV scans, internal scans, pen tests, segmentation validation, and change- and tamper-detection on payment pages.",[72,6038,6039,6042],{},[41,6040,6041],{},"Support information security with organizational policies and programs"," -- governance, awareness, incident response, and third-party oversight.",[37,6044,6045],{},"Each PCI DSS requirement is broken into numbered sub-requirements with explicit testing procedures that an assessor follows line by line. The \"defined approach\" dictates specific controls; PCI DSS v4.0 also introduces a \"customized approach\" where mature organizations can meet a requirement's objective through alternative controls, documented in a controls matrix and a targeted risk analysis. Because an assessor must design and perform the testing for each customized control, the customized approach is only available in a QSA- or ISA-led ROC, not on an SAQ.",[32,6047,6049],{"id":6048},"pci-dss-v40-changes","PCI DSS v4.0 changes",[37,6051,6052,6053,416],{},"PCI DSS v4.0 is the largest revision in more than a decade. Its headline shifts include a customized-approach validation path, mandatory multi-factor authentication for all access into the CDE, expanded requirements to detect and respond to e-commerce script tampering, targeted risk analyses that let you justify the frequency of certain controls instead of following a prescribed interval, and stronger expectations for continuous security rather than point-in-time compliance. PCI DSS v3.2.1 was retired on March 31, 2024, and the future-dated v4.0 controls became mandatory on March 31, 2025, three years after the standard was published. 
The full changelog, new testing procedures, and a migration checklist are covered in the ",[118,6054,6056],{"href":6055},"\u002Fframeworks\u002Fpci\u002Fv4-changes","PCI DSS v4.0 changes guide",[32,6058,6060],{"id":6059},"merchant-compliance-levels-1-4","Merchant compliance levels 1-4",[37,6062,6063,6064,6068,6069,6073],{},"Every merchant is assigned to one of four PCI DSS compliance levels based on annual card transaction volume across all channels. PCI DSS Level 1 covers merchants processing more than 6 million transactions per year and requires a formal Report on Compliance (ROC) signed by a ",[118,6065,6067],{"href":6066},"\u002Fglossary\u002Fqsa","QSA",". Level 2 covers 1-6 million transactions. Level 3 covers 20,000 to 1 million e-commerce transactions. Level 4 covers everything below those thresholds. Service providers have their own two-level structure. Your acquiring bank can also assign you a higher PCI DSS level at its discretion -- particularly after a breach. The ",[118,6070,6072],{"href":6071},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels","PCI DSS compliance levels page"," breaks down every threshold by card brand and the validation path each level owes.",[32,6075,6077],{"id":6076},"self-assessment-questionnaires-saqs","Self-Assessment Questionnaires (SAQs)",[37,6079,6080,6081,6085],{},"Merchants and service providers that are not required to complete a full PCI DSS Report on Compliance validate using a ",[118,6082,6084],{"href":6083},"\u002Fglossary\u002Fsaq","Self-Assessment Questionnaire",", or SAQ. 
The PCI SSC publishes a separate SAQ for each acceptance channel and technology profile (PCI DSS v4.x also adds SAQ SPoC, for merchants using a PCI-listed software-based PIN entry on COTS solution, which is not covered here); the ones most entities will meet are:",[427,6087,6088,6094,6100,6106,6112,6118,6124,6130],{},[72,6089,6090,6093],{},[41,6091,6092],{},"SAQ A"," -- card-not-present merchants that fully outsource all cardholder data functions.",[72,6095,6096,6099],{},[41,6097,6098],{},"SAQ A-EP"," -- e-commerce merchants that partially outsource payment processing but host pages that could affect payment page security.",[72,6101,6102,6105],{},[41,6103,6104],{},"SAQ B"," -- merchants using only imprint machines or standalone dial-out terminals.",[72,6107,6108,6111],{},[41,6109,6110],{},"SAQ B-IP"," -- merchants using only standalone IP-connected POI devices.",[72,6113,6114,6117],{},[41,6115,6116],{},"SAQ C-VT"," -- merchants manually keying one transaction at a time into a virtual payment terminal on an isolated workstation.",[72,6119,6120,6123],{},[41,6121,6122],{},"SAQ C"," -- merchants with payment application systems connected to the internet.",[72,6125,6126,6129],{},[41,6127,6128],{},"SAQ P2PE"," -- merchants using PCI-listed point-to-point encryption solutions.",[72,6131,6132,134,6135,6138],{},[41,6133,6134],{},"SAQ D for Merchants",[41,6136,6137],{},"SAQ D for Service Providers"," -- the catch-all SAQs for entities that store cardholder data or do not qualify for a simpler SAQ.",[37,6140,6141,6142,1125,6146,6150],{},"Eligibility is narrow and precise. Picking the wrong SAQ is one of the most common PCI DSS mistakes -- and one that an acquiring bank or breach investigation can expose instantly. 
The ",[118,6143,6145],{"href":6144},"\u002Fframeworks\u002Fpci\u002Fself-assessment-questionnaire","SAQ reference",[118,6147,6149],{"href":6148},"\u002Fframeworks\u002Fpci\u002Fsaq-types-explained","SAQ types explained"," pages walk through each SAQ's eligibility, question count, and typical pitfalls.",[32,6152,6154],{"id":6153},"cardholder-data-environment-cde-and-scoping","Cardholder data environment (CDE) and scoping",[37,6156,6157,6158,6160,6161,6165],{},"Every PCI DSS program begins with scoping. The ",[118,6159,5966],{"href":5965},", or CDE, is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system component that is connected to or could impact the security of those components. Determining what is in ",[118,6162,6164],{"href":6163},"\u002Fglossary\u002Fpci-scope","PCI scope"," is the single highest-leverage activity in a PCI DSS program -- it drives how many controls apply, how much evidence you collect, and how much your QSA engagement costs.",[37,6167,6168],{},"PCI DSS scoping has three categories: CDE systems that directly store, process, or transmit account data, or that sit on the same network segment as systems that do; connected-to systems that can route traffic to the CDE, authenticate CDE users, or otherwise interact with CDE components; and security-impacting systems that could affect CDE security even without direct connectivity (think SIEM, patch management, or anti-malware consoles). All three categories are in scope for PCI DSS. A system is out of scope only if it has no connectivity to the CDE and no ability to affect its security, and you must be able to demonstrate that with segmentation testing rather than assert it.",[37,6170,6171],{},"Document your CDE with an annotated network diagram and a data-flow diagram for every payment channel. PCI DSS v4.0 requires both (Requirements 1.2.3 and 1.2.4), and your assessor will test them during every assessment. Requirement 12.5.2 also requires you to document and confirm your PCI DSS scope at least once every 12 months and after significant changes to the environment; service providers must repeat the confirmation every six months.",[32,6173,6175],{"id":6174},"scope-reduction-strategies","Scope reduction strategies",[37,6177,6178,6179,6183,6184,6188,6189,6192],{},"Because PCI DSS obligations scale with the CDE, shrinking the CDE is the fastest way to cut PCI DSS cost and risk. 
Effective ",[118,6180,6182],{"href":6181},"\u002Fframeworks\u002Fpci\u002Fscope-reduction","PCI DSS scope reduction"," typically combines four levers: strong ",[118,6185,6187],{"href":6186},"\u002Fframeworks\u002Fpci\u002Fnetwork-segmentation","network segmentation"," that isolates the CDE onto dedicated VLANs with tightly controlled firewall rules; ",[118,6190,5982],{"href":6191},"\u002Fframeworks\u002Fpci\u002Ftokenization-vs-encryption"," that replaces stored PANs with non-sensitive surrogates; PCI-listed point-to-point encryption (P2PE) that removes in-store networks from PCI scope; and outsourcing card capture to a validated service provider so your systems never touch real card data. Layered correctly, these strategies can reduce a PCI DSS assessment from hundreds of in-scope systems to a handful.",[32,6194,6196],{"id":6195},"key-pci-dss-roles-qsas-asvs-and-isas","Key PCI DSS roles: QSAs, ASVs, and ISAs",[37,6198,6199],{},"Three accredited roles support every PCI DSS program:",[427,6201,6202,6217,6232],{},[72,6203,6204,6211,6212,6216],{},[41,6205,6206,6207,6210],{},"Qualified Security Assessors (",[118,6208,6209],{"href":6066},"QSAs",")"," -- individuals and firms certified by the PCI SSC to perform on-site PCI DSS assessments, produce the ROC, and sign the Attestation of Compliance. Selecting the right QSA shapes your PCI DSS experience for years; the ",[118,6213,6215],{"href":6214},"\u002Fframeworks\u002Fpci\u002Fqsa-selection","QSA selection guide"," covers how to evaluate firms, cost drivers, and red flags.",[72,6218,6219,6226,6227,6231],{},[41,6220,6221,6222,6210],{},"Approved Scanning Vendors (",[118,6223,6225],{"href":6224},"\u002Fglossary\u002Fasv","ASVs"," -- PCI SSC-approved firms that run the quarterly external vulnerability scans required by PCI DSS Requirement 11.3.2. 
The ",[118,6228,6230],{"href":6229},"\u002Fframeworks\u002Fpci\u002Fasv-program","ASV program guide"," covers vendor selection, scanning cadence, passing thresholds, and remediation workflows.",[72,6233,6234,6237],{},[41,6235,6236],{},"Internal Security Assessors (ISAs)"," -- employees who have completed PCI SSC training and can perform internal PCI DSS assessments for their own organization or support a QSA engagement. ISAs are a cost-effective way to build PCI DSS capability inside large programs.",[37,6239,6240,6241,6245],{},"Penetration testing (Requirement 11.4) sits alongside ASV scanning and is a frequent source of PCI DSS findings. The ",[118,6242,6244],{"href":6243},"\u002Fframeworks\u002Fpci\u002Fpenetration-testing","PCI DSS penetration testing guide"," covers internal vs external scope, segmentation testing, and frequency.",[32,6247,6249],{"id":6248},"penalties-for-non-compliance","Penalties for non-compliance",[37,6251,6252],{},"PCI DSS is a contractual obligation imposed through the card brands and your acquirer rather than a statute, but non-compliance carries material financial consequences. The card brands can fine acquirers for PCI DSS violations (figures of $5,000 to $100,000 per month are commonly cited), and acquirers pass those fines down to merchants, raise transaction fees, or revoke payment processing privileges outright. After a confirmed breach of card data, a merchant typically faces a forensic PFI investigation, card brand fines, assessments for fraud losses, reissuance costs for compromised cards, and reassignment to Level 1 PCI DSS validation going forward. Regulators and state attorneys general may also get involved, and the organization almost always faces litigation. In short, PCI DSS fines are rarely the largest line item -- the true cost of a breach is reputational damage, customer churn, and the fully loaded cost of breach response.",[32,6254,6256],{"id":6255},"pci-dss-vs-other-frameworks","PCI DSS vs other frameworks",[37,6258,6259,6260,6264,6265,6269],{},"PCI DSS is narrower and more prescriptive than most security frameworks. 
ISO 27001 is a management-system standard focused on the process of running an ISMS; it tells you how to manage risk but does not specify controls the way PCI DSS does. SOC 2 is an attestation framework where you define your own controls against the Trust Services Criteria; PCI DSS prescribes them. HIPAA and HITECH cover protected health information, not cardholder data. NIST CSF and NIST SP 800-53 offer control catalogues and risk management guidance that many organizations map into their PCI DSS program, especially under the v4.0 customized approach. PCI DSS is also one of the few frameworks with ongoing external validation -- ASV scans every quarter, penetration tests at least annually, and a full assessment every year. For businesses in the ",[118,6261,6263],{"href":6262},"\u002Findustry\u002Ffinance","finance industry"," or running ",[118,6266,6268],{"href":6267},"\u002Findustry\u002Fecommerce","e-commerce"," platforms, PCI DSS almost always becomes the binding constraint that the rest of the security program organizes around.",[32,6271,6273],{"id":6272},"getting-pci-compliant","Getting PCI compliant",[37,6275,6276],{},"A typical path to PCI DSS compliance looks like this:",[69,6278,6279,6285,6291,6297,6303,6309,6315,6321],{},[72,6280,6281,6284],{},[41,6282,6283],{},"Define scope"," -- inventory every place card data lives, moves, or could move. 
Produce annotated network and data-flow diagrams.",[72,6286,6287,6290],{},[41,6288,6289],{},"Reduce scope"," -- apply segmentation, tokenization, P2PE, and outsourcing to shrink the CDE before assessment.",[72,6292,6293,6296],{},[41,6294,6295],{},"Select your validation path"," -- confirm your PCI DSS level with your acquirer and determine whether you owe a ROC or an SAQ.",[72,6298,6299,6302],{},[41,6300,6301],{},"Gap assess"," -- map your current controls to every applicable PCI DSS requirement and prioritize remediation.",[72,6304,6305,6308],{},[41,6306,6307],{},"Remediate and document"," -- close gaps, write the policies and procedures PCI DSS expects, and stand up the logging, monitoring, scanning, and testing programs.",[72,6310,6311,6314],{},[41,6312,6313],{},"Engage your QSA or ASV"," -- commission the ASV scans, book the penetration test, and (for Level 1) schedule your QSA engagement early enough to allow remediation cycles.",[72,6316,6317,6320],{},[41,6318,6319],{},"Validate and attest"," -- produce the ROC or SAQ plus Attestation of Compliance, and submit to your acquirer on the required cadence.",[72,6322,6323,6326],{},[41,6324,6325],{},"Operate continuously"," -- PCI DSS v4.0 expects continuous monitoring, targeted risk analyses, and evidence that controls stay effective between assessments.",[37,6328,6329],{},"episki automates the bulk of the evidence collection, control testing, and QSA collaboration work so your PCI DSS program is audit-ready year-round instead of scrambling at the end of each cycle. 
If you are starting a new PCI DSS program or rebuilding an existing one, episki can shorten your path from scoping through Report on Compliance.",{"title":141,"searchDepth":142,"depth":142,"links":6331},[6332,6333,6334,6335,6336,6337,6338,6339,6340,6341,6342],{"id":5927,"depth":142,"text":5928},{"id":5945,"depth":142,"text":5946},{"id":6048,"depth":142,"text":6049},{"id":6059,"depth":142,"text":6060},{"id":6076,"depth":142,"text":6077},{"id":6153,"depth":142,"text":6154},{"id":6174,"depth":142,"text":6175},{"id":6195,"depth":142,"text":6196},{"id":6248,"depth":142,"text":6249},{"id":6255,"depth":142,"text":6256},{"id":6272,"depth":142,"text":6273},{"title":6344,"description":6345,"items":6346},"PCI DSS playbook","Follow structured milestones from scoping through ROC submission.",[6347,6348,6349,6350,6351],"Automated scope confirmation questionnaires","Connector-backed logging and monitoring checks","Quarterly vulnerability and penetration testing tracker","Change-management evidence capture","ROC narrative template and artifact index",{"title":6353,"description":6354},"Keep PCI DSS audit-ready around the clock","Spin up your trial, sync evidence, and invite your QSA in a single day.",{"title":6356,"items":6357},"PCI DSS frequently asked questions",[6358,6361,6364,6367,6370],{"label":6359,"content":6360},"What are the PCI DSS compliance levels?","PCI DSS has four merchant levels based on annual transaction volume. Level 1 (over 6 million transactions) requires a formal Report on Compliance by a QSA. Levels 2-4 may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). 
Service providers have two levels with different validation requirements.",{"label":6362,"content":6363},"What changed in PCI DSS 4.0?","PCI DSS 4.0 introduced a customized validation approach allowing organizations to meet objectives with alternative controls, expanded multi-factor authentication requirements, strengthened e-commerce and phishing protections, and added emphasis on continuous security rather than point-in-time compliance.",{"label":6365,"content":6366},"Who needs PCI DSS compliance?","Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes merchants, payment processors, acquirers, issuers, and service providers. The scope is determined by your cardholder data environment (CDE).",{"label":6368,"content":6369},"How often is a PCI DSS assessment required?","PCI DSS assessments are required annually. Level 1 merchants and service providers must complete a formal assessment by a Qualified Security Assessor (QSA). Additionally, quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) are required.",{"label":6371,"content":6372},"What is a cardholder data environment (CDE)?","The CDE includes all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any systems connected to those components. 
Accurate CDE scoping is the foundation of an efficient PCI DSS assessment.",{"headline":6374,"title":6375,"description":6376,"links":6377},"PCI controls that stay current","Keep PCI DSS requirements passing even as your CDE evolves","episki maps DSS requirements, automates testing, and keeps QSAs collaborating in one secure workspace.",[6378,6380],{"label":6379,"icon":184,"to":185},"Start PCI trial",{"label":187,"icon":6381,"color":189,"variant":190,"to":191,"target":192},"i-lucide-calendar",{},"\u002Fframeworks\u002Fpci",{"headline":6385,"title":6385,"description":6386,"items":6387},"PCI enablement kit","Give leadership, ops, and QSAs a single source of truth.",[6388,6391,6394],{"title":6389,"description":6390},"CDE architecture report","Share sanitized diagrams and segmentation notes with prospects.",{"title":6392,"description":6393},"Risk and remediation digest","Weekly summary of open items, owners, and due dates.",{"title":6395,"description":6396},"Assessor workspace","Prebuilt template keeps every requirement, artifact, and note aligned.",{"title":6398,"description":6399},"PCI DSS Compliance Tool","Automate PCI DSS evidence collection, manage QSA collaboration, and keep cardholder data controls current. 
Start your free 14-day trial with episki.","pci",[6402,6405,6408],{"value":6403,"description":6404},"90% automation","Evidence coverage across access, logging, segmentation, and monitoring.",{"value":6406,"description":6407},"QSA portal","Scoped access keeps your assessor in sync without endless spreadsheets.",{"value":6409,"description":6410},"Weekly drift checks","Automated alerts highlight misconfigurations before audits.","5.frameworks\u002Fpci","MnDaLUMpuHJJalOsfYWJQke7Wa1jghWX9EzaLjbnmaI",{"id":6414,"title":6415,"advantages":6416,"body":6437,"checklist":6521,"cta":6531,"description":141,"extension":162,"faq":6534,"hero":6548,"lastUpdated":193,"meta":6555,"name":4390,"navigation":196,"path":4389,"resources":6556,"seo":6569,"slug":6572,"stats":6573,"stem":6582,"__hash__":6583},"frameworks\u002F5.frameworks\u002Fpipeda.md","Pipeda",[6417,6424,6431],{"title":6418,"description":6419,"bullets":6420},"The 10 fair information principles","PIPEDA's principles, from accountability to consent, as controls.",[6421,6422,6423],"Accountability and identified purposes","Consent, limiting collection, and use","Accuracy, safeguards, and openness",{"title":6425,"description":6426,"bullets":6427},"Rights and breach handling","Access requests and breach reporting handled on time.",[6428,6429,6430],"Individual access and correction requests","Real-risk-of-significant-harm assessment","OPC and individual breach notification",{"title":4305,"description":6432,"bullets":6433},"PIPEDA overlaps heavily with GDPR and CCPA.",[6434,6435,6436],"Crosswalk to GDPR and CCPA","Records of processing reused","Aligns with Quebec Law 25 and provincial PIPA",{"type":29,"value":6438,"toc":6515},[6439,6443,6460,6464,6483,6487,6505,6507],[32,6440,6442],{"id":6441},"what-is-pipeda","What is PIPEDA?",[37,6444,39,6445,4321,6448,6451,6452,6455,6456,6459],{},[41,6446,6447],{},"Personal Information Protection and Electronic Documents Act (PIPEDA)",[41,6449,6450],{},"Canada's federal private-sector privacy 
law",". It governs how organizations collect, use, and disclose personal information in the course of commercial activity, and it is enforced by the ",[41,6453,6454],{},"Office of the Privacy Commissioner of Canada (OPC)",". At its core are ",[41,6457,6458],{},"10 fair information principles",": accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.",[32,6461,6463],{"id":6462},"is-pipeda-changing","Is PIPEDA changing?",[37,6465,6466,6467,6470,6471,6474,6475,6478,6479,6482],{},"There has been a long effort to modernize Canadian privacy law through ",[41,6468,6469],{},"Bill C-27",", which would have replaced PIPEDA's private-sector provisions with the ",[41,6472,6473],{},"Consumer Privacy Protection Act (CPPA)"," and introduced an AI statute (AIDA). That bill ",[41,6476,6477],{},"died on the Order Paper when Parliament was prorogued in January 2025",". As a result, ",[41,6480,6481],{},"PIPEDA remains the law in force in 2026",", and organizations should keep complying with it while watching for future reform.",[32,6484,6486],{"id":6485},"breach-reporting-and-provincial-laws","Breach reporting and provincial laws",[37,6488,6489,6490,6493,6494,6497,6498,1125,6501,6504],{},"Since November 2018, organizations must ",[41,6491,6492],{},"report breaches that pose a real risk of significant harm"," to affected individuals and to the OPC, and keep records of all breaches. 
Several provinces have their own ",[41,6495,6496],{},"substantially similar"," laws — notably ",[41,6499,6500],{},"Quebec's Law 25",[41,6502,6503],{},"PIPA"," statutes in British Columbia and Alberta — which can apply in place of PIPEDA within those provinces.",[32,6506,126],{"id":125},[37,6508,6509,6510,134,6512,6514],{},"episki implements the 10 fair information principles as living controls, with consent and identified-purposes management, an access- and correction-request workflow, and a breach-assessment process tied to the real-risk-of-significant-harm test. Because PIPEDA overlaps heavily with ",[118,6511,2147],{"href":2148},[118,6513,4386],{"href":325},", your Canadian privacy program reuses records of processing and rights workflows you already maintain.",{"title":141,"searchDepth":142,"depth":142,"links":6516},[6517,6518,6519,6520],{"id":6441,"depth":142,"text":6442},{"id":6462,"depth":142,"text":6463},{"id":6485,"depth":142,"text":6486},{"id":125,"depth":142,"text":126},{"title":6522,"description":6523,"items":6524},"PIPEDA readiness inside episki","What an organization handling Canadian personal data needs.",[6525,6526,6527,6528,6529,6530],"Privacy policy and designated accountable individual","Consent and identified-purposes management","Personal information inventory and retention limits","Safeguards proportionate to sensitivity","Access and correction request workflow","Breach assessment and Privacy Commissioner notification",{"title":6532,"description":6533},"Build a PIPEDA program in episki","Implement the fair information principles once and reuse the work for GDPR and CCPA.",{"title":6535,"items":6536},"PIPEDA frequently asked questions",[6537,6539,6542,6545],{"label":6442,"content":6538},"The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. 
It governs how organizations collect, use, and disclose personal information in the course of commercial activity, and is built on 10 fair information principles, overseen by the Office of the Privacy Commissioner of Canada (OPC).",{"label":6540,"content":6541},"Is PIPEDA being replaced?","Not currently. Bill C-27 — which would have replaced PIPEDA's private-sector provisions with the Consumer Privacy Protection Act (CPPA) and added an AI law (AIDA) — died on the Order Paper when Parliament was prorogued in January 2025. PIPEDA remains the law in force in 2026, and organizations should continue to comply with it.",{"label":6543,"content":6544},"Does PIPEDA require breach reporting?","Yes. Since November 2018, organizations must report breaches that pose a real risk of significant harm to affected individuals and to the Office of the Privacy Commissioner, and keep records of all breaches.",{"label":6546,"content":6547},"How does PIPEDA relate to GDPR and provincial laws?","PIPEDA shares core principles with the GDPR, so much of a GDPR program carries over. 
Several provinces have their own substantially similar laws — notably Quebec's Law 25 and the PIPA statutes in British Columbia and Alberta — which can apply instead of PIPEDA in those provinces.",{"headline":6549,"title":6550,"description":6551,"links":6552},"Canadian privacy, operationalized","Comply with Canada's PIPEDA","The 10 fair information principles as living controls, consent and access-request workflows, and breach reporting to the Privacy Commissioner — mapped to GDPR and CCPA.",[6553,6554],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},{"headline":6557,"title":6557,"description":6558,"items":6559},"PIPEDA accelerators","Stand up Canadian privacy compliance and reuse it elsewhere.",[6560,6563,6566],{"title":6561,"description":6562},"Access-request workflow","Intake and fulfill individual access and correction requests.",{"title":6564,"description":6565},"Breach reporting workflow","Assess real risk of significant harm and notify the OPC.",{"title":6567,"description":6568},"GDPR \u002F CCPA crosswalk","Reuse records of processing and rights workflows across regimes.",{"title":6570,"description":6571},"PIPEDA Compliance Software","Comply with Canada's PIPEDA — the 10 fair information principles, consent, data-subject requests, and breach reporting to the Privacy Commissioner — in one workspace.","pipeda",[6574,6577,6580],{"value":6575,"description":6576},"10 principles","The fair information principles implemented as living controls.",{"value":6578,"description":6579},"Breach reporting","Real-risk-of-significant-harm assessment and OPC notification workflow.",{"value":4040,"description":6581},"Cross-walked to GDPR and CCPA so privacy work is 
reused.","5.frameworks\u002Fpipeda","5yFWtmKtscvzro8giXwfvQdA2uSk1cde33IpQv12qOs",{"id":6585,"title":6586,"advantages":6587,"body":6607,"checklist":6691,"cta":6701,"description":141,"extension":162,"faq":6704,"hero":6718,"lastUpdated":193,"meta":6725,"name":6726,"navigation":196,"path":6727,"resources":6728,"seo":6739,"slug":6742,"stats":6743,"stem":6752,"__hash__":6753},"frameworks\u002F5.frameworks\u002Fpopia.md","Popia",[6588,6595,6602],{"title":6589,"description":6590,"bullets":6591},"Eight conditions for lawful processing","From accountability to data-subject participation, as controls.",[6592,6593,6594],"Accountability and processing limitation","Purpose specification and further-processing limits","Information quality, openness, and security safeguards",{"title":6596,"description":6597,"bullets":6598},"Roles, rights, and breaches","The information officer, data-subject rights, and breach reporting.",[6599,6600,6601],"Information officer registration and duties","Data-subject access and objection requests","Information Regulator and data-subject breach notice",{"title":4305,"description":6603,"bullets":6604},"POPIA overlaps heavily with GDPR and other privacy laws.",[3923,6605,6606],"Reuse records of processing","Aligns with LGPD, CCPA, and PIPEDA",{"type":29,"value":6608,"toc":6685},[6609,6613,6634,6637,6655,6659,6670,6672],[32,6610,6612],{"id":6611},"what-is-popia","What is POPIA?",[37,6614,39,6615,4321,6618,6621,6622,6625,6626,6629,6630,6633],{},[41,6616,6617],{},"Protection of Personal Information Act (POPIA)",[41,6619,6620],{},"South Africa's data protection law",". It came into ",[41,6623,6624],{},"full force on July 1, 2021"," and is enforced by the ",[41,6627,6628],{},"Information Regulator",". 
POPIA governs how \"responsible parties\" (the equivalent of controllers) process personal information, and it is built on ",[41,6631,6632],{},"eight conditions for lawful processing",": accountability, processing limitation, purpose specification, further-processing limitation, information quality, openness, security safeguards, and data-subject participation.",[32,6635,6596],{"id":6636},"roles-rights-and-breaches",[37,6638,6639,6640,6643,6644,6647,6648,6650,6651,6654],{},"Organizations must designate and ",[41,6641,6642],{},"register an information officer"," with the Information Regulator, maintain appropriate ",[41,6645,6646],{},"security safeguards",", and honor ",[41,6649,4336],{}," such as access, correction, and objection. Where personal information is accessed or acquired by an unauthorized person, the responsible party must ",[41,6652,6653],{},"notify the Information Regulator and affected data subjects"," as soon as reasonably possible.",[32,6656,6658],{"id":6657},"recent-developments","Recent developments",[37,6660,6661,6662,6665,6666,6669],{},"In ",[41,6663,6664],{},"April 2025",", the Information Regulator published ",[41,6667,6668],{},"amendments to the POPIA Regulations"," that streamlined several processes — including objecting to processing, requesting corrections or deletions, and obtaining consent for direct marketing — strengthening protections for individuals.",[32,6671,126],{"id":125},[37,6673,6674,6675,6677,6678,488,6680,1182,6682,6684],{},"episki implements POPIA's eight conditions as living controls, manages information-officer registration and data-subject requests, and provides a breach-notification workflow for the Information Regulator and affected individuals. 
Because POPIA closely parallels the ",[118,6676,2147],{"href":2148}," — and aligns with ",[118,6679,4430],{"href":4431},[118,6681,4386],{"href":325},[118,6683,4390],{"href":4389}," — your South African privacy program reuses records of processing and rights workflows you already maintain.",{"title":141,"searchDepth":142,"depth":142,"links":6686},[6687,6688,6689,6690],{"id":6611,"depth":142,"text":6612},{"id":6636,"depth":142,"text":6596},{"id":6657,"depth":142,"text":6658},{"id":125,"depth":142,"text":126},{"title":6692,"description":6693,"items":6694},"POPIA readiness inside episki","What an organization processing South African personal data needs.",[6695,6696,6697,6698,6699,6700],"Information officer registered with the Regulator","Personal information inventory and processing records","Lawful-processing controls across the eight conditions","Security safeguards proportionate to risk","Data-subject request and objection workflow","Breach notification to the Regulator and data subjects",{"title":6702,"description":6703},"Build a POPIA program in episki","Implement the eight conditions once and reuse your GDPR work.",{"title":6705,"items":6706},"POPIA frequently asked questions",[6707,6709,6712,6715],{"label":6612,"content":6708},"The Protection of Personal Information Act (POPIA) is South Africa's data protection law. It came into full force on July 1, 2021 and sets out eight conditions for the lawful processing of personal information, enforced by the Information Regulator. It applies to responsible parties (controllers) that process personal information in South Africa.",{"label":6710,"content":6711},"What are the eight conditions?","POPIA's eight conditions for lawful processing are: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation. 
Together they function much like the GDPR's principles and rights.",{"label":6713,"content":6714},"Does POPIA require breach notification?","Yes. Where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorized person, the responsible party must notify the Information Regulator and the affected data subjects as soon as reasonably possible.",{"label":6716,"content":6717},"How does POPIA relate to GDPR?","POPIA closely parallels the GDPR, so much of a GDPR program transfers directly. In April 2025, the Information Regulator published amendments to the POPIA Regulations that streamlined processes such as objecting to processing, requesting corrections or deletions, and consent for direct marketing.",{"headline":6719,"title":6720,"description":6721,"links":6722},"South African privacy, operationalized","Comply with South Africa's POPIA","The eight conditions for lawful processing as living controls, information officer duties, data-subject requests, and Information Regulator breach reporting — mapped to GDPR.",[6723,6724],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"POPIA","\u002Fframeworks\u002Fpopia",{"headline":6729,"title":6729,"description":6730,"items":6731},"POPIA accelerators","Stand up South African privacy compliance and reuse it elsewhere.",[6732,6735,6737],{"title":6733,"description":6734},"Conditions control set","The eight conditions for lawful processing as living controls.",{"title":2355,"description":6736},"Notify the Information Regulator and affected data subjects on time.",{"title":4443,"description":6738},"Reuse your GDPR records and rights workflows for POPIA.",{"title":6740,"description":6741},"POPIA Compliance Software","Comply with South Africa's POPIA — the eight conditions for lawful processing, information officer duties, and Information Regulator breach reporting — in one 
workspace.","popia",[6744,6747,6750],{"value":6745,"description":6746},"8 conditions","The conditions for lawful processing implemented as living controls.",{"value":6748,"description":6749},"Info Regulator","Breach notification and information-officer registration workflows.",{"value":4040,"description":6751},"POPIA aligns with GDPR, so privacy work is reused.","5.frameworks\u002Fpopia","a3Te6EyMHlmV4_2wxOINVqXO0vBXc1SifoBNyGfE6SE",{"id":6755,"title":6756,"advantages":6757,"body":6779,"checklist":6808,"cta":6818,"description":141,"extension":162,"faq":6821,"hero":6835,"lastUpdated":322,"meta":6842,"name":6843,"navigation":196,"path":6844,"resources":6845,"seo":6858,"slug":6861,"stats":6862,"stem":6872,"__hash__":6873},"frameworks\u002F5.frameworks\u002Fsoc1.md","Soc1",[6758,6765,6772],{"title":6759,"description":6760,"bullets":6761},"Control objectives and procedures","A library of common SOC 1 control objectives with mapped control activities and testing procedures.",[6762,6763,6764],"Control objectives library by domain","Testing procedures aligned to SSAE 18","Evidence organized per control activity",{"title":6766,"description":6767,"bullets":6768},"Carve-out and inclusive","Track subservice organizations with the carve-out or inclusive method.",[6769,6770,6771],"Carve-out subservice organization tracking","Inclusive method workflows for tightly coupled subservices","SOC 1 sub-processor risk reviews via TPRM",{"title":6773,"description":6774,"bullets":6775},"Cross-mapped to SOC 2","Many controls do double duty across SOC 1 and SOC 2. 
Map once, evidence once, report twice.",[6776,6777,6778],"Shared control library between SOC 1 and SOC 2","Single evidence locker","Auditor portal supports both engagement types",{"type":29,"value":6780,"toc":6803},[6781,6785,6788,6791,6795,6798,6800],[32,6782,6784],{"id":6783},"what-is-soc-1","What is SOC 1?",[37,6786,6787],{},"SOC 1 (System and Organization Controls 1) is the AICPA attestation report addressing a service organization's controls that are relevant to its user entities' Internal Control over Financial Reporting (ICFR). It is the modern descendant of SAS 70, now issued under SSAE 18 attestation standards.",[37,6789,6790],{},"SOC 1 reports come in two flavors: Type I (design of controls at a point in time) and Type II (design and operating effectiveness over a period, typically 6-12 months). Your customers' external auditors rely on SOC 1 Type II reports when deciding whether they can rely on your controls in your customers' financial-statement audits.",[32,6792,6794],{"id":6793},"who-needs-soc-1","Who needs SOC 1",[37,6796,6797],{},"Service organizations whose operations directly affect customers' financial reporting — payroll providers, billing systems, transaction processors, ERP hosting providers, fund administrators, and many SaaS companies serving regulated public-company customers. If your customers' external auditors regularly ask for your SOC 1, you need one.",[32,6799,126],{"id":125},[37,6801,6802],{},"SOC 1 and SOC 2 share substantial overlap in control activities — change management, access reviews, monitoring, and incident response are common to both. 
episki keeps the two engagements in one workspace with a unified control library and evidence locker, so you stop maintaining parallel programs.",{"title":141,"searchDepth":142,"depth":142,"links":6804},[6805,6806,6807],{"id":6783,"depth":142,"text":6784},{"id":6793,"depth":142,"text":6794},{"id":125,"depth":142,"text":126},{"title":6809,"description":6810,"items":6811},"SOC 1 readiness inside episki","From scoping to signed report — what you need preloaded.",[6812,6813,6814,6815,6816,6817],"Control objectives library scoped to your service","Subservice organization treatment (carve-out \u002F inclusive)","Complementary User Entity Controls (CUECs) documented","Type I or Type II report-period decision support","Auditor portal with PBC and walkthrough management","Cross-mapping to SOC 2 for shared scope",{"title":6819,"description":6820},"Issue SOC 1 in episki","Stand up the SOC 1 engagement alongside your SOC 2, sharing evidence and auditor workflows.",{"title":6822,"items":6823},"SOC 1 frequently asked questions",[6824,6826,6829,6832],{"label":6784,"content":6825},"SOC 1 (System and Organization Controls 1) is an AICPA attestation report addressing a service organization's controls relevant to its customers' Internal Control over Financial Reporting (ICFR). It's the modern successor to SAS 70, issued under SSAE 18.",{"label":6827,"content":6828},"SOC 1 vs SOC 2 — when do I need which?","SOC 1 is for services whose operation affects customers' financial reporting (e.g., payroll, billing, transaction processing, ERP hosting). SOC 2 covers controls relevant to security, availability, processing integrity, confidentiality, and privacy. Many SaaS companies issue both.",{"label":6830,"content":6831},"Type I vs Type II?","Type I is a point-in-time report (design of controls only). Type II covers a period (typically 6-12 months) and tests operating effectiveness. 
Most customers want Type II for financial-reporting reliance.",{"label":6833,"content":6834},"What are CUECs?","Complementary User Entity Controls are controls the user entity (your customer) must implement on their side for the service organization's controls to achieve their objectives. They're a standard part of a SOC 1 report and must be communicated to customers.",{"headline":6836,"title":6837,"description":6838,"links":6839},"SOC 1 without rebuilding SOC 2","Demonstrate effective ICFR for your customers","SOC 1 reports for service providers whose customers depend on you for financial reporting. Pre-mapped to SOC 2 for shared scope, with carve-out and user entity control workflows.",[6840,6841],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"SOC 1 Type I\u002FII","\u002Fframeworks\u002Fsoc1",{"headline":6846,"title":6847,"description":6848,"items":6849},"SOC 1 accelerators","SOC 1 program accelerators","Issue your first SOC 1 without ripping up your SOC 2 program.",[6850,6852,6855],{"title":3057,"description":6851},"Determine relevant control objectives based on your service offering.",{"title":6853,"description":6854},"CUEC catalog","Pre-written Complementary User Entity Controls customizable per customer.",{"title":6856,"description":6857},"SOC 1 ↔ SOC 2 crosswalk","Reuse evidence across both engagements with a clear mapping.",{"title":6859,"description":6860},"SOC 1 Compliance Software","Issue SOC 1 Type I and Type II reports for customers that rely on your service for their financial reporting. 
Cross-mapped to SOC 2 to reuse evidence.","soc1",[6863,6866,6869],{"value":6864,"description":6865},"Type I + II","Both point-in-time and period-of-time SOC 1 reports supported.",{"value":6867,"description":6868},"SSAE 18","Reports built per the current AICPA SSAE 18 attestation standard.",{"value":6870,"description":6871},"CUEC","Complementary User Entity Control documentation tracked alongside your own controls.","5.frameworks\u002Fsoc1","sfYIsX3cTqHFLferYmKBZkNSZCDFy_gJ6MwEGvZ_GKU",{"id":6875,"title":6876,"advantages":6877,"body":6899,"checklist":7407,"cta":7416,"description":141,"extension":162,"faq":7419,"hero":7436,"lastUpdated":1048,"meta":7444,"name":7445,"navigation":196,"path":137,"resources":7446,"seo":7458,"slug":7461,"stats":7462,"stem":7472,"__hash__":7473},"frameworks\u002F5.frameworks\u002Fsoc2.md","Soc2",[6878,6885,6892],{"title":6879,"description":6880,"bullets":6881},"Mapped once, reused forever","Applies Trust Service Criteria to your existing controls and keeps overlaps synced.",[6882,6883,6884],"Control graph highlights reuse across security, availability, and confidentiality","AI suggests narratives and testing procedures","Version history shows every update for auditors",{"title":6886,"description":6887,"bullets":6888},"Evidence organized by control","Upload and track screenshots, configs, and exports in a structured evidence locker.",[6889,6890,6891],"Organized screenshots, configs, and test exports","Alerting when evidence expires or SLAs slip","Immutable locker with reviewer threads",{"title":6893,"description":6894,"bullets":6895},"Auditor collaboration hub","Invite your auditor with scoped access and keep Q&A right next to each control.",[6896,6897,6898],"Bulk requests & fulfillment tracking","Redacted file sharing with access controls","One-click SOC 2 summaries for 
customers",{"type":29,"value":6900,"toc":7389},[6901,6905,6908,6915,6923,6929,6933,6936,6942,6948,6963,6967,6972,6976,6979,6983,6991,6995,6998,7002,7010,7014,7021,7025,7028,7031,7048,7056,7060,7067,7109,7112,7116,7119,7122,7160,7168,7172,7175,7233,7236,7240,7243,7250,7257,7264,7274,7282,7286,7294,7326,7329,7333,7336,7339,7377],[32,6902,6904],{"id":6903},"what-is-soc-2","What is SOC 2?",[37,6906,6907],{},"SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. A SOC 2 report is the de facto security credential for modern SaaS companies — enterprise buyers request it before signing, procurement teams rely on it during vendor reviews, and auditors consult it when assessing outsourced systems. Unlike a prescriptive standard, SOC 2 is principle-based. It does not tell you which tools to deploy; it tells you which outcomes you must demonstrate and leaves the implementation details to you.",[37,6909,6910,6911,6914],{},"SOC 2 evolved from SAS 70, an older attestation framework used primarily for financial reporting systems. As technology service providers increased their role in handling sensitive data, the AICPA introduced the SOC reporting suite. SOC 1 continued to address controls relevant to financial reporting. SOC 2 and SOC 3 shifted attention to information security, availability, and related commitments. Today, SOC 2 is issued under the AICPA's AT-C 105 and AT-C 205 attestation standards, following the ",[118,6912,6867],{"href":6913},"\u002Fglossary\u002Fssae-18"," framework.",[37,6916,6917,6918,6922],{},"A SOC 2 engagement produces an opinion letter from a licensed CPA firm. That letter is the report buyers ask for. 
It documents the system under audit, the ",[118,6919,6921],{"href":6920},"\u002Fframeworks\u002Fsoc2\u002Ftrust-services-criteria","Trust Services Criteria"," selected, the controls in place, the testing the auditor performed, and any exceptions noted. A clean SOC 2 opinion signals to the market that a third party examined your controls and found them suitable — or in the case of Type II, found them operating effectively across a defined window.",[37,6924,6925,6926,6928],{},"SOC 2 is built on five ",[41,6927,6921],{},": security, availability, processing integrity, confidentiality, and privacy. Security is mandatory. The other four are optional and chosen based on your service commitments and customer expectations. Most first-time SOC 2 audits cover security alone or security plus one or two additional criteria. Scope expansion happens later, as the program matures.",[32,6930,6932],{"id":6931},"soc-2-type-i-vs-type-ii","SOC 2 Type I vs Type II",[37,6934,6935],{},"Every SOC 2 engagement is either Type I or Type II, and the difference matters.",[37,6937,2499,6938,6941],{},[41,6939,6940],{},"SOC 2 Type I"," report evaluates whether controls are suitably designed and implemented as of a single date. Think of it as a design review. The auditor confirms your policies exist, your technical controls are configured, and your processes are in place. Type I is the fastest path to a SOC 2 report and is useful when a deal is on the line, but it does not prove your controls work day after day.",[37,6943,2499,6944,6947],{},[41,6945,6946],{},"SOC 2 Type II"," report evaluates whether controls operated effectively across an observation period, typically three to twelve months. The auditor samples evidence from throughout the period — access reviews, change approvals, incident tickets, monitoring alerts — to confirm that controls were not just designed but consistently executed. 
Most enterprise buyers require a Type II, and many will not accept a Type I at all.",[37,6949,6950,6951,6955,6956,134,6960,416],{},"For a full comparison including cost benchmarks, observation period tradeoffs, and decision frameworks, see ",[118,6952,6954],{"href":6953},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type 1 vs Type 2",". Related glossary terms: ",[118,6957,6959],{"href":6958},"\u002Fglossary\u002Fsoc2-type-2","SOC 2 Type 2",[118,6961,6921],{"href":6962},"\u002Fglossary\u002Ftrust-services-criteria",[32,6964,6966],{"id":6965},"the-five-trust-services-criteria","The five Trust Services Criteria",[37,6968,39,6969,6971],{},[118,6970,6921],{"href":6920}," define the principles your controls must satisfy. Each criterion addresses a different aspect of how a service organization protects and manages customer data.",[610,6973,6975],{"id":6974},"security-common-criteria-required","Security (Common Criteria) — required",[37,6977,6978],{},"The security criterion, also called the Common Criteria, is required for every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories (CC1 through CC9) that map to the COSO internal control framework and cover governance, communication, risk assessment, monitoring, access control, system operations, change management, and vendor risk. Every SOC 2 report includes testing against these categories.",[610,6980,6982],{"id":6981},"availability","Availability",[37,6984,6985,6986,6990],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. It covers environmental protections, capacity planning, disaster recovery, and incident management for availability-impacting events. If your product has published SLAs or customers rely on continuous uptime, include availability. 
Read the ",[118,6987,6989],{"href":6988},"\u002Fframeworks\u002Fsoc2\u002Favailability-criteria","availability criteria deep dive"," for common controls and implementation patterns.",[610,6992,6994],{"id":6993},"processing-integrity","Processing integrity",[37,6996,6997],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is relevant for platforms that perform calculations, process financial transactions, or transform customer data. It is less common in first-time SOC 2 audits but important for fintech, billing platforms, and data pipelines that customers rely on for operational decisions.",[610,6999,7001],{"id":7000},"confidentiality","Confidentiality",[37,7003,7004,7005,7009],{},"The confidentiality criterion addresses information designated as confidential — distinct from personal information. It covers data classification, access restrictions, encryption, and secure disposal of confidential data. If you handle intellectual property, business plans, or other sensitive non-personal information on behalf of clients, include confidentiality. See the ",[118,7006,7008],{"href":7007},"\u002Fframeworks\u002Fsoc2\u002Fconfidentiality-criteria","confidentiality criteria deep dive"," for details.",[610,7011,7013],{"id":7012},"privacy","Privacy",[37,7015,7016,7017,416],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether your data practices match your stated privacy commitments across notice, choice, collection, use, retention, disclosure, security, and accuracy. Privacy aligns closely with regulations like GDPR and CCPA and is the most demanding criterion in terms of control coverage. 
For a full walkthrough, see the ",[118,7018,7020],{"href":7019},"\u002Fframeworks\u002Fsoc2\u002Fprivacy-criteria","privacy criteria deep dive",[32,7022,7024],{"id":7023},"who-needs-soc-2-compliance","Who needs SOC 2 compliance?",[37,7026,7027],{},"SOC 2 is not legally mandated, but the market treats it as a cost of doing business. Any SaaS company, cloud service provider, managed service provider, or data processor that handles customer data is a likely SOC 2 candidate. If your customers are businesses and their security teams will scrutinize your controls before signing, SOC 2 is almost certainly on your roadmap.",[37,7029,7030],{},"Companies typically pursue SOC 2 when one or more of the following is true:",[427,7032,7033,7036,7039,7042,7045],{},[72,7034,7035],{},"Enterprise prospects are asking for a report during procurement or vendor reviews.",[72,7037,7038],{},"Sales cycles are slowing because buyers are blocking deals on security questionnaires.",[72,7040,7041],{},"Existing customers are requesting a current SOC 2 report during annual reviews.",[72,7043,7044],{},"Investors or partners are asking about the company's security posture.",[72,7046,7047],{},"The business is entering regulated verticals like financial services, healthcare, or government.",[37,7049,7050,7051,7055],{},"Industries that almost always require SOC 2 from their vendors include financial services, healthcare, legal technology, HR technology, martech that handles PII, and any B2B SaaS selling into enterprise accounts. For SaaS companies specifically, SOC 2 has become table stakes — see ",[118,7052,7054],{"href":7053},"\u002Fblog\u002Fsoc2-for-saas","SOC 2 for SaaS"," for a deeper discussion.",[32,7057,7059],{"id":7058},"the-soc-2-audit-process-overview","The SOC 2 audit process overview",[37,7061,39,7062,7066],{},[118,7063,7065],{"href":7064},"\u002Fframeworks\u002Fsoc2\u002Faudit-process","SOC 2 audit process"," follows a predictable sequence. 
Understanding each phase prevents surprises and helps you set realistic timelines with your team and auditor.",[69,7068,7069,7085,7091,7097,7103],{},[72,7070,7071,7074,7075,7079,7080,7084],{},[41,7072,7073],{},"Scoping and readiness assessment."," Define what systems and Trust Services Criteria are in scope, then perform a ",[118,7076,7078],{"href":7077},"\u002Fframeworks\u002Fsoc2\u002Freadiness-assessment","readiness assessment"," to compare current controls against ",[118,7081,7083],{"href":7082},"\u002Fframeworks\u002Fsoc2\u002Frequirements","SOC 2 requirements",". The output is a prioritized remediation plan.",[72,7086,7087,7090],{},[41,7088,7089],{},"Remediation."," Close the gaps identified during readiness. Common items include formalizing policies, enabling MFA everywhere, centralizing logging, documenting vendor risk processes, and running tabletop exercises.",[72,7092,7093,7096],{},[41,7094,7095],{},"Auditor selection."," SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Request proposals from two to four firms, compare scope and pricing, and check references from similar companies.",[72,7098,7099,7102],{},[41,7100,7101],{},"Audit fieldwork."," For Type I, the auditor validates control design at a point in time. 
For Type II, the auditor samples evidence from across the observation period and tests operating effectiveness.",[72,7104,7105,7108],{},[41,7106,7107],{},"Report delivery and ongoing operation."," Once the report is issued, plan the next observation period so you maintain continuous coverage with no bridge gaps that buyers might question.",[37,7110,7111],{},"Most organizations complete their first Type I in three to six months and their first Type II in six to eighteen months, depending on starting maturity and observation period length.",[32,7113,7115],{"id":7114},"what-does-soc-2-cost","What does SOC 2 cost?",[37,7117,7118],{},"SOC 2 cost varies widely based on scope, starting maturity, and whether you pursue Type I, Type II, or both. Auditor fees are the largest line item, but they are not the only cost. You should budget for readiness consulting, compliance tooling, internal staff time, remediation work, and penetration testing.",[37,7120,7121],{},"Typical benchmarks for a first-time SOC 2 engagement:",[427,7123,7124,7130,7136,7142,7148,7154],{},[72,7125,7126,7129],{},[41,7127,7128],{},"Type I auditor fees",": $15,000 to $40,000",[72,7131,7132,7135],{},[41,7133,7134],{},"Type II auditor fees",": $25,000 to $80,000",[72,7137,7138,7141],{},[41,7139,7140],{},"Readiness consulting"," (optional): $10,000 to $40,000",[72,7143,7144,7147],{},[41,7145,7146],{},"Compliance platform",": $6,000 to $60,000 annually depending on vendor",[72,7149,7150,7153],{},[41,7151,7152],{},"Penetration testing",": $8,000 to $30,000 per test",[72,7155,7156,7159],{},[41,7157,7158],{},"Internal staff time",": 200 to 600 hours across the first cycle",[37,7161,7162,7163,7167],{},"Total first-year cost for most growth-stage SaaS companies lands between $40,000 and $200,000. 
See the full ",[118,7164,7166],{"href":7165},"\u002Fframeworks\u002Fsoc2\u002Fcost","SOC 2 cost breakdown"," for detailed ranges and cost-reduction strategies.",[32,7169,7171],{"id":7170},"common-soc-2-challenges","Common SOC 2 challenges",[37,7173,7174],{},"SOC 2 programs rarely fail because the audit is unfair. They fail because organizations underestimate the operational discipline required. The challenges show up in predictable places.",[427,7176,7177,7183,7189,7195,7201,7212,7223],{},[72,7178,7179,7182],{},[41,7180,7181],{},"Scope creep."," Teams add new systems mid-audit or expand Trust Services Criteria without revisiting the control set. Every addition extends timelines and evidence requirements.",[72,7184,7185,7188],{},[41,7186,7187],{},"Evidence gaps."," Screenshots expire. Configurations change. Ownership drifts between quarters. By the time the auditor asks, the evidence trail is broken.",[72,7190,7191,7194],{},[41,7192,7193],{},"Cross-team coordination."," SOC 2 touches engineering, IT, HR, legal, and finance. Without a single source of truth for control status, teams duplicate work or miss handoffs.",[72,7196,7197,7200],{},[41,7198,7199],{},"Policy drift."," Policies written for the audit do not match how the team actually operates. Auditors detect this quickly during interviews and walkthroughs.",[72,7202,7203,7206,7207,7211],{},[41,7204,7205],{},"Vendor oversight."," Third-party vendors handle critical data but are rarely monitored with the same rigor as internal systems. See ",[118,7208,7210],{"href":7209},"\u002Fframeworks\u002Fsoc2\u002Fvendor-management","vendor management"," for how to close this gap.",[72,7213,7214,7217,7218,7222],{},[41,7215,7216],{},"Change management."," Production changes bypass approval workflows, leaving no audit trail. 
",[118,7219,7221],{"href":7220},"\u002Fframeworks\u002Fsoc2\u002Fchange-management","Change management"," is a frequent source of Type II exceptions.",[72,7224,7225,7228,7229,416],{},[41,7226,7227],{},"Incident response immaturity."," Teams have an incident response plan but have never tested it. Auditors look for evidence of real incidents handled end to end. See ",[118,7230,7232],{"href":7231},"\u002Fframeworks\u002Fsoc2\u002Fincident-response","incident response",[37,7234,7235],{},"A structured approach — mapping controls, evidence, and owners from day one — removes most of these friction points before they become audit findings.",[32,7237,7239],{"id":7238},"how-soc-2-compares-to-other-frameworks","How SOC 2 compares to other frameworks",[37,7241,7242],{},"SOC 2 is not the only security framework buyers may request. Understanding how SOC 2 relates to other standards helps you plan a cohesive compliance strategy rather than running parallel audits with overlapping work.",[37,7244,7245,7249],{},[41,7246,7247],{},[118,7248,133],{"href":132}," is an international certification focused on information security management systems. Unlike SOC 2, which produces an auditor's opinion letter, ISO 27001 results in a certificate issued by an accredited registrar. ISO 27001 is prescriptive about building an ISMS but the control set in Annex A overlaps heavily with the SOC 2 Common Criteria. Many mature companies pursue both and reuse evidence across them. ISO 27001 tends to be preferred by European and international buyers; SOC 2 is the North American standard.",[37,7251,7252,7256],{},[41,7253,7254],{},[118,7255,2776],{"href":2930}," is a US healthcare law that mandates specific safeguards for protected health information. HIPAA is a regulatory requirement rather than a voluntary attestation — there is no HIPAA certificate, but business associates and covered entities must comply. 
SOC 2 controls address many HIPAA administrative and technical safeguards, and a SOC 2 Type II report is often used as evidence of HIPAA compliance in vendor due diligence.",[37,7258,7259,7263],{},[41,7260,7261],{},[118,7262,5935],{"href":6383}," is the payment card industry's prescriptive standard for any organization that stores, processes, or transmits cardholder data. Unlike SOC 2, PCI DSS specifies exact controls down to firewall rules and encryption key rotation cadences. SOC 2 and PCI DSS share concepts like encryption, access control, and monitoring, but PCI DSS scope is narrower (cardholder data environment) and the requirements are more specific. Companies that process payments typically need both.",[37,7265,7266,488,7269,1182,7271,7273],{},[41,7267,7268],{},"NIST Cybersecurity Framework",[41,7270,1850],{},[41,7272,1050],{}," address additional specialized audiences — federal contractors, defense industrial base, and government-adjacent systems. These are out of scope for most commercial SaaS but worth mapping if your buyer base includes public sector.",[37,7275,7276,7277,7281],{},"If you are comparing SOC 2 tooling options, our ",[118,7278,7280],{"href":7279},"\u002Fcompare\u002Fvs\u002Fvanta-vs-drata","Vanta vs Drata comparison"," covers the leading compliance automation platforms.",[32,7283,7285],{"id":7284},"soc-2-readiness-checklist","SOC 2 readiness checklist",[37,7287,7288,7289,7293],{},"A readiness checklist keeps your team focused during the months before the audit begins. 
The ",[118,7290,7292],{"href":7291},"\u002Fframeworks\u002Fsoc2\u002Fchecklist","full SOC 2 checklist"," covers every category, but at a high level expect to address:",[427,7295,7296,7299,7302,7305,7308,7311,7314,7317,7320,7323],{},[72,7297,7298],{},"Governance and policies (information security policy, acceptable use, code of conduct)",[72,7300,7301],{},"Access control (SSO, MFA, role-based access, quarterly access reviews)",[72,7303,7304],{},"Change management (code review, deployment approvals, production change logs)",[72,7306,7307],{},"Vendor risk management (inventory, assessments, monitoring)",[72,7309,7310],{},"Incident response (documented plan, tested at least annually)",[72,7312,7313],{},"Business continuity and disaster recovery (plan with defined RPO\u002FRTO, tested)",[72,7315,7316],{},"Logging and monitoring (centralized logs, alerting, incident tickets)",[72,7318,7319],{},"Security awareness training (annual minimum, tracked completion)",[72,7321,7322],{},"HR controls (background checks, onboarding, offboarding, confidentiality agreements)",[72,7324,7325],{},"Risk assessment (annual risk review, risk register, treatment plans)",[37,7327,7328],{},"Most companies find that the readiness phase surfaces gaps they did not know existed. That is the point — better to discover them before the auditor arrives.",[32,7330,7332],{"id":7331},"getting-started-with-soc-2","Getting started with SOC 2",[37,7334,7335],{},"The best time to start a SOC 2 program is before the first buyer demands it. The second best time is now.",[37,7337,7338],{},"A reasonable starting sequence:",[69,7340,7341,7347,7353,7359,7365,7371],{},[72,7342,7343,7346],{},[41,7344,7345],{},"Pick your Trust Services Criteria."," Security is required. Add others only if you have customer commitments that map to them.",[72,7348,7349,7352],{},[41,7350,7351],{},"Decide Type I vs Type II."," If you need a report fast for a specific deal, start with Type I. 
If you have time and buyer pressure is general, skip straight to Type II.",[72,7354,7355,7358],{},[41,7356,7357],{},"Run a readiness assessment."," Either internally or with a consultant. The goal is a prioritized remediation list, not a polished report.",[72,7360,7361,7364],{},[41,7362,7363],{},"Remediate in priority order."," Address policy gaps, access control weaknesses, and logging first — these are the most common sources of findings.",[72,7366,7367,7370],{},[41,7368,7369],{},"Select an auditor."," Get proposals from two to four CPA firms. Check references from similar companies. Book early — good auditors are scheduled quarters in advance.",[72,7372,7373,7376],{},[41,7374,7375],{},"Operate, collect, and iterate."," Run your controls, collect evidence continuously, and prepare for fieldwork. Do not treat the audit as a one-time event.",[37,7378,7379,7380,4517,7385,7388],{},"episki was built for exactly this journey. The platform maps your controls to Trust Services Criteria, automates evidence collection, tracks ownership across teams, and gives your auditor structured access when fieldwork begins. 
",[118,7381,7384],{"href":185,"rel":7382},[7383],"nofollow","Start a free trial",[118,7386,7387],{"href":191},"book a demo"," to see how SOC 2 looks with the scramble removed.",{"title":141,"searchDepth":142,"depth":142,"links":7390},[7391,7392,7393,7400,7401,7402,7403,7404,7405,7406],{"id":6903,"depth":142,"text":6904},{"id":6931,"depth":142,"text":6932},{"id":6965,"depth":142,"text":6966,"children":7394},[7395,7396,7397,7398,7399],{"id":6974,"depth":997,"text":6975},{"id":6981,"depth":997,"text":6982},{"id":6993,"depth":997,"text":6994},{"id":7000,"depth":997,"text":7001},{"id":7012,"depth":997,"text":7013},{"id":7023,"depth":142,"text":7024},{"id":7058,"depth":142,"text":7059},{"id":7114,"depth":142,"text":7115},{"id":7170,"depth":142,"text":7171},{"id":7238,"depth":142,"text":7239},{"id":7284,"depth":142,"text":7285},{"id":7331,"depth":142,"text":7332},{"title":7408,"description":7409,"items":7410},"SOC 2 readiness checklist inside episki","Everything is preloaded in your free trial so you can start assigning ownership and collecting proof immediately.",[7411,7412,7413,7414,7415],"Trust Service Criteria library with mapped controls","Policy templates and AI drafting assistant","Evidence library with structured ownership and review cadences","Emulated auditor workspace with sample requests","Customer-facing compliance portal template",{"title":7417,"description":7418},"Launch your SOC 2 workspace today","Import your controls, connect evidence, and invite your auditor in under an hour.",{"title":7420,"items":7421},"SOC 2 frequently asked questions",[7422,7425,7428,7431,7433],{"label":7423,"content":7424},"How long does a SOC 2 audit take?","A SOC 2 Type I audit typically takes 4-8 weeks of preparation plus the audit itself. Type II requires a 3-12 month observation period followed by the assessment. 
episki's automation can cut preparation time by up to 45 days.",{"label":7426,"content":7427},"What is the difference between SOC 2 Type I and Type II?","SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. Type II tests whether those controls operated effectively over a sustained period, usually 3-12 months. Most enterprise buyers require a Type II report.",{"label":7429,"content":7430},"How much does SOC 2 compliance cost?","Total costs typically range from $20,000 to $100,000+ depending on scope, readiness, and auditor fees. episki covers the platform side at a flat $500\u002Fmonth with no per-seat charges, significantly reducing the software portion of that budget.",{"label":7024,"content":7432},"Any SaaS company, cloud service provider, or data processor handling customer data is a likely candidate. Enterprise buyers in financial services, healthcare, and technology frequently require a current SOC 2 report before signing contracts.",{"label":7434,"content":7435},"What are the SOC 2 Trust Services Criteria?","The five Trust Services Criteria are security (required), availability, processing integrity, confidentiality, and privacy. 
Security is mandatory for every SOC 2 audit; the other four are optional and selected based on the services you provide.",{"headline":7437,"title":7438,"description":7439,"links":7440},"SOC 2 without the scramble","Ship SOC 2 audits without slowing product velocity","episki maps Trust Service Criteria, automates evidence, and keeps auditors in sync so your team can focus on building.",[7441,7443],{"label":7442,"icon":184,"to":185},"Start SOC 2 trial",{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"SOC 2 Type I\u002FII",{"headline":7447,"title":7447,"description":7448,"items":7449},"SOC 2 acceleration resources","Give execs and customers visibility into progress at every stage.",[7450,7452,7455],{"title":1057,"description":7451},"Summaries translate control work into risk reduction and deals unlocked.",{"title":7453,"description":7454},"Sales enablement kit","SOC 2 FAQ answers and trust collateral ready for GTM teams.",{"title":7456,"description":7457},"Audit retro template","Capture what worked, track remediations, and prep the next period.",{"title":7459,"description":7460},"SOC 2 Compliance Software","Get SOC 2 Type I and Type II audit-ready faster with episki's automated controls, evidence tracking, and auditor collaboration. 
Start your free 14-day trial.","soc2",[7463,7466,7469],{"value":7464,"description":7465},"45 days faster","Average time saved reaching Type II readiness with episki’s automation.",{"value":7467,"description":7468},"120+ controls","Pre-mapped control narratives with owners, evidence, and review cadences.",{"value":7470,"description":7471},"100% coverage","Auditor portal with control health dashboards and SOC 2 exports.","5.frameworks\u002Fsoc2","eBcx9G-2xhWCZsVCy9adJfst4ndXsM2V0PdGHY4LCCw",{"id":7475,"title":7476,"advantages":7477,"body":7499,"checklist":7569,"cta":7579,"description":141,"extension":162,"faq":7582,"hero":7596,"lastUpdated":193,"meta":7603,"name":7509,"navigation":196,"path":7604,"resources":7605,"seo":7618,"slug":7621,"stats":7622,"stem":7632,"__hash__":7633},"frameworks\u002F5.frameworks\u002Fsoc3.md","Soc3",[7478,7485,7492],{"title":7479,"description":7480,"bullets":7481},"SOC 2's public sibling","SOC 3 reports against the same criteria, in a shareable summary form.",[7482,7483,7484],"Same Trust Services Criteria as SOC 2","Summary report without detailed test results","Freely distributable to anyone",{"title":7486,"description":7487,"bullets":7488},"A marketing-ready artifact","Hand prospects proof of your controls without the NDA dance.",[7489,7490,7491],"Post it publicly on your trust page","Speeds up early sales conversations","Backs up your SOC 2 for buyers who can't see it",{"title":7493,"description":7494,"bullets":7495},"No extra program","SOC 3 reuses your SOC 2 work end to end.",[7496,7497,7498],"Same controls and evidence as SOC 2","Issued by the same CPA firm","Crosswalk to ISO 27001 and CSA STAR",{"type":29,"value":7500,"toc":7563},[7501,7505,7524,7528,7539,7543,7550,7552],[32,7502,7504],{"id":7503},"what-is-soc-3","What is SOC 3?",[37,7506,7507,5502,7510,7513,7514,7516,7517,7519,7520,7523],{},[41,7508,7509],{},"SOC 3",[41,7511,7512],{},"public, general-use report"," based on the AICPA's ",[41,7515,6921],{}," — the same criteria that 
underpin ",[118,7518,138],{"href":137},". The difference is the audience and the level of detail: a SOC 2 report is restricted and includes the auditor's detailed description of controls and test results, shared with customers under NDA, while a SOC 3 is a ",[41,7521,7522],{},"short, summary-level report you can freely distribute"," — post it on your website, hand it to any prospect, no NDA required.",[32,7525,7527],{"id":7526},"how-it-relates-to-soc-2","How it relates to SOC 2",[37,7529,7530,7531,7534,7535,7538],{},"A SOC 3 is built on the ",[41,7532,7533],{},"same controls, evidence, and audit period"," as a SOC 2 Type 2 and is ",[41,7536,7537],{},"issued by the same CPA firm",". In practice, organizations that already pursue SOC 2 add SOC 3 as a public-facing companion at little additional cost — it is not a separate program.",[32,7540,7542],{"id":7541},"why-publish-one","Why publish one",[37,7544,7545,7546,7549],{},"SOC 3 is a practical trust and marketing asset. It lets you demonstrate that an independent CPA firm examined your controls against the Trust Services Criteria ",[41,7547,7548],{},"without exposing the sensitive detail"," in your SOC 2. 
That makes it ideal for top-of-funnel sales, public trust pages, and buyers who want assurance early.",[32,7551,126],{"id":125},[37,7553,7554,7555,7557,7558,134,7560,7562],{},"episki maintains your Trust Services Criteria controls and evidence once and supports both outputs — your restricted ",[118,7556,138],{"href":137}," and your public SOC 3 — from the same program, with crosswalks to ",[118,7559,133],{"href":132},[118,7561,1116],{"href":1227}," so the same work proves trust everywhere.",{"title":141,"searchDepth":142,"depth":142,"links":7564},[7565,7566,7567,7568],{"id":7503,"depth":142,"text":7504},{"id":7526,"depth":142,"text":7527},{"id":7541,"depth":142,"text":7542},{"id":125,"depth":142,"text":126},{"title":7570,"description":7571,"items":7572},"SOC 3 readiness inside episki","What you need to add a SOC 3 to your SOC 2.",[7573,7574,7575,7576,7577,7578],"SOC 2 Type 2 program in place","Trust Services Criteria scoped (Security + any others)","Control evidence current and complete","CPA firm engaged for SOC 2 \u002F SOC 3","Public trust-page placement for the report","Crosswalks to ISO 27001 and CSA STAR",{"title":7580,"description":7581},"Add a SOC 3 in episki","Reuse your SOC 2 controls to publish a general-use trust report.",{"title":7583,"items":7584},"SOC 3 frequently asked questions",[7585,7587,7590,7593],{"label":7504,"content":7586},"SOC 3 is a public, general-use report based on the AICPA's Trust Services Criteria — the same criteria used for SOC 2. 
Unlike a SOC 2 report, which is restricted and detailed, a SOC 3 is a short, summary-level report that can be freely distributed, making it useful as a public trust artifact.",{"label":7588,"content":7589},"How is SOC 3 different from SOC 2?","Both evaluate controls against the Trust Services Criteria, but a SOC 2 report is detailed (including the auditor's tests and results) and shared under NDA with customers and prospects, while a SOC 3 omits those details and is general-use — you can publish it on your website. SOC 3 is typically issued from the same audit as a SOC 2 Type 2.",{"label":7591,"content":7592},"Do I need a separate audit for SOC 3?","Generally no. Most organizations obtain SOC 3 alongside their SOC 2 Type 2 from the same CPA firm, since both rely on the same controls and evidence over the same period.",{"label":7594,"content":7595},"Who should get a SOC 3?","SaaS and service organizations that want a public, shareable proof of their security posture — useful for marketing and for buyers who want assurance before they are far enough along to receive the full SOC 2 under NDA.",{"headline":7597,"title":7598,"description":7599,"links":7600},"A public trust report","Publish a SOC 3 from your SOC 2 program","SOC 3 is the freely distributable, general-use version of SOC 2 — same Trust Services Criteria, summary form. 
Produce it from the control evidence you already maintain.",[7601,7602],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"\u002Fframeworks\u002Fsoc3",{"headline":7606,"title":7606,"description":7607,"items":7608},"SOC 3 accelerators","Turn your SOC 2 work into a public trust asset.",[7609,7612,7615],{"title":7610,"description":7611},"TSC evidence library","The same control evidence that supports your SOC 2.",{"title":7613,"description":7614},"Trust-page publishing","Place the general-use SOC 3 where prospects can find it.",{"title":7616,"description":7617},"SOC 2 crosswalk","Reuse your SOC 2 program directly for SOC 3.",{"title":7619,"description":7620},"SOC 3 Compliance Software","Produce a public, general-use SOC 3 report from the same Trust Services Criteria as your SOC 2 — a shareable trust artifact generated from live control evidence.","soc3",[7623,7626,7629],{"value":7624,"description":7625},"General use","A public report you can post on your website — no NDA required.",{"value":7627,"description":7628},"Same TSC","Built on the same Trust Services Criteria as SOC 2.",{"value":7630,"description":7631},"One audit","Typically issued alongside a SOC 2 Type 2 by the same CPA firm.","5.frameworks\u002Fsoc3","WgSnXqSRoVVY9IzxVMBISECcqm8w6enwXDOobNXj7vo",{"id":7635,"title":7636,"advantages":7637,"body":7664,"checklist":7697,"cta":7707,"description":141,"extension":162,"faq":7710,"hero":7724,"lastUpdated":322,"meta":7731,"name":7732,"navigation":196,"path":7733,"resources":7734,"seo":7748,"slug":7751,"stats":7752,"stem":7762,"__hash__":7763},"frameworks\u002F5.frameworks\u002Fsox.md","Sox",[7638,7650,7657],{"title":7639,"description":7640,"bullets":7641},"ITGC catalog","A library of IT General Controls organized by domain (access, change, operations, program development) and ready to scope per system.",[7642,7644,7646,7648],{"Access controls":7643},"provisioning, periodic review, termination",{"Change 
management":7645},"SDLC, code review, deployment",{"Computer operations":7647},"backup, scheduling, incident handling",{"Program development":7649},"testing, approval, segregation",{"title":7651,"description":7652,"bullets":7653},"Segregation of duties","SoD matrices tied to your identity provider data so conflicts surface in near-real time.",[7654,7655,7656],"Predefined conflict library","Custom conflict rules per environment","Quarterly review workflow",{"title":7658,"description":7659,"bullets":7660},"External auditor collaboration","Your external auditors get a scoped workspace with the evidence and walkthroughs they need.",[7661,7662,7663],"Walkthrough scheduling","PBC list management","Evidence rooms with watermarking",{"type":29,"value":7665,"toc":7692},[7666,7670,7673,7676,7680,7687,7689],[32,7667,7669],{"id":7668},"what-is-sox","What is SOX?",[37,7671,7672],{},"The Sarbanes-Oxley Act of 2002 — commonly \"SOX\" — is US federal legislation enacted in the wake of the Enron and WorldCom accounting scandals. Among other provisions, it imposes responsibilities on senior management of publicly traded companies for the accuracy of financial reporting and the effectiveness of internal controls over financial reporting (ICFR).",[37,7674,7675],{},"The most operationally significant provisions for IT and security teams are Section 302 (CEO\u002FCFO certifications) and Section 404 (management assessment plus external auditor attestation of ICFR). For most IT organizations, SOX work concentrates in IT General Controls (ITGCs) — access management, change management, computer operations, and program development controls — that support the application controls relied on for financial reporting.",[32,7677,7679],{"id":7678},"who-needs-sox","Who needs SOX",[37,7681,7682,7683,7686],{},"US public companies (and many foreign private issuers listed on US exchanges) must comply with SOX. Private companies typically start SOX readiness 12-18 months before an IPO. 
SaaS companies serving public-company customers often issue ",[118,7684,7685],{"href":6844},"SOC 1 Type II"," reports to support their customers' SOX programs.",[32,7688,126],{"id":125},[37,7690,7691],{},"SOX is a quarterly-cadence discipline. episki keeps the ITGC library, SoD matrices, test plans, and external auditor handoffs in the same workspace so SOX work runs as a continuous program instead of a quarterly fire drill.",{"title":141,"searchDepth":142,"depth":142,"links":7693},[7694,7695,7696],{"id":7668,"depth":142,"text":7669},{"id":7678,"depth":142,"text":7679},{"id":125,"depth":142,"text":126},{"title":7698,"description":7699,"items":7700},"SOX readiness inside episki","Built for SOX programs that need to actually run, not just exist.",[7701,7702,7703,7704,7705,7706],"ITGC library scoped to in-scope systems","Segregation-of-duties matrix per system","Management test plan with quarterly cadences","Deficiency tracking with remediation workflows","External auditor portal with PBC management","Walkthrough scheduling and documentation",{"title":7708,"description":7709},"Quiet your SOX quarter","Move ITGC, SoD, and external auditor management into one workspace.",{"title":7711,"items":7712},"SOX frequently asked questions",[7713,7715,7718,7721],{"label":7669,"content":7714},"The Sarbanes-Oxley Act of 2002 is US federal legislation that imposes financial-reporting and internal-control obligations on publicly traded companies. Section 404 requires management to assess and external auditors to attest to the effectiveness of internal controls over financial reporting (ICFR), including IT General Controls (ITGCs).",{"label":7716,"content":7717},"Who needs to comply with SOX?","US public companies (and many foreign private issuers listed on US exchanges) are subject to SOX. Private companies preparing for IPO often start SOX readiness 12-18 months before going public. 
SOX also flows down to material service providers via SOC 1 reports.",{"label":7719,"content":7720},"What are ITGCs?","IT General Controls are the controls in your IT environment that support the operation of application-level controls relevant to financial reporting. They typically include access provisioning, change management, computer operations, and program development controls.",{"label":7722,"content":7723},"How does SOX differ from SOC 1?","SOX is the regulation; SOC 1 is an attestation report a service provider issues to assure its customers that the provider's controls relevant to the customers' financial reporting are operating effectively. Many SaaS companies issue SOC 1 to support their customers' SOX programs.",{"headline":7725,"title":7726,"description":7727,"links":7728},"SOX, the quiet quarter","Manage SOX ITGC without losing the quarter","ITGC catalog with quarterly test cadences, segregation-of-duties tracking, walkthrough scheduling, and an external-auditor portal — so SOX season stops eating your engineering team.",[7729,7730],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"SOX","\u002Fframeworks\u002Fsox",{"headline":7735,"title":7736,"description":7737,"items":7738},"SOX accelerators","SOX program accelerators","Cut SOX cycle time without compromising audit readiness.",[7739,7742,7745],{"title":7740,"description":7741},"ITGC scoping wizard","Identify in-scope systems based on financial materiality.",{"title":7743,"description":7744},"SoD conflict matrix","Pre-built conflict library, customizable per ERP\u002FHRIS.",{"title":7746,"description":7747},"Deficiency severity calibrator","Calibrate control deficiencies against PCAOB and SAS 145 guidance.",{"title":7749,"description":7750},"SOX (Sarbanes-Oxley) Compliance Software","Manage IT general controls (ITGC) and key reports for Sarbanes-Oxley with structured testing cycles, segregation-of-duties tracking, and external-auditor 
portals.","sox",[7753,7756,7759],{"value":7754,"description":7755},"ITGC","IT General Controls library covering access, change, operations, and program development.",{"value":7757,"description":7758},"Quarterly","Pre-built test cadences for management-testing cycles and external auditor handoffs.",{"value":7760,"description":7761},"SoD","Segregation-of-duties matrix and conflict detection tied to identity providers.","5.frameworks\u002Fsox","BfaoNUmZ0aDdukYchtF3X5h70NLOLgr0QUq7VBRi3JU",{"id":7765,"title":7766,"advantages":7767,"body":7787,"checklist":7859,"cta":7869,"description":141,"extension":162,"faq":7872,"hero":7886,"lastUpdated":193,"meta":7893,"name":7797,"navigation":196,"path":7894,"resources":7895,"seo":7907,"slug":7910,"stats":7911,"stem":7920,"__hash__":7921},"frameworks\u002F5.frameworks\u002Fstateramp.md","Stateramp",[7768,7774,7780],{"title":1761,"description":7769,"bullets":7770},"The same NIST 800-53 control work as FedRAMP, scoped to StateRAMP.",[7771,7772,7773],"Low, Moderate, and High baselines","SSP generated from control evidence","POA&M tracked to closure",{"title":1775,"description":7775,"bullets":7776},"The ongoing ConMon deliverables StateRAMP expects.",[7777,7778,7779],"Monthly vulnerability and POA&M reporting","Significant-change workflow","Security Snapshot and progressing status",{"title":7781,"description":7782,"bullets":7783},"FedRAMP reciprocity","Reuse FedRAMP evidence to accelerate StateRAMP, and vice versa.",[7784,7785,7786],"Shared 800-53 control library","3PAO assessment workspace","One program for federal and SLG buyers",{"type":29,"value":7788,"toc":7853},[7789,7793,7810,7814,7833,7836,7846,7848],[32,7790,7792],{"id":7791},"what-is-stateramp","What is StateRAMP?",[37,7794,7795,7798,7799,7802,7803,7805,7806,7809],{},[41,7796,7797],{},"StateRAMP"," is a nonprofit program that brings a standardized, FedRAMP-style approach to cloud security for ",[41,7800,7801],{},"state and local governments",". 
Like FedRAMP, it is based on the ",[41,7804,5147],{}," control catalog and uses accredited third-party assessment organizations (3PAOs), and it maintains an ",[41,7807,7808],{},"Authorized Product List (APL)"," of cloud offerings that government agencies can procure with confidence.",[32,7811,7813],{"id":7812},"baselines-and-status","Baselines and status",[37,7815,7816,7817,7820,7821,7824,7825,7828,7829,7832],{},"StateRAMP uses ",[41,7818,7819],{},"Low, Moderate, and High"," impact baselines drawn from NIST 800-53. Providers progress through recognized statuses — from an early-stage ",[41,7822,7823],{},"Security Snapshot"," to ",[41,7826,7827],{},"Ready"," and ultimately ",[41,7830,7831],{},"Authorized"," — reflecting how far an offering has advanced through assessment and continuous monitoring. Authorization requires a government sponsor or review through the StateRAMP PMO.",[32,7834,7781],{"id":7835},"fedramp-reciprocity",[37,7837,7838,7839,7841,7842,7845],{},"Because StateRAMP and ",[118,7840,1850],{"href":1851}," share the same NIST 800-53 foundation, StateRAMP offers ",[41,7843,7844],{},"reciprocity",": a provider's FedRAMP authorization work can be leveraged toward StateRAMP status, and a single 800-53 control program can serve both federal and state\u002Flocal buyers.",[32,7847,126],{"id":125},[37,7849,1170,7850,7852],{},[41,7851,1796],{}," baselines as living controls, generates the System Security Plan from real evidence, tracks the POA&M and monthly continuous-monitoring deliverables, and cross-maps everything to FedRAMP — so reaching the StateRAMP Authorized Product List builds on work you are already doing rather than starting a separate project.",{"title":141,"searchDepth":142,"depth":142,"links":7854},[7855,7856,7857,7858],{"id":7791,"depth":142,"text":7792},{"id":7812,"depth":142,"text":7813},{"id":7835,"depth":142,"text":7781},{"id":125,"depth":142,"text":126},{"title":7860,"description":7861,"items":7862},"StateRAMP readiness inside episki","What a 
cloud provider needs to reach the StateRAMP APL.",[7863,7864,7865,7866,7867,7868],"Impact-level determination (Low \u002F Moderate \u002F High)","NIST 800-53 baseline implemented as controls","System Security Plan from control evidence","3PAO assessment and POA&M tracking","Continuous monitoring cadences and reporting","Government sponsor or StateRAMP PMO path",{"title":7870,"description":7871},"Reach StateRAMP Authorized in episki","Build on your NIST 800-53 and FedRAMP work to serve state and local government.",{"title":7873,"items":7874},"StateRAMP frequently asked questions",[7875,7877,7880,7883],{"label":7792,"content":7876},"StateRAMP is a nonprofit program that standardizes cloud security assessment, authorization, and continuous monitoring for state and local governments — much as FedRAMP does for the federal government. It is based on NIST SP 800-53 and maintains an Authorized Product List of verified cloud offerings.",{"label":7878,"content":7879},"How does StateRAMP relate to FedRAMP?","Both are built on NIST 800-53 baselines and use accredited third-party assessors (3PAOs), and StateRAMP offers reciprocity — providers with FedRAMP authorization can leverage that work toward StateRAMP status. 
The main difference is the sponsoring government audience.",{"label":7881,"content":7882},"What are the status levels?","StateRAMP recognizes progressing and verified statuses — including a Security Snapshot for early-stage providers, 'Ready,' and 'Authorized' — reflecting how far a cloud offering has advanced through assessment and continuous monitoring.",{"label":7884,"content":7885},"Who needs StateRAMP?","Cloud service providers that sell to state and local government agencies, which increasingly require StateRAMP status (or equivalent) as a procurement condition for handling government data.",{"headline":7887,"title":7888,"description":7889,"links":7890},"StateRAMP, without the binders","Get authorized to serve state and local government","NIST 800-53 baselines for Low, Moderate, and High, a continuous-monitoring program, and FedRAMP reciprocity — managed as living controls for the StateRAMP Authorized Product List.",[7891,7892],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"\u002Fframeworks\u002Fstateramp",{"headline":7896,"title":7897,"description":7898,"items":7899},"StateRAMP accelerators","StateRAMP authorization accelerators","Move from intent to the Authorized Product List faster.",[7900,7902,7904],{"title":1858,"description":7901},"Compose the System Security Plan from live control data.",{"title":1864,"description":7903},"Track your monthly continuous-monitoring obligations.",{"title":7905,"description":7906},"FedRAMP crosswalk","Reuse FedRAMP control evidence toward StateRAMP.",{"title":7908,"description":7909},"StateRAMP Compliance Software","Reach StateRAMP Authorized status for state and local government with NIST 800-53 baselines, continuous monitoring, and FedRAMP reciprocity — in one workspace.","stateramp",[7912,7914,7917],{"value":1872,"description":7913},"Low, Moderate, and High impact levels based on NIST 800-53.",{"value":7915,"description":7916},"APL listed","Reach Ready or 
Authorized status on the StateRAMP Authorized Product List.",{"value":7918,"description":7919},"FedRAMP reuse","Reciprocity lets FedRAMP work carry over to StateRAMP.","5.frameworks\u002Fstateramp","LBnaUWw9M3cyAtdU8lN_MARYSQQb2lfCExRYDURc-Go",{"id":7923,"title":7924,"advantages":7925,"body":7947,"checklist":8016,"cta":8026,"description":141,"extension":162,"faq":8029,"hero":8043,"lastUpdated":193,"meta":8050,"name":7957,"navigation":196,"path":8051,"resources":8052,"seo":8065,"slug":8068,"stats":8069,"stem":8078,"__hash__":8079},"frameworks\u002F5.frameworks\u002Ftisax.md","Tisax",[7926,7933,7940],{"title":7927,"description":7928,"bullets":7929},"VDA ISA as controls","The TISAX questionnaire implemented as a living control library.",[7930,7931,7932],"Information security control catalogue","Prototype protection where in scope","Data protection module aligned to GDPR",{"title":7934,"description":7935,"bullets":7936},"Scoped to the right level","Match the assessment level and labels your OEM or supplier requires.",[7937,7938,7939],"Assessment levels AL1, AL2, and AL3","Information security, prototype, and data protection labels","Maturity-based scoring per control",{"title":7941,"description":7942,"bullets":7943},"Reuse your security program","TISAX overlaps heavily with ISO 27001 controls you may already hold.",[7944,7945,7946],"Crosswalk to ISO 27001 Annex A","Evidence shared with SOC 2 and NIST CSF","One control set, multiple audiences",{"type":29,"value":7948,"toc":8010},[7949,7953,7973,7977,7991,7995,8002,8004],[32,7950,7952],{"id":7951},"what-is-tisax","What is TISAX?",[37,7954,7955,434,7958,7961,7962,7965,7966,7969,7970,416],{},[41,7956,7957],{},"TISAX",[41,7959,7960],{},"Trusted Information Security Assessment Exchange"," — is how the automotive industry assesses and shares information security maturity across its supply chain. 
It is governed by the ",[41,7963,7964],{},"ENX Association"," and built on the ",[41,7967,7968],{},"VDA ISA"," (Information Security Assessment) catalogue created by the German automotive industry association. Rather than each OEM auditing each supplier, suppliers undergo a single assessment by an accredited audit provider and ",[41,7971,7972],{},"exchange the results with partners on the ENX portal",[32,7974,7976],{"id":7975},"labels-and-assessment-levels","Labels and assessment levels",[37,7978,7979,7980,7983,7984,7987,7988,416],{},"A TISAX assessment is scoped by ",[41,7981,7982],{},"labels"," — information security, prototype protection (for organizations handling pre-series parts and vehicles), and data protection (aligned with GDPR) — and by ",[41,7985,7986],{},"assessment level (AL1, AL2, or AL3)",", which determines how rigorous the audit is. The OEM or customer requesting the assessment specifies the labels and level required. A successful assessment yields labels that are typically ",[41,7989,7990],{},"valid for three years",[32,7992,7994],{"id":7993},"how-tisax-relates-to-iso-27001","How TISAX relates to ISO 27001",[37,7996,7997,7998,8001],{},"The VDA ISA catalogue is closely aligned with ",[41,7999,8000],{},"ISO\u002FIEC 27001",", so an organization with a mature ISMS already meets a large share of TISAX requirements. 
The main differences are the automotive-specific prototype-protection controls and the maturity-based scoring model.",[32,8003,126],{"id":125},[37,8005,8006,8007,8009],{},"episki implements the VDA ISA catalogue as living controls with maturity scoring, helps you scope the right level and labels, and cross-maps the catalogue to your ",[118,8008,133],{"href":132}," program — so preparing for a TISAX assessment reuses the security work you already do and produces a clean evidence package for your audit provider.",{"title":141,"searchDepth":142,"depth":142,"links":8011},[8012,8013,8014,8015],{"id":7951,"depth":142,"text":7952},{"id":7975,"depth":142,"text":7976},{"id":7993,"depth":142,"text":7994},{"id":125,"depth":142,"text":126},{"title":8017,"description":8018,"items":8019},"TISAX readiness inside episki","What an automotive supplier needs in place.",[8020,8021,8022,8023,8024,8025],"Scope and assessment-level determination","VDA ISA information-security controls implemented","Prototype protection controls (if in scope)","Data protection module (if in scope)","Maturity-level evidence per control","Audit-provider evidence package and ENX exchange",{"title":8027,"description":8028},"Get TISAX-ready in episki","Implement the VDA ISA catalogue once and reuse your ISO 27001 evidence to get there.",{"title":8030,"items":8031},"TISAX frequently asked questions",[8032,8034,8037,8040],{"label":7952,"content":8033},"TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's mechanism for assessing and sharing information security maturity. It is governed by the ENX Association and based on the VDA ISA (Information Security Assessment) catalogue developed by the German automotive industry. Suppliers are assessed by accredited audit providers and exchange results with partners on the ENX portal.",{"label":8035,"content":8036},"Is TISAX a certification?","Strictly speaking, TISAX produces an assessment result and a label rather than a certificate. 
A successful assessment yields labels (for information security, prototype protection, and\u002For data protection) that are shared with customers through the ENX portal and are typically valid for three years.",{"label":8038,"content":8039},"What are the assessment levels?","TISAX defines assessment levels AL1, AL2, and AL3 reflecting increasing rigor — from self-assessment-based to in-depth audits with evidence review and on-site or remote validation. The level and labels required are set by the OEM or customer requesting the assessment.",{"label":8041,"content":8042},"How does TISAX relate to ISO 27001?","The VDA ISA catalogue is closely aligned with ISO\u002FIEC 27001, so organizations with an existing ISMS already satisfy much of TISAX. episki maps your ISO 27001 controls to the ISA catalogue so the overlap is reused rather than rebuilt.",{"headline":8044,"title":8045,"description":8046,"links":8047},"TISAX, without the spreadsheet","Prepare for your TISAX assessment","The VDA ISA catalogue implemented as living controls, scoped to the right assessment level and labels, with evidence ready for your audit provider and the ENX portal.",[8048,8049],{"label":183,"icon":184,"to":185},{"label":187,"icon":188,"color":189,"variant":190,"to":191,"target":192},{},"\u002Fframeworks\u002Ftisax",{"headline":8053,"title":8054,"description":8055,"items":8056},"TISAX accelerators","TISAX readiness accelerators","Get assessment-ready and share results with partners faster.",[8057,8060,8063],{"title":8058,"description":8059},"ISA control library","The VDA ISA catalogue as living controls with maturity scoring.",{"title":8061,"description":8062},"Scope and label selector","Pick the assessment level and labels your customer requires.",{"title":1428,"description":8064},"Reuse your ISMS evidence against the ISA catalogue.",{"title":8066,"description":8067},"TISAX Compliance Software","Prepare for a TISAX assessment based on the VDA ISA catalogue — information security, prototype 
protection, and data protection — with controls and evidence in one workspace.","tisax",[8070,8072,8075],{"value":7968,"description":8071},"The automotive industry's Information Security Assessment catalogue, as controls.",{"value":8073,"description":8074},"AL1 \u002F AL2 \u002F AL3","Scope to the assessment level your customer requires.",{"value":8076,"description":8077},"ENX shared","Results exchanged with partners on the ENX portal, valid for three years.","5.frameworks\u002Ftisax","RpzR58DZc3BnAcaWAsqm7PIHOUK5ojALlWWk5SbkriY",1781409240169]