All of the control sets offered in our Control Repository are industry standard frameworks or regulations. Many of these control frameworks are typically managed by stakeholders within the IT Security, Privacy, or Compliance functions in organizations. Content in the Control Repository can be linked to any of your custom Applications or any of Risk Cloud's Application Templates.

Below are links to each content offering, along with high-level descriptions of each: 

  • ISO 27001* - standard providing requirements for an information security management system (ISMS) and a framework for managing IT security
  • ISO 27002* - collection of information security guidelines intended to help an organization implement, maintain, and improve its information security management (more detailed "control" content related to ISO 27001)
  • ISO 27018* - controls for implementing measures to protect Personally Identifiable Information (PII) in the public cloud
  • NIST Cybersecurity Framework - voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk
  • NIST 800-53 - information security controls for federal information systems and organizations
  • FedRAMP - information security recommendations in relation to Cloud Service Providers (CSP), broken down into different baseline levels to help implement NIST 800-53
  • NIST 800-171 - recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations 
  • SOC 2 Trust Services Criteria - requirements for implementing systems to assure the security, availability, processing integrity, confidentiality, and privacy of customer data
  • PCI DSS - information security standard for organizations that handle payment cards (e.g., credit cards, debit cards) to protect cardholder data
  • The 20 CIS Controls - cybersecurity best practices for defense against common threats
  • 23 NYCRR 500 - cybersecurity regulation affecting entities regulated by the New York State Department of Financial Services
  • HIPAA Security Standards (Subpart C) - national standards to protect individuals’ electronic personal health information
  • GDPR - regulation to protect the personal data and privacy of EU citizens
  • CCPA - statute to enhance privacy rights and consumer protection for residents of the state of California
  • CMMC - a standard developed by the Department of Defense, designed to certify that contractors have controls in place to protect sensitive data
  • FFIEC CAT - declarative statements from the cybersecurity assessment tool created by the FFIEC to help institutions identify risks and determine cybersecurity preparedness (*please note that the FFIEC CAT content mappings can be made available through the Secure Controls Framework, but do not currently exist for the HITRUST CSF)
  • HITRUST CSF® - a framework of integrated controls derived from security and privacy related regulations, standards, and frameworks–including ISO, NIST, PCI, HIPAA, COBIT and more–to ensure a comprehensive set of security and privacy controls. The HITRUST CSF is continually updated and maintained by HITRUST®.

Control Mappings

We can provide mappings between the control sets listed above via the Secure Controls Framework, a comprehensive catalog of controls that maps across various statutory, regulatory, and contractual frameworks. 

Risk Cloud can also support control mappings via the HITRUST CSF® for any customers who have their own, current HITRUST MyCSF® subscription.

Obtaining Control Repository Content

If you're interested in having any of these control sets loaded to your environment, please contact us at or chat us via the in-app messenger. 

*Please note that before any ISO content may be loaded in your environment, we will require confirmation that you have a valid license to the content.

Your organization is required to have a current HITRUST MyCSF subscription to access HITRUST CSF® content in Risk Cloud.

Did this answer your question?