Skip to content
Cybsis

Standards

One platform, any number of frameworks.

The catalogue spans 28 frameworks across 9 categories — from ISMS and privacy to AI governance, sector-specific operations, and sustainability reporting. Each pack is €600/year. We map any framework into your instance on request — typically in about two weeks, whether or not it is already in the catalogue — after which it joins for everyone at the same price. No upper limit on concurrent standards in one installation.

Cybersecurity & ISMS · 8

The information-security backbone.

The frameworks most Cybsis installs anchor on — ISO 27001 and the Estonian E-ITS at the centre, with risk-management (27005), cloud (27017/18), NIS2 obligations, and the US NIST family running alongside.

  • E-ITS

    Estonia

    Estonian Information Security Standard (E-ITS) 2024

    The mandatory Estonian information security standard, ~1,600 measures across the catalogue.

    Available now

    Learn more →
  • Cybsis Baseline

    Universal

    Cybsis Baseline — the essential information-security controls every organisation should run

    The essential security baseline, included with every Cybsis installation at no extra charge.

    Always included · no line item

    Learn more →
  • BSI GS++

    Germany

    BSI IT-Grundschutz (BSI-Standards 200-1/200-2/200-3 + IT-Grundschutz-Kompendium)

    The German federal information-security baseline — IT-Grundschutz building blocks mapped to a working ISMS, with Basis-, Standard- and Kern-Absicherung scoping.

    Available now

    Learn more →
  • ISO 27001

    International

    ISO/IEC 27001:2022 — Information security management systems

    The international ISMS certification standard.

    Available now

    Learn more →
  • ISO 27005

    International

    ISO/IEC 27005:2022 — Information security risk management

    The risk-management methodology companion to ISO 27001.

    Available now

    Learn more →
  • NIS2

    EU

    NIS2 Directive (EU) 2022/2555

    The EU's flagship cybersecurity directive — risk management, incident reporting, supply-chain security for essential and important entities.

    Available now

    Learn more →
  • ISO 27017 + ISO 27018

    International

    ISO/IEC 27017 (Cloud security) + ISO/IEC 27018 (Cloud PII processor)

    The two cloud-specific extensions to ISO 27001 — security controls for cloud services and PII protection in public-cloud processors.

    On request · ~2 weeks

    Learn more →
  • NIST family

    US

    NIST CSF 2.0 + SP 800-53 + SP 800-171 + CMMC

    The US federal and DoD cybersecurity framework family — Cybersecurity Framework, two control catalogues, and the CMMC maturity model.

    On request · ~2 weeks

    Learn more →

Privacy & data protection · 4

Regulator-grade records and rights.

GDPR Article 30 records, US state-level requirements (CCPA/CPRA, HIPAA), and ISO 27701 as the PIMS extension on top of an existing ISMS.

  • GDPR

    EU

    General Data Protection Regulation (EU) 2016/679

    The EU's data protection regulation, plus the Article 30 records work.

    Available now

    Learn more →
  • ISO 27701

    International

    ISO/IEC 27701:2019 — Privacy information management (PIMS)

    The privacy extension to ISO 27001. Bridges ISMS and GDPR with a Privacy Information Management System.

    On request · ~2 weeks

    Learn more →
  • HIPAA

    US

    Health Insurance Portability and Accountability Act

    The US healthcare privacy and security regime — Privacy Rule, Security Rule, Breach Notification Rule.

    On request · ~2 weeks

    Learn more →
  • CCPA / CPRA

    US-CA

    California Consumer Privacy Act + California Privacy Rights Act

    The Californian consumer privacy regime — the template for the wave of US state privacy laws.

    On request · ~2 weeks

    Learn more →

AI governance · 2

The new compliance surface.

EU AI Act with ISO 42001 as the operating standard, and the US NIST AI RMF — both shipped pre-mapped so AI-system inventories, conformity assessments, and risk reviews don't start from scratch.

  • EU AI Act + ISO 42001

    EU + International

    EU AI Act (Reg. 2024/1689) + ISO/IEC 42001:2023 (AIMS)

    The EU's risk-tier AI regulation plus the international AI Management System standard. Sold together because the document sets overlap.

    Available now

    Learn more →
  • NIST AI RMF + Privacy Framework

    US

    NIST AI Risk Management Framework 1.0 + NIST Privacy Framework 1.0

    Two voluntary supplemental NIST frameworks — AI risk management and privacy — using the NIST "Profile" pattern.

    On request · ~2 weeks

    Learn more →

Financial sector · 4

Rules with timestamps and auditors.

DORA for EU financial entities, PCI DSS for card data, SOX for US listed companies, and SWIFT CSP for inter-bank messaging — the four that come with hard deadlines and external attestation.

  • DORA

    EU

    Digital Operational Resilience Act (Reg. EU 2022/2554)

    The EU financial-sector operational resilience regulation. ICT risk management, incident reporting, third-party oversight, threat-led penetration testing.

    Available now

    Learn more →
  • PCI DSS 4.0.1

    International

    Payment Card Industry Data Security Standard, version 4.0.1

    The payment-card data security standard. Mandatory by card-brand contract for anyone storing, processing, or transmitting cardholder data.

    On request · ~2 weeks

    Learn more →
  • SOX

    US

    Sarbanes-Oxley Act of 2002

    US public-company internal controls over financial reporting. Section 302/404/906 certifications and IT general controls.

    On request · ~2 weeks

    Learn more →
  • SWIFT CSP

    International

    SWIFT Customer Security Programme (CSCF v2024)

    The banking-interconnect security framework. Mandatory annual self-attestation against the Customer Security Controls Framework.

    On request · ~2 weeks

    Learn more →

Sector-specific · 3

Industry frameworks Cybsis maps for you.

ISO 13485 for medical devices, NERC CIP for North-American bulk electric, TISAX for automotive supply chains — niche by default, expensive to map from scratch if you don't already have them.

  • TISAX

    Germany

    Trusted Information Security Assessment Exchange (VDA ISA 6.0.4)

    The German automotive information-security framework. Contractually mandatory for suppliers handling OEM information.

    On request · ~2 weeks

    Learn more →
  • ISO 13485

    International

    ISO 13485:2016 — Medical devices QMS

    The medical-devices quality management standard. Mandatory for CE marking under EU MDR/IVDR and FDA registration in the US.

    On request · ~2 weeks

    Learn more →
  • NERC CIP

    US + Canada

    North American Electric Reliability Corporation — Critical Infrastructure Protection

    The US/Canada bulk electric system cybersecurity standard. FERC-enforced with civil penalties up to $1M per day per violation.

    On request · ~2 weeks

    Learn more →

Quality & integrity management · 2

Management systems beyond security.

ISO 9001 for quality management, ISO 37001 for anti-bribery — both share Annex SL with ISO 27001, so a single ISMS doesn't fight against them.

  • ISO 9001

    International

    ISO 9001:2015 — Quality management systems

    The international quality management standard.

    Available now

    Learn more →
  • ISO 37001

    International

    ISO 37001:2016 — Anti-bribery management systems (ABMS)

    The international anti-bribery management standard. Annex SL family, sells alongside ISO 9001 and ISO 27001.

    On request · ~2 weeks

    Learn more →

Environmental & sustainability · 3

Carbon, energy, and EU disclosure.

ISO 14001 EMS, ISO 50001 EnMS, and CSRD/ESRS with EU Taxonomy alignment — the reporting regime EU listed and large unlisted companies are now inside.

  • ISO 14001

    International

    ISO 14001:2015 — Environmental management systems

    The international environmental management standard.

    Available now

    Learn more →
  • ISO 50001

    International

    ISO 50001:2018 — Energy management systems (EnMS)

    The energy-management Annex SL standard. Data feeds the CSRD E1 climate disclosure.

    On request · ~2 weeks

    Learn more →
  • CSRD / ESRS / EU Taxonomy

    EU

    Corporate Sustainability Reporting Directive + European Sustainability Reporting Standards + EU Taxonomy Regulation

    The EU sustainability reporting regime. Double-materiality assessment + 12 ESRS topical standards + Taxonomy-alignment disclosure.

    On request · ~2 weeks

    Learn more →

Business continuity · 1

BCMS and ICT continuity.

The ISO 22300 family — BCMS, crisis management, ICT continuity readiness — sold as one pack.

  • ISO 22300 series

    International

    ISO 22301 (BCMS) + ISO 22361 (Crisis management) + ISO 27031 (ICT readiness)

    The business continuity family — BCMS, crisis management, and ICT readiness for business continuity. Sold as one pack.

    Available now

    Learn more →

Audit & assurance · 1

Attestation, not a control catalogue.

SOC 2 — auditor-driven attestation against the Trust Services Criteria. Different in kind from the rest; included so customers serving US enterprise can run it alongside their primary ISMS.

  • SOC 2

    US

    SOC 2 — AICPA Trust Services Criteria

    The US enterprise-vendor audit framework. Auditor-driven attestation against the Trust Services Criteria — not a control catalogue.

    On request · ~2 weeks

    Learn more →

Before you configure

Two things worth knowing.

Cybsis Baseline ships with every instance

Every Cybsis instance ships with Cybsis Baseline active by default — the essential security floor every instance starts from. It doesn't count toward the combo's included-standard allowance, doesn't appear on the invoice, and can't be unchecked in the configurator.

It's the security floor worth having regardless of which certifications you pursue — assign it a scope and it's working, then layer any other framework on top whenever you're ready.

Combo bundling and the €600/year pack

Essential and Reasonable each include 1 standard of your choice; Complete bundles 3. Every additional framework is €600/year per pack, no upper limit on concurrent standards in one installation.

The configurator shows the running total as you tick frameworks on and off, so you see the marginal cost of adding ISO 27001 alongside NIS2 in the same view you pick them.

Need something not in the catalogue?

Industry-specific schemes (ISO 14971, IEC 62443, AS9100, HITRUST CSF, FDA 21 CFR Part 820 …), national variants of frameworks already covered, or a contractual framework specific to your customers — mention it in the quote request. Catalogue ingestion, control mapping, and seeding takes us about two weeks, after which it joins the catalogue for everyone at €600/year per pack.

Request a quote →

Pick the frameworks. The platform runs them side-by-side.

One ISMS surface, one set of controls, one evidence library — even when half a dozen frameworks are live in the same installation. The configurator shows you what each additional pack adds to the bill before you commit.