Standards
One platform, any number of frameworks.
The catalogue spans 28 frameworks across 9 categories — from ISMS and privacy to AI governance, sector-specific operations, and sustainability reporting. Each pack is €600/year. We map any framework into your instance on request — typically in about two weeks, whether or not it is already in the catalogue — after which it joins for everyone at the same price. No upper limit on concurrent standards in one installation.
9 categories
What each kind of framework covers.
Frameworks group naturally into 9 categories. Most installs anchor on one ISMS standard, add the privacy framework their data demands, and layer sector-specific or AI-governance packs on top as scope grows.
Cybersecurity & ISMS
8
The information-security backbone.
Jump down ↓
Privacy & data protection
4
Regulator-grade records and rights.
Jump down ↓
AI governance
2
The new compliance surface.
Jump down ↓
Financial sector
4
Rules with timestamps and auditors.
Jump down ↓
Sector-specific
3
Industry frameworks Cybsis maps for you.
Jump down ↓
Quality & integrity management
2
Management systems beyond security.
Jump down ↓
Environmental & sustainability
3
Carbon, energy, and EU disclosure.
Jump down ↓
Business continuity
1
BCMS and ICT continuity.
Jump down ↓
Audit & assurance
1
Attestation, not a control catalogue.
Jump down ↓
Cybersecurity & ISMS · 8
The information-security backbone.
The frameworks most Cybsis installs anchor on — ISO 27001 and the Estonian E-ITS at the centre, with risk-management (27005), cloud (27017/18), NIS2 obligations, and the US NIST family running alongside.
E-ITS
EstoniaEstonian Information Security Standard (E-ITS) 2024
The mandatory Estonian information security standard, ~1,600 measures across the catalogue.
Available now
Learn more →Cybsis Baseline
UniversalCybsis Baseline — the essential information-security controls every organisation should run
The essential security baseline, included with every Cybsis installation at no extra charge.
Always included · no line item
Learn more →BSI GS++
GermanyBSI IT-Grundschutz (BSI-Standards 200-1/200-2/200-3 + IT-Grundschutz-Kompendium)
The German federal information-security baseline — IT-Grundschutz building blocks mapped to a working ISMS, with Basis-, Standard- and Kern-Absicherung scoping.
Available now
Learn more →ISO 27001
InternationalISO/IEC 27001:2022 — Information security management systems
The international ISMS certification standard.
Available now
Learn more →ISO 27005
InternationalISO/IEC 27005:2022 — Information security risk management
The risk-management methodology companion to ISO 27001.
Available now
Learn more →NIS2
EUNIS2 Directive (EU) 2022/2555
The EU's flagship cybersecurity directive — risk management, incident reporting, supply-chain security for essential and important entities.
Available now
Learn more →ISO 27017 + ISO 27018
InternationalISO/IEC 27017 (Cloud security) + ISO/IEC 27018 (Cloud PII processor)
The two cloud-specific extensions to ISO 27001 — security controls for cloud services and PII protection in public-cloud processors.
On request · ~2 weeks
Learn more →NIST family
USNIST CSF 2.0 + SP 800-53 + SP 800-171 + CMMC
The US federal and DoD cybersecurity framework family — Cybersecurity Framework, two control catalogues, and the CMMC maturity model.
On request · ~2 weeks
Learn more →
Privacy & data protection · 4
Regulator-grade records and rights.
GDPR Article 30 records, US state-level requirements (CCPA/CPRA, HIPAA), and ISO 27701 as the PIMS extension on top of an existing ISMS.
GDPR
EUGeneral Data Protection Regulation (EU) 2016/679
The EU's data protection regulation, plus the Article 30 records work.
Available now
Learn more →ISO 27701
InternationalISO/IEC 27701:2019 — Privacy information management (PIMS)
The privacy extension to ISO 27001. Bridges ISMS and GDPR with a Privacy Information Management System.
On request · ~2 weeks
Learn more →HIPAA
USHealth Insurance Portability and Accountability Act
The US healthcare privacy and security regime — Privacy Rule, Security Rule, Breach Notification Rule.
On request · ~2 weeks
Learn more →CCPA / CPRA
US-CACalifornia Consumer Privacy Act + California Privacy Rights Act
The Californian consumer privacy regime — the template for the wave of US state privacy laws.
On request · ~2 weeks
Learn more →
AI governance · 2
The new compliance surface.
EU AI Act with ISO 42001 as the operating standard, and the US NIST AI RMF — both shipped pre-mapped so AI-system inventories, conformity assessments, and risk reviews don't start from scratch.
EU AI Act + ISO 42001
EU + InternationalEU AI Act (Reg. 2024/1689) + ISO/IEC 42001:2023 (AIMS)
The EU's risk-tier AI regulation plus the international AI Management System standard. Sold together because the document sets overlap.
Available now
Learn more →NIST AI RMF + Privacy Framework
USNIST AI Risk Management Framework 1.0 + NIST Privacy Framework 1.0
Two voluntary supplemental NIST frameworks — AI risk management and privacy — using the NIST "Profile" pattern.
On request · ~2 weeks
Learn more →
Financial sector · 4
Rules with timestamps and auditors.
DORA for EU financial entities, PCI DSS for card data, SOX for US listed companies, and SWIFT CSP for inter-bank messaging — the four that come with hard deadlines and external attestation.
DORA
EUDigital Operational Resilience Act (Reg. EU 2022/2554)
The EU financial-sector operational resilience regulation. ICT risk management, incident reporting, third-party oversight, threat-led penetration testing.
Available now
Learn more →PCI DSS 4.0.1
InternationalPayment Card Industry Data Security Standard, version 4.0.1
The payment-card data security standard. Mandatory by card-brand contract for anyone storing, processing, or transmitting cardholder data.
On request · ~2 weeks
Learn more →SOX
USSarbanes-Oxley Act of 2002
US public-company internal controls over financial reporting. Section 302/404/906 certifications and IT general controls.
On request · ~2 weeks
Learn more →SWIFT CSP
InternationalSWIFT Customer Security Programme (CSCF v2024)
The banking-interconnect security framework. Mandatory annual self-attestation against the Customer Security Controls Framework.
On request · ~2 weeks
Learn more →
Sector-specific · 3
Industry frameworks Cybsis maps for you.
ISO 13485 for medical devices, NERC CIP for North-American bulk electric, TISAX for automotive supply chains — niche by default, expensive to map from scratch if you don't already have them.
TISAX
GermanyTrusted Information Security Assessment Exchange (VDA ISA 6.0.4)
The German automotive information-security framework. Contractually mandatory for suppliers handling OEM information.
On request · ~2 weeks
Learn more →ISO 13485
InternationalISO 13485:2016 — Medical devices QMS
The medical-devices quality management standard. Mandatory for CE marking under EU MDR/IVDR and FDA registration in the US.
On request · ~2 weeks
Learn more →NERC CIP
US + CanadaNorth American Electric Reliability Corporation — Critical Infrastructure Protection
The US/Canada bulk electric system cybersecurity standard. FERC-enforced with civil penalties up to $1M per day per violation.
On request · ~2 weeks
Learn more →
Quality & integrity management · 2
Management systems beyond security.
ISO 9001 for quality management, ISO 37001 for anti-bribery — both share Annex SL with ISO 27001, so a single ISMS doesn't fight against them.
ISO 9001
InternationalISO 9001:2015 — Quality management systems
The international quality management standard.
Available now
Learn more →ISO 37001
InternationalISO 37001:2016 — Anti-bribery management systems (ABMS)
The international anti-bribery management standard. Annex SL family, sells alongside ISO 9001 and ISO 27001.
On request · ~2 weeks
Learn more →
Environmental & sustainability · 3
Carbon, energy, and EU disclosure.
ISO 14001 EMS, ISO 50001 EnMS, and CSRD/ESRS with EU Taxonomy alignment — the reporting regime EU listed and large unlisted companies are now inside.
ISO 14001
InternationalISO 14001:2015 — Environmental management systems
The international environmental management standard.
Available now
Learn more →ISO 50001
InternationalISO 50001:2018 — Energy management systems (EnMS)
The energy-management Annex SL standard. Data feeds the CSRD E1 climate disclosure.
On request · ~2 weeks
Learn more →CSRD / ESRS / EU Taxonomy
EUCorporate Sustainability Reporting Directive + European Sustainability Reporting Standards + EU Taxonomy Regulation
The EU sustainability reporting regime. Double-materiality assessment + 12 ESRS topical standards + Taxonomy-alignment disclosure.
On request · ~2 weeks
Learn more →
Business continuity · 1
BCMS and ICT continuity.
The ISO 22300 family — BCMS, crisis management, ICT continuity readiness — sold as one pack.
ISO 22300 series
InternationalISO 22301 (BCMS) + ISO 22361 (Crisis management) + ISO 27031 (ICT readiness)
The business continuity family — BCMS, crisis management, and ICT readiness for business continuity. Sold as one pack.
Available now
Learn more →
Audit & assurance · 1
Attestation, not a control catalogue.
SOC 2 — auditor-driven attestation against the Trust Services Criteria. Different in kind from the rest; included so customers serving US enterprise can run it alongside their primary ISMS.
SOC 2
USSOC 2 — AICPA Trust Services Criteria
The US enterprise-vendor audit framework. Auditor-driven attestation against the Trust Services Criteria — not a control catalogue.
On request · ~2 weeks
Learn more →
Before you configure
Two things worth knowing.
Cybsis Baseline ships with every instance
Every Cybsis instance ships with Cybsis Baseline active by default — the essential security floor every instance starts from. It doesn't count toward the combo's included-standard allowance, doesn't appear on the invoice, and can't be unchecked in the configurator.
It's the security floor worth having regardless of which certifications you pursue — assign it a scope and it's working, then layer any other framework on top whenever you're ready.
Combo bundling and the €600/year pack
Essential and Reasonable each include 1 standard of your choice; Complete bundles 3. Every additional framework is €600/year per pack, no upper limit on concurrent standards in one installation.
The configurator shows the running total as you tick frameworks on and off, so you see the marginal cost of adding ISO 27001 alongside NIS2 in the same view you pick them.
Need something not in the catalogue?
Industry-specific schemes (ISO 14971, IEC 62443, AS9100, HITRUST CSF, FDA 21 CFR Part 820 …), national variants of frameworks already covered, or a contractual framework specific to your customers — mention it in the quote request. Catalogue ingestion, control mapping, and seeding takes us about two weeks, after which it joins the catalogue for everyone at €600/year per pack.
Request a quote →Pick the frameworks. The platform runs them side-by-side.
One ISMS surface, one set of controls, one evidence library — even when half a dozen frameworks are live in the same installation. The configurator shows you what each additional pack adds to the bill before you commit.