URIP Compliance Frameworks
Last updated: 2026-04-29
Status: Stable
Total frameworks: 20
Total controls: ~1,476
Overview
URIP's compliance module is a native Sprinto-equivalent implementation on the same data layer as the risk register. When a connector finds a CVE that violates a SOC 2 control, the compliance dashboard shows the exact CVE causing the failure — no manual mapping required.
Framework grades:
| Grade | Meaning |
|---|---|
| Audit-grade | Controls formally mapped to standard language; suitable for real audit evidence |
| Preview | Controls paraphrased from public summaries; suitable for readiness gap analysis; not a substitute for formal audit mapping |
Activating a framework:
1. Navigate to /compliance-frameworks.html
2. Click the framework tile
3. Framework activates immediately; controls are evaluated against your connected data within one hour
4. No additional configuration needed unless you want to customise control-to-connector mappings
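The overview above describes the mechanism in one sentence: each control is bound to the connectors that feed it, a failing control is traced back to the exact finding that caused it, and one finding can fail controls in several frameworks at once. The following Python is an added example written for this page to make that mechanism concrete; it is not URIP's code or data model. The `Finding`/`Control` classes, connector names, and the `evaluate` and `controls_failed_by` functions are assumptions; the control IDs are taken from the framework list on this page, and the sample findings (including the placeholder CVE IDs) are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Hypothetical model written for this page; not URIP's own implementation.


@dataclass(frozen=True)
class Finding:
    connector: str      # connector that produced it, e.g. "tenable" or "entra_id"
    category: str       # normalised finding category emitted by that connector
    identifier: str     # CVE id, alert id or risk-event id
    severity: str       # "critical" | "high" | "medium" | "low"
    is_open: bool = True  # remediated (closed) findings no longer fail a control


@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str
    title: str
    # (connector, category) pairs whose open findings count against this control
    sources: Tuple[Tuple[str, str], ...]
    fail_severities: Tuple[str, ...] = ("critical", "high")


def evaluate(controls: Iterable[Control], findings: Iterable[Finding]) -> Dict[str, dict]:
    """Evaluate every control against the connector findings.

    Returns {"<framework>/<control_id>": {"status": "pass"|"fail", "causes": [...]}},
    where "causes" lists the identifiers of the findings that made the control fail.
    """
    findings = list(findings)
    results: Dict[str, dict] = {}
    for c in controls:
        causes = sorted(
            f.identifier for f in findings
            if f.is_open
            and f.severity in c.fail_severities
            and (f.connector, f.category) in c.sources
        )
        results[f"{c.framework}/{c.control_id}"] = {
            "status": "fail" if causes else "pass",
            "causes": causes,
        }
    return results


def controls_failed_by(results: Dict[str, dict], identifier: str) -> List[str]:
    """Reverse lookup: every control, across all frameworks, that one finding fails."""
    return sorted(key for key, r in results.items() if identifier in r["causes"])


# Control-to-connector mappings; control IDs and connector names come from this page.
CONTROLS = [
    Control("SOC 2", "CC6.1", "Logical and physical access controls",
            (("entra_id", "risk_event"), ("okta", "risk_event"))),
    Control("SOC 2", "CC7.2", "System monitoring", (("siem", "alert"),)),
    Control("ISO 27001", "A.8", "Technological controls",
            (("tenable", "vulnerability"), ("qualys", "vulnerability"))),
    Control("PCI DSS", "Req 6", "Vulnerability management",
            (("tenable", "vulnerability"), ("qualys", "vulnerability"))),
]

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
FINDINGS = [
    Finding("tenable", "vulnerability", "CVE-YYYY-0001", "critical"),
    Finding("qualys", "vulnerability", "CVE-YYYY-0002", "high", is_open=False),  # remediated
    Finding("entra_id", "risk_event", "RISK-EVT-42", "high"),
    Finding("tenable", "vulnerability", "CVE-YYYY-0003", "low"),  # below the fail threshold
]

if __name__ == "__main__":
    res = evaluate(CONTROLS, FINDINGS)
    for key, r in res.items():
        print(f"{key:18} {r['status']:4} {', '.join(r['causes'])}")
    # One vulnerability finding fails both ISO 27001 A.8 and PCI DSS Requirement 6.
    print("CVE-YYYY-0001 fails:", controls_failed_by(res, "CVE-YYYY-0001"))
```

Two points the run makes visible: the closed Qualys finding and the low-severity Tenable finding do not fail anything, so the pass/fail state follows remediation rather than the raw finding count, and the single critical CVE is reported as the cause under both ISO 27001 and PCI DSS without any per-framework mapping of the finding itself.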
Framework List
1. SOC 2 (Trust Services Criteria 2017 + 2022)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~60 |
| Issuer | AICPA |
| Scope | Security, Availability, Processing Integrity, Confidentiality, Privacy trust service categories |
| Who needs it | SaaS companies, cloud service providers; required by enterprise customers as part of vendor due diligence |
What URIP evaluates:
- CC6.1 Logical and physical access controls (mapped to Entra ID / Okta risk events)
- CC7.2 System monitoring (mapped to SIEM alerts, connector health)
- CC8.1 Change management (mapped to ITSM connector change tickets)
- A1.2 Availability monitoring (uptime and SLA data)
2. ISO 27001:2022
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~93 (Annex A controls) |
| Issuer | ISO / IEC |
| Scope | Information security management system (ISMS) |
| Who needs it | Enterprises seeking international ISMS certification; required by many government and financial sector RFPs |
What URIP evaluates:
- A.8 Technological controls — vulnerability management, access control, data masking
- A.5 Organisational controls — policies, roles, responsibilities
- Links directly from failing controls to the CVEs causing failure
3. GDPR (General Data Protection Regulation)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~40 |
| Issuer | EU Parliament |
| Scope | Personal data processing for EU data subjects; applies globally to any organisation processing EU resident data |
| Who needs it | Any company processing EU personal data |
What URIP evaluates:
- Article 32 security measures (encryption, pseudonymisation — mapped to DLP and DSPM)
- Article 33/34 breach notification readiness (SIEM + incident response controls)
- Data minimisation principles (DSPM connector data)
4. HIPAA (Health Insurance Portability and Accountability Act)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~54 |
| Issuer | US Department of Health and Human Services |
| Scope | Protected Health Information (PHI) — healthcare providers, health plans, business associates |
| Who needs it | US healthcare entities and any vendor touching PHI |
What URIP evaluates:
- §164.312 Technical safeguards (access control, encryption, audit controls)
- §164.308 Administrative safeguards (workforce training — KnowBe4/Hoxhunt, risk management)
- PHI exposure findings from DSPM connectors (BigID, Varonis)
5. PCI DSS v4.0
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~250+ requirements |
| Issuer | PCI Security Standards Council |
| Scope | Organisations that store, process, or transmit cardholder data |
| Who needs it | E-commerce, fintech, any business accepting card payments |
What URIP evaluates:
- Requirement 6 — Vulnerability management (Tenable/Qualys findings)
- Requirement 10 — Logging and monitoring (SIEM alerts)
- Requirement 11 — Security testing (DAST/EASM findings)
- Requirement 7 — Access restriction (Entra ID / Okta controls)
6. India DPDP Act 2023
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~30 |
| Issuer | Government of India (Ministry of Electronics and IT) |
| Scope | Personal data of Indian residents; applies to any organisation processing such data |
| Who needs it | Any company with Indian users or operating in India |
What URIP evaluates:
- Section 8 obligations for Data Fiduciaries (security safeguards)
- Section 9 children's data processing controls
- Breach notification readiness
- Data localisation and transfer controls
7. NIST CSF 2.0
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~108 subcategories across 6 functions |
| Issuer | NIST (US National Institute of Standards and Technology) |
| Scope | Voluntary framework for critical infrastructure and general cybersecurity risk management |
| Who needs it | US federal contractors; widely adopted as a risk management baseline globally |
6 Functions:
- Govern (GV) — policies, roles, risk strategy
- Identify (ID) — asset management, risk assessment
- Protect (PR) — access control, data security, training
- Detect (DE) — anomalies, continuous monitoring
- Respond (RS) — incident response
- Recover (RC) — recovery planning
All 108 subcategories are mapped to URIP's connector data model.
8. ISO 42001 (AI Management System)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~40 |
| Issuer | ISO / IEC |
| Scope | Artificial Intelligence management system — AI system development and deployment |
| Who needs it | Organisations developing or deploying AI systems |
What URIP evaluates:
- AI system inventory controls
- AI risk assessment processes
- Supply chain security for AI dependencies (Snyk SCA on ML packages)
- Data governance for AI training data (DSPM)
9. EU AI Act
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~35 |
| Issuer | EU Parliament |
| Scope | AI systems placed on EU market; risk-tiered (prohibited / high-risk / limited-risk / minimal-risk) |
| Who needs it | Any organisation developing or deploying AI in the EU |
What URIP evaluates:
- Article 9 Risk Management System requirements
- Article 10 Data governance requirements
- Article 17 Quality management system controls
- Article 72 post-market monitoring
10. DORA (EU Digital Operational Resilience Act)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~45 |
| Issuer | European Parliament (Regulation 2022/2554) |
| Scope | Financial entities operating in the EU: banks, insurers, investment firms, crypto-asset service providers |
| Who needs it | All EU financial entities; effective January 2025 |
What URIP evaluates:
- Article 5 ICT risk management framework
- Article 10 Detection (SIEM/SOC connectivity)
- Article 11 Response and recovery (IR playbooks)
- Article 25 Third-party ICT risk (vendor risk module)
11. NIS2 (Network and Information Systems Directive 2)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~40 |
| Issuer | European Parliament (Directive 2022/2555) |
| Scope | Essential and important entities in critical infrastructure sectors (energy, transport, health, digital infra) |
| Who needs it | EU critical infrastructure operators; transposed into national law by October 2024 |
What URIP evaluates:
- Article 21 Security measures (vulnerability management, access control, MFA)
- Article 23 Incident reporting (24h/72h notification requirements)
- Supply chain risk (vendor risk module)
12. ISO 27017 (Cloud Security)
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | ~37 |
| Issuer | ISO / IEC |
| Scope | Information security controls for cloud services |
| Who needs it | Cloud service providers and cloud service customers |
Cloud-specific controls: CLD.6 (cloud service customer controls), CLD.9 (asset management in cloud), CLD.12 (supplier relationship management for cloud).
13. ISO 27018 (PII in Cloud)
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | ~25 |
| Issuer | ISO / IEC |
| Scope | Processing personally identifiable information (PII) in public cloud services |
| Who needs it | Cloud service providers that process customer PII |
14. ISO 27701 (Privacy Information Management)
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | ~49 |
| Issuer | ISO / IEC |
| Scope | Privacy information management system (PIMS) — extension to ISO 27001 |
| Who needs it | Organisations acting as data controllers or processors under GDPR/privacy laws |
15. CIS Controls v8
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | ~153 safeguards across 18 controls |
| Issuer | Center for Internet Security |
| Scope | Prescriptive security control catalogue for enterprise organisations |
| Who needs it | Any organisation looking for a structured, actionable security baseline |
18 CIS Controls: Inventory of Enterprise Assets, Software Assets, Data Protection, Secure Config, Account Management, Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring, Security Awareness Training, Service Provider Management, Application Software Security, Incident Response Management, Penetration Testing.
16. SEC Cybersecurity Disclosure
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | ~30 |
| Issuer | SEC (17 CFR 229, 232, 239, 240, 249) |
| Scope | US public companies (registrants) |
| Who needs it | SEC-registered public companies and those planning to go public in the US |
4 Pillars:
1. Item 1.05 — 4-day 8-K material incident reporting
2. Item 106(b) — Annual risk management disclosure
3. Item 106(c) — Board governance of cybersecurity
4. Materiality assessment — processes for determining incident materiality
17. CMMC 2.0 (Cybersecurity Maturity Model Certification)
| Attribute | Value |
|---|---|
| Grade | Audit-grade |
| Controls | 151 practices (L1: 17, L2: 110, L3: 24) |
| Issuer | US Department of Defense (32 CFR Part 170) |
| Scope | Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI) |
| Who needs it | Any contractor bidding on DoD contracts |
3 Levels:
- Level 1 — 17 practices from FAR 52.204-21 (basic safeguarding)
- Level 2 — 110 practices from NIST SP 800-171 r2 (advanced)
- Level 3 — 24 additional practices from NIST SP 800-172 (specialist)
18. HITRUST CSF v11
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | e1: 44 requirements, r2: 156 control objectives |
| Issuer | HITRUST Alliance |
| Scope | Healthcare and business associates; information security and privacy |
| Who needs it | Healthcare covered entities, business associates, and their technology vendors |
Note: HITRUST canonical control text is paywalled. URIP's HITRUST implementation uses paraphrased control objectives from public HITRUST summaries. For formal certification, use the official HITRUST MyCSF platform.
19. SOC 1 (SSAE 18 / ICFR)
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | ~120 |
| Issuer | AICPA (AT-C 320) |
| Scope | Service organisations' internal controls relevant to user entities' financial reporting (ICFR) |
| Who needs it | Service organisations (payroll processors, data centres, cloud providers) whose controls affect customers' financial statements |
20. ISO 22301:2019 (Business Continuity Management)
| Attribute | Value |
|---|---|
| Grade | Preview |
| Controls | ~73 across 7 clauses |
| Issuer | ISO |
| Scope | Business continuity management system (BCMS) |
| Who needs it | Organisations requiring formal business continuity certification or seeking to demonstrate resilience |
7 Clauses: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement.
Framework Summary Table
| # | Framework | Grade | Controls | Issuer |
|---|---|---|---|---|
| 1 | SOC 2 | Audit-grade | ~60 | AICPA |
| 2 | ISO 27001:2022 | Audit-grade | ~93 | ISO/IEC |
| 3 | GDPR | Audit-grade | ~40 | EU Parliament |
| 4 | HIPAA | Audit-grade | ~54 | US HHS |
| 5 | PCI DSS v4.0 | Audit-grade | 250+ | PCI SSC |
| 6 | India DPDP 2023 | Audit-grade | ~30 | GoI MeitY |
| 7 | NIST CSF 2.0 | Audit-grade | ~108 | NIST |
| 8 | ISO 42001 | Audit-grade | ~40 | ISO/IEC |
| 9 | EU AI Act | Audit-grade | ~35 | EU Parliament |
| 10 | DORA | Audit-grade | ~45 | EU Parliament |
| 11 | NIS2 | Audit-grade | ~40 | EU Parliament |
| 12 | ISO 27017 | Preview | ~37 | ISO/IEC |
| 13 | ISO 27018 | Preview | ~25 | ISO/IEC |
| 14 | ISO 27701 | Preview | ~49 | ISO/IEC |
| 15 | CIS Controls v8 | Preview | ~153 | CIS |
| 16 | SEC Cyber Disclosure | Audit-grade | ~30 | SEC |
| 17 | CMMC 2.0 | Audit-grade | 151 | US DoD |
| 18 | HITRUST CSF v11 | Preview | 200 | HITRUST Alliance |
| 19 | SOC 1 (SSAE 18) | Preview | ~120 | AICPA |
| 20 | ISO 22301:2019 | Preview | ~73 | ISO |
| | Total | | ~1,476 | |
Compliance Workflow
- Activate a framework from /compliance-frameworks.html
- URIP evaluates all controls against your connected data
- Review pass/fail per control at /compliance-controls.html
- Upload evidence at /compliance-evidence.html
- Invite auditors at /compliance-auditor-invitations.html
- Generate audit-ready report at /compliance-reports.html
See guides/compliance.md for the complete step-by-step guide.
See Also
- guides/compliance.md — Full compliance workflow
- USER_GUIDE.md — Compliance
- TROUBLESHOOTING.md — Framework Not Found