LowerPlane supports 50+ compliance frameworks covering security, privacy, financial, healthcare, government, and industry-specific regulations. You can enable one or more frameworks depending on your organization’s regulatory requirements.

Enabling Frameworks

Navigate to Compliance > Frameworks and toggle the frameworks you need. When you enable a framework:
  1. The framework’s controls are added to your control library
  2. Required evidence types are mapped to your evidence tracker
  3. Policy requirements are surfaced in your policy center
  4. Your compliance dashboard begins tracking readiness
You can enable additional frameworks at any time. LowerPlane will automatically calculate how much of the new framework is already satisfied by your existing controls, evidence, and policies — typically 80-90% overlap.

Core Frameworks

93 controls across 14 control categories (Annex A). The gold standard for information security management systems (ISMS). Required by many enterprise customers and increasingly expected in vendor security reviews.
64 trust services criteria across 5 categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Essential for SaaS companies and service providers in North America.
18 safeguards covering administrative, physical, and technical controls for protecting health information (PHI). Required for healthcare organizations and their business associates.
99 articles covering data protection, privacy rights, consent management, and cross-border data transfers. Required for organizations processing EU/EEA personal data.
12 requirements with 200+ sub-requirements for protecting cardholder data. Required for any organization that processes, stores, or transmits payment card data. Includes SAQ-A and SAQ-D self-assessment variants.

Government & Federal Frameworks

Comprehensive catalog of security and privacy controls for federal information systems. Used by US government agencies and their contractors.
Voluntary framework for managing cybersecurity risk. Widely adopted across industries as a best-practice baseline. Organized into Identify, Protect, Detect, Respond, and Recover functions.
Controls for protecting Controlled Unclassified Information (CUI) in non-federal systems. Required for Department of Defense contractors.
Framework for managing risks from artificial intelligence systems. Covers governance, mapping, measuring, and managing AI risks.
Federal Risk and Authorization Management Program. Multiple baselines available: Low, Moderate, High, LI-SaaS, and the new Rev 5 and 20x variants. Required for cloud services used by US federal agencies.
Cybersecurity Maturity Model Certification for the defense industrial base. Three levels of maturity with increasing control requirements.
Security policy for criminal justice information and law enforcement data. Required for organizations accessing FBI CJIS systems.
Cybersecurity regulation for financial services companies operating in New York State.

Industry-Specific Frameworks

Risk-based framework that integrates and harmonizes multiple standards (HIPAA, ISO 27001, NIST, PCI DSS). Popular in healthcare and insurance industries.
IT controls for financial reporting integrity. Required for publicly traded companies and their service providers.
Information security standard for the automotive industry. Required by major automotive manufacturers for their supply chain partners.
EU regulation for ICT risk management in the financial sector. Covers ICT governance, incident reporting, resilience testing, and third-party risk.
EU directive for cybersecurity across essential and important entities. Covers supply chain security, incident reporting, and risk management.
Security and privacy requirements for Microsoft suppliers and partners.
AWS Partner Network security review requirements for SaaS solutions running on AWS.

ISO Family

Cloud-specific security controls extending ISO 27001. Guidance for both cloud service providers and customers.
Controls for protecting personally identifiable information (PII) in public cloud computing environments.
Extension to ISO 27001/27002 for privacy management. Maps to GDPR requirements.
Management system standard for artificial intelligence. Covers AI governance, risk management, and responsible AI practices.
Requirements for planning, establishing, implementing, and maintaining a business continuity management system.
Quality management system standard. Demonstrates consistent delivery of products and services that meet customer requirements.

Security Benchmarks

Center for Internet Security critical security controls. Three implementation groups: IG1 (essential), IG2 (foundational), IG3 (organizational). Practical, prioritized security controls.
Eight essential mitigation strategies from the Australian Cyber Security Centre. Baseline cybersecurity for Australian organizations.
UK government-backed scheme for protection against common cyber attacks. The Plus certification tier adds hands-on technical verification of the controls.
APRA prudential standard for information security in the Australian financial services industry.
Financial services cybersecurity profile that harmonizes regulatory expectations across multiple financial regulators.
Minimum security baseline for B2B software. Lightweight checklist for startups and emerging vendors.

Additional Frameworks

European regulation on artificial intelligence. Risk-based approach to AI governance with requirements varying by risk category.
UK’s post-Brexit version of GDPR. Substantially similar to EU GDPR with UK-specific supervisory authority (ICO).
Emerging US state-level data privacy requirements covering California (CCPA/CPRA), Virginia, Colorado, Connecticut, and other states.
Security standard for open banking and financial data sharing.

Cross-Framework Mapping

LowerPlane automatically maps controls across frameworks. When you implement a control for one framework, it can satisfy requirements in multiple others:
Control Area         Frameworks Covered
Access Control       ISO 27001, SOC 2, HIPAA, GDPR, PCI DSS, NIST 800-53, CMMC, FedRAMP
Encryption           ISO 27001, SOC 2, HIPAA, PCI DSS, NIST 800-171, DORA
Incident Response    All frameworks
Risk Management      ISO 27001, SOC 2, NIST CSF, DORA, NIS2, CRI Profile
Vendor Management    ISO 27001, SOC 2, HIPAA, GDPR, PCI DSS, DORA

Start with the framework your customers request most frequently. As you add more frameworks, you’ll find that 80-90% of the work is already done through control overlap.