Compliance Frameworks
Achieve and maintain compliance with leading security and privacy frameworks. Bastion automates evidence collection and streamlines your path to certification.
SOC 2
SOC 2 is the gold standard for demonstrating your security posture to customers and partners.
SOC 2 (System and Organization Controls 2) is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. SOC 2 compliance is based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Why get SOC 2 with Bastion?
- Build trust with enterprise customers
- Demonstrate security commitment
- Streamline sales cycles
- Reduce security questionnaires
ISO 27001
The international standard for information security management systems (ISMS).
ISO 27001 is the world's best-known standard for information security management systems (ISMS). It provides a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
Why get ISO 27001 with Bastion?
- Internationally recognized certification
- Comprehensive security framework
- Risk-based approach to security
- Continuous improvement model
GDPR
The European Union's comprehensive data protection regulation.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It addresses the transfer of personal data outside the EU and EEA areas.
Why get GDPR with Bastion?
- Operate legally in the EU
- Build customer trust
- Avoid significant fines
- Improve data governance
HIPAA
US healthcare data protection for covered entities and business associates.
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them.
Why get HIPAA with Bastion?
- Handle healthcare data compliantly
- Partner with healthcare organizations
- Protect patient privacy
- Avoid HIPAA violations and fines
ISO 42001
The new international standard for AI management systems.
ISO/IEC 42001 is the first international standard for AI management systems, providing a framework for organizations to manage risks and opportunities associated with AI. It helps ensure AI systems are developed and used responsibly.
Why get ISO 42001 with Bastion?
- Demonstrate responsible AI practices
- Manage AI-related risks
- Build stakeholder confidence
- Prepare for AI regulations
ISO 27701
Privacy extension to ISO 27001 for managing personal data.
ISO 27701 is an extension to ISO 27001 and ISO 27002 for privacy information management. It provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS).
Why get ISO 27701 with Bastion?
- Extend ISO 27001 with privacy controls
- Support GDPR compliance
- Manage personal data systematically
- Demonstrate privacy commitment
DORA
Digital Operational Resilience Act for EU financial services.
The Digital Operational Resilience Act (DORA) is an EU regulation that creates a binding, comprehensive framework on digital operational resilience for EU financial entities. It addresses ICT risk management, incident reporting, and third-party risk management.
Why get DORA with Bastion?
- Comply with EU financial regulations
- Strengthen operational resilience
- Manage ICT third-party risk
- Improve incident response
AI Act
The European Union's comprehensive AI regulation framework.
The EU AI Act is the first comprehensive legal framework for artificial intelligence worldwide. It establishes rules for AI systems based on their risk level, from minimal risk to unacceptable risk, with specific requirements for high-risk AI applications.
Why get AI Act with Bastion?
- Prepare for AI regulation
- Classify AI systems by risk
- Implement required safeguards
- Operate AI legally in the EU
NIS 2
Enhanced EU cybersecurity directive for essential and important entities.
The NIS 2 Directive (Network and Information Security Directive 2) expands cybersecurity requirements across the EU. It covers more sectors, introduces stricter security requirements, and establishes more significant penalties for non-compliance.
Why get NIS 2 with Bastion?
- Meet EU cybersecurity requirements
- Improve incident reporting
- Strengthen supply chain security
- Avoid significant penalties
Cyber Essentials
UK government-backed cybersecurity certification scheme.
Cyber Essentials is a UK government-backed scheme that helps organizations protect against common cyber attacks. It provides a clear statement of the basic controls organizations should have in place to protect against the most common cyber threats.
Why get Cyber Essentials with Bastion?
- Qualify for UK government contracts
- Protect against common attacks
- Demonstrate security basics
- Cost-effective certification
PCI DSS
Payment card industry data security standard for handling card data.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
Why get PCI DSS with Bastion?
- Process payments securely
- Protect cardholder data
- Reduce fraud risk
- Meet merchant requirements
CCPA
California Consumer Privacy Act for protecting consumer data rights.
The California Consumer Privacy Act (CCPA) gives California residents more control over their personal information. It requires businesses to disclose their data collection practices and gives consumers the right to access and delete their data and to opt out of its sale.
Why get CCPA with Bastion?
- Operate legally in California
- Respect consumer privacy rights
- Avoid CCPA penalties
- Build consumer trust
ISO 27017
Cloud security controls extending ISO 27001 for cloud service providers and customers.
ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. It builds on ISO 27001 and ISO 27002, offering cloud-specific guidance for both cloud service providers and their customers.
Why get ISO 27017 with Bastion?
- Demonstrate cloud security maturity
- Extend ISO 27001 with cloud controls
- Build trust with cloud customers
- Address shared responsibility model
ISO 27018
Protection of personally identifiable information (PII) in public cloud services.
ISO 27018 establishes commonly accepted control objectives and guidelines for protecting personally identifiable information (PII) in public cloud computing environments. It extends ISO 27001 with privacy-focused requirements for cloud providers acting as PII processors.
Why get ISO 27018 with Bastion?
- Protect customer PII in the cloud
- Support GDPR compliance efforts
- Differentiate as a privacy-focused provider
- Build trust with privacy-conscious customers
SOC 3
Publicly shareable security report based on SOC 2 Trust Services Criteria.
SOC 3 is a general-use report based on the same Trust Services Criteria as SOC 2. Unlike a SOC 2 report, a SOC 3 report can be freely distributed and published, which makes it suitable for marketing and for building public trust without disclosing detailed control information.
Why get SOC 3 with Bastion?
- Share security posture publicly
- Use for marketing and sales collateral
- Build trust with prospects quickly
- Complement your SOC 2 certification
Bill 25
Quebec's privacy law modernizing personal information protection for organizations.
Bill 25 (Law 25) modernizes Quebec's privacy legislation, introducing new requirements for organizations handling personal information of Quebec residents. It includes mandatory privacy impact assessments, breach notification requirements, and enhanced consent rules.
Why get Bill 25 with Bastion?
- Operate legally in Quebec
- Meet Canadian privacy standards
- Implement privacy by design
- Avoid significant penalties
BSI C5
German federal cloud security standard for cloud service providers.
The BSI Cloud Computing Compliance Criteria Catalogue (C5) is a German government-backed attestation scheme for cloud service providers. It defines minimum security requirements that cloud providers must meet to serve German federal agencies and enterprises.
Why get BSI C5 with Bastion?
- Access German public sector market
- Demonstrate cloud security excellence
- Meet strict German standards
- Build trust with EU enterprises
Custom Frameworks
Build and manage custom compliance frameworks tailored to your needs.
Beyond standard frameworks, Bastion supports custom compliance requirements. Whether you need to meet client-specific security questionnaires, industry-specific standards, or internal policies, we help you build and track custom frameworks alongside your certifications.
Why get Custom Frameworks with Bastion?
- Meet client-specific requirements
- Track internal security policies
- Consolidate all compliance in one place
- Adapt to evolving needs
Other platforms check the box
We secure the box
Get in touch and learn why hundreds of companies trust Bastion to manage their security and fast-track their compliance.