Cybersecurity Framework
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is one of the most widely adopted voluntary frameworks for managing cybersecurity risk. CSF 1.1 is organised around five core functions (Identify, Protect, Detect, Respond, and Recover); CSF 2.0, published in February 2024, adds a sixth, Govern, which covers risk strategy, policy, roles and oversight. The functions give organisations a common language to assess and improve their security posture.
How TrustCyber Covers This Framework
Every TrustCyber assessment maps each finding to the relevant NIST CSF function and subcategory. Your report shows exactly where your Microsoft 365 environment falls short across all five functions, with prioritised remediation steps tied directly to the framework's recommended activities.
What We Assess
- Identify — asset inventory, risk assessment, governance gaps
- Protect — access control, data security, awareness training
- Detect — anomaly detection, continuous monitoring
- Respond — response planning, communications, mitigation
- Recover — recovery planning, improvements, communications
Best for: IT leaders, CISOs, security teams, and organisations preparing for cyber insurance or board-level reporting.
Center for Internet Security
CIS Critical Security Controls v8
The CIS Critical Security Controls (v8) are a prioritised set of 18 Controls developed by the Center for Internet Security, each broken down into specific Safeguards (153 in total). The Safeguards are grouped into three Implementation Groups (IG1–IG3), each a superset of the one before, giving a practical, risk-based roadmap that scales from small businesses to large enterprises.
How TrustCyber Covers This Framework
TrustCyber maps your Microsoft 365 findings to the specific CIS Controls and Safeguards relevant to your Implementation Group. Whether you are targeting IG1 for essential cyber hygiene or IG3 for advanced defence, your report shows exactly which Safeguards are met, partially met, or missing.
What We Assess
- IG1 (essential cyber hygiene) — MFA, patching, email and web browser protections
- IG2 (builds on IG1) — data recovery, secure configuration, audit log management
- IG3 (builds on IG2) — penetration testing, incident response, application software security
- All 18 controls assessed against your Microsoft 365 tenant configuration
Best for: Security teams, MSPs, and organisations seeking a practical, actionable security baseline.
Information Security Management
ISO/IEC 27001 Information Security Management
ISO/IEC 27001 is the international standard for information security management systems (ISMS). The current edition (ISO/IEC 27001:2022) defines 93 controls in Annex A, grouped into four themes: organisational, people, physical and technological. They cover everything from access control and cryptography to supplier relationships and incident management. (The 2013 edition, still referenced by many existing certifications, had 114 controls across 14 domains.)
How TrustCyber Covers This Framework
TrustCyber surfaces control gaps against the ISO 27001 Annex A themes so your team can prioritise remediation before a formal audit. Each finding in your report is tagged to the relevant Annex A control, giving your auditors a clear evidence trail and your team a structured remediation roadmap.
What We Assess
- Annex A.5 — Organisational controls (policies, roles, responsibilities)
- Annex A.6 — People controls (screening, training, disciplinary process)
- Annex A.7 — Physical controls (physical security, clear desk)
- Annex A.8 — Technological controls (access, cryptography, logging, monitoring)
Best for: Organisations pursuing ISO 27001 certification, or those maintaining an existing ISMS.
Trust Services Criteria
SOC 2 — Trust Services Criteria
SOC 2 is an attestation reporting framework developed by the AICPA that evaluates service organisations against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria, CC1–CC9) is mandatory; the other four are included as the organisation chooses. A SOC 2 Type II report, which tests that controls operated effectively over a review period rather than merely being designed at a point in time, is increasingly required by enterprise customers and investors.
How TrustCyber Covers This Framework
TrustCyber identifies evidence gaps across the Security, Availability, and Confidentiality criteria — the three most commonly required by enterprise buyers. Your report highlights which Microsoft 365 controls are missing or misconfigured, giving your team a clear list of items to remediate before engaging an auditor.
What We Assess
- CC6 — Logical and physical access controls
- CC7 — System operations and anomaly detection
- CC8 — Change management processes
- CC9 — Risk mitigation and vendor management
- A1 — Availability and capacity management
- C1 — Confidentiality: identifying, retaining and disposing of confidential information
Best for: SaaS companies, cloud service providers, and any organisation handling customer data that needs to demonstrate security to enterprise buyers.
Health Data Privacy
Health Insurance Portability and Accountability Act
HIPAA requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Non-compliance carries civil and criminal penalties and significant reputational risk.
How TrustCyber Covers This Framework
TrustCyber assesses the technical safeguard requirements of the HIPAA Security Rule within your Microsoft 365 environment — including access controls, audit controls, integrity controls, and transmission security. Your report identifies gaps and provides remediation guidance aligned to each safeguard category.
What We Assess
- Administrative safeguards — security officer, workforce training, access management
- Physical safeguards — workstation use, device controls
- Technical safeguards — access control, audit logs, integrity controls, person or entity authentication, and transmission security, including encryption in transit and at rest (addressable specifications under the Security Rule, so where encryption is not implemented a documented, equivalent alternative must be in place)
- Breach notification readiness — detection and response capabilities
Best for: Healthcare providers, health plans, healthcare clearinghouses, and their business associates.
California Privacy Rights
California Consumer Privacy Act
The California Consumer Privacy Act (CCPA), as amended by the CPRA, grants California residents broad rights over their personal information and imposes significant data governance obligations on businesses that collect, process, or sell that data.
How TrustCyber Covers This Framework
TrustCyber identifies data governance and access control weaknesses in your Microsoft 365 environment that create CCPA exposure — including overly broad data access, insufficient audit logging, and gaps in data retention and deletion controls. Your report maps findings to the specific CCPA obligations they affect.
What We Assess
- Data access controls — who can access personal information and under what conditions
- Audit logging — evidence of data access and processing activities
- Data retention — policies and technical controls for deletion and minimisation
- Third-party data sharing — vendor access controls and contractual safeguards
Best for: Businesses subject to CCPA/CPRA, particularly those handling significant volumes of California resident data.
Government Cloud Security
GovRAMP — Government Cloud Security
GovRAMP (formerly StateRAMP) provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud service providers serving state and local government clients. It is modelled on FedRAMP and is increasingly required for government contracts.
How TrustCyber Covers This Framework
TrustCyber maps your Microsoft 365 security posture against the GovRAMP control baseline, identifying gaps that could prevent or delay government contract awards. Your report provides the evidence and remediation roadmap needed to progress toward GovRAMP authorisation.
What We Assess
- Access control and identity management
- Configuration management and change control
- Incident response and contingency planning
- System and communications protection
- Audit and accountability controls
Best for: Cloud service providers, SaaS vendors, and technology companies pursuing state and local government contracts.
Financial Data Protection
FTC Safeguards Rule — Financial Data Protection
The updated FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act with most provisions effective 9 June 2023, requires non-bank financial institutions — including mortgage brokers, auto dealers, tax preparers, and accountants — to implement a comprehensive written information security programme with specific technical controls.
How TrustCyber Covers This Framework
TrustCyber assesses your Microsoft 365 environment against the nine required elements of the updated Safeguards Rule, including access controls, encryption, multi-factor authentication, and incident response. Your report identifies gaps and provides a prioritised remediation plan to achieve and maintain compliance.
What We Assess
- Access controls — least privilege, and MFA for any individual accessing any information system holding customer information (not only remote access), unless the Qualified Individual has approved in writing an equivalent or stronger control
- Encryption — customer information in transit over external networks and at rest
- Secure development — secure development practices for in-house applications, change management and testing
- Monitoring and testing — either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months
- Incident response — written plan with defined roles, procedures and post-incident review
Best for: Non-bank financial institutions subject to FTC jurisdiction, including mortgage companies, auto dealers, tax preparers, and financial advisors.
Ready to see your gaps?
See your framework gaps in 7 minutes
Run a free assessment and get a prioritised report showing exactly where your Microsoft 365 environment falls short across every framework above — with a clear remediation roadmap.
Start Free Assessment