Multiple frameworks without multiplying the work

Vanta has the specialized compliance frameworks required to support the evolving needs of companies scaling their security and privacy programs.

As the sophistication of your security and privacy programs grows, the number of tools needed to manage them doesn't have to. Vanta provides one centralized location to track progress and monitor any framework, from custom-built to in-demand and highly-specialized top security and privacy frameworks and certifications.

Vanta supports each framework with the guided scoping, policies, controls, automated evidence collection, and continuous monitoring needed to get ready for audit or prove attestation in minimal time.

Vanta supports the following security and privacy frameworks:

Security Frameworks


AICPA standardized framework to prove a company’s security posture to prospective customers.

ISO 27001:2022

Global benchmark to demonstrate an elective Information Security Management System (ISMS). For businesses selling to customers outside of the US.

ISO 27017

ISO 27017 provides guidelines for information security controls applicable to the provision and use of cloud services.


Industry-mandated requirements to secure Credit Card data. SAQ D, SP and ROC prep support.


NIST CSF 2.0 provides voluntary guidance, guidelines, and practices, for organizations of all kinds to better manage and reduce cybersecurity risk, with a focus on governance and supply chain risks.

NIST 800-171

NIST 800-171 provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI) for those working with the US government.

NIST 800-53

NIST 800-53 is a catalog of security and privacy controls for all U.S. federal information systems except those related to national security.


FedRAMP requires cloud service providers and cloud-based products to comply with this security framework in order to serve US Federal Agencies.

AWS Foundational Technical Review (FTR)

AWS FTR is a mandatory requirement for access to several AWS Partner benefits including, the AWS Competency Program and the AWS ISV Accelerate Program.

Minimum Viable Secure Product (MVSP)

MVSP is a minimalistic security checklist for B2B software and business process outsourcing suppliers.


The Open Finance Data Security Standard (OFDSS) is a cloud-first security framework that enhances data security for FinTech companies.


NIST AI Risk Management Framework is a structured guideline developed by NIST aimed at mitigating risks associated with the design, development, use, and evaluation of AI products, services, and systems.

ISO 42001

An Artificial Intelligence Management System (AIMS) that helps organizations responsibly develop and use AI, emphasizing ethical considerations, transparency, and the necessity of continuous learning.


HITRUST e1 helps organizations establish the necessary precautions when it comes to handling cybersecurity, including protected health information (PHI).

Privacy Frameworks


European Union (EU) regulation to protect personal data and privacy of its citizens.

GDPR with EU-US Data Privacy

For entities operating under the jurisdiction of the US Federal Trade Commission or Department of Trade.


United States (US) regulation to secure Protected Health Information (PHI).


California regulation that gives residents new data privacy rights.

ISO 27701

ISO 27701 is an extension of ISO 27001 that specifies the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).

ISO 27018

ISO 27018 establishes controls to protect Personally Identifiable Information (PII) in public cloud computing environments.

Microsoft SSPA

Microsoft SSPA is a mandatory compliance program for Microsoft suppliers working with Personal Data and/or Microsoft Confidential Data.

US Data Privacy (USDP)

Based on the Fair Information Practice Principles, our US Data Privacy framework centralizes and allows you to attest to privacy regulations in CA, CO, CT, UT, and VA and any new state privacy regulations as they’re introduced.

Other Compliance Frameworks, including Custom Frameworks

Custom Frameworks

Create and monitor custom frameworks and controls. Use Vanta's templates to import your existing requirements or build new ones to meet your organization's maturing needs.


SOX ITGC is a set of IT controls required to be compliant with the Sarbanes-Oxley Act.

Cyber Essentials

Commonly used and accepted requirements from the UK's NCSC for hardening IT environments against attacks. Specifically designed to impose technical cost on attackers as opposed to being a broad information security and compliance governance framework.

Essential Eight

Commonly used and accepted requirements from the ACSC in Australia for hardening IT environments against attacks. Specifically designed to impose technical cost on attackers as opposed to being a broad information security and compliance governance framework.

ISO 9001

ISO 9001 is a globally recognized standard for quality management and helps organizations of all sizes and sectors improve their performance, meet customer expectations, and demonstrate their commitment to quality.


Learn about Vanta and trust management

Product updates

IDC Analyst Report: Vanta Announces Additions to Trust Center

IDC analysts discuss the addition of Questionnaire Automation and Vanta AI to Trust Center and why Trust Centers are increasingly important for organizations.

Company news

VantaCon UK highlights: See the future of trust in an AI world

From product announcements to panel discussions, watch highlights and recordings from VantaCon UK.

Product updates

Announcing Vanta’s industry-first partnership to automate HITRUST e1

Vanta has partnered with HITRUST to be the first automated compliance solution of the HITRUST e1 Assessment, helping you demonstrate your commitment to information protection.

Get compliant and
build trust, fast.

Two wind turbines on a white background.
Get compliant and build trust,
Get started