Every Framework We Navigate With You.
Compliance frameworks overview
One unified compliance program across US Federal, US State, EU/UK, and Latin American regimes — plus the industry standards your enterprise clients require and the controls cyber insurance carriers expect. Every framework below links to the engagement that handles it.
GDPR & UK GDPR
The most prescriptive privacy regime in the world — and the one your EU customers and partners will require you to comply with regardless of where you are headquartered.
GDPR — EU General Data Protection Regulation
Articles 5, 25, 30, 33, and 35 compliance — lawful basis mapping, data minimization, privacy by design, RoPA, breach notification readiness, DPIA. Cross-border data transfer compliance (SCCs, adequacy, TIAs). UK GDPR & Data Protection Act 2018 alignment.
See GDPR engagement →
Federal & Sector Regulations
Federal and sector-specific obligations that apply to healthcare, financial services, federal contractors, and any organization choosing a recognized cybersecurity framework as their baseline.
HIPAA — Health Insurance Portability & Accountability Act
Security Rule technical & administrative safeguards, Privacy Rule, Breach Notification Rule. BAA review, risk analysis (45 CFR 164.308), PHI inventory, encryption posture, sanction policy, workforce training.
See HIPAA engagement →
GLBA — Gramm-Leach-Bliley Act
Safeguards Rule compliance for financial services. Information security program, written policies, risk assessment, FTC GLBA amendments (encryption, MFA, access controls, vendor oversight, change management).
See GLBA engagement →
NIST CSF 2.0
Cybersecurity Framework alignment — Govern, Identify, Protect, Detect, Respond, Recover functions. Current-state profile, target profile, gap analysis, implementation roadmap, executive reporting.
See NIST CSF engagement →
NIST AI RMF
AI Risk Management Framework — Govern, Map, Measure, Manage functions. AI inventory, risk classification, model documentation, bias & fairness assessment, third-party AI vendor governance.
See NIST AI RMF engagement →
CIS Controls v8
Implementation Group 1, 2, and 3 controls. Practical, prioritized controls baseline — particularly effective for SMB and mid-market organizations needing a defensible security program without a full NIST or ISO build-out.
See CIS Controls engagement →
State Privacy & Consumer Protection Laws
Twenty-plus state privacy regimes and counting — most operationalizable under a single program if scoped correctly from the start.
CCPA / CPRA — California
Consumer rights operationalization (DSAR, right to delete, opt-out of sale/share), notice at collection, sensitive personal information handling, automated decision-making disclosures, contractual flow-down to service providers and contractors.
See CCPA engagement →
State Privacy Laws — VA, CO, CT, UT, TX, OR + emerging
Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA — plus tracking emerging state regimes (Florida FDBR, Tennessee TIPA, Indiana ICDPA, and others). Multi-state operational alignment under one program.
See state privacy engagement →
LATAM Data Protection Regimes
Sitoo Advisory operates across the LATAM data protection landscape, with particular depth in Brazilian and Mexican regimes — the two largest LATAM markets and the most operationalized regulatory frameworks in the region.
LGPD — Brazil
Lei Geral de Proteção de Dados. Lawful basis mapping (Article 7), data subject rights, DPO (encarregado) appointment, ANPD breach notification, international transfers, RIPD (relatório de impacto à proteção de dados).
See LGPD engagement →
LFPDPPP — Mexico
Ley Federal de Protección de Datos Personales en Posesión de los Particulares. Aviso de privacidad, ARCO rights (Acceso, Rectificación, Cancelación, Oposición), consent management, INAI breach notification, third-party data sharing.
See LFPDPPP engagement →
Audit-Ready Compliance Programs
The voluntary standards your enterprise clients will require you to demonstrate — and the attestations your cyber insurance carrier will demand at renewal.
SOC 2 Type I & II
AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy. Framework scoping, controls implementation, evidence library, auditor coordination, observation period management.
See SOC 2 engagement →
ISO 27001 / 27002
Information Security Management System certification. ISMS scope definition, Annex A controls implementation, risk treatment plan, internal audit, management review, certification body selection.
See ISO 27001 engagement →
PCI DSS v4.0
Payment Card Industry Data Security Standard. SAQ scoping, segmentation validation, controls baseline (12 requirements), evidence collection, QSA coordination for Level 1 organizations.
See PCI DSS engagement →
Cyber Insurance — Carrier Attestation
Carrier-required controls (MFA, EDR, immutable backups, IR plan, employee training, vendor risk management). Application readiness, control attestation, gap remediation, renewal preparation.
See cyber insurance engagement →
Which Framework Applies to You?
Many organizations face overlapping obligations — GDPR plus SOC 2 plus state privacy plus cyber insurance attestation. We map the overlap, scope the work, and run one unified program. We confirm fit before any work begins.