Scapien supports compliance by proving that exploitable risks are identified, prioritized, remediated, and verified.
CISOs gain defensible evidence. Security teams gain clarity. IT teams and third parties receive executable remediation with clear ownership.
Compliance reporting is derived from exploit-validated risk and verified closure — not checklists.
Global
We've listed some examples of globally accepted compliance standards below. The list is comprehensive, but not exhaustive.
ISO/IEC 27001 - Information Security Management System
ISO/IEC 27002 - Code of Practice for Information Security Controls
ISO/IEC 27005 - Information Security Risk Management
ISO/IEC 27017 - Cloud Computing Security and Privacy Controls
ISO/IEC 27018 - Protection of Personal Data in Public Clouds
ISO/IEC 27032 - Cybersecurity Guidelines
ISO/IEC 27034 - Application Security
ISO/IEC 27035 - Information Security Incident Management
ISO/IEC 27701 - Privacy Information Management System
NIST Cybersecurity Framework
NIST SP 800-53 - Security and Privacy Controls for Federal Information Systems
NIST SP 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems
SOC 2 - Service Organization Control 2
CSA STAR - Cloud Security Alliance Security, Trust, Assurance, and Ris
COBIT - Control Objectives for Information and Related Technologies
ITIL - Information Technology Infrastructure Library
IEC 62443 - Industrial Automation and Control System (IACS) Security
Americas
CPRA
The GDPR and CCPA were the first major cybersecurity compliance regulations to impact markets in the EU and the US. Most subsequent legislation are based on either GDPR, CCPA or both. Non-compliance with these regulations can result in significant fines and legal penalties, damaging the organization's financial standing and credibility.
The CPRA creates a new enforcement agency, the California Privacy Protection Agency, to oversee and enforce privacy regulations. The CPRA increases the fines and penalties for non-compliance with privacy regulations. The CPRA went into effect on January 1, 2023, and applies to companies that do business with California residents and meet certain size or revenue thresholds. Other US states have adopted similar regulations, with a national data privacy bill possible in the near-mid term future.
We've listed some examples of Americas cybersecurity and data privacy legislation below. The list is comprehensive, but not exhaustive.
United States
California Consumer Privacy Act (CCPA),
Amended by the California Privacy Rights Act (CPRA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Payment Card Industry Data Security Standard (PCI DSS)
Children's Online Privacy Protection Act (COPPA)
Cybersecurity Maturity Model Certification (CMMC)
New York Department of Financial Services (NYDFS)
Cybersecurity Regulation (23 NYCRR 500)
Other North & South American Countries
Brazil: General Data Protection Law (GDPL)
Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Mexico: Federal Law on the Protection of Personal Data Held by Private Parties
Europe
GDPR
The GDPR and CCPA were the first major cybersecurity compliance regulations to impact markets in the EU and the US. Most subsequent legislation are based on either GDPR, CCPA or both. Non-compliance with these regulations can result in significant fines and legal penalties, damaging the organization's financial standing and credibility.
The GDPR (General Data Protection Regulation) is a set of data protection regulations that apply to all companies processing the personal data of individuals in the European Union (EU). It aims to strengthen individuals' rights and unify data protection laws across the EU. Norway, the UK and other European countries outside of the EU have also adopted the GDPR.
The GDPR requires companies to obtain consent from individuals before collecting and using their personal data and mandates that companies take measures to protect this data. Non-compliance with the GDPR can result in significant fines and reputational damage. The GDPR went into effect on May 25, 2018, and applies to companies of all sizes and industries.
We've listed some examples of European cybersecurity and data privacy legislation below. The list is comprehensive, but not exhaustive.
European Union Regulations
General Data Protection Regulation (GDPR)
Digital Services Act (DSA)
Digital Markets Act (DMA)
Network and Information Systems (NIS)
Non-EU State Regulations
Norway: Law on the Processing of Personal Data
UK: Data Protection Act (DPA)
Iceland: Law on the Processing of Personal Data
Switzerland: Federal Act on Data Protection
Ukraine: Personal Data Protection
APAC
Asia represents a growing market for all businesses. There is currently no Asian supranational regulatory equivalent to GDPR, instead individual countries sign their own acts into law.
We've listed some examples of Asian cybersecurity and data privacy legislation below. The list is comprehensive, but not exhaustive.
APAC
Australia: Privacy Act
India: Personal Data Protection Bill
Indonesia: Personal Data Protection Bill (PDPB)
Japan: Act on the Protection of Personal Information (APPI)
Pakistan: Prevention of Electronic Crimes Act (PECA)
Phillipines: Data Privacy Act (DPA)
Malaysia: Personal Data Protection Act (PDPA)
New Zealand: Privacy Act 2020
Singapore: Personal Data Protection Act (PDPA)
South Korea: Personal Information Protection Act (PIPA)
Thailand: Personal Data Protection Act (PDPA)
Taiwan: Personal Data Protection Act (PDPA)
MEA
The Africa and Middle East regions are home to rapidly expanding markets with diverse regulatory frameworks. Unlike regions with centralized frameworks like GDPR, compliance requirements vary significantly by country.
Below, we've listed examples of cybersecurity and data privacy legislation across Africa and the Middle East. This list is comprehensive but not exhaustive.
Africa
South Africa: Protection of Personal Information Act (POPIA)
Kenya: Data Protection Act
Nigeria: Nigeria Data Protection Regulation (NDPR)
Egypt: Data Protection Law
Morocco: Law No. 09-08 on Personal Data Protection
Ghana: Data Protection Act
Tanzania: Cybercrimes Act
Middle East
United Arab Emirates (UAE): Federal Personal Data Protection Law
Saudi Arabia: Personal Data Protection Law (PDPL)
Qatar: Protection of Personal Data Law
Bahrain: Personal Data Protection Law
Oman: Electronic Transactions Law
Kuwait: Electronic Media Law
