| ISO 27001-2013 | International or National Standard | 60 | 16 | 12 |
| ISO/IEC 27002:2013(E) | International or National Standard | 31 | 2 | 5 |
| PCI DSS Requirements and Security Assessment Procedures | Contractual Obligation | 22 | 0 | 0 |
| CobiT | Safe Harbor | 20 | 13 | 6 |
| NIST SP 800-53 R4 | International or National Standard | 20 | 4 | 4 |
| NIST Framework for Improving Critical Infrastructure Cybersecurity | International or National Standard | 17 | 9 | 7 |
| Sarbanes Oxley SOX | Regulation or Statute | 17 | 15 | 11 |
| AICPA Reporting on Controls at a Service Organization SOC-2 | Safe Harbor | 16 | 8 | 3 |
| NIST SP 800-53 R4 Moderate Impact | International or National Standard | 16 | 5 | 4 |
| NIST SP 800-53 | International or National Standard | 14 | 5 | 3 |
| PCI DSS 3.1 | Contractual Obligation | 14 | 2 | 2 |
| FFIEC Information Security | Best Practice Guideline | 13 | 5 | 3 |
| NIST SP 800-53 R4 Low Impact | International or National Standard | 13 | 4 | 2 |
| HIPAA | Bill or Act | 12 | 11 | 7 |
| NIST SP 800 66 | Safe Harbor | 11 | 9 | 6 |
| NIST SP 800-171 | International or National Standard | 11 | 2 | 1 |
| NIST SP 800-53 R4 High Impact | International or National Standard | 11 | 5 | 2 |
| Gramm Leach Bliley | Bill or Act | 10 | 7 | 4 |
| ISO 31000 R 2009 | International or National Standard | 10 | 7 | 3 |
| AICPA Trust Services | Audit Guideline | 9 | 4 | 2 |
| ISO 27002 | International or National Standard | 9 | 8 | 5 |
| ISO 27005 R 2011 | International or National Standard | 9 | 7 | 5 |
| PCI DSS 3.1 SAQ D Service Provider | Contractual Obligation | 9 | 1 | 2 |
| California OPP Notification of Security Breach | Safe Harbor | 8 | 7 | 4 |
| CIS 20 Critical Security Controls | Best Practice Guideline | 8 | 0 | 0 |
| COSO Internal Control - Integrated Framework | Self-Regulatory Body Requirement | 8 | 0 | 0 |
| Shared Assessments SIG - A. Risk Management | Audit Guideline | 8 | 6 | 3 |
| Shared Assessments SIG - P. Privacy | Audit Guideline | 8 | 6 | 3 |
| 45 CFR Part 164 | Regulation or Statute | 7 | 8 | 4 |
| FedRAMP Baseline Security Controls | Audit Guideline | 7 | 7 | 3 |
| FFIEC Management | Best Practice Guideline | 7 | 3 | 0 |
| HIPAA Electronic Health Record Technology | Regulation or Statute | 7 | 4 | 1 |
| HIPAA HCFA | Best Practice Guideline | 7 | 7 | 2 |
| IIA GTAG 1 | Best Practice Guideline | 7 | 4 | 2 |
| Massachusetts 201 CMR 17.00 Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts | Regulation or Statute | 7 | 7 | 4 |
| NIST SP 800-61 | International or National Standard | 7 | 4 | 1 |
| PCI DSS 3.0 Requirements | Self-Regulatory Body Requirement | 7 | 8 | 6 |
| PCI DSS Wireless Guideline | Safe Harbor | 7 | 6 | 4 |
| PCI SAQ A v3.1 | Contractual Obligation | 7 | 2 | 1 |
| Shared Assessments SIG - B. Security Policy | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - C. Organizational Security | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - D. Asset Management | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - E. Human Resource Security | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - F. Physical and Environmental | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - G. Communications and Operations Management | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - H. Access Control | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - I. Information Systems Acquisition Development Maintenance | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - J. Incident Event and Communications Management | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - K. Business Continuity and Disaster Recovery | Audit Guideline | 7 | 6 | 3 |
| Shared Assessments SIG - L. Compliance | Audit Guideline | 7 | 6 | 3 |
