Don't see the framework your buyer wants? We likely do it
Beyond our six flagship frameworks, we deliver the ones below in the same managed model. Controls overlap heavily — the second framework always costs less than the first.
Kaamel's control framework maps each standard's requirements onto one shared control set: organize the evidence once and several frameworks benefit at the same time. If yours isn't listed, just ask.
Automation built on Vanta and Drata · Trusted by nearly 100 companies going global
Also in scope
PCI DSS
Table stakes for card data. SAQ self-assessment or a full ROC audit, scoped to your transaction volume.
SOC 1
The attestation for financial-reporting controls, often required when serving public companies or their supply chains.
SOC 3
The public summary of SOC 2 — postable on your website, no NDA required.
ISO 42001
The international AI management system standard; the next certificate for AI companies, closely aligned with the EU AI Act.
ISO 27017 / 27018
Cloud security and cloud privacy extensions built on 27001 — a differentiator for cloud providers.
ISO 22301
Business continuity management, appearing in enterprise due diligence more and more often.
NIST CSF / 800-171
The reference baseline for US enterprise and government supply chains, and a frequent questionnaire anchor.
CMMC
The entry requirement for the US defense supply chain.
FedRAMP / StateRAMP
The authorization path for selling cloud services to US government — long cycles, plan early.
TISAX
Automotive information security assessment; the pass into European OEM supply chains.
CSA STAR
The Cloud Security Alliance trust registry, based on the CCM matrix and synergistic with ISO 27001.
HITRUST
The comprehensive certification for US healthcare, plannable alongside HIPAA and SOC 2.
Why adding a framework costs less than you think
Controls are built once
Access control, logging, change management — the core controls overlap heavily across frameworks. We organize the overlap once; each new framework adds only its increment.
Evidence reuses automatically
Vanta and Drata map evidence across frameworks natively, so one piece of evidence satisfies several standards at once.
We sequence it for you
Order follows your pipeline: whichever certificate a customer is waiting on comes first, and later frameworks ride on what's already built.



