Vigil

Compliance frameworks

One programme. Every major security framework covered.

Vigil runs phishing simulation, awareness training and human-risk scoring once. The same evidence then maps to whichever framework your assessor, auditor or insurer references: Essential Eight, ISO 27001, SOC 2, APRA, ASIC, NIS2, DORA, DPDP, SEBI CSCRF, HIPAA, PCI DSS and more.

Frameworks Vigil covers

Essential Eight

Australia · All Australian organisations

ASD's eight strategies, with phishing simulation and training mapped to ML1, ML2 and ML3.

See Essential Eight coverage →

APRA CPS 234

Australia · APRA-regulated entities

Information-security capability evidence for paragraphs 21, 22, 25-26, 28 and 35, aligned with CPS 230 and FAR.

See APRA CPS 234 coverage →

ISO 27001

Global · Certified or pursuing ISMS

Annex A.6.3 awareness, education and training evidence for Stage 1 and Stage 2 audits.

See ISO 27001 coverage →

SOC 2

USA / Global · Service organisations

Common Criteria CC1.4, CC2.2, CC6.6 and CC7.2 awareness evidence for Type I and Type II.

See SOC 2 coverage →

ASIC Cyber Resilience

Coming soon

Australia · AFSL holders, dealer groups

REP 716 and REP 776 alignment, FIIG-standard evidence, and PI-insurer-ready reports.

Request early access →

NIS2

Coming soon

European Union · Essential and important entities

Article 21 awareness training and incident reporting evidence for EU operators.

Request early access →

DORA

Coming soon

European Union · Financial entities

ICT risk management awareness training and continuous monitoring evidence.

Request early access →

DPDP Act

Coming soon

India · Data fiduciaries

Section 8 reasonable safeguards awareness training for Indian data fiduciaries.

Request early access →

SEBI CSCRF

Coming soon

India · SEBI-regulated entities

Cyber Security and Cyber Resilience Framework awareness and simulation evidence.

Request early access →

HIPAA

Coming soon

USA · Covered entities and business associates

164.308(a)(5) Security Awareness and Training evidence for HHS audits.

Request early access →

PCI DSS

Coming soon

Global · Cardholder-data handlers

Requirement 12.6 security awareness programme evidence for PCI 4.0.

Request early access →

Common questions

How does one platform cover this many frameworks?

Most frameworks share the same human-layer expectations: ongoing awareness training, role-based content, phishing simulation, and evidence that the programme is operating. Vigil runs the underlying programme once and maps the evidence to each framework's specific control IDs. One programme, multiple compliance outputs.

Can I prioritise one framework over another?

Yes. Pin a primary framework in the dashboard and Vigil weights content, simulation cadence and evidence emphasis to match. For dual-track work (e.g. SOC 2 plus ISO 27001) you can pin two without losing detail.

Do I need separate evidence packs for each framework or one combined?

Both options. Generate one combined evidence pack with cross-references, or generate framework-specific packs for audits where the assessor wants a single-framework view.

Which framework should an Australian SMB start with?

Essential Eight at Maturity Level 1 for most SMBs. APRA-regulated entities go with CPS 234. AFSL holders go with the ASIC cyber resilience track. ISO 27001 and SOC 2 are typically driven by customer or vendor-due-diligence requirements.

Are coming-soon frameworks on a public roadmap?

Yes. NIS2 and DORA are Q3 2026 priorities. DPDP, SEBI CSCRF, HIPAA and PCI DSS follow in Q4. Contact us if you need a specific framework on a particular timeline.

One programme. Every framework. Day-one evidence.

30-day free trial. No credit card. Pick your primary framework and Vigil generates the programme.