While Governance, Risk, and Compliance (GRC) teams own the compliance program itself, IAM practitioners still need to understand the compliance frameworks and regulations that impose identity and access requirements.
Compliance
NIST 800-53: Security and Privacy Controls for Information Systems and Organizations (Any company that does business with the U.S. federal government)
NIST 800-63: Digital Identity Guidelines (Any company that does business with the U.S. federal government)
NIST CSF 2.0: Cybersecurity Framework (Any company that does business with the U.S. federal government)
ISO/IEC 27001: Information Security Management (Not legally required, but suggested for organizations)
ISO/IEC 27002: Information Security Controls (Not legally required, but suggested for organizations)
SOC 2: System and Organization Controls (Not legally required, but suggested for service organizations that store, process, or transmit customer data)
GDPR: General Data Protection Regulation (Any company that processes personal data of individuals in the E.U. and E.E.A.)
CCPA: California Consumer Privacy Act (Any company that processes personal data of residents in California)
PCI DSS: Payment Card Industry Data Security Standard (All entities that store, process, and/or transmit cardholder data)
HIPAA: Health Insurance Portability and Accountability Act (Healthcare institutions and individuals in healthcare)
GLBA: Gramm-Leach-Bliley Act (Any company that offers financial products or services like loans, financial or investment advice, or insurance to consumers)
SOX: Sarbanes-Oxley Act (All publicly traded companies)
FERPA: Family Educational Rights and Privacy Act (Any educational institution that receives Dept. of Education funding)