At Thoropass, we’re on a mission to make security compliance and audit simple, scalable, and powerful for growing businesses. That means meeting our customers where they are—and helping them grow into what’s next.
This month, we’re excited to roll out eight new frameworks, all designed to expand your compliance coverage, unlock new markets, and reduce the complexity of staying audit-ready year-round.
Now available in Thoropass:
Each one is seamlessly supported in our unified platform, with deep alignment to our multi-framework control architecture. Let’s break them down.
What it is: The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program is a cloud-specific assurance framework built on ISO 27001 and enhanced with cloud control requirements from CSA’s Cloud Controls Matrix.
Why it matters: Cloud-native businesses need to show customers and partners that they meet rigorous cloud security expectations. STAR delivers that assurance—and with Thoropass, you can align ISO 27001 and STAR in a single workflow.
Who it’s for: Cloud service providers (CSPs) and SaaS companies pursuing transparency, trust, and competitive advantage in cloud security.
What it is: The EU’s Digital Operational Resilience Act (DORA) mandates that financial entities maintain resilient information and communication technology (ICT) systems to prevent and respond to cyber threats.
Why it matters: If you’re a financial firm operating in the EU, DORA compliance is no longer optional. Thoropass helps you implement technical, operational, and third-party risk controls aligned with DORA—without the heavy lift.
Who it’s for: Banks, fintechs, insurance companies, and any ICT providers supporting EU financial services.
What it is: The Family Educational Rights and Privacy Act (FERPA) governs access to student education records in the U.S., ensuring privacy rights are protected.
Why it matters: Edtech platforms and institutions handling student data must comply with FERPA to operate in the education sector. Thoropass provides FERPA-aligned workflows, evidence tracking, and automated monitoring.
Who it’s for: Education providers, student information systems, and edtech companies working with U.S. educational institutions.
What it is: The Web Content Accessibility Guidelines (WCAG) 2 define how to make digital content accessible to users with disabilities.
Why it matters: Accessibility is a legal, ethical, and business imperative. With Thoropass, you can track WCAG compliance efforts, document accessible design controls, and demonstrate alignment across web properties.
Who it’s for: SaaS and web-facing organizations committed to inclusive design—and compliance with regulations like ADA, Section 508, and EAA.
What it is: C5 (Cloud Computing Compliance Criteria Catalogue) is Germany’s federal framework for cloud security, developed by BSI.
Why it matters: C5 is increasingly adopted by European enterprises and government buyers. With Thoropass, cloud providers can meet C5 requirements while leveraging overlap with frameworks like ISO 27001 and SOC 2.
Who it’s for: Cloud service providers operating in or targeting the German market or public sector.
What it is: An extension to ISO 27001, ISO 27017 provides additional cloud-specific security controls for both cloud service customers and providers.
Why it matters: ISO 27017 bridges the gap between traditional information security and modern cloud operations. With Thoropass, you can operationalize ISO 27017 alongside your ISO 27001 program—without starting over.
Who it’s for: SaaS companies, cloud infrastructure teams, and any organization building security controls in a multi-tenant environment.
What it is: NIST Special Publication 800-53 provides a catalog of security and privacy controls for U.S. federal systems and beyond.
Why it matters: 800-53 is the gold standard for federal IT systems—and increasingly adopted by enterprises building robust security programs. Thoropass helps you scope, implement, and maintain 800-53 with automation and expert oversight.
Who it’s for: Government contractors, federal agencies, and large enterprises aligning with FedRAMP, FISMA, or high-assurance cybersecurity frameworks.
What it is: NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal information systems. It’s the foundation for CMMC Level 2 and required for contractors working with sensitive federal data.
Why it matters: Organizations handling CUI must comply with NIST 800-171 to qualify for many federal contracts. With Thoropass, you can map, implement, and monitor all 110 required controls—using automation, templates, and expert support to simplify what can otherwise be a heavy lift.
Who it’s for: Federal contractors and subcontractors that store, process, or transmit CUI—and need to demonstrate compliance with DFARS and CMMC Level 2 standards.
As organizations scale, so do their compliance obligations. With these eight new frameworks, Thoropass is expanding the possibilities for international certification, public sector growth, and new market entry. Thoropass helps you move forward with confidence.
All eight frameworks are available now—fully integrated into the Thoropass platform. To learn more, get in touch with Thoropass today.