SOC 2 (Service Organization Control 2)
Best for: SaaS companies, cloud service providers, technology companies
Overview: SOC 2 is the most common compliance framework for technology companies. Developed by the AICPA (American Institute of CPAs), it evaluates how a service organization protects customer data against five Trust Service Criteria; only the Security criteria (the Common Criteria) are required in every report.
Trust Service Criteria:
Security (mandatory): Protection against unauthorized access
Availability (optional): System uptime and accessibility
Processing Integrity (optional): Accurate, timely, authorized processing
Confidentiality (optional): Protection of confidential information
Privacy (optional): Personal information handling per commitments
Typical Timeline: 3-6 months for first audit.
Audit Type: Type I (design of controls at a point in time) or Type II (design and operating effectiveness over a review period, typically 3-12 months). A SOC 2 engagement produces an auditor's attestation report, not a certification.
Common Requirements: ~60-80 controls depending on criteria selected
Why choose SOC 2: Required by most enterprise customers evaluating SaaS vendors. The de facto standard for demonstrating security practices in B2B technology.
ISO 27001
Best for: Organizations seeking international recognition, companies with global customers
Overview: ISO 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information and is recognized globally.
Key Components:
Information Security Management System (ISMS)
Risk assessment and treatment
Annex A control set: 93 controls across 4 themes (organizational, people, physical, technological) in ISO/IEC 27001:2022; the 2013 edition listed 114 controls across 14 categories. Which controls apply is recorded in the Statement of Applicability.
Continuous improvement methodology
Typical Timeline: 6-12 months for certification.
Audit Type: Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance audits and recertification every three years
Common Requirements: ~40-80 applicable controls after scoping
Why choose ISO 27001: International credibility, increasingly required for European and global contracts, comprehensive security program foundation.
Overlap with SOC 2: ~70% control overlap, making dual certification efficient
ISO 27017
Best for: Cloud service providers wanting to demonstrate cloud-specific security
Overview: ISO/IEC 27017 is a code of practice that extends ISO 27001/27002 with cloud-specific implementation guidance. It addresses security for both cloud service providers and cloud customers.
Additional Controls: Cloud-specific implementation guidance for 37 existing ISO 27002 controls, plus 7 new controls that apply only to cloud computing (for example, shared roles and responsibilities, removal and return of customer assets, and segregation in virtual environments)
Prerequisite: ISO 27001 certification (ISO 27017 is not certifiable on its own; it is assessed as an extension of the ISO 27001 audit)
Typical Timeline: 2-3 months additional after ISO 27001
Why choose ISO 27017: Demonstrates cloud-specific security expertise, required by some enterprise cloud customers.
ISO 27018
Best for: Organizations processing personal data in cloud environments
Overview: ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds, written for providers acting as PII processors on behalf of their customers.
Focus Areas:
Consent and choice for personal data
Purpose limitation and retention
Transparency of data processing
Communication to data subjects
Prerequisite: ISO 27001 certification (assessed as an extension of the ISO 27001 audit)
Typical Timeline: 1-2 months additional after ISO 27001
Why choose ISO 27018: Demonstrates commitment to privacy in cloud services, complements GDPR compliance.
Privacy & Data Protection Frameworks
GDPR (General Data Protection Regulation)
Best for: Any organization handling EU residents' personal data
Overview: EU regulation governing personal data protection and privacy. It applies to organizations established in the EU and to organizations anywhere that offer goods or services to, or monitor the behavior of, people in the EU, with fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher.
Key Requirements:
Lawful basis for data processing
Data subject rights (access, deletion, portability)
Privacy by design and default
Personal data breach notification to the supervisory authority within 72 hours of becoming aware of the breach (and to affected individuals when the breach is likely to result in high risk to them)
Data Protection Impact Assessments (DPIAs)
Typical Timeline: 4-8 months for compliance program
Audit Type: No certification or auditor's report; organizations must be able to demonstrate compliance (the accountability principle) through records of processing, DPIAs, and policies, and are subject to investigation by supervisory authorities
Common Requirements: ~50-60 controls plus documentation
Why choose GDPR: Legal requirement if serving EU customers, increasingly expected globally, demonstrates privacy commitment.
CCPA/CPRA (California Consumer Privacy Act, as amended by the California Privacy Rights Act)
Best for: For-profit businesses that handle California residents' personal information and meet the law's revenue or data-volume thresholds
Overview: California's comprehensive privacy law grants consumers rights over their personal information.
Key Rights:
Right to know what data is collected
Right to delete personal information
Right to opt out of the sale or sharing of personal information
Right to non-discrimination
Typical Timeline: 2-4 months for compliance
Audit Type: No certification; enforced by the California Privacy Protection Agency and the Attorney General
Common Requirements: ~30-40 controls focused on consumer rights
Why choose CCPA: Legal requirement for qualifying businesses; for everyone else, a good privacy foundation that maps closely to GDPR data subject rights.
HIPAA (Health Insurance Portability and Accountability Act)
Best for: Healthcare providers, health insurance companies, healthcare technology companies
Overview: US federal law protecting protected health information (PHI). Mandatory for covered entities (providers, health plans, clearinghouses) and for the business associates that create, receive, maintain, or transmit PHI on their behalf.
Key Components:
Privacy Rule: PHI handling requirements
Security Rule: Administrative, physical, and technical safeguards for electronic PHI
Breach Notification Rule: Incident reporting requirements
Typical Timeline: 6-9 months for compliance
Audit Type: No formal certification; self-assessment (including the required risk analysis) with potential HHS Office for Civil Rights investigations and audits
Common Requirements: ~50-70 controls across privacy and security
Why choose HIPAA: Legal requirement for the healthcare industry, customers may require attestation, and it demonstrates healthcare data security.
Financial & Payment Security
PCI DSS (Payment Card Industry Data Security Standard)
Best for: Organizations storing, processing, or transmitting credit card data
Overview: Security standard for protecting cardholder data. Required by credit card brands (Visa, Mastercard, etc.) for merchants and service providers.
Compliance Levels (merchant levels are set by each card brand; the figures below follow Visa and Mastercard, and service providers have their own levels):
Level 1: 6M+ transactions annually (requires an annual on-site assessment and Report on Compliance)
Level 2: 1-6M transactions (annual Self-Assessment Questionnaire)
Level 3-4: <1M transactions (annual Self-Assessment Questionnaire)
All levels require quarterly external vulnerability scans by an Approved Scanning Vendor where in scope.
Typical Timeline: 4-8 months, depending on level.
Audit Type: Self-Assessment Questionnaire (SAQ) or a Report on Compliance by a Qualified Security Assessor (QSA).
Common Requirements: 12 requirements, ~200+ sub-requirements
Why choose PCI DSS: Mandatory for card processing, reduces breach liability, required by payment processors.
Government & Sector-Specific Frameworks
FedRAMP (Federal Risk and Authorization Management Program)
Best for: Cloud service providers selling to the US federal government
Overview: Standardized approach to security assessment and authorization for cloud services used by US government agencies.
Impact Levels (based on FIPS 199 categorization of the data the service handles):
Low: Data whose loss would have limited adverse effect, such as publicly releasable information
Moderate: Most federal data, including controlled unclassified information
High: Sensitive unclassified data, such as law enforcement, emergency services, financial, and health systems, where loss could be severe or catastrophic (classified national security systems are outside FedRAMP's scope)
Typical Timeline: 12-24 months for authorization
Audit Type: Independent assessment by a FedRAMP-accredited Third Party Assessment Organization (3PAO)
Common Requirements: NIST SP 800-53 baselines of roughly 150 controls (Low), 325 (Moderate), and 400+ (High)
Why choose FedRAMP: Required for federal government contracts, enables public sector sales.
NIST CSF (Cybersecurity Framework)
Best for: Organizations seeking a comprehensive security framework, government contractors
Overview: Framework originally written for improving critical infrastructure cybersecurity. Widely adopted beyond that focus, and CSF 2.0 (2024) explicitly targets organizations of any size and sector.
Six Functions (CSF 2.0 added Govern to the original five):
Govern: Strategy, roles, policy, and oversight of cybersecurity risk
Identify: Asset and risk identification
Protect: Safeguards implementation
Detect: Security event detection
Respond: Incident response
Recover: Recovery planning
Typical Timeline: 6-12 months for implementation
Audit Type: Self-assessment, potential third-party validation
Common Requirements: ~100 outcomes (subcategories) across the functions; CSF describes outcomes rather than prescriptive controls, so it is usually implemented by mapping to a control set such as NIST SP 800-53 or ISO 27001
Why choose NIST CSF: Flexible risk-based approach, government contractor expectation, strong security foundation.
CMMC (Cybersecurity Maturity Model Certification)
Best for: Department of Defense contractors and suppliers
Overview: Unified cybersecurity standard for DoD contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), replacing multiple previous contractual requirements with a verified one.
Maturity Levels (CMMC 2.0):
Level 1: Foundational (basic safeguarding of FCI; 15 practices from FAR 52.204-21; annual self-assessment)
Level 2: Advanced (protection of CUI; the 110 practices of NIST SP 800-171; third-party assessment for most contracts, self-assessment for some)
Level 3: Expert (sensitive programs; Level 2 plus a subset of NIST SP 800-172; government-led assessment)
Typical Timeline: 6-18 months, depending on level
Audit Type: Self-assessment at Level 1, certified third-party assessor (C3PAO) at Level 2, and government (DIBCAC) assessment at Level 3
Common Requirements: 110 practices at Level 2
Why choose CMMC: Required for DoD contracts, mandatory for the defense industry supply chain.
Choosing Your Framework Path
Starting Point Recommendations
Early-Stage SaaS: Start with SOC 2 Type I
International Business: Begin with ISO 27001
Healthcare Tech: HIPAA first, then SOC 2
E-commerce with EU customers: GDPR + PCI DSS
Government Contractors: NIST CSF or CMMC, depending on agency
Multi-Framework Progression
Year 1: Core framework (SOC 2 or ISO 27001)
Year 2: Add geographic requirements (GDPR if EU customers)
Year 3: Add industry-specific as needed
Ongoing: Maintain all certifications, add new ones as business expands
Framework Comparison Matrix
Scope:
SOC 2: Narrow (trust criteria focus)
ISO 27001: Broad (comprehensive ISMS)
GDPR: Focused (privacy-specific)
Geography:
SOC 2: North America-centric
ISO 27001: Global recognition
GDPR: EU requirement, global influence
Timeline:
SOC 2 Type I: 3-4 months
ISO 27001: 6-12 months
HIPAA: 6-9 months
Overlap:
SOC 2 + ISO 27001: 70% overlap
SOC 2 + HIPAA: 50% overlap
ISO 27001 + GDPR: 60% overlap
Next Steps
To select your frameworks:
Identify customer requirements from contracts and RFPs
Review geographic and regulatory obligations
Consider industry standards and competitor certifications
Evaluate framework overlap for efficient multi-certification
Activate your priority framework in DSALTA to begin
The next section covers Controls—the specific security requirements within each framework.