COMPLIANCE FRAMEWORKS AND STANDARDS
What do you need help complying with?
SOC 2
Examines a service organization's security and operational controls, and provides attestation reporting on the design / operational effectiveness.
System and Organization Controls (SOC 2) is an industry-agnostic, widely accepted IT framework that service providers are often required to have by clients that do business in the United States.
If you are a service provider, we recommend having a completed SOC 2 to demonstrate your security, confidentiality, availability, processing integrity and / or privacy practices to your clients. This is the baseline framework we recommend starting with in most cases.
ISO 27001
An internationally recognized framework providing assurance over an organization's information security management system (ISMS).
ISO 27001 is a globally recognized international standard published by the International Organization for Standardization (ISO). It is a framework organizations use to develop and manage their information security management system (ISMS).
Getting ISO 27001 certified involves assessing and monitoring the security risks, threats, vulnerabilities, and impacts that affect your ISMS. For assurance, and to demonstrate to your customers or partners that your company follows leading practices for information security, we recommend you comply with ISO 27001.
ISO 27701
ISO/IEC 27701 provides guidelines for managing privacy information and implementing a privacy information management system (PIMS) within organizations.
ISO 27701 is a privacy extension to the ISO 27001 standard. It provides guidelines for implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). The standard aims to help organizations protect the privacy of personal information they process, and to demonstrate general compliance with privacy regulations and laws.
When it comes to data protection, controllers, joint controllers, and processors have specific obligations to ensure privacy compliance.
GDPR
A regulation to protect European personal data.
The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It came into effect on 25, 2018, and aims to give individuals control over their personal data and to simplify the regulatory environment for international. The GDPR applies to all companies processing the personal data of individuals residing in the EU, regardless of the company's location.
SARBANES-OXLEY 404
A U.S. law requiring publicly traded companies to provide assurance over the accuracy of their financial statements.
Section 404 of the Sarbanes-Oxley Act (SOX) requires the management of public companies and their external auditor to report on the adequacy of the company's internal controls over financial reporting (ICOFR).
If you are a publicly traded company or are getting ready to go public with an IPO, you need SOX compliance.
HIPAA
A U.S. law protecting patient healthcare information.
HIPAA, the Health Insurance Portability and Accountability Act, is a law that sets standards for protecting sensitive patient health information. It applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as to business associates who perform functions like billing or claims processing on behalf of these entities. Both covered entities and business associates are required to implement safeguards to protect patient privacy and security, and to provide patients with specific rights regarding their health information.
NIST 800-171
A U.S. mandate protecting unclassified government information held by a non-government entity in the private sector.
The National Institute of Standards and Technology (NIST) Special Publication 800-171 applies to the protection of Controlled Unclassified Information (CUI) shared by the federal government with a nonfederal entity. When a federal entity shares information with a private company, it needs assurance that the information is protected.
If you conduct business directly or indirectly as a supplier to a federal entity (defense, government, or as a subcontractor selling to a government supplier), then you need to comply with NIST 800-171.
PCI
A standard protecting credit card information.
The Payment Card Industry Security Standards Council (PCI SSC) created a comprehensive set of security standards for protecting cardholder data. The standards are updated on an ongoing basis. The number and type of transactions processed determine the requirements for adhering to the PCI Data Security Standard (DSS).
If you are a merchant, service provider or payment application vendor that stores, processes or transmits credit card data, you are required by your credit card issuer to be PCI compliant.
ISO 42001
ISO/IEC 42001 provides guidelines for managing AI technologies responsibly, ethically, and securely.
ISO/IEC 42001 is an international standard that offers comprehensive guidelines for managing and governing AI technologies within organizations. As the first global standard focused on responsible AI implementation, it is designed to help companies developing AI systems ensure their technology is used in a responsible, ethical, and secure manner.