Compliance Frameworks, Compared in Plain English
ISO 27001, SOC 2, CMMC, NIST CSF, GDPR, PCI-DSS — what each cybersecurity compliance framework requires, who actually asks for it, and what it costs a small business.
Which compliance framework do you need?
You rarely choose a framework in a vacuum — something triggers it. Find your trigger:
“A big customer sent a security questionnaire or asked for "proof of compliance"”
→ SOC 2 if they're a U.S. enterprise, ISO 27001 if they're internationalSOC 2 guideISO 27001 guide
“You have (or want) DoD or federal defense contracts”
→ CMMC — Level 1 if you only handle ordinary contract info (FCI), Level 2 if you handle CUICMMC guide
“You handle patient or health data”
→ HIPAA — it's U.S. law, not optionalHIPAA guide
“You accept card payments”
→ PCI-DSS — required by the card networks via your payment processorPCI-DSS guide
“You have customers or users in the EU”
→ GDPR — a legal obligation for handling EU personal dataGDPR guide
“Nobody is asking yet — you just want a sane security structure”
→ NIST CSF or CIS Controls — voluntary frameworks that insurers and partners recognizeNIST CSF guideCIS Controls guide
Compliance frameworks at a glance
Costs and timelines are typical small-business ranges — audited frameworks cost real money; self-assessed ones mostly cost documentation discipline.
| Framework | Who requires it | Proof required | Typical cost | Timeline |
|---|---|---|---|---|
| ISO 27001 | International enterprise customers | Certification audit by an accredited body | $25k–$75k+ first year (if certifying) | 6–18 months |
| SOC 2 | U.S. enterprise customers | CPA attestation report (Type I / Type II) | $20k–$60k+ first year | 3–12 months |
| CMMC Level 1 | DoD contracts handling FCI | Annual self-assessment + SPRS affirmation | Mostly internal time | Weeks |
| CMMC Level 2 | DoD contracts handling CUI | Third-party (C3PAO) assessment | ~$100k+ first year | 6–18 months |
| NIST CSF | Voluntary; insurers and partners | Self-assessment | Internal time | Ongoing |
| PCI-DSS | Card networks (via your processor) | SAQ or QSA audit, based on volume | Varies by transaction volume | Ongoing annual |
| GDPR | EU law (personal data of EU residents) | Regulatory obligation — no certificate | Varies | Ongoing |
| HIPAA | U.S. law (protected health information) | Regulatory obligation — no official cert | Varies | Ongoing |
Framework guides
SOC 2 Compliance
A plain-English SOC 2 guide for startups and small businesses—what it is, who needs it, what auditors expect, and how to get ready without chaos.
ISO 27001 Compliance for Small Business: The Plain-English Guide (2026)
What ISO 27001 compliance really involves, whether you need certification or alignment, and how a small business gets audit-ready for $49/mo — not a $10k platform or a five-figure consultant.
NIST Cybersecurity Framework (CSF)
A plain-English guide to the NIST Cybersecurity Framework for startups and growing companies—what it is, how it's structured, and how to use it as a foundation for security maturity.
CMMC Compliance
A plain-English guide to the Cybersecurity Maturity Model Certification (CMMC) for defense contractors—what it is, the three levels, and how to prepare for assessment.
PCI DSS Compliance
Understanding PCI DSS requirements for businesses that handle payment card data. Learn about the 12 requirements and compliance levels.
GDPR Compliance
A practical guide to GDPR compliance for businesses handling EU personal data. Understand data subject rights, legal bases, and key requirements.
CCPA and CPRA: California Privacy Compliance
Navigate California's Consumer Privacy Act and Privacy Rights Act. Understand consumer rights, business obligations, and required policies for handling California residents' data.
CIS Controls: A Practical Security Framework
The CIS Controls provide a prioritized set of security actions to defend against cyberattacks. Learn how Implementation Groups help small businesses start with the essentials.
Cyber Essentials: UK Certification for SMBs
Cyber Essentials is a UK government-backed certification for baseline cybersecurity. Understand the five controls, certification levels, and why companies serving UK clients should consider it.
FedRAMP Compliance for Cloud Service Providers
A plain-English guide to the Federal Risk and Authorization Management Program for cloud providers selling to US government agencies. Understand authorization levels, the process, and policy requirements.
HIPAA Compliance for Small Healthcare Businesses
A practical guide to HIPAA security requirements for small healthcare providers, clinics, and health tech startups. Understand the Security Rule, required policies, and how to pass audits.
Compliance framework FAQs
What is a compliance framework?
A compliance framework is a structured set of security requirements — controls, policies, and evidence — that an organization follows to prove it protects data. Some are laws (HIPAA, GDPR), some are contractual (PCI-DSS, CMMC), and some are voluntary trust signals customers ask for (SOC 2, ISO 27001, NIST CSF).
Which cybersecurity compliance framework should a small business start with?
Start with whichever one someone is actually asking you for: SOC 2 for U.S. enterprise customers, ISO 27001 for international customers, CMMC for DoD contracts, HIPAA for health data, PCI-DSS for card payments. If nobody is asking yet, NIST CSF or CIS Controls give you a recognized structure without an audit.
What is the difference between a certification and a self-assessment?
A certification (ISO 27001) or attestation (SOC 2) means an independent auditor examined your program and issued a report — it costs more and takes months. A self-assessment (CMMC Level 1, NIST CSF) means you evaluate your own program against the requirements and affirm the result — far cheaper, but you still need documentation and evidence to back it up.
How much does compliance cost for a small business?
It ranges from mostly internal time (CMMC Level 1, NIST CSF self-assessments) to $20k–$75k+ first year for audited frameworks like SOC 2 or ISO 27001 certification — consultants and audit fees are the big line items. Doing the documentation, gap analysis, and policy work with software before engaging auditors is the main way small businesses cut that cost.
Can one set of security policies cover multiple compliance frameworks?
Yes — the frameworks overlap heavily. Access control, incident response, risk assessment, and vendor management appear in nearly all of them. A control library mapped across frameworks (CyberPolicify maps 70 universal controls to ISO 27001, SOC 2, NIST CSF, and CMMC) lets you write policies once and show each framework its own view.
Start with a framework-ready baseline
Generate policies and procedures mapped to the framework you choose—then close gaps with a clear plan.