Compliance Frameworks

Compliance Frameworks, Compared in Plain English

ISO 27001, SOC 2, CMMC, NIST CSF, GDPR, PCI-DSS — what each cybersecurity compliance framework requires, who actually asks for it, and what it costs a small business.

Which compliance framework do you need?

You rarely choose a framework in a vacuum — something triggers it. Find your trigger:

A big customer sent a security questionnaire or asked for "proof of compliance"

SOC 2 if they're a U.S. enterprise, ISO 27001 if they're internationalSOC 2 guideISO 27001 guide

You have (or want) DoD or federal defense contracts

CMMC — Level 1 if you only handle ordinary contract info (FCI), Level 2 if you handle CUICMMC guide

You handle patient or health data

HIPAA — it's U.S. law, not optionalHIPAA guide

You accept card payments

PCI-DSS — required by the card networks via your payment processorPCI-DSS guide

You have customers or users in the EU

GDPR — a legal obligation for handling EU personal dataGDPR guide

Nobody is asking yet — you just want a sane security structure

NIST CSF or CIS Controls — voluntary frameworks that insurers and partners recognizeNIST CSF guideCIS Controls guide

Compliance frameworks at a glance

Costs and timelines are typical small-business ranges — audited frameworks cost real money; self-assessed ones mostly cost documentation discipline.

FrameworkWho requires itProof requiredTypical costTimeline
ISO 27001International enterprise customersCertification audit by an accredited body$25k–$75k+ first year (if certifying)6–18 months
SOC 2U.S. enterprise customersCPA attestation report (Type I / Type II)$20k–$60k+ first year3–12 months
CMMC Level 1DoD contracts handling FCIAnnual self-assessment + SPRS affirmationMostly internal timeWeeks
CMMC Level 2DoD contracts handling CUIThird-party (C3PAO) assessment~$100k+ first year6–18 months
NIST CSFVoluntary; insurers and partnersSelf-assessmentInternal timeOngoing
PCI-DSSCard networks (via your processor)SAQ or QSA audit, based on volumeVaries by transaction volumeOngoing annual
GDPREU law (personal data of EU residents)Regulatory obligation — no certificateVariesOngoing
HIPAAU.S. law (protected health information)Regulatory obligation — no official certVariesOngoing

Framework guides

🔒

SOC 2 Compliance

A plain-English SOC 2 guide for startups and small businesses—what it is, who needs it, what auditors expect, and how to get ready without chaos.

SOC 2Trust Services CriteriaType I
Learn More
🌐

ISO 27001 Compliance for Small Business: The Plain-English Guide (2026)

What ISO 27001 compliance really involves, whether you need certification or alignment, and how a small business gets audit-ready for $49/mo — not a $10k platform or a five-figure consultant.

ISO 27001ISMSRisk Assessment
Learn More
🏛️

NIST Cybersecurity Framework (CSF)

A plain-English guide to the NIST Cybersecurity Framework for startups and growing companies—what it is, how it's structured, and how to use it as a foundation for security maturity.

NIST CSFCybersecurity FrameworkRisk Management
Learn More
🛡️

CMMC Compliance

A plain-English guide to the Cybersecurity Maturity Model Certification (CMMC) for defense contractors—what it is, the three levels, and how to prepare for assessment.

CMMCDoDDefense Industrial Base
Learn More
💳

PCI DSS Compliance

Understanding PCI DSS requirements for businesses that handle payment card data. Learn about the 12 requirements and compliance levels.

PCI DSSPayment SecurityCredit Cards
Learn More
🇪🇺

GDPR Compliance

A practical guide to GDPR compliance for businesses handling EU personal data. Understand data subject rights, legal bases, and key requirements.

GDPRPrivacyData Protection
Learn More
📋

CCPA and CPRA: California Privacy Compliance

Navigate California's Consumer Privacy Act and Privacy Rights Act. Understand consumer rights, business obligations, and required policies for handling California residents' data.

CCPACPRACalifornia Privacy
Learn More
📋

CIS Controls: A Practical Security Framework

The CIS Controls provide a prioritized set of security actions to defend against cyberattacks. Learn how Implementation Groups help small businesses start with the essentials.

CIS ControlsCybersecurity FrameworkSecurity Controls
Learn More
📋

Cyber Essentials: UK Certification for SMBs

Cyber Essentials is a UK government-backed certification for baseline cybersecurity. Understand the five controls, certification levels, and why companies serving UK clients should consider it.

Cyber EssentialsUK CybersecuritySMB Security
Learn More
🇺🇸

FedRAMP Compliance for Cloud Service Providers

A plain-English guide to the Federal Risk and Authorization Management Program for cloud providers selling to US government agencies. Understand authorization levels, the process, and policy requirements.

FedRAMPGovernment CloudCloud Security
Learn More
🏥

HIPAA Compliance for Small Healthcare Businesses

A practical guide to HIPAA security requirements for small healthcare providers, clinics, and health tech startups. Understand the Security Rule, required policies, and how to pass audits.

HIPAAHealthcare SecurityPHI
Learn More

Compliance framework FAQs

What is a compliance framework?

A compliance framework is a structured set of security requirements — controls, policies, and evidence — that an organization follows to prove it protects data. Some are laws (HIPAA, GDPR), some are contractual (PCI-DSS, CMMC), and some are voluntary trust signals customers ask for (SOC 2, ISO 27001, NIST CSF).

Which cybersecurity compliance framework should a small business start with?

Start with whichever one someone is actually asking you for: SOC 2 for U.S. enterprise customers, ISO 27001 for international customers, CMMC for DoD contracts, HIPAA for health data, PCI-DSS for card payments. If nobody is asking yet, NIST CSF or CIS Controls give you a recognized structure without an audit.

What is the difference between a certification and a self-assessment?

A certification (ISO 27001) or attestation (SOC 2) means an independent auditor examined your program and issued a report — it costs more and takes months. A self-assessment (CMMC Level 1, NIST CSF) means you evaluate your own program against the requirements and affirm the result — far cheaper, but you still need documentation and evidence to back it up.

How much does compliance cost for a small business?

It ranges from mostly internal time (CMMC Level 1, NIST CSF self-assessments) to $20k–$75k+ first year for audited frameworks like SOC 2 or ISO 27001 certification — consultants and audit fees are the big line items. Doing the documentation, gap analysis, and policy work with software before engaging auditors is the main way small businesses cut that cost.

Can one set of security policies cover multiple compliance frameworks?

Yes — the frameworks overlap heavily. Access control, incident response, risk assessment, and vendor management appear in nearly all of them. A control library mapped across frameworks (CyberPolicify maps 70 universal controls to ISO 27001, SOC 2, NIST CSF, and CMMC) lets you write policies once and show each framework its own view.

Start with a framework-ready baseline

Generate policies and procedures mapped to the framework you choose—then close gaps with a clear plan.

No Credit Card RequiredSetup in 2 Minutes11 Frameworks Covered