Stop drowning in compliance complexity

ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS), published by ISO/IEC. It provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement. The 2022 revision restructured Annex A into 4 themes with 93 controls, replacing the previous 14 domains and 114 controls.

SOC 2 is an audit framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating an organisation's controls relevant to security, availability, processing integrity, confidentiality, and privacy. It is the dominant compliance standard for SaaS companies and technology service providers in North America, with reports issued by licensed CPA firms.

The NIST Cybersecurity Framework (CSF) 2.0, published by the National Institute of Standards and Technology in February 2024, provides a taxonomy of high-level cybersecurity outcomes organised into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. CSF 2.0 expanded its scope beyond critical infrastructure to all organisations and added the Govern function to emphasise cybersecurity governance and supply chain risk management.

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that took effect on 25 May 2018. It grants individuals extensive rights over their personal data, imposes strict obligations on organisations that process personal data, and applies to any entity worldwide that offers goods or services to, or monitors the behaviour of, individuals in the EU. Maximum penalties reach 4% of global annual turnover or 20 million euros.

The HIPAA Security Rule establishes national standards for protecting electronic Protected Health Information (ePHI) in the United States. Published by the U.S. Department of Health and Human Services, it requires covered entities and business associates to implement administrative, physical, and technical safeguards. The rule applies to health plans, healthcare clearinghouses, healthcare providers that transmit health information electronically, and their business associates.

PCI DSS v4.0 is the global security standard for organisations that store, process, or transmit cardholder data, published by the PCI Security Standards Council. Version 4.0, released in March 2022 with full enforcement from 31 March 2025, introduced a customised approach to validation, expanded multi-factor authentication requirements, and added 64 new requirements. It contains 63 top-level controls across 12 requirement areas.