Security Compliance: SOC 2, ISO 27001, GDPR, and PCI DSS
Security compliance is often viewed as a checkbox exercise, but mature organizations treat it as a framework for operational excellence. The global compliance software market reached $52 billion in 2025, driven by increasingly stringent regulations and customer demand for security assurance. This guide covers the major compliance frameworks — SOC 2, ISO 27001, GDPR, PCI DSS, and HIPAA — including their requirements, certification processes, and automation strategies.
SOC 2
SOC 2 (Service Organization Control 2), developed by the American Institute of CPAs (AICPA), is the most widely adopted security framework for SaaS companies. It evaluates controls against five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 2 Type I vs Type II
SOC 2 Type I reports on control design at a point in time — are the controls properly designed? Type II reports on operating effectiveness over a period (typically 6-12 months) — are the controls operating as designed? Most customers require Type II reports. The average SOC 2 Type II readiness timeline is 6-9 months for organizations starting from scratch.
Common Criteria
The “Security” criterion is mandatory and covers: logical and physical access controls, system monitoring, change management, risk mitigation, and incident response. The CC1 (Control Environment) criteria align with COSO internal control principles. Common evidence requirements include: access review evidence, penetration test reports, vulnerability scan results, incident logs, and backup restoration test results.
SOC 2 Automation
Manual evidence collection is the primary cost driver in SOC 2 compliance. Automation platforms — Vanta, Drata, Secureframe, Thoropass — integrate with cloud providers (AWS, Azure, GCP), HR systems (Workday, Rippling), and code repositories (GitHub, GitLab) to continuously collect evidence. These platforms reduce annual compliance costs by 40-60% according to the 2025 Compliance Automation Benchmark.
ISO 27001
ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). Unlike SOC 2, which is a point-in-time attestation, ISO 27001 is a certifiable standard with external audits by accredited certification bodies (BSI, DNV, SGS).
ISMS Requirements
Clause 4-10 of ISO 27001:2022 define the ISMS requirements: context of the organization (Clause 4), leadership (5), planning (6), support (7), operation (8), performance evaluation (9), and improvement (10). Annex A lists 93 controls across 4 themes: organizational (37 controls), people (8), physical (14), and technological (34). Controls are not all mandatory — the Statement of Applicability (SoA) justifies which controls are in scope and why.
Risk Assessment Methodology
ISO 27001 requires a documented risk assessment process. The methodology must define: risk criteria, asset identification, threat identification, vulnerability identification, impact analysis, likelihood assessment, risk level determination, and risk treatment decisions (accept, mitigate, transfer, avoid). Many organizations use ISO 27005 or NIST SP 800-30 as methodology references.
Certification Process
The certification process involves: Stage 1 audit (documentation review), Stage 2 audit (implementation effectiveness), annual surveillance audits, and recertification every 3 years. The initial certification timeline is typically 6-12 months. After ISO 27001:2022 transition (deadline October 2025), all certified organizations must have migrated from the 2013 standard.
GDPR
The General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — governs personal data processing for EU residents, with extraterritorial reach applying to any organization offering goods/services to EU data subjects or monitoring their behavior.
Key Principles
GDPR establishes seven data protection principles: lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. The accountability principle requires organizations to demonstrate compliance through documentation (Records of Processing Activities — RoPA), Data Protection Impact Assessments (DPIA), and Data Processing Agreements (DPA) with processors.
Data Subject Rights
Individuals have rights under GDPR: right to access (Article 15), rectification (16), erasure/right to be forgotten (17), restriction of processing (18), data portability (20), and objection to processing (21). Compliance requires technical capabilities to identify and export/delete personal data across all systems within the mandated response times (30 days, extendable to 60 days for complex requests).
Breach Notification
Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. Article 34 requires communication to affected data subjects if the breach poses high risk to their rights and freedoms. The 2025 EDPB guidelines clarify that “becoming aware” occurs when the organization has reasonable certainty the breach occurred, not after full investigation.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS v4.0, effective March 2024) applies to any entity that stores, processes, or transmits cardholder data.
Requirements Overview
PCI DSS v4.0 defines 12 requirements across 6 goals: build and maintain a secure network (firewalls, secure configurations), protect cardholder data (encryption at rest and in transit), maintain a vulnerability management program (antivirus, secure coding, patch management), implement strong access control measures (need-to-know, unique IDs, physical security), regularly monitor and test networks (logging, penetration testing), and maintain an information security policy.
SAQ and QSA
Self-Assessment Questionnaires (SAQ) are for lower-volume merchants. Level 1 merchants (over 6 million transactions annually) require a Report on Compliance (ROC) by a Qualified Security Assessor (QSA). The 2025 PCI Security Standards Council update extended the deadline for v4.0 custom implementation requirements to March 2026.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) protects electronic Protected Health Information (ePHI).
Administrative, Physical, and Technical Safeguards
HIPAA Security Rule requires: administrative safeguards (risk analysis, security management process, workforce training), physical safeguards (facility access controls, workstation security, device and media controls), and technical safeguards (access control, audit controls, integrity controls, person/entity authentication, and transmission security). The 2025 OCR enforcement update increased maximum civil monetary penalties to $1.9 million per violation category per calendar year.
Compliance Automation and Continuous Monitoring
Traditional compliance — point-in-time audits with manual evidence collection — is giving way to continuous compliance monitoring. CSPM tools (Wiz, Prisma Cloud) map cloud configurations to compliance frameworks in real-time. Infrastructure as Code (Terraform, Pulumi) with policy-as-code (Checkov, Sentinel) enforces compliance requirements at deployment. Automated evidence collection feeds audit platforms, reducing manual burden by 70%+. Compliance automation also enables continuous audit readiness — instead of scrambling before annual audits, organizations maintain a constant state of compliance evidence availability. The 2025 Gartner Compliance Automation Market Guide projects that 45% of enterprises will adopt continuous compliance monitoring by 2027.
FedRAMP and Government Compliance
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach for cloud service providers serving US government agencies.
FedRAMP Impact Levels
FedRAMP defines three impact levels aligned with FIPS 199: Low (limited adverse effect), Moderate (serious adverse effect), and High (severe/catastrophic adverse effect). FedRAMP Moderate is the most common baseline, requiring 325+ controls from NIST SP 800-53 Rev. 5. The authorization process requires: a Third-Party Assessment Organization (3PAO) to conduct an independent assessment; a complete System Security Plan (SSP); continuous monitoring with monthly vulnerability scans and annual assessments; and a Joint Authorization Board (JAB) or Agency Authorization. The average FedRAMP Moderate timeline is 12-18 months with costs ranging from $1-5 million.
StateRAMP
StateRAMP adapts FedRAMP for state and local government procurement. StateRAMP requires FedRAMP-equivalent security controls but offers a faster authorization path for CSPs already FedRAMP-authorized. As of 2025, 28 states had adopted StateRAMP, with several making it mandatory for state government cloud procurement.
SOX Compliance for Public Companies
The Sarbanes-Oxley Act (SOX) Section 404 requires management and external auditor assessment of internal controls over financial reporting (ICFR). ITGC (IT General Controls) controls relevant to SOX include: access management (user provisioning, deprovisioning, access reviews), change management (code promotion, change approval, emergency changes), computer operations (job scheduling, backup, monitoring), and program development (SDLC methodology, testing, segregation of duties). SOX does not mandate specific controls — auditors evaluate the design and operating effectiveness of controls the organization has designed.
FAQ
Which compliance framework should I start with? SOC 2 is the most common starting point for SaaS companies. If you operate globally, layer GDPR requirements. ISO 27001 is appropriate if you need a certifiable standard for international credibility.
Can I be SOC 2 compliant without automation? Yes, but the manual effort is substantial — expect 200-400 hours per year for evidence collection. Automation platforms reduce this to 40-80 hours.
What is the difference between SOC 2 and ISO 27001? SOC 2 is a point-in-time attestation by a CPA firm about control effectiveness. ISO 27001 is a certifiable management system standard with ongoing surveillance audits and mandatory risk assessment.
How long does ISO 27001 certification take? 6-12 months for most organizations. The process includes: gap analysis (4-6 weeks), risk assessment (4-8 weeks), control implementation (8-12 weeks), internal audit (2-4 weeks), and Stage 1/2 audits (4-8 weeks).
What are the penalties for GDPR non-compliance? Up to the greater of €20 million or 4% of annual global turnover. Fines have increased steadily — the 2025 total GDPR fines exceeded €5 billion across EEA member states.
For foundational security knowledge, start with our Security Guide. Learn about Incident Response for breach notification requirements. Understand IAM Guide for access control compliance.