Module 6

Security Frameworks & Compliance

NIST, ISO 27001, SOC 2, HIPAA, GDPR — the alphabet soup of security frameworks. Here's what each one is, who needs it, and why auditors exist.

The $2M deal that froze for six months

DataPulse, a 30-person analytics startup, just closed the biggest deal in company history: a $2M annual contract with a Fortune 500 healthcare company. Champagne. High-fives. The CEO starts planning the hiring spree.

Then the customer's procurement team sends an email: "Before we can finalize, please share your SOC 2 Type II report, HIPAA compliance documentation, and data processing addendum."

DataPulse has none of these. They didn't even know what SOC 2 was.

The deal pauses. Six months pass while DataPulse scrambles to get SOC 2 certified — at a cost of $150K in auditor fees, tooling, and lost engineering time. Two engineers spend four months rewriting infrastructure to meet the controls. The customer nearly walks.

Compliance is not a "nice to have." It is a sales blocker, a legal requirement, and — increasingly — a competitive advantage. The companies that treat it as an afterthought pay the most.

💡What you'll walk away with
By the end of this module you will be able to explain the six NIST CSF functions, distinguish SOC 2 Type I from Type II, match any company to the frameworks it needs, identify which regulations apply to health data, card data, and EU personal data, and outline the four phases of a first-time security audit. These are the frameworks that turn good security practices into provable, sellable trust.

$150K: average cost of a first SOC 2 certification

6 months: typical time to achieve SOC 2 Type II

83%: share of enterprise buyers who require security certifications before purchasing

Why frameworks exist

Without standards, every company invents its own definition of "secure." One company encrypts everything. Another stores passwords in plaintext and calls it "proprietary security." A third has a 200-page policy nobody reads.

Security frameworks solve this by providing standardized, battle-tested checklists created by people who learned the hard way, through breaches, lawsuits, and regulatory failures.

Everything you have learned so far (the CIA Triad from Module 1, threat recognition from Module 2, network defenses from Module 3, encryption from Module 4, access controls from Module 5) is a control. Frameworks organize those controls into an auditable system that demonstrates to customers, regulators, and auditors that you are doing security right.

Think of it this way: building codes exist because buildings used to fall down. Security frameworks exist because companies used to (and still do) lose millions of records of personal data. They're not bureaucracy for its own sake — they're the distilled wisdom of every security disaster that came before you.

There Are No Dumb Questions

"Do I need ALL of these frameworks?"

No. Which frameworks you need depends on your industry, your customers, and what data you handle. A SaaS startup selling to enterprises needs SOC 2. A healthcare app needs HIPAA. A company processing credit cards needs PCI-DSS. An EU-facing business needs GDPR. Most companies need two or three, not all of them.

"Can't I just say 'we take security seriously' on our website?"

You can — and nobody will believe you. Frameworks provide third-party verification. When a customer asks "are you secure?" they don't want your opinion. They want an auditor's report.

NIST Cybersecurity Framework — the gold standard

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is the most widely referenced security framework in the United States. It's free, voluntary, and applies to any organization of any size.

NIST organizes cybersecurity into six core functions:

GOVERN — Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy. Added in CSF 2.0 (February 2024), this function sits at the center — informing and being informed by all other functions.

IDENTIFY — Know what you have. Asset inventory, risk assessment, business environment. You can't protect what you don't know exists.

PROTECT — Put up defenses. Access control, encryption, training, data security. Build the walls.

DETECT — Spot when something goes wrong. Monitoring, anomaly detection, continuous surveillance. Alarms on the walls.

RESPOND — Act when a breach happens. Incident response plan, communication, mitigation. The fire drill you practiced.

RECOVER — Get back to normal. Backup restoration, lessons learned, improvements. Rebuild stronger.

Why it matters: NIST isn't a certification — nobody audits you against it. But it's the foundation that other frameworks build on. If you understand NIST's six functions, you understand the skeleton of every other framework.

🔑NIST is a map, not a destination
NIST tells you WHAT to do but not exactly HOW to do it. It's intentionally flexible so that a 10-person startup and a 10,000-person bank can both use it. Think of it as a curriculum outline — the specific lesson plans are up to you.

ISO 27001 — the international standard

ISO 27001 is an international standard for an Information Security Management System (ISMS). Unlike NIST, ISO 27001 is a certifiable standard — an accredited auditor evaluates your organization and issues a certificate.

Aspect | Details
What it is | A framework for managing information security risks systematically
Who needs it | Companies selling to European enterprises, global organizations, government contractors
How you get it | Hire an accredited certification body to audit your ISMS
How long it takes | 6-12 months for initial certification
How long it lasts | 3 years, with annual surveillance audits
Cost | $20K-$100K+ depending on organization size

ISO 27001 requires you to document everything: your risks, your controls, your policies, your incident response procedures. The auditor checks not just that you have policies, but that you actually follow them.

The key difference from NIST: ISO 27001 is prescriptive where NIST CSF is descriptive. NIST says "you should have access control." ISO 27001 says "here are the 93 Annex A controls (2022 edition); evaluate every one of them, and justify in your Statement of Applicability any you exclude."

SOC 2 — the SaaS standard

If you're a SaaS company selling to other businesses, SOC 2 is the framework you'll encounter first. It's not a law — it's an auditing standard created by the American Institute of CPAs (AICPA).

SOC 2 evaluates your organization against five Trust Services Criteria:

Criteria | What it covers | Required?
Security | Protection against unauthorized access | Yes (always)
Availability | System uptime and reliability | Optional
Processing Integrity | Accurate and complete data processing | Optional
Confidentiality | Protection of confidential information | Optional
Privacy | Collection, use, and disposal of personal information | Optional

Security is always required. The other four are optional — you choose which ones apply to your business.

SOC 2 Type I

  • Point-in-time snapshot
  • Are controls designed properly?
  • Evaluated on a single date
  • Faster to obtain (2-3 months)
  • Less trusted by enterprise buyers

SOC 2 Type II

  • Period-of-time evaluation
  • Are controls operating effectively?
  • Evaluated over 3-12 months
  • Takes longer (6-12 months)
  • The standard enterprise buyers expect

Type I says "on this specific date, your controls looked good." Type II says "over the last 6-12 months, your controls actually worked." Enterprise buyers almost always want Type II — because anyone can look good for a day.

Exercise: Framework Matcher

Match each scenario to the framework that company needs MOST urgently.

Categories: SOC 2 | HIPAA | ISO 27001 | PCI-DSS

  1. A SaaS startup just got asked for a security report by their first enterprise customer → ___
  2. A US hospital is building a patient portal → ___
  3. A European bank needs to prove its security program to regulators across 12 countries → ___
  4. A small e-commerce shop starts accepting credit card payments directly → ___

Hint: Think about what DATA each company handles and who is ASKING for proof. The hospital handles health records. The SaaS company has an enterprise customer. The bank is multi-country. The e-commerce shop handles card numbers.


HIPAA — healthcare data protection

The Health Insurance Portability and Accountability Act (HIPAA) protects PHI, Protected Health Information. It applies to covered entities (health plans, healthcare clearinghouses, and providers that transmit health information electronically) and to their business associates, the vendors that handle PHI on their behalf. If your company handles health data for a hospital, insurer, or clinic, HIPAA applies to you. A consumer app that collects health data with no covered-entity relationship is generally outside HIPAA, though state privacy laws may still reach it.

PHI includes: names, addresses, dates of birth, Social Security numbers, medical record numbers, health plan numbers, and any other information that could identify a patient and relates to their health condition, treatment, or payment.

Rule | What it requires
Privacy Rule | Limits who can access PHI and how it can be used or disclosed
Security Rule | Administrative, physical, and technical safeguards for electronic PHI (ePHI)
Breach Notification Rule | Notify affected individuals (and HHS) without unreasonable delay, and no later than 60 days after discovering a breach
⚠️HIPAA fines are severe
Civil penalties are tiered by culpability, from $100 to $50,000 per violation (base amounts that HHS adjusts annually for inflation), with an annual cap per violation category that started at $1.5M. In 2023, the HHS Office for Civil Rights settled a case with a health plan for $4.75M after a breach affecting 9.4 million individuals. If you handle PHI, compliance is not optional.

Business Associate Agreements (BAAs): If you're a vendor handling PHI on behalf of a healthcare provider, you must sign a BAA. This makes you legally responsible for protecting that data. Cloud providers like AWS, Google Cloud, and Azure all offer BAAs — but signing one doesn't make you compliant. It makes you liable.

PCI-DSS — payment card data

The Payment Card Industry Data Security Standard (PCI-DSS) applies to any company that stores, processes, or transmits cardholder data. It is maintained by the PCI Security Standards Council and enforced contractually by the card networks (Visa, Mastercard, Amex) through your acquiring bank, not by government.

PCI-DSS has 12 core requirements organized into 6 categories:

  1. Build and maintain a secure network — Firewalls, no default passwords
  2. Protect cardholder data — Encryption at rest and in transit
  3. Maintain a vulnerability management program — Antivirus, secure development
  4. Implement strong access control — Need-to-know basis, unique IDs
  5. Regularly monitor and test networks — Logging, penetration testing
  6. Maintain an information security policy — Documented, enforced, updated

There Are No Dumb Questions

"My company uses Stripe/PayPal — do I still need PCI-DSS?"

Using a payment processor like Stripe dramatically reduces your PCI scope because card numbers never touch your servers. But you're not off the hook entirely: you still need to fill out a Self-Assessment Questionnaire (SAQ) to confirm you're handling the integration securely. The easiest path is to use Stripe Elements or PayPal's hosted checkout so card data never enters your environment, which typically qualifies you for SAQ A, the shortest questionnaire.

"What happens if I'm not PCI compliant?"

The card networks can fine your acquiring bank $5,000-$100,000 per month — and the bank passes those fines to you. After a breach, you can also lose the ability to accept credit cards entirely. For a business, that's often a death sentence.

GDPR — EU data privacy

The General Data Protection Regulation (GDPR) is the EU's comprehensive data privacy law. It applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is based.

GDPR is built on seven principles:

Lawfulness, fairness, transparency — You need a legal basis to process data, and you must tell people what you're doing with it

Purpose limitation — Collect data only for specified, legitimate purposes

Data minimization — Collect only what you actually need

Accuracy — Keep data correct and up to date

Storage limitation — Don't keep data longer than necessary

Integrity and confidentiality — Protect data with appropriate security

Accountability — Document everything and be able to prove compliance

Key rights GDPR gives individuals:

Right | What it means | Example
Right to access | People can request a copy of all data you hold on them | "Send me everything you know about me"
Right to erasure | People can ask you to delete their data | "Delete my account and all my data"
Right to portability | People can request their data in a machine-readable format | "Export my data so I can move to a competitor"
Right to object | People can opt out of certain processing | "Stop using my data for marketing"

The fine structure: Up to 4% of global annual revenue or 20 million EUR — whichever is higher. Meta was fined 1.2 billion EUR in 2023 for transferring EU user data to the US without adequate protections.

Exercise: Data Protection Classifier

For each data type, identify which framework primarily governs its protection.

Categories: HIPAA | GDPR | PCI-DSS | Multiple

  1. A patient's blood test results stored in a US hospital system → ___
  2. A French customer's email address in your marketing database → ___
  3. A credit card number entered during online checkout → ___
  4. An employee's Social Security number in your HR system → ___

Hint: Think about what KIND of data it is. Health data has its own US law. EU personal data has its own EU regulation. Card data has an industry standard. Employee SSNs could fall under multiple frameworks depending on context.


How to choose: which frameworks apply to YOU?

Not every framework applies to every company. The decision comes down to what data you handle and who is asking for proof. Here is the practical answer for most companies:

Company type | Start here | Add later
SaaS startup (US customers) | SOC 2 Type II | NIST CSF as internal framework
SaaS startup (EU customers) | SOC 2 + GDPR | ISO 27001
Healthcare tech | HIPAA + SOC 2 | NIST CSF, HITRUST
E-commerce | PCI-DSS + GDPR (if EU) | SOC 2 if B2B
Enterprise software | SOC 2 + ISO 27001 | NIST CSF, GDPR, industry-specific
🔑Start with one, expand from there
Don't try to tackle three frameworks at once. Most controls overlap — SOC 2 and ISO 27001 share roughly 70% of their requirements. Get one certification solid, then map the gaps to the next framework. The second certification is always faster and cheaper than the first.

The audit process: what to expect

Whether you're pursuing SOC 2, ISO 27001, or any other certification, the process follows a similar pattern:

Phase 1: Readiness assessment (1-2 months)

An auditor (or consultant) reviews your current state against the framework's requirements and identifies gaps. This is where most companies discover they're missing basics: no formal access review process, no incident response plan, no employee security training.

Phase 2: Remediation (2-6 months)

Fix the gaps. This is where the real work happens:

  • Write policies (acceptable use, incident response, data classification)
  • Implement technical controls (encryption, logging, access management)
  • Train employees (security awareness, data handling)
  • Establish processes (access reviews, vendor assessments, change management)

Phase 3: Audit (1-2 months)

The auditor comes back and tests your controls. For SOC 2 Type II, they sample evidence over the observation period. For ISO 27001, they interview staff and review documentation.

Phase 4: Report and certification

You receive your report (SOC 2) or certificate (ISO 27001). Share it with customers. Update your website. Start the cycle again — because these are ongoing, not one-time.

Common gaps that trip up first-time audits:

Gap | Why it's a problem | Quick fix
No access reviews | Can't prove you enforce least privilege | Schedule quarterly access reviews
No incident response plan | Can't prove you know how to respond to a breach | Write and tabletop-test a plan
No employee training | Can't prove staff know security policies | Run annual security awareness training
No vendor risk assessment | Can't prove third-party tools are secure | Create a vendor security questionnaire
Shared credentials | Can't prove individual accountability | Enforce unique accounts + MFA
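The first and last rows of that table are the ones auditors most often ask to see evidence for, and both are easy to automate. The script below is an added example, not code from the original page: it runs a quarterly access review over a constructed identity export, flags stale accounts, accounts without MFA, and ownerless shared credentials, and produces the roll-up you would file as evidence. The record fields, the sample accounts, and the 90-day inactivity threshold are assumptions, not any identity provider's schema or any framework's mandated value.

```python
"""Access-review evidence generator (added example).

The account records below are constructed sample data standing in for an
export from an identity provider or cloud IAM. Field names and the 90-day
threshold are assumptions, not any vendor's schema or a framework requirement.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

STALE_AFTER_DAYS = 90                  # assumed policy: disable after 90 days idle
PRIVILEGED_ROLES = {"admin", "owner"}  # roles with broad or destructive access


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    owner: Optional[str]        # named human accountable for the account; None = nobody
    mfa_enabled: bool
    last_login: Optional[date]  # None = never logged in


def review(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; an auditor samples from this list."""
    findings = []
    for a in accounts:
        # Shared or generic credentials: no named owner means no individual accountability
        if a.owner is None:
            findings.append((a.username, "no accountable owner (shared/generic credential)"))
        # Every account should have MFA; a privileged account without it is the worst case
        if not a.mfa_enabled:
            if a.role in PRIVILEGED_ROLES:
                findings.append((a.username, "privileged account without MFA"))
            else:
                findings.append((a.username, "account without MFA"))
        # Stale accounts: never used, or idle past the policy window
        if a.last_login is None:
            findings.append((a.username, "never logged in"))
        else:
            idle = (today - a.last_login).days
            if idle > STALE_AFTER_DAYS:
                findings.append((a.username, f"inactive for {idle} days"))
    return findings


def evidence_summary(accounts: List[Account], today: date) -> Dict[str, object]:
    """Roll-up an auditor can file as evidence that the review ran and what it found."""
    findings = review(accounts, today)
    return {
        "review_date": today.isoformat(),
        "accounts_reviewed": len(accounts),
        "privileged_accounts": sum(a.role in PRIVILEGED_ROLES for a in accounts),
        "accounts_flagged": len({user for user, _ in findings}),
        "findings": findings,
    }


# Constructed sample export; these are not real accounts.
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", "alice", True, date(2024, 6, 28)),      # clean
    Account("bob", "engineer", "bob", False, date(2024, 6, 1)),       # no MFA
    Account("deploy-bot", "admin", None, False, date(2024, 6, 29)),   # shared, privileged, no MFA
    Account("carol", "engineer", "carol", True, date(2024, 1, 15)),   # idle 167 days
    Account("dave", "contractor", "dave", True, None),                # provisioned, never used
]

if __name__ == "__main__":
    summary = evidence_summary(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for key, value in summary.items():
        if key != "findings":
            print(f"{key}: {value}")
    for user, finding in summary["findings"]:
        print(f"  {user}: {finding}")
```

Run it on a real export each quarter, keep the dated output with the ticket that closed each finding, and the auditor gets both halves of what a Type II observation period needs: proof the review happened on schedule, and proof you acted on it. The "deploy-bot" case is why the shared-credentials row exists: a privileged account nobody owns and nobody has to authenticate to with MFA is exactly what a sampled auditor will pull.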

Exercise: Audit Readiness Check

You're the new security lead at a 50-person SaaS company. Your CEO just told you the company's biggest prospect requires a SOC 2 Type II report before signing a $500K contract. Write out your action plan: What are the first five things you would do, in order, to get the company from zero to SOC 2 Type II? For each step, include an estimated timeline.

Hint: You can't audit what doesn't exist, so what needs to be BUILT before an auditor can EVALUATE it? Think about the four phases above. Your first step should be understanding where you stand today.


Back to DataPulse

DataPulse's $2M deal froze for six months because they had never heard of SOC 2. The $150K in auditor fees, the four months of engineering rework, and the customer who nearly walked — all of it was avoidable. If DataPulse had started SOC 2 preparation twelve months earlier, the certification would have been ready before the Fortune 500 prospect ever sent that procurement email. Compliance is not a crisis to manage after the deal arrives; it is infrastructure to build before the deal arrives.

Key takeaways

  • Frameworks are checklists from people who learned the hard way. They exist to standardize what "secure" means so you don't have to reinvent it.
  • NIST is the foundation — six functions (Govern, Identify, Protect, Detect, Respond, Recover) that every other framework builds on.
  • SOC 2 is the SaaS standard — if you sell to businesses, enterprise buyers will ask for your Type II report.
  • HIPAA, PCI-DSS, and GDPR are non-negotiable — if you handle health data, card data, or EU personal data, the corresponding framework is a legal requirement (for PCI-DSS, a contractual one enforced by the card networks), not a suggestion.
  • Start with one framework, expand from there. Most controls overlap. The second certification is faster and cheaper than the first.
  • Compliance is a sales accelerator, not just a cost center. The companies that invest early close deals faster.

Next up: Frameworks tell you what controls to put in place. But what happens when those controls fail and the breach actually happens? In the next module, you will learn the six-phase incident response playbook — from that 3 AM phone call to the post-incident review that prevents it from happening again.


Knowledge Check

1.A SaaS company sells project management software to US enterprise customers. No healthcare data, no credit card processing (they use Stripe), no EU customers. Which framework should they prioritize FIRST?

2.What is the key difference between SOC 2 Type I and SOC 2 Type II?

3.Under GDPR, a French user asks your US-based company to delete all their personal data. Which GDPR right are they exercising, and does it apply to your company?

4.Which of the six NIST Cybersecurity Framework functions focuses on getting back to normal operations after a security incident?
