Compliance Frameworks
Compliance is not security. You can be fully compliant and thoroughly breached. But security enables compliance, and compliance provides a structured baseline that prevents the most common failures. Frameworks like SOC 2, ISO 27001, and GDPR give organizations a checklist of controls they should implement — and for companies selling to enterprises, healthcare, or handling payment data, compliance is not optional. It is a prerequisite for doing business.
SOC 2
SOC 2 (System and Organization Controls 2) is the de facto compliance standard for SaaS companies selling to enterprise customers. If your B2B customer asks for a "SOC 2 report," they want assurance that your organization handles their data responsibly.
What SOC 2 Covers
SOC 2 is organized around five Trust Service Criteria:
Security (required): Protection against unauthorized access
Availability: System uptime and disaster recovery
Processing Integrity: Accurate, complete data processing
Confidentiality: Protection of confidential information
Privacy: Collection, use, and disposal of personal data
Security is the only mandatory criterion. Most companies start with Security and Availability, adding others based on customer requirements.
Type I vs. Type II
Type I evaluates whether your controls are properly designed at a specific point in time. It is a snapshot — "On March 15, 2024, these controls were in place."
Type II evaluates whether your controls operated effectively over a period (typically 6-12 months). It is a track record — "From March 2024 to March 2025, these controls were consistently followed."
Type I is faster and cheaper to obtain. Type II is what enterprise customers actually want because it demonstrates sustained commitment, not a one-time effort.
What SOC 2 Requires in Practice
# Common SOC 2 controls
- Access control: role-based access, MFA, access reviews
- Change management: code reviews, approval workflows
- Monitoring: logging, alerting, incident response
- Encryption: data at rest and in transit
- Vendor management: third-party risk assessments
- Employee security: background checks, training
- Business continuity: backups, disaster recovery
- Risk assessment: annual risk identification and treatment
SOC 2 does not prescribe specific technologies. It requires that you define policies, implement controls, and prove they work. You can use any tool or process as long as it meets the criteria.
ISO 27001
ISO 27001 is the international standard for information security management systems (ISMS). It is recognized globally and often required by European and Asian enterprise customers.
How ISO 27001 Works
ISO 27001 requires organizations to establish, implement, maintain, and continually improve an ISMS. The standard follows a risk-based approach: identify your risks, select controls to mitigate them, and verify the controls work.
# ISO 27001 structure
Clauses 4-10: Management system requirements
- Context, leadership, planning, support
- Operation, performance evaluation, improvement
Annex A: 93 security controls across 4 categories (2022 edition)
- Organizational controls (37 controls)
- People controls (8 controls)
- Physical controls (14 controls)
- Technological controls (34 controls)
Certification
ISO 27001 certification requires an external audit by an accredited certification body. The audit verifies that your ISMS meets the standard's requirements and that your selected controls are implemented and effective. Certification is valid for three years with annual surveillance audits.
The certification process typically takes 6-12 months for a mid-size organization, including gap analysis, control implementation, internal audit, and external audit.
GDPR
The General Data Protection Regulation is the European Union's data protection law, enforceable since May 2018. It applies to any organization that processes personal data of EU residents, regardless of where the organization is based.
Core Principles
Lawfulness: Process data only with a legal basis
Purpose limitation: Collect data only for specified purposes
Data minimization: Collect only what is necessary
Accuracy: Keep data accurate and up to date
Storage limitation: Do not keep data longer than needed
Integrity and confidentiality: Protect data from unauthorized access
Accountability: Demonstrate compliance proactively
Key Requirements
Consent. When consent is the legal basis for processing, it must be freely given, specific, informed, and unambiguous. Pre-checked boxes do not count. Users must be able to withdraw consent as easily as they gave it.
Data subject rights. Individuals have the right to access their data, correct inaccuracies, request deletion ("right to be forgotten"), and receive their data in a portable format.
Breach notification. Report personal data breaches to the supervisory authority within 72 hours. Notify affected individuals "without undue delay" if the breach is likely to result in high risk.
Data Protection Officer (DPO). Required for organizations that process large amounts of sensitive data or systematically monitor individuals.
Penalties
GDPR fines are severe: up to 20 million euros or 4% of global annual revenue, whichever is higher. Meta was fined 1.2 billion euros in 2023 for data transfers to the US. Amazon was fined 746 million euros in 2021 for advertising practices.
HIPAA
The Health Insurance Portability and Accountability Act governs the protection of health information in the United States. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.
What HIPAA Protects
Protected Health Information (PHI) is any health-related data that can identify an individual: medical records, lab results, billing information, and even the fact that someone is a patient.
# HIPAA safeguard categories
Administrative: Policies, training, risk analysis
Physical: Facility access, workstation security
Technical: Access controls, encryption, audit logs
Key Requirements
Risk analysis. Conduct regular assessments of potential risks to PHI confidentiality, integrity, and availability.
Access controls. Implement role-based access so that users can reach only the minimum PHI necessary for their job function.
Audit trails. Log all access to PHI. Be able to demonstrate who accessed what data, when, and why.
Business Associate Agreements (BAAs). Any vendor that handles PHI must sign a BAA accepting HIPAA obligations. Your cloud provider, email service, and analytics tools all need BAAs if they touch PHI.
Breach notification. Report breaches affecting 500+ individuals to HHS and the media within 60 days. Smaller breaches are reported annually.
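As an added example (not code from the chapter or from any HIPAA guidance), the following Python sketch shows how the access-control and audit-trail requirements above fit together: every PHI read is checked against a per-role "minimum necessary" field list, and every attempt, granted or denied, is written to an audit log recording who, what, when, and why. The role-to-field mapping, the record layout, and the class and method names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy (assumption): the PHI fields each role may read.
# This is the "minimum necessary" mapping; anything outside it is denied.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "lab_results", "medications"},
    "billing": {"name", "insurance_id", "procedure_codes"},
    "reception": {"name", "appointment_time"},
}


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: who, what, when, why, and the outcome."""
    user: str
    role: str
    patient_id: str
    fields: tuple
    reason: str
    granted: bool
    timestamp: str


class PHIStore:
    """Gate every PHI read through a role check and an append-only audit log."""

    def __init__(self, records):
        self._records = records   # patient_id -> {field: value}
        self.audit_log = []       # append-only; callers never clear it

    def read(self, user, role, patient_id, fields, reason):
        """Return only the permitted fields; log the attempt either way."""
        if not reason.strip():
            raise ValueError("a reason for access is required")
        allowed = ROLE_FIELDS.get(role, set())
        requested = tuple(sorted(fields))
        granted = set(requested) <= allowed
        # Denied attempts are logged too: auditors need to see them.
        self.audit_log.append(AuditEntry(
            user, role, patient_id, requested, reason, granted,
            datetime.now(timezone.utc).isoformat()))
        if not granted:
            raise PermissionError(
                f"{role} may not read {sorted(set(requested) - allowed)}")
        record = self._records[patient_id]
        return {f: record[f] for f in requested}

    def accesses_to(self, patient_id):
        """Answer 'who accessed this patient's data?' from the audit trail."""
        return [e for e in self.audit_log if e.patient_id == patient_id]
```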
PCI DSS
The Payment Card Industry Data Security Standard applies to any organization that stores, processes, or transmits credit card data. It is mandated by card brands (Visa, Mastercard, etc.) and enforced through acquiring banks.
The 12 Requirements
# PCI DSS requirements (summarized)
1. Install and maintain network security controls
2. Apply secure configurations to all components
3. Protect stored account data
4. Encrypt cardholder data in transit
5. Protect systems from malicious software
6. Develop and maintain secure systems
7. Restrict access to cardholder data by business need
8. Identify users and authenticate access
9. Restrict physical access to cardholder data
10. Log and monitor all access to system components
11. Test security of systems and networks regularly
12. Support information security with policies and programs
Reducing PCI Scope
The most effective PCI strategy is to minimize your exposure. Use a payment processor (Stripe, Adyen, Braintree) that handles card data so your systems never touch it. When card data never enters your environment, most PCI requirements do not apply to your systems.
# PCI scope reduction
Full scope: You store and process card numbers (all 12 requirements apply)
Reduced scope: You use hosted payment pages (iframe or redirect to processor)
Minimal scope: You use a fully hosted checkout (only SAQ-A, the simplest questionnaire)
Which Frameworks You Need
The frameworks you need depend on your customers, market, and the data you handle.
# Framework selection guide
Selling to US enterprises: SOC 2
Selling internationally: ISO 27001
Handling EU personal data: GDPR
Handling US health data: HIPAA
Processing credit cards: PCI DSS
US government contracts: FedRAMP
Financial services: SOC 2 + specific regulations
Most B2B SaaS companies start with SOC 2 because it is the most frequently requested. International expansion adds ISO 27001. GDPR applies if you have any EU users. HIPAA and PCI DSS apply only if you handle the specific data types they govern.
Compliance Is Not Security
Compliance frameworks define a minimum baseline. They tell you what controls to implement but not how well to implement them. A company can have SOC 2 Type II certification and still have critical vulnerabilities — the controls exist but may not cover every attack vector.
Real-world examples:
- Target (2013). PCI DSS compliant when attackers stole 40 million credit card numbers through a compromised HVAC vendor with network access.
- Equifax (2017). Maintained multiple compliance certifications while 147 million records were stolen through an unpatched Apache Struts vulnerability.
- Capital One (2019). SOC 2 and PCI DSS compliant when a misconfigured WAF allowed access to 100 million customer records.
Compliance provides structure and accountability. Security provides actual protection. You need both.
Common Pitfalls
- Treating compliance as the goal. Compliance is a baseline, not a ceiling. Being compliant does not mean being secure.
- Starting compliance work too late. SOC 2 Type II requires 6-12 months of operating history. Start early, especially if enterprise sales depend on it.
- Over-scoping. Trying to achieve all five SOC 2 Trust Service Criteria or all ISO 27001 controls simultaneously is overwhelming. Start with the minimum required and expand.
- Manual evidence collection. Compliance requires extensive documentation. Automate evidence collection (Vanta, Drata, Secureframe) or you will drown in spreadsheets.
- Ignoring the framework your customers care about. Spending a year on ISO 27001 when your customers are asking for SOC 2 is misallocated effort.
- Assuming compliance is one-time. Certifications require ongoing maintenance, annual audits, and continuous control operation.
Key Takeaways
- SOC 2 is the standard for US B2B SaaS. Start with Security and Availability criteria.
- ISO 27001 is the international standard, often required by European and Asian customers.
- GDPR applies to any organization processing EU residents' data, with fines up to 4% of global revenue.
- HIPAA governs US healthcare data, requiring risk analysis, access controls, and business associate agreements.
- PCI DSS applies to credit card data — reduce scope by using a payment processor that handles card data.
- Choose frameworks based on your customers, market, and the data types you handle.
- Compliance is not security — compliant organizations get breached regularly. Security enables compliance, not the other way around.