Compliance Guides

Plain-English guides to what SOC 2, ISO 27001, and HIPAA require — and how to prepare.

By Jonathan Major, Founder of Risk and Response · Updated July 2026

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It’s designed to ensure service providers securely manage data to protect their organization’s and clients’ interests. SOC 2 is particularly relevant for technology and cloud computing companies that offer online services and store customer data in the cloud. It is an attestation, not a certification: a licensed CPA firm examines your controls and issues a report — there is no SOC 2 “certificate.”

Trust Services Criteria

  • 1Security — Protection against unauthorized access, both physical and logical. Required for every SOC 2 audit.
  • 2Availability — System uptime and performance as committed or agreed.
  • 3Processing Integrity — System processing is complete, valid, accurate, timely, and authorized.
  • 4Confidentiality — Information designated as confidential is protected as committed or agreed.
  • 5Privacy — Personal information lifecycle management from collection through disposal.

Types of SOC 2 Reports

  • Type I — Evaluates whether your control design is suitable to meet relevant trust principles at a specific point in time.
  • Type II — Evaluates the operational effectiveness of those controls over a period of time (typically 3–12 months).

Benefits of SOC 2 Compliance

  • Builds trust with enterprise clients and partners
  • Improves risk management and security posture
  • Provides a competitive advantage in sales cycles
  • Streamlines security questionnaire responses
  • Demonstrates commitment to data protection

Ready to get SOC 2 audit-ready?

We take you from current state to audit-ready. Start with a free scoping call.

Learn about our SOC 2 readiness program

What is ISO 27001?

ISO/IEC 27001 is the international standard for information security management systems (ISMS). The current version, ISO 27001:2022, defines how an organization systematically manages information security risk: the ISMS requirements live in Clauses 4–10, supported by 93 Annex A controls across four themes. Unlike SOC 2, ISO 27001 is a certification — an accredited certification body audits your ISMS and issues a certificate that is valid for three years.

What the Standard Covers

  • 1ISMS Core (Clauses 4–10) — Organizational context, leadership, risk planning, support, operation, performance evaluation, and continual improvement.
  • 2Organizational Controls (37) — Policies, roles, asset management, access control, supplier relationships, and incident management.
  • 3People Controls (8) — Screening, awareness training, disciplinary processes, and remote working security.
  • 4Physical Controls (14) — Security perimeters, entry controls, equipment protection, and secure disposal.
  • 5Technological Controls (34) — Endpoint security, access rights, cryptography, logging, network security, and secure development.

How Certification Works

  • Stage 1 — The certification body reviews your ISMS documentation (scope, risk assessment, Statement of Applicability, policies) and confirms you’re ready for the full audit.
  • Stage 2 — The certification audit itself: the auditor tests that your controls are implemented and operating.
  • Surveillance — Annual surveillance audits in years one and two, then recertification in year three.
  • Internal audit — Clause 9.2 requires an impartial internal audit of your ISMS before certification and on an ongoing cadence — see our independent internal audit practice.

Building toward ISO 27001 certification?

We build and mature your ISMS — from risk assessment through Statement of Applicability to certification body engagement.

Learn about our ISO 27001 readiness program

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is the United States federal law that sets national standards for protecting sensitive patient health information. It applies to covered entities — health plans, healthcare clearinghouses, and providers — and to business associates: any vendor that creates, receives, maintains, or transmits protected health information (PHI) on their behalf. If a healthcare customer asks you to sign a Business Associate Agreement, HIPAA applies to you directly. Enforcement falls to the HHS Office for Civil Rights (OCR), which investigates complaints and breaches and can impose civil monetary penalties.

The Three Rules

  • 1Security Rule — Administrative, physical, and technical safeguards for electronic PHI, anchored by a documented risk analysis.
  • 2Privacy Rule — How PHI may be used and disclosed, minimum necessary standards, and patients’ rights over their records.
  • 3Breach Notification Rule — Breach risk assessment and notification obligations, including 60-day notification deadlines.

Key Things to Know

  • There is no official HIPAA certification — compliance is demonstrated through documented safeguards, a current risk analysis, training records, and executed Business Associate Agreements.
  • The risk analysis is the foundational requirement — and the first document OCR requests in an investigation.
  • An existing SOC 2 program accelerates HIPAA readiness, but the HIPAA-specific pieces — BAAs, Privacy Rule policies, breach procedures — still have to be built.

Handling PHI and need a HIPAA program?

We build and validate the administrative, physical, and technical safeguards HIPAA requires — including your risk analysis.

Learn about our HIPAA readiness program

SOC 2 vs. ISO 27001: Which Do You Need?

The short answer: it depends on who’s asking. US enterprise customers usually request a SOC 2 report; international and European customers more often expect ISO 27001 certification. The controls overlap substantially, so many companies satisfy both frameworks from a single control set.

SOC 2ISO 27001
What it isAn attestation: a CPA firm examines your controls and issues a report with its opinionA certification: an accredited certification body audits your ISMS and issues a certificate
Who audits youA licensed CPA firmAn accredited certification body
Where it's expectedPrimarily North American enterprise customersInternational and European customers and partners
What you receiveA SOC 2 report (Type I or Type II) you share under NDAA certificate, valid for three years, you can reference publicly
Ongoing cadenceA new examination each year (Type II covers an observation period)Surveillance audits in years one and two, recertification in year three
Control modelCriteria-based — you design controls that meet the Trust Services Criteria in scopePrescriptive — ISMS requirements (Clauses 4–10) plus the 93 Annex A controls

If you’re choosing your first framework, start with whichever your largest prospects are asking for. If both markets matter, pursuing SOC 2 and ISO 27001 together from one control set is usually cheaper than doing them sequentially — a GRC platform like Drata or Vanta maps one set of controls to both frameworks.

Not sure which framework fits?

Book a 30-minute scoping call and we'll help you decide based on your customers, market, and timeline.

Explore our readiness programs