Key Takeaways
- SOC 2 = trust for SaaS companies
- ISO 27001 = global security standard
- GDPR = European data protection
- Continuous compliance > annual audits
1. Security Compliance Overview
Compliance frameworks provide structured requirements for security programs. They help organizations prove security to customers, meet regulatory requirements, and reduce risk.
2. SOC 2 Compliance
SOC 2 Trust Service Criteria
- Security: Protection against unauthorized access (required)
- Availability: System uptime and performance
- Processing Integrity: Data accuracy and completeness
- Confidentiality: Data protection
- Privacy: Personal information handling
Type I: Point-in-time assessment of control design
Type II: Operational effectiveness of controls over a review period (3-12 months)
3. ISO 27001
ISO 27001 structure:
- Clause 4: Context of the organization
- Clause 5: Leadership
- Clause 6: Planning (risk assessment)
- Clause 7: Support
- Clause 8: Operation
- Clause 9: Performance evaluation
- Clause 10: Improvement
- Annex A: 93 controls across 4 themes (Organizational, People, Physical, Technological)
- Certification: 3-year cycle with surveillance audits
4. GDPR
- Lawful basis: Consent, contract, legal obligation, etc.
- Data subject rights: Access, rectification, erasure, portability
- Breach notification: 72 hours to authority
- DPO requirement: For large-scale processing
- Fines: Up to 4% of annual global revenue or €20M, whichever is higher
5. PCI DSS
PCI DSS 4.0 requirements (12 total):
1. Network security controls
2. Secure configurations
3. Protect cardholder data
4. Encrypt transmission
5. Protect from malware
6. Secure systems and software
7. Restrict access (need-to-know)
8. Identify users and authenticate
9. Physical access controls
10. Log and monitor access
11. Test security regularly
12. Information security policy
6. HIPAA
- Privacy Rule: Protected Health Information (PHI)
- Security Rule: Administrative, physical, technical safeguards
- Breach Notification Rule: Notification requirements
- BAA: Business Associate Agreements required
7. Continuous Compliance
Move from an annual audit to continuous compliance:
- Automated evidence collection
- Continuous control monitoring
- Policy-as-code
- Compliance dashboards
Tools:
- Vanta, Drata, Secureframe (SOC 2 automation)
- Cloud compliance (AWS Config, Azure Policy)
- GRC platforms (ServiceNow, Archer)
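As an added illustration of policy-as-code and continuous control monitoring (example code, not from this page or from any of the tools named above): a small Python evaluator runs constructed cloud resource records against a unified control catalogue, maps each control to the framework requirements it evidences (mappings are illustrative), and flags evidence older than an assumed 30-day window as stale, which is what turns a point-in-time check into a continuous one.

```python
# Minimal policy-as-code engine (hypothetical): one check, many frameworks.
from datetime import date, timedelta

MAX_EVIDENCE_AGE = timedelta(days=30)  # assumption: older evidence no longer proves the control

# Unified control catalogue. Framework mappings are illustrative, not authoritative.
CONTROLS = {
    "storage_encrypted": {
        "types": {"bucket"},
        "check": lambda r: r.get("encrypted") is True,
        "frameworks": ["SOC 2 Security", "PCI DSS Req 3", "ISO 27001 A.8"],
    },
    "access_logging": {
        "types": {"bucket", "iam_user"},
        "check": lambda r: r.get("logging") is True,
        "frameworks": ["SOC 2 Security", "PCI DSS Req 10", "HIPAA Security Rule"],
    },
    "mfa_required": {
        "types": {"iam_user"},
        "check": lambda r: r.get("mfa") is True,
        "frameworks": ["SOC 2 Security", "PCI DSS Req 8"],
    },
}

# Constructed inventory snapshot; "collected" is when the evidence was last gathered.
TODAY = date(2024, 6, 1)
RESOURCES = [
    {"id": "bkt-logs", "type": "bucket", "encrypted": True, "logging": True, "collected": TODAY - timedelta(days=1)},
    {"id": "bkt-backup", "type": "bucket", "encrypted": False, "logging": True, "collected": TODAY - timedelta(days=2)},
    {"id": "user-alice", "type": "iam_user", "mfa": True, "logging": True, "collected": TODAY - timedelta(days=45)},
]

def evaluate(resources, today):
    """Return per-control status: FAIL (a resource violates it), STALE (evidence too old), or PASS."""
    report = {}
    for name, ctl in CONTROLS.items():
        in_scope = [r for r in resources if r["type"] in ctl["types"]]
        failing = [r["id"] for r in in_scope if not ctl["check"](r)]
        stale = [r["id"] for r in in_scope if today - r["collected"] > MAX_EVIDENCE_AGE]
        status = "FAIL" if failing else "STALE" if stale else "PASS"
        report[name] = {"status": status, "failing": failing, "stale": stale, "frameworks": ctl["frameworks"]}
    return report

def framework_gaps(report):
    """Dashboard view: framework requirement -> controls that are not currently PASS."""
    gaps = {}
    for name, result in report.items():
        for fw in result["frameworks"]:
            gaps.setdefault(fw, [])
            if result["status"] != "PASS":
                gaps[fw].append(name)
    return gaps

if __name__ == "__main__":
    for fw, controls in framework_gaps(evaluate(RESOURCES, TODAY)).items():
        print(f"{fw}: {'OK' if not controls else 'GAP ' + ', '.join(controls)}")
```

A single failing bucket shows up under every framework that relies on that control, which is the argument for a unified control framework rather than one checklist per audit.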
8. Audit Preparation
- ✅ Document all policies and procedures
- ✅ Evidence collection automation
- ✅ Gap assessment before formal audit
- ✅ Assign control owners
- ✅ Regular internal audits
- ✅ Remediation tracking
FAQ
Which compliance should we start with?
For B2B SaaS: SOC 2. For EU customers: GDPR. For payments: PCI DSS. For healthcare: HIPAA. Many organizations need multiple, so build a unified control framework.