Compliance Services

Compliance frameworks help demonstrate security maturity to customers, partners, and regulators. We help organizations achieve and maintain compliance as part of building comprehensive security programs, ensuring your controls serve both compliance requirements and actual security needs.

Frameworks We Support

SOC 2

The most common compliance framework for SaaS and technology companies. SOC 2 Type II demonstrates that your security controls have been operating effectively over time.

Common use: Enterprise B2B sales, vendor risk management requirements

HIPAA

Required for healthcare organizations and companies handling Protected Health Information (PHI). Covers privacy, security, and breach notification requirements.

Common use: Healthcare providers, healthtech companies, business associates

HITRUST

A comprehensive certification framework that harmonizes HIPAA, ISO 27001, NIST, and other standards. Often required by enterprise healthcare customers.

Common use: Healthcare enterprises, health insurance companies

ISO 27001

International standard for information security management systems (ISMS). Widely recognized globally and demonstrates mature security practices.

Common use: International customers, European markets, government contracts

FedRAMP

Federal Risk and Authorization Management Program. Required for cloud service providers selling to US federal government agencies.

Common use: Federal government sales, cloud service providers

StateRAMP

State Risk and Authorization Management Program. Provides standardized security authorization for state and local government cloud services.

Common use: State and local government sales

Our Approach

Compliance Within a Security Program

We approach compliance as one component of comprehensive security program development:

  • Gap assessment against your target frameworks and business risk profile
  • Control design that satisfies multiple frameworks where possible
  • Security program integration so compliance controls also reduce real risk
  • Audit preparation and coordination for efficient certification
  • Ongoing maintenance through fractional CISO services

Most compliance work happens as part of broader security program design or fractional CISO engagements where certification is one objective alongside risk reduction and operational security.

Common Questions

Which compliance framework do I need?

It depends on your customers and market. SOC 2 is most common for B2B SaaS companies. Healthcare requires HIPAA (and often HITRUST). Government sales typically require FedRAMP or StateRAMP. International customers may require ISO 27001. We help you prioritize based on your business needs.

Can I pursue multiple frameworks at once?

Yes, and it's often more efficient. Many frameworks share common controls, so pursuing SOC 2 and ISO 27001 together (for example) requires less incremental effort than doing them separately. We design controls to satisfy multiple frameworks where possible.

What's the difference between SOC 2 Type I and Type II?

Type I evaluates control design at a single point in time. Type II evaluates both design and operating effectiveness over a period (typically 6-12 months). Enterprise customers almost always require Type II because it demonstrates controls work consistently over time, not just on audit day.

What's the difference between HIPAA and HITRUST?

HIPAA is a federal law requiring healthcare organizations to protect PHI through administrative, physical, and technical safeguards. HITRUST is a certification framework that includes HIPAA requirements plus additional security controls from ISO 27001, NIST, and other standards. Many enterprise healthcare customers require HITRUST as it demonstrates a more comprehensive security program.

When should we start working toward compliance?

Start building security processes and operations before you're under pressure. When enterprise customers consistently ask for compliance reports, move forward with formal certification; if you're already being bombarded by client requests, it's time to start.

Need Help with Compliance?

Let's discuss your compliance requirements and how they fit into your broader security program.