Cybersecurity

Security frameworks 101

With so many IT security frameworks out there, figuring out which one applies to your organization can be confusing. Below, you'll find details about common frameworks to help you determine which might be right for your organization. The good news is that many frameworks overlap. The even better news is that Strike Graph's multi-framework approach allows your busy team to upload evidence just once and apply it to many compliance initiatives.

SOC 2

What is it:
SOC stands for System and Organization Controls. SOC 2 reports are structured around the AICPA's five Trust Services Criteria (formerly called Trust Services Principles): security, availability, confidentiality, processing integrity, and privacy. Security is the only mandatory category; the others are included as they apply to the service. SOC 2 is technically an attestation report (although you'll probably hear it casually called a certification) issued by an independent CPA firm. A Type 1 report covers the design of controls at a point in time; a Type 2 report also tests that the controls operated effectively over a review period, typically 6 to 12 months, and is what most customers ask for.

Governing body:
SOC 2 was developed by the American Institute of CPAs (AICPA), a national professional organization for certified public accountants.

Who needs it:
SOC 2 is increasingly demanded by security-conscious enterprises of the cloud service providers they rely on, so it is most often needed by software as a service (SaaS) vendors, managed service providers, banking and financial services firms, data centers, and cloud storage providers.

How Strike Graph can help:
Strike Graph’s SOC 2 solution simplifies the compliance process and gets you audit ready faster and with less frustration.

Learn how Strike Graph eases the burden of security certifications. Schedule a demo today.

ISO 27001/2 (ISMS)

What is it:
ISO/IEC 27001 is an international standard that specifies the requirements for establishing, operating, and continually improving an information security management system (ISMS). ISO/IEC 27002 is its companion, a code of practice that gives implementation guidance for the controls listed in 27001's Annex A. Only 27001 is certifiable: an accredited certification body audits your ISMS against it, and 27002 is used as guidance along the way.

Governing body:
ISO stands for International Organization for Standardization. The organization has developed over 24,090 standards, ranging from environmental to information technology.

Who needs it:
ISO 27001 certification is recommended if you will be marketing or selling your products to customers outside the United States, where it is more widely recognized than SOC 2. It improves customer confidence by documenting your commitment to keeping confidential and sensitive information secure.

How Strike Graph can help:
Strike Graph’s audit-proven policy templates, implementation guidance from experts, and automated, ongoing evidence collection make compliance more efficient and seamless.

HIPAA

What is it:
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996. One of its purposes is to ensure the protection of protected health information (PHI). Its Privacy Rule, Security Rule (which covers electronic PHI), and Breach Notification Rule set the requirements that compliance programs are measured against.

Governing body:
HIPAA is enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). There is no official HIPAA certification: because it is a law, compliance is self-assessed (the Security Rule requires a documented risk analysis), and OCR enforces it through complaint investigations, breach investigations, and audits. However, some auditors do offer attestation reports similar to a SOC 2 that cover your HIPAA controls.

Who needs it:
The law applies to Covered Entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically) and to Business Associates, the vendors and partners that create, receive, maintain, or transmit PHI on a Covered Entity's behalf. Business Associates must sign a Business Associate Agreement (BAA) and are directly liable for Security Rule compliance.

How Strike Graph can help:
Strike Graph has tools, templates, and experts to position you for an independent assurance or external audit.

HITRUST CSF

What is it:
HITRUST CSF harmonizes requirements from many regulations and standards (including HIPAA, ISO 27001, NIST SP 800-53, and PCI DSS) into a single, prescriptive control framework. CSF here stands for “common security framework,” not to be confused with the NIST Cybersecurity Framework below.

Governing body:
HITRUST CSF was developed and is maintained by HITRUST (originally the Health Information Trust Alliance), a private organization founded by healthcare and information security professionals.

Who needs it:
Consider HITRUST if you handle protected health information (PHI) or if a customer asks for it. Be aware that a HITRUST validated assessment is substantially more expensive and time-consuming than a SOC 2 or a HIPAA self-assessment, and it must be performed by a HITRUST-authorized external assessor.

How Strike Graph can help:
Strike Graph starts you with HIPAA and then adds a HITRUST layer on top.

PCI DSS

What is it:
The Payment Card Industry Data Security Standard (or PCI DSS) applies to any organization that stores, processes, or transmits payment card data. Merchants fall into one of four levels based on annual transaction volume (the exact thresholds are set by each card brand). Lower levels complete a Self-Assessment Questionnaire (SAQ); Level 1, the highest volume, requires an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance (ROC). Service providers that handle cardholder data on merchants' behalf have their own, similar level scheme.

Governing body:
PCI DSS is maintained by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands: American Express, Discover, JCB International, Mastercard, and Visa. The brands and your acquiring bank, not the Council, enforce compliance.

Who needs it:
If your organization processes or plans to process payment cards, regardless of volume, you will need to be compliant to avoid fines passed down through your acquiring bank and, ultimately, losing the ability to accept cards.

How Strike Graph can help:
Strike Graph facilitates the annual PCI check (either self-assessed or audited) with control reminders, setting you up for success in not only reaching but also maintaining PCI compliance.

ISO 27701 (Privacy)

What is it:
ISO/IEC 27701 is an extension to ISO 27001 that is specific to privacy. It expands your ISMS into a privacy information management system (or PIMS), adding requirements for organizations acting as PII controllers and PII processors. It cannot be certified on its own; it is audited as an extension of an ISO 27001 certification.

Governing body:
ISO, as for ISO 27001 above. ISO/IEC 27701 is published jointly by ISO and the International Electrotechnical Commission (IEC).

Who needs it:
Many organizations implement ISO 27701 to support privacy compliance with laws such as the California Consumer Privacy Act (CCPA) or the EU General Data Protection Regulation (GDPR); its annexes map its controls to GDPR articles.

How Strike Graph can help:
The Strike Graph ISO suite includes the 27701 framework, which, by extension, includes GDPR.

NIST-CSF

What is it:
The NIST Cybersecurity Framework (or CSF) was a result of a 2013 Obama-era executive order and is the U.S. Government's collection of cybersecurity best practices pulled from other frameworks. It is voluntary and outcome-based, organizing activities into the functions Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, added Govern). The CSF is separate from NIST's Special Publications, which are prescriptive control catalogs: NIST SP 800-53 (the control baseline for U.S. federal information systems) and NIST SP 800-171 (for contractors and subcontractors that handle controlled unclassified information).

Governing body:
NIST (the National Institute of Standards and Technology) is a non-regulatory federal agency under the Department of Commerce.

Who needs it:
NIST standards are required for doing business with the U.S. government: SP 800-53 applies to federal systems under FISMA, and SP 800-171 is required of contractors that handle CUI. The CSF itself is voluntary, but many state agencies and regulators reference it as the expected baseline.

How Strike Graph can help:
Strike Graph’s evidence collection reminders help keep you on track, so annual reassessment of compliance won’t sneak up on you.

FedRAMP

What is it:
The Federal Risk and Authorization Management Program (or FedRAMP) relies heavily on the NIST SP 800-53 control catalog and lays out an authorization pathway (it results in an Authorization to Operate, not a certification) for cloud services used by Federal Agencies. The assessment is performed by an accredited Third Party Assessment Organization (3PAO).

Governing body:
FedRAMP was established by the U.S. Office of Management and Budget (OMB) and is run by a program management office within the General Services Administration (GSA). Organizations must meet the baseline (Low, Moderate, or High) for their service and then obtain an authorization from an individual agency or, historically, a provisional authorization (P-ATO) from the Joint Authorization Board (JAB), which was replaced by the FedRAMP Board in 2024.

Who needs it:
FedRAMP is for cloud service providers who want to sell to the federal government or host federal data.

How Strike Graph can help:
(Strike Graph does not support FedRAMP, but can assist with meeting NIST 800-53.)

CCM

What is it:
The Cloud Controls Matrix (or CCM) is a vendor-agnostic collection of security controls that helps cloud providers and prospective cloud customers assess the risk of a cloud implementation. Essentially, it is a spreadsheet of security domains broken out into controls, with each control mapped to other standards such as ISO 27001, NIST SP 800-53, and PCI DSS. Its companion questionnaire, the Consensus Assessments Initiative Questionnaire (CAIQ), turns the controls into yes/no questions for vendor due diligence.

Governing body:
The Cloud Security Alliance (CSA) established CCM as a tool for the systematic assessment of a cloud implementation.

Who needs it:
CCM is specific to cloud computing. Cloud providers who wish to submit their service to the Security, Trust, Assurance, and Risk (STAR) Registry (STAR Level 1 is a self-assessment; Level 2 is a third-party attestation or certification), as well as companies looking to evaluate cloud providers, could benefit from the CCM.

How Strike Graph can help:
Strike Graph does not currently support CCM specifically, but our flexible compliance platform allows you to assign controls and evidence to any framework.

CMMC

What is it:
CMMC stands for Cybersecurity Maturity Model Certification. It comprises 3 levels, and each level builds upon the one below. Level 1 covers basic safeguarding of Federal Contract Information (FCI) and is an annual self-assessment; Level 2 aligns with the 110 requirements of NIST SP 800-171 and, for most contracts, requires a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO); Level 3 adds a subset of NIST SP 800-172 and is assessed by the DoD itself.

Governing body:
CMMC was established by the Department of Defense (DoD) to protect Federal Contract Information and controlled unclassified information (or CUI) that resides on the systems and networks of defense contractors and their subcontractors.

Who needs it:
CMMC is a requirement if you plan to contract work with the U.S. Department of Defense; the contract specifies the level you need, which depends on whether you handle only FCI or also CUI, and the requirement flows down to subcontractors.

How Strike Graph can help:
Strike Graph does not currently support CMMC specifically, but our flexible compliance platform allows you to assign controls and evidence to any framework.

Are you ready to build trust through cybersecurity?