Compliance and regulatory requirements
Compliance has a reputation for being bureaucratic checkbox-ticking. It can be. But approached correctly, compliance frameworks provide structure for building mature security—and open doors to enterprise customers who won't work with you otherwise.
This chapter helps you understand major frameworks, choose what's relevant, and prepare for your first audit without drowning in paperwork.
Why compliance matters for small companies
The business case
- Sales enablement: Enterprise customers require SOC 2 or ISO 27001 before signing contracts. Without certification, you're locked out of deals.
- Competitive advantage: Among companies your size, being certified differentiates you. "We're SOC 2 compliant" beats "We take security seriously."
- Investor due diligence: Investors increasingly ask about security posture. Compliance demonstrates maturity.
- Reduced insurance costs: Cyber insurance premiums drop when you can prove security controls.
- Incident preparedness: The work you do for compliance—documentation, monitoring, procedures—helps when incidents happen.
The risk case
- Regulatory fines: GDPR can levy fines up to 4% of global revenue. For a $10M company, that's $400K.
- Contractual penalties: Many contracts include security requirements. Non-compliance = breach of contract.
- Liability: If you suffer a breach without basic security controls, negligence claims become easier.
Major frameworks overview
Quick comparison
| Framework | Type | Focus | Who needs it | Cost to achieve |
|---|---|---|---|---|
| GDPR | Regulation (mandatory) | Personal data protection | Anyone handling EU personal data | Low-Medium |
| SOC 2 | Audit/Attestation | Trust services (security, availability, etc.) | B2B SaaS, service providers | Medium-High |
| ISO 27001 | Certification | Information security management | Global enterprises, regulated industries | High |
| PCI DSS | Industry standard | Payment card data | Anyone processing card payments | Medium-High |
| HIPAA | Regulation (mandatory) | Health information | US healthcare and business associates | Medium-High |
| NIST CSF | Framework (voluntary) | Cybersecurity risk management | Self-assessment, government contracts | Low |
| CIS Controls | Framework (voluntary) | Prioritized security actions | Self-assessment, baseline security | Free |
GDPR (General Data Protection Regulation)
What it is: EU regulation governing personal data handling.
Who it applies to: Any organization processing personal data of EU residents—regardless of where you're located.
Key requirements:
- Lawful basis for processing (consent, contract, legitimate interest)
- Data subject rights (access, deletion, portability)
- Data breach notification (72 hours to authority)
- Privacy by design
- Data Protection Impact Assessments for high-risk processing
- Records of processing activities
Small company focus:
- Map what personal data you collect and why
- Implement deletion/export capabilities
- Have a breach notification process
- Privacy policy that's actually accurate
- Data Processing Agreements with vendors
Resources:
- ICO GDPR Guide — UK regulator's comprehensive guide
- GDPR.eu — Plain-language explanation
- CNIL GDPR Guide for Developers — Technical implementation guidance
SOC 2 (System and Organization Controls)
What it is: Audit report demonstrating controls over Trust Service Criteria.
Who needs it: B2B SaaS companies, cloud service providers, anyone handling customer data.
Trust Service Criteria:
- Security (required) — Protection against unauthorized access
- Availability — Systems available as agreed
- Processing integrity — Processing is complete, accurate, timely
- Confidentiality — Information designated as confidential is protected
- Privacy — Personal information is collected, used, retained properly
SOC 2 Type I vs Type II:
- Type I: Point-in-time assessment (controls exist as of a date)
- Type II: Period assessment (controls operated effectively over 6-12 months)
Type I is faster and cheaper but less valuable. Most customers want Type II.
Timeline and cost:
- Preparation: 3-6 months
- Audit: 2-4 weeks
- Cost: $30K-$100K (auditor fees + tooling + internal effort)
Small company approach:
- Start with SOC 2 Type I to prove you have controls
- After 6 months of operation, pursue Type II
- Most startups start with Security only, add criteria later
Resources:
- AICPA SOC 2 Overview — Official source
- Vanta, Drata, Secureframe — Compliance automation platforms
ISO 27001
What it is: International standard for Information Security Management Systems (ISMS).
Who needs it: Companies with global customers, regulated industries, government contractors.
Key elements:
- Documented ISMS with policies and procedures
- Risk assessment and treatment
- Statement of Applicability (controls you implement)
- Internal audit program
- Management review
- Continuous improvement
Timeline and cost:
- Preparation: 6-12 months
- Certification audit: 1-2 weeks
- Cost: $50K-$200K (depends on size, complexity)
- Annual surveillance audits required
Small company reality: ISO 27001 is a significant undertaking. Consider it after SOC 2, or when specific customers require it.
Resources:
- ISO 27001 Standard — Official (paid)
- ISO 27001 Toolkit — Templates (paid)
- ISO 27001 Security — Free guidance
PCI DSS (Payment Card Industry Data Security Standard)
What it is: Security standard for handling credit card data.
Who needs it: Anyone who stores, processes, or transmits cardholder data.
Small company approach: Avoid PCI scope entirely. Use Stripe, Square, or similar payment processors that handle card data on your behalf. You then only need to complete a Self-Assessment Questionnaire (SAQ A), which is minimal.
If you must handle card data:
- PCI DSS has 12 requirements with ~300 controls
- Annual assessment required
- Cost and complexity scale with transaction volume
Resources:
- PCI SSC Document Library — Official guidance
- SAQ Navigator — Determine your SAQ type
HIPAA (Health Insurance Portability and Accountability Act)
What it is: US regulation protecting health information.
Who needs it: Healthcare providers, health plans, and their business associates.
Key requirements:
- Administrative safeguards (policies, training, risk analysis)
- Physical safeguards (facility access, workstation security)
- Technical safeguards (access control, audit logs, encryption)
- Business Associate Agreements with vendors
Small company approach: If you handle PHI (Protected Health Information), HIPAA applies. No certification exists—compliance is demonstrated through documentation and assessments.
Resources:
- HHS HIPAA Guidance — Official guidance
- HIPAA Security Rule Summary — Technical requirements
Self-assessment frameworks
Before pursuing certification, assess your current state using free frameworks.
CIS Controls
The Center for Internet Security (CIS) Controls provide prioritized, actionable security guidance.
Structure:
- 18 Controls (down from 20 in v7)
- Implementation Groups (IG1, IG2, IG3) based on risk profile
- IG1 is "essential cyber hygiene" — start here
IG1 Controls (essential for all organizations):
| Control | Description | Quick check |
|---|---|---|
| 1 | Inventory of Enterprise Assets | Do you know every device on your network? |
| 2 | Inventory of Software Assets | Do you know every application in use? |
| 3 | Data Protection | Is sensitive data identified and protected? |
| 4 | Secure Configuration | Are defaults changed? Hardening applied? |
| 5 | Account Management | Are accounts managed, orphans removed? |
| 6 | Access Control Management | Is access granted on need-to-know? |
| 7 | Continuous Vulnerability Management | Are you scanning and patching? |
| 8 | Audit Log Management | Are logs collected and reviewed? |
| 14 | Security Awareness Training | Are employees trained? |
| 17 | Incident Response Management | Can you respond to incidents? |
Self-assessment approach:
- Download CIS Controls (free registration)
- Score each IG1 sub-control: Not Implemented / Partially / Fully
- Calculate percentage implementation
- Prioritize gaps
Resources:
- CIS Controls v8 — Free download
- CIS Controls Self-Assessment Tool — Free assessment tool
NIST Cybersecurity Framework (CSF)
NIST CSF provides a risk-based approach organized around five functions.
The five functions:
| Function | Key categories |
|---|---|
| Identify | Asset management, business environment, governance, risk assessment, supply chain |
| Protect | Access control, awareness training, data security, protective technology, maintenance |
| Detect | Anomalies and events, continuous monitoring, detection processes |
| Respond | Response planning, communications, analysis, mitigation, improvements |
| Recover | Recovery planning, improvements, communications |
Self-assessment approach:
- For each category, rate your maturity: 1 (Partial) to 4 (Adaptive)
- Create target profile (where you want to be)
- Gap analysis identifies priorities
Resources:
- NIST CSF Official — Framework and guidance
- NIST CSF 2.0 — Latest version (2024)
- NIST CSF Quick Start Guide — Implementation guidance
Choosing your framework
Decision tree
- Do you handle EU personal data? → GDPR compliance required
- Do you handle credit card data? → PCI DSS applies (consider outsourcing to avoid scope)
- Do you handle US health information? → HIPAA applies
- Do you sell to enterprise B2B customers? → SOC 2 Type II should be priority
- Do you sell to global enterprises? → ISO 27001 may be required
- None of the above? → Use CIS Controls IG1 for baseline security
Typical small company path
Year 1:
- GDPR compliance (if applicable)
- CIS Controls IG1 self-assessment
- Address critical gaps
- Begin SOC 2 preparation
Year 2:
- SOC 2 Type I certification
- Maintain and mature controls
- Build documentation and evidence collection
Year 3:
- SOC 2 Type II certification
- Consider ISO 27001 if customer demand exists
- Expand to additional Trust Service Criteria
Preparing for your first audit
6 months before: foundation
Documentation:
- Security policies (access control, incident response, etc.)
- Risk assessment documentation
- Asset inventory
- Vendor list with security assessments
- Employee security training records
Technical controls:
- MFA on all critical systems
- Encryption at rest and in transit
- Logging and monitoring
- Vulnerability scanning
- Backup and recovery tested
Processes:
- Change management process
- Access review process (quarterly)
- Incident response plan
- Business continuity plan
3 months before: evidence collection
What auditors want:
- Screenshots of configurations
- Policy documents with version history
- Training completion records
- Access review evidence
- Vulnerability scan reports
- Incident logs (even if no incidents)
- Change tickets
Evidence collection tips:
- Automate where possible — Compliance tools like Vanta, Drata, Secureframe pull evidence automatically
- Screenshot methodology — Capture full screen with date/time visible
- Evidence repository — Organized folder structure by control
- Continuous collection — Don't scramble at audit time
1 month before: readiness assessment
Internal audit:
- Walk through each control
- Verify evidence exists
- Identify gaps
- Remediate what's fixable
Auditor selection:
- For SOC 2: Choose from AICPA-registered CPA firms
- Get quotes from 3 firms
- Check references with similar companies
- Understand timeline and scope
Team preparation:
- Identify control owners
- Brief everyone on audit process
- Schedule availability during audit window
During the audit
What to expect:
- Document request list (evidence)
- Walkthroughs (demonstrate processes)
- Technical testing (sample-based)
- Interviews with key personnel
- Findings and remediation discussions
Tips:
- Assign a single point of contact for auditor
- Respond to requests within 24 hours
- Don't volunteer extra information
- If you don't know, say so—don't guess
- Document any findings for remediation
Compliance automation tools
For small companies, compliance automation platforms significantly reduce effort.
| Platform | Starting price | Best for | Key features |
|---|---|---|---|
| Vanta | ~$10K/year | Startups, SOC 2 focus | Automated evidence, integrations |
| Drata | ~$10K/year | Multi-framework | Continuous monitoring |
| Secureframe | ~$10K/year | Startups | Fast implementation |
| Sprinto | ~$8K/year | Budget-conscious | Good value |
| Tugboat Logic | ~$15K/year | Content-focused | Policy templates |
| OneTrust | Enterprise | Large companies | Full GRC suite |
Is automation worth it?
Without automation:
- 200+ hours of manual evidence collection
- Spreadsheet tracking
- Risk of missing evidence
- Repetitive work each audit cycle
With automation:
- Continuous evidence collection
- Integrations with your tools (AWS, GitHub, Okta, etc.)
- Gap identification
- Auditor portal for evidence sharing
For most startups pursuing SOC 2, the $10-15K/year investment pays back in reduced internal effort and faster time to certification.
Security questionnaires: before you have SOC 2
Before certification, you'll face security questionnaires from potential customers. They can be brutal—200+ questions about controls you may not have.
Common questionnaire formats
| Format | Questions | Typical turnaround | How to handle |
|---|---|---|---|
| Custom questionnaire | 50-200 | 1-2 weeks | Answer honestly, note gaps |
| SIG (Standard Info Gathering) | 800+ | 2-4 weeks | Use SIG Lite if offered |
| CAIQ (CSA) | 300 | 2 weeks | Focus on cloud security |
| VSAQ (Google) | Varies | 1 week | Developer-focused |
Questionnaire survival guide
1. Build a response library: Create a master document with answers to common questions. Reuse for each questionnaire.
## Access control
Q: Do you enforce MFA for all users?
A: Yes. We enforce MFA via [Okta/Google Workspace] for all employee
accounts. MFA is required for access to production systems,
source code repositories, and cloud consoles. Hardware security
keys are required for administrative access.
Evidence: [Screenshot of IdP MFA policy]
Q: How often do you review user access?
A: Quarterly. Access reviews are conducted by department managers
and tracked in [tool]. Terminated employees are deprovisioned
within 24 hours via automated HRIS integration.
Evidence: [Access review log, offboarding procedure]
2. Be honest about gaps: "We don't currently have X, but it's on our roadmap for Q2" is better than lying. Customers respect honesty; they catch lies.
3. Offer compensating controls: "We don't have SIEM, but we have centralized logging in CloudWatch with alerting for critical events."
4. Use "N/A" appropriately: Some questions don't apply. "Do you have physical data centers?" — N/A for cloud-native companies.
5. Request their SOC 2 first: If they're asking for your SOC 2, ask for theirs. Fair is fair.
Fast-track: what to implement before questionnaires
| Control | Why it's asked | How to implement fast |
|---|---|---|
| MFA | #1 security question | 1-week rollout with IdP |
| Encryption at rest | Data protection | Enable in cloud console |
| Encryption in transit | Data protection | HTTPS everywhere, check TLS config |
| Vulnerability scanning | Continuous security | Set up Trivy, Dependabot |
| Background checks | Insider threat | Add to hiring process |
| Security training | Awareness | Deploy basic training |
| Access reviews | Least privilege | Quarterly calendar reminder |
| Incident response plan | Readiness | Write 2-page IRP |
These eight controls answer 60%+ of questionnaire questions.
Typical audit findings (and how to avoid them)
Auditors see the same issues repeatedly. Avoid these:
Finding 1: Orphaned accounts
What auditors find: Former employees still have active accounts.
Why it happens: No offboarding process, or manual process with gaps.
How to prevent:
- Automate offboarding with HRIS integration
- Quarterly access reviews catch stragglers
- Document terminated date vs. deprovisioned date
Finding 2: Missing evidence
What auditors find: Policy says quarterly access reviews, but no evidence reviews happened.
Why it happens: Process exists but isn't documented.
How to prevent:
- Screenshot evidence at time of activity
- Use ticketing system for audit trail
- Set calendar reminders for periodic controls
Finding 3: Inconsistent MFA
What auditors find: MFA policy exists, but 5% of users don't have it enabled.
Why it happens: Exceptions granted, forgotten, or enforcement not working.
How to prevent:
- Enable MFA enforcement in IdP (not just encouragement)
- Audit MFA status monthly
- Document any exceptions with VP approval
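The two IdP findings above (orphaned accounts and inconsistent MFA) come from the same data: an HRIS termination list reconciled against an IdP user export. The script below is an added example, not code from the handbook; it assumes two such exports and constructs sample records for them (the field names, the `vp-eng` exception and all e-mail addresses are assumptions). It produces the terminated-vs-deprovisioned comparison, the list of accounts still active after termination, and the MFA gaps that lack a documented exception, which is exactly the evidence a quarterly access review should leave behind.

```python
"""Access-review evidence: orphaned accounts and MFA gaps.

Added example, not from the handbook. It assumes two exports you pull
from your own systems: an HRIS termination list and an IdP user list.
All field names and the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

DEPROVISION_SLA = timedelta(hours=24)  # the handbook's 24-hour offboarding target


@dataclass
class HrRecord:
    email: str
    terminated_at: Optional[datetime]  # None means still employed


@dataclass
class IdpUser:
    email: str
    active: bool
    mfa_enrolled: bool
    deactivated_at: Optional[datetime] = None
    mfa_exception_approver: Optional[str] = None  # documented exception, e.g. "vp-eng"


# Constructed sample exports (assumptions, not real data).
HR_EXPORT = [
    HrRecord("alice@example.com", None),
    HrRecord("bob@example.com", datetime(2024, 3, 1, 9, 0)),
    HrRecord("carol@example.com", datetime(2024, 3, 5, 17, 0)),
    HrRecord("dave@example.com", datetime(2024, 2, 20, 12, 0)),
    HrRecord("erin@example.com", None),
    HrRecord("frank@example.com", None),
]
IDP_EXPORT = [
    IdpUser("alice@example.com", True, True),
    IdpUser("bob@example.com", True, True),                                    # terminated, still active
    IdpUser("carol@example.com", False, True, datetime(2024, 3, 8, 10, 0)),    # deprovisioned late
    IdpUser("dave@example.com", False, False, datetime(2024, 2, 20, 15, 0)),   # within 24 hours
    IdpUser("erin@example.com", True, False, mfa_exception_approver="vp-eng"),  # approved exception
    IdpUser("frank@example.com", True, False),                                 # undocumented MFA gap
    IdpUser("grace@example.com", True, True),                                  # unknown to HRIS
]


def orphaned_accounts(hr, idp, now) -> List[Tuple[str, str]]:
    """Active IdP accounts with no current employee behind them (Finding 1)."""
    hr_by_email = {r.email: r for r in hr}
    findings = []
    for user in idp:
        if not user.active:
            continue
        record = hr_by_email.get(user.email)
        if record is None:
            findings.append((user.email, "not in HRIS, verify owner"))
        elif record.terminated_at is not None:
            days = (now - record.terminated_at).days
            findings.append((user.email, f"terminated {days} days ago, still active"))
    return findings


def deprovisioning_lag(hr, idp) -> List[dict]:
    """Terminated date vs. deprovisioned date for every deactivated account."""
    terminated = {r.email: r.terminated_at for r in hr if r.terminated_at}
    rows = []
    for user in idp:
        if user.active or user.email not in terminated:
            continue
        lag = user.deactivated_at - terminated[user.email]
        rows.append({"email": user.email,
                     "lag_hours": lag.total_seconds() / 3600,
                     "within_sla": lag <= DEPROVISION_SLA})
    return rows


def mfa_gaps(idp) -> List[str]:
    """Active accounts without MFA and without an approved exception (Finding 3)."""
    return [u.email for u in idp
            if u.active and not u.mfa_enrolled and u.mfa_exception_approver is None]


def mfa_coverage(idp) -> float:
    """Share of active accounts with MFA enrolled; exceptions still count as unenrolled."""
    active = [u for u in idp if u.active]
    return sum(u.mfa_enrolled for u in active) / len(active)


if __name__ == "__main__":
    review_date = datetime(2024, 3, 31)
    print("Orphaned:", orphaned_accounts(HR_EXPORT, IDP_EXPORT, review_date))
    print("Deprovisioning lag:", deprovisioning_lag(HR_EXPORT, IDP_EXPORT))
    print("MFA gaps:", mfa_gaps(IDP_EXPORT))
    print(f"MFA coverage: {mfa_coverage(IDP_EXPORT):.0%}")
```

Run it as part of the quarterly review and file its output with the review ticket: the lag table documents the terminated-vs-deprovisioned dates the auditor asks for, and an empty `mfa_gaps` list is the monthly MFA audit evidence. Accounts that are unknown to the HRIS (contractors, service accounts) are flagged for ownership verification rather than silently ignored.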
Finding 4: Outdated policies
What auditors find: Policy last updated 3 years ago, doesn't reflect current reality.
Why it happens: Policies written once and forgotten.
How to prevent:
- Annual policy review on calendar
- Version control for policies
- Policy owner assigned to each document
Finding 5: No change management evidence
What auditors find: Production changes without approval trail.
Why it happens: "We move fast" without process.
How to prevent:
- Require PR approvals in Git settings
- Link deployments to tickets
- Even a simple log of "what changed, when, by whom" helps
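The approval trail the finding asks for can be checked mechanically. The script below is an added example, not the handbook's or any tool's own code; it assumes a list of deployment records exported from your CI/CD or ticketing system (the record fields, the ticket-ID format and the sample deployments are constructed). For each production change it verifies that an approver other than the author signed off and that a ticket is linked, and it emits the minimal "what changed, when, by whom" log line the handbook recommends.

```python
"""Change-management approval trail check (Finding 5).

Added example, not from the handbook. It assumes deployment records
exported from CI/CD or a ticketing system; the fields, the ticket-ID
pattern and the sample data below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TICKET_REF = re.compile(r"^[A-Z][A-Z0-9]+-\d+$")  # assumed ticket format, e.g. SEC-42


@dataclass
class Change:
    change_id: str
    pr_number: int
    author: str
    approvers: List[str] = field(default_factory=list)
    ticket: Optional[str] = None
    deployed_at: str = ""  # ISO-8601 timestamp as exported
    summary: str = ""


# Constructed sample deployments.
DEPLOYMENTS = [
    Change("D-1", 101, "alice", ["bob"], "SEC-42", "2024-03-04T10:12:00Z", "rotate DB credentials"),
    Change("D-2", 102, "bob", ["bob"], "OPS-7", "2024-03-06T15:40:00Z", "bump nginx image"),
    Change("D-3", 103, "carol", [], None, "2024-03-07T09:05:00Z", "hotfix for login page"),
    Change("D-4", 104, "dave", ["alice"], "see slack thread", "2024-03-08T18:30:00Z", "new S3 bucket"),
]


def approval_issues(change) -> List[str]:
    """Return the ways a single change fails the approval-trail check."""
    issues = []
    independent = [a for a in change.approvers if a != change.author]
    if not change.approvers:
        issues.append("no PR approval")
    elif not independent:
        issues.append("self-approved only")  # author must not be the sole approver
    if not change.ticket:
        issues.append("no ticket linked")
    elif not TICKET_REF.match(change.ticket):
        issues.append(f"ticket reference {change.ticket!r} is not a valid ID")
    return issues


def audit_changes(changes) -> List[Tuple[str, List[str]]]:
    """(change_id, issues) for every change that lacks a complete approval trail."""
    return [(c.change_id, approval_issues(c)) for c in changes if approval_issues(c)]


def change_log_line(change) -> str:
    """The handbook's minimum record: what changed, when, by whom, and who approved it."""
    approved_by = ", ".join(change.approvers) or "nobody"
    return (f"{change.deployed_at} {change.change_id} PR#{change.pr_number} "
            f"{change.summary!r} by {change.author}, approved by {approved_by}, "
            f"ticket {change.ticket or '-'}")


if __name__ == "__main__":
    for c in DEPLOYMENTS:
        print(change_log_line(c))
    for change_id, issues in audit_changes(DEPLOYMENTS):
        print(f"{change_id}: {'; '.join(issues)}")
```

Running this on every deployment (for example as a pipeline step that fails the deploy when `approval_issues` is non-empty) turns the control from a policy statement into one that is enforced and continuously evidenced, which is what the auditor samples against.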
Finding 6: Vulnerability management gaps
What auditors find: Vulnerabilities exist longer than SLA allows.
Why it happens: No SLA defined, or no tracking.
How to prevent:
- Define SLAs (7 days critical, 30 days high)
- Track in issue tracker with due dates
- Report on SLA compliance monthly
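The three prevention steps above (define SLAs, track due dates, report monthly) fit in a short script. This is an added example, not the handbook's code; the 7-day critical and 30-day high SLAs are the ones stated above, while the medium and low values and the finding records are assumptions. It computes a due date per finding, classifies each as met, late, open within SLA or open and overdue, and produces the compliance rate for the monthly report.

```python
"""Vulnerability SLA tracking and monthly compliance report (Finding 6).

Added example, not from the handbook. The critical (7 days) and high
(30 days) SLAs come from the text above; medium and low, and the
sample findings, are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    severity: str
    detected: date
    resolved: Optional[date] = None  # None while still open

    def due(self) -> date:
        return self.detected + timedelta(days=SLA_DAYS[self.severity])


# Constructed sample findings.
FINDINGS = [
    Finding("V-1", "critical", date(2024, 3, 1), date(2024, 3, 5)),    # due 03-08, met
    Finding("V-2", "critical", date(2024, 3, 2), date(2024, 3, 15)),   # due 03-09, late
    Finding("V-3", "high", date(2024, 2, 10), date(2024, 3, 1)),       # due 03-11, met
    Finding("V-4", "high", date(2024, 2, 1)),                          # due 03-02, still open
    Finding("V-5", "critical", date(2024, 3, 28)),                     # due 04-04, open, in SLA
    Finding("V-6", "medium", date(2024, 1, 15), date(2024, 3, 30)),    # due 04-14, met
]


def sla_status(f, as_of) -> str:
    """met / late for resolved findings; open_in_sla / open_overdue for open ones."""
    if f.resolved is not None:
        return "met" if f.resolved <= f.due() else "late"
    return "open_in_sla" if as_of <= f.due() else "open_overdue"


def sla_report(findings, as_of) -> Dict:
    """Counts per status, overall compliance rate and the open-overdue list for the month."""
    counts = {"met": 0, "late": 0, "open_in_sla": 0, "open_overdue": 0}
    overdue = []
    for f in findings:
        status = sla_status(f, as_of)
        counts[status] += 1
        if status == "open_overdue":
            overdue.append((f.finding_id, (as_of - f.due()).days))
    # Open findings still inside their window are compliant; late and overdue are not.
    compliant = counts["met"] + counts["open_in_sla"]
    return {
        "as_of": as_of.isoformat(),
        "counts": counts,
        "compliance_rate": compliant / len(findings) if findings else 1.0,
        "open_overdue": sorted(overdue, key=lambda item: -item[1]),
    }


if __name__ == "__main__":
    report = sla_report(FINDINGS, date(2024, 3, 31))
    print(report["counts"], f"{report['compliance_rate']:.0%} within SLA")
    for finding_id, days in report["open_overdue"]:
        print(f"{finding_id}: {days} days overdue")
```

Feeding the scanner's export into `FINDINGS` and running the report on the last day of each month gives the auditor a consistent series of evidence; the `open_overdue` list, sorted by days late, is the part that should go straight into the issue tracker.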
Real audit stories
Story 1: The 11th-hour save
A startup scheduled SOC 2 Type I for Monday. On Friday, they realized their access review "process" was an email saying "hey, check access." No evidence of reviews ever happening.
Weekend scramble: They ran an access review Saturday, documented it properly, and showed auditors a new quarterly schedule. Finding: observation (not exception) for "process recently implemented."
Lesson: Even recently implemented controls count. Better late than not at all.
Story 2: The scope negotiation
A 20-person company was quoted $75K for SOC 2 because the auditor scoped all systems. The Security Champion pushed back:
- Production only (not dev/staging)
- Customer-facing systems only (not internal tools)
- Security criteria only (not availability, confidentiality)
New quote: $35K. Same certification value for customer requirements.
Lesson: Scope is negotiable. Start narrow.
Story 3: The automation ROI
Company A did SOC 2 manually: 300 hours internal effort, spreadsheet tracking, scrambling before audit.
Company B used Drata: 80 hours internal effort, continuous evidence, automated tracking.
Both passed. Company B's Security Champion had 220 hours back for actual security work.
Lesson: Automation pays for itself in the first audit cycle.
Story 4: The honest gap
During audit, the Security Champion was asked about penetration testing. They didn't have a pentest.
Bad response: "We're planning to do one soon."
Actual response: "We don't have a pentest yet. We do automated scanning, code review, and bug bounty triage. Formal pentest is planned for Q2 with budget approved."
Result: Exception noted, but with clear remediation plan. Auditor respected the honesty and concrete plan.
Lesson: Auditors prefer honest gaps with plans over vague assurances.
Common compliance mistakes
- Treating it as one-time project — Compliance is ongoing. Controls must operate continuously, not just at audit time.
- Documentation without implementation — Policies exist but aren't followed. Auditors test actual practice, not just documents.
- Scope creep — Including everything in scope. Start narrow (key systems only) and expand.
- Waiting until customer demands it — SOC 2 takes 6-12 months. By then, you've lost deals.
- Choosing cheap auditors — Inexperienced auditors miss issues that bite you later. Or they're overly strict because they don't understand startups.
- No evidence collection process — Scrambling to gather evidence before each audit wastes time and misses items.
- Security theater — Implementing controls that look good but don't actually reduce risk.
- Ignoring exceptions — Every company has exceptions to policies. Document them, don't hide them.
Expert tips
Start with the audit scope
Before any certification, define scope carefully:
In scope:
- Production systems
- Systems handling customer data
- Key SaaS tools (identity, source control)
Out of scope (often acceptable for first audit):
- Development environments
- Internal tools
- Marketing systems
Smaller scope = less work = faster certification = lower cost. Expand scope later.
Use framework mappings
Controls overlap across frameworks. A single control can satisfy multiple requirements:
| Your control | SOC 2 | ISO 27001 | CIS Controls | NIST CSF |
|---|---|---|---|---|
| MFA enforcement | CC6.1 | A.9.4.2 | 6.3, 6.4 | PR.AC-7 |
| Encryption at rest | CC6.1 | A.10.1.1 | 3.11 | PR.DS-1 |
| Vulnerability scanning | CC7.1 | A.12.6.1 | 7.1-7.7 | DE.CM-8 |
| Security training | CC1.4 | A.7.2.2 | 14.1-14.9 | PR.AT |
Implement once, satisfy many.
The "trust but verify" approach
Auditors trust documentation but verify through testing. For each control:
- Policy exists (document)
- Process is defined (procedure)
- Evidence proves operation (logs, screenshots)
- Exceptions are documented (with approval)
If any piece is missing, the control fails.
Compliance as competitive intelligence
Your competitors' SOC 2 reports are often available on request. Ask for them (as a prospective customer) to see:
- What they include in scope
- What exceptions they've documented
- How mature their controls are
This benchmarks your own efforts.
Workshop: CIS Controls self-assessment
Part 1: IG1 assessment (2 hours)
For each IG1 control, rate your implementation:
Rating scale:
0 - Not implemented
1 - Partially implemented (ad-hoc, inconsistent)
2 - Mostly implemented (documented, mostly followed)
3 - Fully implemented (documented, monitored, measured)
Assessment template:
| Control | Sub-control | Rating | Evidence | Gap/Action needed |
|---|---|---|---|---|
| 1.1 | Establish asset inventory | ? | | |
| 1.2 | Address unauthorized assets | ? | | |
| 2.1 | Establish software inventory | ? | | |
| ... | ... | ? | | |
Part 2: Gap prioritization (1 hour)
- List all controls rated 0 or 1
- Score each gap for risk impact (H/M/L)
- Score each for implementation effort (H/M/L)
- Prioritize: High impact + Low effort first
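The scoring in the CIS Controls self-assessment section earlier (rate each IG1 sub-control, calculate percentage implementation, prioritize gaps) and Parts 1 and 2 of this workshop are the same calculation, so one worked example covers both. It is an added example, not the handbook's or CIS's own tool: it applies the 0-3 rating scale above, computes overall and per-control implementation percentages, and orders gaps (rated 0 or 1) by High impact and Low effort first. The sub-control titles are paraphrased from the template, and the ratings, impact and effort values are constructed sample input.

```python
"""CIS IG1 self-assessment scoring and gap prioritization.

Added example, not from the handbook or CIS. Ratings use the 0-3 scale
from Part 1; gaps are sub-controls rated 0 or 1 and are ordered by
impact (H first) then effort (L first), as in Part 2. Titles are
paraphrased; ratings, impact and effort are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_RATING = 3
IMPACT_RANK = {"H": 0, "M": 1, "L": 2}  # lower value sorts first
EFFORT_RANK = {"L": 0, "M": 1, "H": 2}


@dataclass
class Assessment:
    sub_control: str              # e.g. "1.1"
    title: str
    rating: int                   # 0 = not implemented .. 3 = fully implemented
    impact: Optional[str] = None  # H/M/L, required for gaps
    effort: Optional[str] = None  # H/M/L, required for gaps

    @property
    def control(self) -> str:
        return self.sub_control.split(".")[0]


# Constructed sample assessment (ratings, impact and effort are assumptions).
ASSESSMENT = [
    Assessment("1.1", "Establish asset inventory", 3),
    Assessment("1.2", "Address unauthorized assets", 1, "H", "L"),
    Assessment("2.1", "Establish software inventory", 2),
    Assessment("4.1", "Establish secure configuration process", 0, "H", "M"),
    Assessment("5.1", "Establish account inventory", 1, "M", "L"),
    Assessment("8.1", "Establish audit log management process", 0, "L", "H"),
    Assessment("17.1", "Designate incident handling personnel", 1, "H", "L"),
]


def validate(rows) -> None:
    """Reject out-of-range ratings and gaps that were not scored for impact/effort."""
    for r in rows:
        if not 0 <= r.rating <= MAX_RATING:
            raise ValueError(f"{r.sub_control}: rating {r.rating} outside 0..{MAX_RATING}")
        if r.rating <= 1 and (r.impact not in IMPACT_RANK or r.effort not in EFFORT_RANK):
            raise ValueError(f"{r.sub_control}: gap needs impact and effort scores")


def percent_implemented(rows) -> float:
    """Overall implementation as a percentage of the maximum possible score."""
    validate(rows)
    return 100 * sum(r.rating for r in rows) / (MAX_RATING * len(rows))


def per_control(rows) -> Dict[str, float]:
    """Implementation percentage aggregated per top-level control."""
    totals: Dict[str, List[int]] = {}
    for r in rows:
        totals.setdefault(r.control, []).append(r.rating)
    return {c: 100 * sum(v) / (MAX_RATING * len(v)) for c, v in totals.items()}


def gaps(rows) -> List[Assessment]:
    return [r for r in rows if r.rating <= 1]


def prioritized_gaps(rows) -> List[Assessment]:
    """High impact + Low effort first; sort is stable, so ties keep table order."""
    validate(rows)
    return sorted(gaps(rows), key=lambda r: (IMPACT_RANK[r.impact], EFFORT_RANK[r.effort]))


if __name__ == "__main__":
    print(f"IG1 implementation: {percent_implemented(ASSESSMENT):.1f}%")
    for control, pct in sorted(per_control(ASSESSMENT).items(), key=lambda kv: int(kv[0])):
        print(f"  Control {control}: {pct:.0f}%")
    for g in prioritized_gaps(ASSESSMENT):
        print(f"  gap {g.sub_control} ({g.impact} impact, {g.effort} effort): {g.title}")
```

The prioritized list maps directly onto the Part 3 roadmap table: the first entries are the Q1 controls. Re-running the script each quarter with updated ratings gives the percentage trend that belongs in the leadership brief.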
Part 3: Roadmap development (1 hour)
Create a 12-month roadmap:
| Quarter | Controls to implement | Resources needed | Success criteria |
|---|---|---|---|
| Q1 | 1.1, 1.2, 4.1 | 40 hrs, $2K tools | Inventory complete, baselines set |
| Q2 | 5.1, 5.2, 6.1 | 30 hrs | Access reviews running |
| Q3 | 7.1-7.3, 8.1 | 50 hrs, $5K tools | Vuln scanning active, logs centralized |
| Q4 | 14.1-14.6, 17.1 | 20 hrs, $3K training | Training program live, IR plan tested |
Deliverables
- Completed IG1 self-assessment
- Gap analysis with prioritization
- 12-month compliance roadmap
- Resource requirements summary
- Brief for leadership
How to explain this to leadership
The pitch:
"Compliance isn't about checking boxes—it's about proving to customers, partners, and investors that we handle their data responsibly. Right now, we can't compete for enterprise deals because we don't have SOC 2. I want to change that."
The business case:
"Three deals in the last quarter required SOC 2. Combined value: $250K ARR. SOC 2 Type II costs approximately $50K all-in (tooling + audit + effort). ROI is positive on the first enterprise deal we close."
The ask:
"I need approval for a compliance automation tool ($12K/year) and 100 hours of my time over 6 months. In exchange, we'll have SOC 2 Type I in 6 months and Type II a year from now."
What they get:
- Enterprise sales qualification
- Reduced security questionnaire burden (SOC 2 report answers most questions)
- Demonstrated maturity for investors
- Lower cyber insurance premiums
- Foundation for future certifications
Conclusion
Compliance is not security. But compliance frameworks create structure, enforce documentation, and require you to verify that controls actually work — which makes your security program more rigorous whether you want it to or not.
Pick the framework your customers care about. Build toward it incrementally. The certification is the output, not the goal.
What's next
Next: working with third parties and vendors — your security is only as strong as your weakest vendor.