Compliance Framework
A structured set of guidelines, standards, and controls that organisations use to meet regulatory, legal, or industry security requirements.
What Is a Compliance Framework?
A compliance framework is a structured collection of guidelines, standards, policies, and controls that organisations implement to meet legal, regulatory, contractual, or industry security requirements. Frameworks provide a systematic, repeatable way to build and demonstrate security maturity.
Rather than building a security programme from scratch, organisations use frameworks as blueprints — defining what controls are needed, how to implement them, and how to evidence compliance.
Common Security Compliance Frameworks
| Framework | Audience | Issued By |
|-----------|----------|-----------|
| ISO 27001 | All industries, international | ISO/IEC |
| SOC 2 | US SaaS and service companies | AICPA |
| GDPR | Any org with EU customer data | EU |
| NIS2 | EU critical infrastructure + supply chains | EU |
| Cyber Essentials | UK businesses | NCSC (UK) |
| NIST CSF | US organisations (guidance, not mandatory) | NIST |
| PCI DSS | Any org handling card payments | PCI SSC |
| HIPAA | US healthcare and covered entities | HHS (US) |
Framework vs Certification vs Audit
- Framework: The standard or set of guidelines itself (e.g., the ISO 27001 standard)
- Certification: Formal third-party validation (e.g., achieving ISO 27001 certification)
- Audit: An independent assessment (e.g., a SOC 2 audit produces a report, not a certificate)
- Self-assessment: Completing a framework's controls without third-party verification
Many frameworks support both self-assessment and formal certification.
Choosing the Right Framework
Start by asking:
- Where are your customers? EU customers prioritise GDPR and ISO 27001. US enterprise buyers want SOC 2.
- What does your sector require? Healthcare needs HIPAA, payment processing needs PCI DSS, critical infrastructure in the EU falls under NIS2.
- What do your contracts require? Enterprise sales contracts and cyber insurance policies often specify frameworks.
For most SMBs, starting with Cyber Essentials (UK) or NIST CSF basics, then progressing to ISO 27001 or SOC 2 as sales demand requires, is the right path.