Frameworks Explained

Plain-language guides to the security frameworks we work with most. Understand what each one covers, who it's for, and how to know if it applies to your organization.

SOC 2

System and Organization Controls 2

Who needs it

SaaS providers, cloud service providers, and any company handling customer data on behalf of enterprise clients. Provides a competitive sales advantage.

Type 1 vs Type 2

Type 1 reports on control design at a point in time. Type 2 reports on operating effectiveness over a 3-12 month observation window.

What it covers

Five Trust Services Criteria: Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional additions for evaluation.

Typical timeline

3-6 months for Type 1 readiness. 9-15 months for Type 2 readiness and audit completion, because controls must be operational for at least 3 months before the observation window can close.

How we help

Whether you're pursuing SOC 2 for the first time or maintaining an existing program, we support organizations at every stage of the process:

  • Readiness assessment to identify gaps before the audit

  • Control implementation across the relevant Trust Services Criteria

  • Documentation of policies, procedures, and evidence collection processes

  • Ongoing maintenance through our managed services to stay audit-ready year over year

NIST CSF 2.0

NIST Cybersecurity Framework, Version 2.0

Who needs it

Any organization looking to build, improve, or measure a security program. Used widely across critical infrastructure, financial services, healthcare, manufacturing, and by businesses of all sizes.

What it covers

Six core functions that span the full security lifecycle: Govern, Identify, Protect, Detect, Respond, and Recover. Each function breaks down into categories and subcategories that describe specific outcomes.

Voluntary, not certifiable

NIST CSF is a voluntary framework, not a certification. There's no audit or formal compliance status. Instead, organizations self-assess maturity and use it to guide program development and decisions.

Typical timeline

Initial gap assessment in 6-10 weeks. Maturity improvement is ongoing, with most organizations targeting incremental progress across the six functions over 12-24 months with a re-evaluation following.

How we help

We help organizations use NIST CSF 2.0 as the foundation for building a structured, defensible security program:

  • Maturity assessment against all six functions to establish your baseline and prioritize improvement areas

  • Target state planning to define where your program needs to be in 12, 24, and 36 months

  • Program development across governance, risk management, and operational controls aligned to CSF categories

  • Ongoing measurement through our managed services to track maturity progress over time

ISO 27001

International Standard for Information Security Management System

Who needs it

SaaS providers, cloud service providers, and any company handling customer data on behalf of enterprise clients. Popular for organizations operating internationally.

What it covers

A structured Information Security Management System (ISMS) covering risk management, governance, and a defined set of controls across 14 domains in Annex A.

Certification Process

A formal certification awarded by an accredited body following a two-stage audit. Once issued, certification is valid for three years with annual surveillance audits.

Typical timeline

3-9 months for ISMS implementation and internal readiness. Stage 1 and Stage 2 audits typically add 2-4 months. Most organizations achieve certification within 9-15 months.

How we help

We help organizations build, certify, and maintain an ISO 27001 program that aligns with your business rather than fighting it:

  • Gap assessment against the standard and Annex A controls to identify what's missing and what's already in place

  • ISMS development including scope definition, risk assessment methodology, policies, and procedures

  • Implementation support for the controls and processes needed to satisfy the standard

  • Audit preparation and coordination through Stage 1 and Stage 2, working alongside your chosen certification body

  • Ongoing maintenance through our managed services to keep the ISMS effective between surveillance audits

CMMC 2.0

Cybersecurity Maturity Model Certification, version 2.0

Who needs it

DoD contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), as well as Defense Industrial Base organizations bidding on contracts.

What it covers

A tiered model with three levels of increasing rigor. Level 1 covers basic FCI safeguarding. Level 2 aligns with NIST 800-171 for most CUI-handling contractors. Level 3 applies to the most sensitive programs.

Assessment

Level 1 requires an annual self-assessment. Level 2 is self-assessment or third-party, depending on the contract language and requirements. Level 3 requires a government-led assessment.

Typical timeline

1-3 months for Level 1 readiness. 3-6 months for Level 2 readiness and third-party certification. Level 3 timelines vary significantly based on program scope and government assessment scheduling.

How we help

Whether you're pursuing SOC 2 for the first time or maintaining an existing program, we support organizations at every stage of the process:

  • Readiness assessment to identify gaps before the audit

  • Control implementation across the relevant Trust Services Criteria

  • Documentation of policies, procedures, and evidence collection processes

  • Ongoing maintenance through our managed services to stay audit-ready year over year

PCI DSS

Payment Card Industry Data Security Standard

Who needs it

Any organization that stores, processes, or transmits cardholder data. Required for merchants, payment processors, service providers, and any business that accepts credit or debit card payments, regardless of size.

What it covers

Twelve core requirements organized into six control objectives, spanning network security, data protection, access control, monitoring, and policy. The current version (4.0) introduces a more flexible, outcomes-based approach.

SAQ vs ROC

Smaller merchants typically validate compliance through a Self-Assessment Questionnaire (SAQ). Larger merchants and service providers require a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).

Typical timeline

3-6 months for SAQ-based readiness. 9-12 months for ROC-based readiness and assessment. Compliance is validated annually, with quarterly external vulnerability scans required throughout the year.

How we help

Whether you're pursuing SOC 2 for the first time or maintaining an existing program, we support organizations at every stage of the process:

  • Readiness assessment to identify gaps before the audit

  • Control implementation across the relevant Trust Services Criteria

  • Documentation of policies, procedures, and evidence collection processes

  • Ongoing maintenance through our managed services to stay audit-ready year over year

NIST 800-37/RMF

Risk Management Framework

Who needs it

Federal agencies, contractors, and any organization required to authorize information systems for operation under federal oversight. Some commercial organizations also adopt RMF voluntarily as the foundation for their security program.

What it covers

A seven-step process for managing security and privacy risk throughout the system lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. RMF integrates security into system development.

The Control Catalog

The Risk Management Framework (NIST 800-37) is the process for managing risk. NIST 800-53 is the catalog of controls organizations apply. RMF tells you how to make risk decisions; 800-53 tells you which controls to consider.

Typical timeline

6-12 months to reach an initial Authorization to Operate (ATO) for a new system, depending on system complexity and categorization. Continuous monitoring is ongoing once authorized.

How we help

We help organizations navigate RMF from initial preparation through ongoing authorization maintenance:

  • System categorization using FIPS 199 to determine the appropriate control baseline

  • Control selection and tailoring from NIST 800-53 based on system categorization and organizational context

  • Implementation support for the controls required to meet the authorization baseline

  • Assessment preparation including documentation, evidence collection, and System Security Plan (SSP) development

  • Authorization package support coordinating with assessors and authorizing officials toward ATO

  • Continuous monitoring through our managed services to maintain authorization

Get in Touch

Tell us about your goals and we'll follow up with next steps.