Frameworks Explained
Plain-language guides to the security frameworks we work with most. Understand what each one covers, who it's for, and how to know if it applies to your organization.
SOC 2
System and Organization Controls 2
Who needs it
SaaS providers, cloud service providers, and any company handling customer data on behalf of enterprise clients. Provides a competitive sales advantage.
Type 1 vs Type 2
Type 1 reports on control design at a point in time. Type 2 reports on operating effectiveness over a 3-12 month observation window.
What it covers
Five Trust Services Criteria: Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional additions for evaluation.
Typical timeline
3-6 months for Type 1 readiness. 9-15 months for Type 2 readiness and audit completion, because the controls must be operating for at least 3 months before the observation window can close.
How we help
Whether you're pursuing SOC 2 for the first time or maintaining an existing program, we support organizations at every stage of the process:
Readiness assessment to identify gaps before the audit
Control implementation across the relevant Trust Services Criteria
Documentation of policies, procedures, and evidence collection processes
Ongoing maintenance through our managed services to stay audit-ready year over year
NIST CSF 2.0
NIST Cybersecurity Framework, Version 2.0
Who needs it
Any organization looking to build, improve, or measure a security program. Used widely across critical infrastructure, financial services, healthcare, manufacturing, and by businesses of all sizes.
What it covers
Six core functions that span the full security lifecycle: Govern, Identify, Protect, Detect, Respond, and Recover. Each function breaks down into categories and subcategories that describe specific outcomes.
Voluntary, not certifiable
NIST CSF is a voluntary framework, not a certification. There's no audit or formal compliance status. Instead, organizations self-assess maturity and use it to guide program development and decisions.
Typical timeline
Initial gap assessment in 6-10 weeks. Maturity improvement is ongoing, with most organizations targeting incremental progress across the six functions over 12-24 months, followed by a re-evaluation.
How we help
We help organizations use NIST CSF 2.0 as the foundation for building a structured, defensible security program:
Maturity assessment against all six functions to establish your baseline and prioritize improvement areas
Target state planning to define where your program needs to be in 12, 24, and 36 months
Program development across governance, risk management, and operational controls aligned to CSF categories
Ongoing measurement through our managed services to track maturity progress over time
ISO 27001
International Standard for Information Security Management System
Who needs it
SaaS providers, cloud service providers, and any company handling customer data on behalf of enterprise clients. Popular for organizations operating internationally.
What it covers
A structured Information Security Management System (ISMS) covering risk management, governance, and a defined set of controls across 14 domains in Annex A.
Certification Process
A formal certification awarded by an accredited body following a two-stage audit. Once issued, certification is valid for three years with annual surveillance audits.
Typical timeline
3-9 months for ISMS implementation and internal readiness. Stage 1 and Stage 2 audits typically add 2-4 months. Most organizations achieve certification within 9-15 months.
How we help
We help organizations build, certify, and maintain an ISO 27001 program that aligns with your business rather than fighting it:
Gap assessment against the standard and Annex A controls to identify what's missing and what's already in place
ISMS development including scope definition, risk assessment methodology, policies, and procedures
Implementation support for the controls and processes needed to satisfy the standard
Audit preparation and coordination through Stage 1 and Stage 2, working alongside your chosen certification body
Ongoing maintenance through our managed services to keep the ISMS effective between surveillance audits
CMMC 2.0
Cybersecurity Maturity Model Certification, version 2.0
Who needs it
DoD contractors and subcontractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), as well as Defense Industrial Base organizations bidding on contracts.
What it covers
A tiered model with three levels of increasing rigor. Level 1 covers basic FCI safeguarding. Level 2 aligns with NIST 800-171 for most CUI-handling contractors. Level 3 applies to the most sensitive programs.
Assessment
Level 1 requires an annual self-assessment. Level 2 is self-assessment or third-party, depending on the contract language and requirements. Level 3 requires a government-led assessment.
Typical timeline
1-3 months for Level 1 readiness. 3-6 months for Level 2 readiness and third-party certification. Level 3 timelines vary significantly based on program scope and government assessment scheduling.
How we help
Whether you're pursuing SOC 2 for the first time or maintaining an existing program, we support organizations at every stage of the process:
Readiness assessment to identify gaps before the audit
Control implementation across the relevant Trust Services Criteria
Documentation of policies, procedures, and evidence collection processes
Ongoing maintenance through our managed services to stay audit-ready year over year
PCI DSS
Payment Card Industry Data Security Standard
Who needs it
Any organization that stores, processes, or transmits cardholder data. Required for merchants, payment processors, service providers, and any business that accepts credit or debit card payments, regardless of size.
What it covers
Twelve core requirements organized into six control objectives, spanning network security, data protection, access control, monitoring, and policy. The current version (4.0) introduces a more flexible, outcomes-based approach.
SAQ vs ROC
Smaller merchants typically validate compliance through a Self-Assessment Questionnaire (SAQ). Larger merchants and service providers require a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA).
Typical timeline
3-6 months for SAQ-based readiness. 9-12 months for ROC-based readiness and assessment. Compliance is validated annually, with quarterly external vulnerability scans required throughout the year.
How we help
Whether you're pursuing SOC 2 for the first time or maintaining an existing program, we support organizations at every stage of the process:
Readiness assessment to identify gaps before the audit
Control implementation across the relevant Trust Services Criteria
Documentation of policies, procedures, and evidence collection processes
Ongoing maintenance through our managed services to stay audit-ready year over year
NIST 800-37/RMF
Risk Management Framework
Who needs it
Federal agencies, contractors, and any organization required to authorize information systems for operation under federal oversight. Some commercial organizations also adopt RMF voluntarily as the foundation for their security program.
What it covers
A seven-step process for managing security and privacy risk throughout the system lifecycle: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. RMF integrates security into system development.
The Control Catalog
The Risk Management Framework (NIST 800-37) is the process for managing risk. NIST 800-53 is the catalog of controls organizations apply. RMF tells you how to make risk decisions; 800-53 tells you which controls to consider.
Typical timeline
6-12 months to reach an initial Authorization to Operate (ATO) for a new system, depending on system complexity and categorization. Continuous monitoring is ongoing once authorized.
How we help
We help organizations navigate RMF from initial preparation through ongoing authorization maintenance:
System categorization using FIPS 199 to determine the appropriate control baseline
Control selection and tailoring from NIST 800-53 based on system categorization and organizational context
Implementation support for the controls required to meet the authorization baseline
Assessment preparation including documentation, evidence collection, and System Security Plan (SSP) development
Authorization package support coordinating with assessors and authorizing officials toward ATO
Continuous monitoring through our managed services to maintain authorization
Get in Touch
Tell us about your goals and we'll follow up with next steps.