When starting on your compliance journey, you might start by asking, "Which compliance standard is best for us?" But once you explore the realm of standards, it's common to land on more than one!
You might have customers asking about multiple standards. Or you might operate across different geographies and industries and have a mix of regulations and customer requirements. Everyone knows there’s duplication across standards, so it often makes sense to do them together.
Our modern audit pathways are popular for that reason; why not achieve multiple business outcomes from a single project with a marginal extra cost and effort?
Here are the 10 standards commonly considered by cloud services companies looking to satisfy their global customers across industries.
SOC 2 is referred to as the most accepted standard. It works best to open doors by providing a base level of maturity for information security and satisfies most customers' needs to start doing business with them. Its flexibility also enables various ways to expand it, with optional trust services criteria for availability, confidentiality, processing integrity, and privacy that can be added to the base criteria for security.
It’s also commonly used for “SOC 2 +” to combine other bespoke requirements or regulations into a single report. SOC 2’s flexible criteria and practical focus make it an adaptable standard that any business can achieve.
Prevalence: 9/10
Difficulty rating: 4/10
This international information security standard has a best practice focus. Its prescriptive nature, both in the requirements to comply and in the audits conducted, tends to give the illusion that this standard is ‘harder’ to achieve.
It can be very painful with a broad and stringent set of requirements, and several days of business disruption for the audits. It’s not easy to achieve, but it is viewed favorably around the world by large enterprises. Our flexible approach means you can still achieve ISO 27001 compliance in a way that works for your business. There are additional ISO standards like ISO/IEC 27701 (Privacy), ISO/IEC 42001 (AI Management Systems), and ISO/IEC 22316 (Resilience) to cover other areas, much in the way the SOC 2 Trust Services Criteria offers optional additions within the same standard.
Prevalence: 9/10
Difficulty: 7/10
HIPAA is the de facto expectation for doing business in the healthcare industry. Although it’s a regulation that applies to American patient data, in practice it’s often used to satisfy non-American healthcare customers and to verify service providers even where there’s no collection or use of patient data. It has some prescribed requirements and a broad set of regulatory criteria that can be daunting for those without experience in this regulation.
Since there’s no formal certification scheme or accreditation, it allows a lot of flexibility with how it’s achieved and demonstrated to stakeholders, which makes it a little easier to combine with other standards and work with a preferred audit partner.
Prevalence: 5/10
Difficulty: 5/10
The European Union’s General Data Protection Regulation (GDPR), introduced in 2018, was a sweeping step forward in consumers' privacy rights. Various countries and states have taken their own steps forward in refining or introducing new privacy regulations. But GDPR is seen as the global benchmark. It applies to EU citizens' data, regardless of the location or type of service, and therefore impacts most global technology companies. It provides a key point of consideration for ambitious growing companies.
The key difference depends on your type of service. If you’re B2C, you’re regulated and may be fined for non-compliance. If you’re B2B, that also applies, but perhaps more significantly you need to prove your compliance to larger customers to satisfy their obligations and mitigate their risk of non-compliance.
Prevalence: 8/10
Difficulty: 6/10
The California Privacy Rights Act (CPRA), which amends and expands the earlier California Consumer Privacy Act (CCPA), introduces more rigorous regulatory requirements for organizations handling personal data of California residents. In addition to aligning with many principles of the GDPR, the CPRA establishes new consumer rights, such as the right to correct inaccurate personal information and the right to limit the use of sensitive personal data.
Businesses that meet certain thresholds—such as having annual gross revenues over $25 million, processing personal information of 100,000 or more consumers or households, or deriving 50% or more of their revenue from selling or sharing personal information—must comply.
Importantly, the CPRA places greater emphasis on accountability through mandatory risk assessments, enhanced contractual obligations with service providers, and expanded transparency in data-sharing practices.
Prevalence: 4/10
Difficulty: 4/10
The Consumer Data Right is Australia’s Open Data scheme, which requires compliance to receive data from those covered by the scheme (e.g., banks, and in time, economy-wide enterprises that collect consumer data). Although this is an Australian slant, similar regimes are anticipated or already in action in other countries (e.g., the UK, with compliance rules built on PSD2).
These regimes share a focus on core information security and privacy to ensure consumers' rights are protected throughout the sharing and use of that data. Open data standards are still at an early stage, but they are widely anticipated to transform the tech industry’s products and use of data.
Prevalence: 2/10
Difficulty: 5/10
The System and Organizational Control standards are the oldest on this list, dating back to the early 2000s. SOC 1 was the first generation of these standards, which had various iterations and country-specific versions (FRAG21, SAS70, ISAE/ASAE 3402, SSAE 18, and so on).
These standards are focused on financial reporting objectives, reporting on the controls at a service organization with the general purpose of satisfying external audit requirements that may include Sarbanes-Oxley internal controls. SOC 1 became more broadly used for information security before SOC 2 was introduced for that general purpose. SOC 1 continues to be common where you have publicly listed enterprise customers.
Prevalence: 5/10
Difficulty: 5/10
The Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR) program includes a Level 1 self-assessment, Level 2 certification (or attestation), and Level 3 continuous auditing certification, all based on the Cloud Controls Matrix (CCM). This program and standard are rapidly growing as cloud security threats evolve. Level 2 is where CSA STAR is most used to satisfy stakeholders, including customers, that the security practices meet their requirements.
Prevalence: 4/10
Difficulty: 8/10
HITRUST Alliance
HITRUST is a private organization that developed a master standard designed to provide an all-inclusive approach. Enterprise healthcare in particular drives this standard to ensure their interests and compliance requirements are covered. That often includes HIPAA as a subcomponent, general information security like what’s covered in ISO/IEC 27001, and generally a rigorous, best-practice focus on governance, risk, and compliance.
Prevalence: 3/10
Difficulty: 9/10
ESG Reporting (Environmental, Social, Governance)
The list can’t be complete without a mention of environmental, social, and governance (ESG) reporting. ESG is quickly becoming as significant as information security assurance as public pressure mounts and enterprises need to satisfy their commitments (including their use of third parties and those impacts by extension).
ESG is not a standard per se; it’s an area of growing importance. We’ve developed our own ESG standard to plug a market gap and enable any business to report their ESG practices to satisfy customers and other stakeholders. In the broader market, GRI, SASB, CDP, B Labs, and B-Corporation are a few of the main standards and certification schemes.
Prevalence: 5/10
Difficulty: 3/10
Most B2B cloud services businesses comply with at least one of the above standards. Most commonly that's starting with SOC 2 or ISO/IEC 27001. These standards benefit from broad recognition. They establish a baseline of information security and compliance practices that lays a good foundation for working with enterprise customers and the other compliance standards on the list.
About 50-70% of those companies also comply with one or more other standards from the list above. Despite being very similar, SOC 2 and ISO/IEC 27001 are often both achieved to satisfy varying customer preferences. SOC 1, HIPAA and the Consumer Data Right (CDR) all fit seamlessly with the SOC 2 standard and are largely also addressed by ISO/IEC 27001.
It's common that these are added to the baseline to satisfy large publicly listed companies (SOC 1), healthcare customers (HIPAA), or to achieve accreditation to participate in Open Banking as a Fintech (CDR). For companies operating globally and collecting some form of personal data (most cloud services businesses), the privacy regulations apply based on region; the GDPR in Europe, and CPRA in California.
Then there's a smaller ~10% that see compliance as a competitive advantage, or otherwise just want to ensure all bases are covered to reduce the friction in selling into and serving enterprise customers. That's where CSA STAR, HITRUST, and/or ESG reporting are used to bolster the compliance program and demonstrate best-in-class compliance.
After reading this list, you may still be wondering, “What's involved in each standard? How long would it take to achieve? What sort of cost can you expect (including your team's time)? Is it realistic and achievable for your business?”
The good news is, we've created free software to help you answer those questions. In ~60-90 minutes you can assess the above standards to see exactly where you do and don't comply. The tailored outputs will give you a baseline of your existing state, with recommendations to solve the gaps and achieve compliance.
Our software is a world-first to remove the significant duplication between these standards, so there's no harm starting with a longer list of potential standards, then narrowing it down later. Check it out.