[{"data":1,"prerenderedAt":5798},["ShallowReactive",2],{"\u002Findustry\u002Feducation":3,"related-frameworks-all":202,"related-glossary-grc-soc2-iso27001-hipaa":3544,"explore-glossary-none-\u002Findustry\u002Feducation":4543,"explore-topics-none-\u002Findustry\u002Feducation":5237,"explore-hub-none":5238,"explore-compare-vs-\u002Findustry\u002Feducation":5239,"explore-compare-\u002Findustry\u002Feducation":5405,"explore-blog-none-\u002Findustry\u002Feducation":5522,"explore-industry-none":5717},{"id":4,"title":5,"advantages":6,"body":28,"checklist":128,"cta":137,"description":34,"extension":140,"faq":141,"hero":153,"meta":169,"name":170,"navigation":171,"path":172,"resources":173,"seo":186,"slug":189,"stats":190,"stem":200,"__hash__":201},"industries\u002F6. industry\u002F8.education.md","Education",[7,14,21],{"title":8,"description":9,"bullets":10},"Student data governance","Map controls to FERPA, COPPA, and state student privacy laws with a single evidence set.",[11,12,13],"Data inventory linking student records to systems, processors, and storage","Consent and parental rights tracking with documentation","De-identification and data minimization controls with evidence",{"title":15,"description":16,"bullets":17},"District and state compliance","Meet the security requirements that school districts demand before procurement.",[18,19,20],"State student privacy pledge and DPA tracking with renewal alerts","Prebuilt responses for common district security questionnaires","SOC 2 and state compliance evidence reusable across district reviews",{"title":22,"description":23,"bullets":24},"Vendor and integration oversight","Track third-party risk across LMS integrations, cloud providers, and data processors.",[25,26,27],"Vendor risk assessments for edtech integrations and APIs","Data sharing agreements tracked with expiration and compliance status","Shared responsibility documentation for cloud-hosted student 
data",{"type":29,"value":30,"toc":122},"minimark",[31,35,49,54,57,65,69,119],[32,33,34],"p",{},"Education technology companies and institutions handle vast amounts of sensitive student data. FERPA governs how education records are protected at the federal level, but a growing patchwork of state student privacy laws adds complexity for any edtech company operating nationally.",[32,36,37,38,43,44,48],{},"episki helps education teams manage ",[39,40,42],"a",{"href":41},"\u002Fframeworks\u002Fsoc2","SOC 2",", ",[39,45,47],{"href":46},"\u002Fframeworks\u002Fnistcsf","NIST CSF",", and student privacy requirements in a single workspace, turning compliance from a barrier to a competitive advantage in district procurement.",[50,51,53],"h2",{"id":52},"the-education-compliance-landscape","The education compliance landscape",[32,55,56],{},"School districts increasingly require edtech vendors to demonstrate robust security before procurement. State laws like California's SOPIPA, New York's Education Law 2-d, and Illinois' SOPPA impose specific requirements for student data handling, breach notification, and transparency.",[32,58,59,60,64],{},"At the same time, edtech platforms integrate with learning management systems, student information systems, and dozens of third-party tools, each expanding the ",[39,61,63],{"href":62},"\u002Fglossary\u002Frisk-register","risk"," surface for student data.",[50,66,68],{"id":67},"how-episki-supports-education-teams","How episki supports education teams",[70,71,72,80,86,97,108],"ul",{},[73,74,75,79],"li",{},[76,77,78],"strong",{},"FERPA control mapping",": Track controls for education record protections, directory information handling, and parental consent requirements with structured evidence and ownership.",[73,81,82,85],{},[76,83,84],{},"State privacy law tracking",": Manage compliance across 50 states with varying student data privacy requirements, including Data Processing Agreement (DPA) obligations and vendor transparency 
mandates.",[73,87,88,91,92,96],{},[76,89,90],{},"District procurement readiness",": Answer district security questionnaires with organized evidence and give reviewers scoped portal access to your ",[39,93,95],{"href":94},"\u002Fglossary\u002Fgrc","compliance"," posture.",[73,98,99,102,103,43,105,107],{},[76,100,101],{},"Cross-framework efficiency",": Map controls once and reuse evidence across ",[39,104,42],{"href":41},[39,106,47],{"href":46},", and state privacy requirements without duplicating work.",[73,109,110,113,114,118],{},[76,111,112],{},"Vendor risk management",": Track ",[39,115,117],{"href":116},"\u002Fglossary\u002Fthird-party-risk","third-party risk"," across LMS integrations, cloud providers, and data processors with assessment workflows and expiration alerts.",[32,120,121],{},"Whether you are an edtech startup pursuing your first district contracts or a university managing institutional compliance, episki keeps student data protections documented, monitored, and shareable.",{"title":123,"searchDepth":124,"depth":124,"links":125},"",2,[126,127],{"id":52,"depth":124,"text":53},{"id":67,"depth":124,"text":68},{"title":129,"description":130,"items":131},"Education compliance checklist","Use this during your trial to organize student data protections and prepare for district reviews.",[132,133,134,135,136],"FERPA compliance mapping with education record classifications","Student data inventory across platforms, integrations, and storage","State student privacy law tracker with jurisdiction-specific requirements","Data Processing Agreement (DPA) tracker with district-specific terms","Incident response plan with FERPA breach notification procedures",{"title":138,"description":139},"Win district trust with provable protections","Map your controls, document student data flows, and answer district reviews with confidence.","md",{"title":142,"items":143},"Education compliance FAQ",[144,147,150],{"label":145,"content":146},"Does episki support FERPA compliance 
tracking?","Yes. episki maps controls to FERPA requirements including education record protections, directory information handling, and parental consent obligations. You can track compliance across all systems that touch student data.",{"label":148,"content":149},"How does episki handle state student privacy laws?","episki tracks state-by-state student privacy requirements including data processing agreement obligations, breach notification rules, and vendor transparency mandates, alerting you to gaps when state laws differ from your baseline controls.",{"label":151,"content":152},"Can edtech companies manage SOC 2 and FERPA in one workspace?","Absolutely. episki's cross-framework mapping lets you maintain shared controls and evidence for SOC 2 and FERPA requirements, so district security reviews and auditor assessments draw from the same verified evidence.",{"headline":154,"title":155,"description":156,"links":157},"Student data protection that scales with your platform","Keep FERPA, state privacy laws, and SOC 2 controls provable across every system","episki maps controls to FERPA, state student privacy laws, and SOC 2 so edtech teams can win district contracts while protecting student data.",[158,162],{"label":159,"icon":160,"to":161},"Start free trial","i-lucide-rocket","https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},"Book a demo","i-lucide-message-circle","neutral","subtle","https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo","_blank",{},"education and edtech",true,"\u002Findustry\u002Feducation",{"headline":174,"title":174,"description":175,"items":176},"Education enablement kit","Give districts, parents, and leadership confidence in your student data protections.",[177,180,183],{"title":178,"description":179},"District security brief","Summarize your compliance posture, certifications, and student data controls.",{"title":181,"description":182},"Privacy practices 
overview","Document data collection, use, sharing, and retention in plain language.",{"title":184,"description":185},"District collaboration portal","Shared workspace for procurement reviews, DPAs, and compliance evidence.",{"title":187,"description":188},"GRC Software for Education and EdTech","Manage FERPA, student data privacy, and state compliance in one workspace. Automate evidence, track controls, and pass audits faster. Try episki free.","education",[191,194,197],{"value":192,"description":193},"50-state coverage","Track student data privacy laws across all states with varying requirements.",{"value":195,"description":196},"FERPA mapped","Controls mapped to FERPA requirements for education records and directory information.",{"value":198,"description":199},"District-ready portals","Give school districts scoped access to your security posture and compliance evidence.","6. industry\u002F8.education","fEheGYt-dc7Sp_FPUCFK7HWYxbC5S5Si16X1oawMOD0",[203,714,1300,1800,2424,2939],{"id":204,"title":205,"advantages":206,"body":228,"checklist":644,"cta":653,"description":123,"extension":140,"faq":656,"hero":674,"meta":682,"name":683,"navigation":171,"path":684,"resources":685,"seo":698,"slug":701,"stats":702,"stem":712,"__hash__":713},"frameworks\u002F5.frameworks\u002Fcmmc.md","Cmmc",[207,214,221],{"title":208,"description":209,"bullets":210},"NIST 800-171 control mapping","Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.",[211,212,213],"14 control families mapped to 110 security requirements","AI-drafted implementation narratives and testing procedures","Gap analysis highlights missing controls before your assessment",{"title":215,"description":216,"bullets":217},"Assessment preparation workspace","Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.",[218,219,220],"POA&M tracking with 180-day close-out reminders","Scoring methodology aligned to DoD assessment 
guide","Assessor portal with scoped read-only access",{"title":222,"description":223,"bullets":224},"Cross-framework reuse","Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.",[225,226,227],"Unified control graph eliminates duplicate documentation","Evidence collected once, reused across every framework","Framework coverage dashboard shows gaps at a glance",{"type":29,"value":229,"toc":626},[230,234,237,240,245,252,263,274,278,286,318,321,325,337,348,352,355,372,385,388,392,395,406,413,417,432,435,439,447,473,477,505,509,517,521,529,533,541,545,548,587,591,623],[50,231,233],{"id":232},"what-is-cmmc","What is CMMC?",[32,235,236],{},"The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.",[32,238,239],{},"Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system. They self-attested. A 2018 DoD Inspector General report and the 2019 MITRE \"Deliver Uncompromised\" study both found the self-attestation model was failing — contractors claimed compliance they had not achieved, and nation-state adversaries were quietly stealing terabytes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.",[241,242,244],"h3",{"id":243},"cmmc-10-to-cmmc-20","CMMC 1.0 to CMMC 2.0",[32,246,247,248,251],{},"The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. 
It had ",[76,249,250],{},"five maturity levels",", added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. Cybersecurity teams argued that the custom CMMC practices and \"maturity processes\" diverged from established standards without clear security benefit.",[32,253,254,255,258,259,262],{},"In November 2021 the DoD announced ",[76,256,257],{},"CMMC 2.0",", a streamlined successor. CMMC 2.0 collapsed the five levels into ",[76,260,261],{},"three",", eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. It also re-introduced self-assessment as a compliant path for many contracts — a concession to cost that CMMC 1.0 did not allow.",[32,264,265,266,269,270,273],{},"The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on ",[76,267,268],{},"December 16, 2024",". The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on ",[76,271,272],{},"November 10, 2025"," — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about \"CMMC\" today, we mean CMMC 2.0 as enforced through DFARS.",[241,275,277],{"id":276},"the-three-cmmc-levels","The three CMMC levels",[32,279,280,281,285],{},"CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. 
",[39,282,284],{"href":283},"\u002Fframeworks\u002Fcmmc\u002Flevels","See the full breakdown of CMMC levels"," for control counts, assessment types, and scoping rules.",[70,287,288,298,308],{},[73,289,290,293,294,297],{},[76,291,292],{},"Level 1 — Foundational."," Covers the basic safeguarding of Federal Contract Information (FCI). It requires 17 practices drawn directly from FAR 52.204-21. Any organization that processes FCI under a DoD contract must meet Level 1. It is verified through an ",[76,295,296],{},"annual self-assessment"," with a senior official affirming the results in the Supplier Performance Risk System (SPRS).",[73,299,300,303,304,307],{},[76,301,302],{},"Level 2 — Advanced."," Protects Controlled Unclassified Information (CUI). It requires all ",[76,305,306],{},"110 security requirements"," from NIST SP 800-171 Rev 2 across 14 control families. Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. Level 2 is where most defense contractors will land.",[73,309,310,313,314,317],{},[76,311,312],{},"Level 3 — Expert."," Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement ",[76,315,316],{},"plus 24 enhanced requirements"," selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.",[32,319,320],{},"The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. 
A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.",[241,322,324],{"id":323},"nist-sp-800-171-is-the-heart-of-cmmc","NIST SP 800-171 is the heart of CMMC",[32,326,327,328,331,332,336],{},"CMMC Level 2 is a ",[76,329,330],{},"direct one-to-one mapping"," to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward ",[39,333,335],{"href":334},"\u002Fglossary\u002Fnist","NIST"," SP 800-171 compliance since 2017 did not have to start over.",[32,338,339,340,344,345,347],{},"The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. ",[39,341,343],{"href":342},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","See the detailed NIST SP 800-171 mapping"," for the full control family breakdown and cross-framework overlap with ",[39,346,47],{"href":46}," and ISO 27001.",[241,349,351],{"id":350},"who-needs-cmmc","Who needs CMMC?",[32,353,354],{},"Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need CMMC certification. That is a much broader population than \"defense contractors\" in the traditional sense. 
CMMC applies to:",[70,356,357,360,363,366,369],{},[73,358,359],{},"Prime contractors holding contracts directly with the DoD",[73,361,362],{},"Subcontractors at every tier in the supply chain",[73,364,365],{},"Cloud service providers hosting DoD contractor data",[73,367,368],{},"Managed service providers and IT vendors with access to FCI or CUI",[73,370,371],{},"Foreign suppliers in the defense industrial base handling covered information",[32,373,374,375,379,380,384],{},"CMMC flow-down is one of the most important operational realities. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level. If that subcontractor further shares CUI with a tier-three supplier, the tier-three supplier must also be certified. CMMC's reach extends deep into the supply chain. ",[39,376,378],{"href":377},"\u002Fframeworks\u002Fcmmc\u002Fwho-needs-cmmc","See who needs CMMC"," for detailed scoping guidance, and our ",[39,381,383],{"href":382},"\u002Findustry\u002Fgovernment","government industry page"," for broader public-sector compliance context.",[32,386,387],{},"Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand the most stringent CMMC Level 3 — numbers from the DoD's own economic analysis of the CMMC rule.",[241,389,391],{"id":390},"the-cmmc-assessment-process","The CMMC assessment process",[32,393,394],{},"CMMC assessments come in three flavors that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and DIBCAC government-led assessment. Regardless of type, the assessment methodology is the same — scoring is based on the DoD Assessment Methodology and NIST SP 800-171A objectives.",[32,396,397,398,401,402,405],{},"A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. 
A Level 2 assessment starts with a score of 110 and subtracts points for each unmet objective. A score of 110 yields full certification. A score of ",[76,399,400],{},"88 or above"," with remaining gaps documented in a Plan of Action and Milestones (POA&M) yields a ",[76,403,404],{},"conditional"," certification with a 180-day remediation window. A score below 88 yields no certification at all.",[32,407,408,412],{},[39,409,411],{"href":410},"\u002Fframeworks\u002Fcmmc\u002Fassessment-process","See the full CMMC assessment process"," for scoring details, POA&M rules, and what you can and cannot defer.",[241,414,416],{"id":415},"c3paos-and-certified-assessors","C3PAOs and certified assessors",[32,418,419,420,423,424,427,428,431],{},"Third-party CMMC assessments are conducted by ",[76,421,422],{},"CMMC Third-Party Assessment Organizations (C3PAOs)"," accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). C3PAOs employ ",[76,425,426],{},"Certified CMMC Assessors (CCAs)"," and ",[76,429,430],{},"Certified CMMC Professionals (CCPs)"," who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.",[32,433,434],{},"The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.",[241,436,438],{"id":437},"cmmc-implementation-timeline","CMMC implementation timeline",[32,440,441,442,446],{},"CMMC enforcement follows a four-phase rollout under the DFARS rule. 
The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. ",[39,443,445],{"href":444},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline","See the full CMMC implementation timeline"," for dates and milestones.",[70,448,449,455,461,467],{},[73,450,451,454],{},[76,452,453],{},"Phase 1 (November 2025 – November 2026)."," Active now. CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.",[73,456,457,460],{},[76,458,459],{},"Phase 2 (November 2026 – November 2027)."," CMMC Level 2 C3PAO certification requirements expand significantly. Level 3 requirements begin appearing in select solicitations.",[73,462,463,466],{},[76,464,465],{},"Phase 3 (November 2027 – November 2028)."," CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.",[73,468,469,472],{},[76,470,471],{},"Phase 4 (November 2028 onward)."," All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.",[241,474,476],{"id":475},"cmmc-and-dfars","CMMC and DFARS",[32,478,479,480,483,484,427,487,490,491,494,495,499,500,504],{},"CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. ",[76,481,482],{},"DFARS 252.204-7012"," has required safeguarding of covered defense information and rapid incident reporting since 2017. ",[76,485,486],{},"DFARS 252.204-7019",[76,488,489],{},"-7020"," added the requirement to post NIST SP 800-171 assessment scores to SPRS. ",[76,492,493],{},"DFARS 252.204-7021",", effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. 
",[39,496,498],{"href":497},"\u002Fframeworks\u002Fcmmc\u002Fdfars-relationship","See how CMMC and DFARS relate"," for the full clause-by-clause picture. For blog-length coverage of DFARS and CMMC in context, see our ",[39,501,503],{"href":502},"\u002Fnow\u002Fcompliance-framework-comparison","compliance framework comparison",".",[241,506,508],{"id":507},"self-assessment-vs-third-party-assessment","Self-assessment vs third-party assessment",[32,510,511,512,516],{},"Not every CMMC obligation requires bringing in a C3PAO. CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. Third-party CMMC assessment is more expensive but produces a defensible certification. ",[39,513,515],{"href":514},"\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party","Compare CMMC self-assessment vs third-party"," to decide which applies to you and how to budget.",[241,518,520],{"id":519},"handling-cui-the-cmmc-way","Handling CUI the CMMC way",[32,522,523,524,528],{},"Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. ",[39,525,527],{"href":526},"\u002Fframeworks\u002Fcmmc\u002Fcui-handling","See CUI handling under CMMC"," for marking rules, scoping guidance, and common mistakes.",[241,530,532],{"id":531},"subcontractor-requirements","Subcontractor requirements",[32,534,535,536,540],{},"CMMC flow-down affects nearly every defense prime. 
If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. ",[39,537,539],{"href":538},"\u002Fframeworks\u002Fcmmc\u002Fsubcontractor-requirements","See CMMC subcontractor requirements"," for the full flow-down model and how to reduce the burden.",[241,542,544],{"id":543},"getting-cmmc-ready","Getting CMMC ready",[32,546,547],{},"CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:",[549,550,551,557,563,569,575,581],"ol",{},[73,552,553,556],{},[76,554,555],{},"Scope your CMMC environment."," Map where FCI and CUI enter, flow through, and are stored in your systems. Your CMMC assessment boundary is only as good as your scoping work.",[73,558,559,562],{},[76,560,561],{},"Complete your SSP."," A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.",[73,564,565,568],{},[76,566,567],{},"Submit a SPRS score."," Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.",[73,570,571,574],{},[76,572,573],{},"Stand up a POA&M register."," Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.",[73,576,577,580],{},[76,578,579],{},"Review your flow-down."," Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. 
Confirm they are on their own CMMC path.",[73,582,583,586],{},[76,584,585],{},"Schedule a readiness review."," A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.",[241,588,590],{"id":589},"common-cmmc-challenges","Common CMMC challenges",[70,592,593,599,605,611,617],{},[73,594,595,598],{},[76,596,597],{},"Scoping complexity."," Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.",[73,600,601,604],{},[76,602,603],{},"NIST SP 800-171 gaps."," Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.",[73,606,607,610],{},[76,608,609],{},"POA&M management."," Tracking remediation across teams within a 180-day window is hard without tooling. CMMC conditional certifications are revoked when POA&Ms go stale.",[73,612,613,616],{},[76,614,615],{},"Subcontractor flow-down."," Primes must verify subcontractor CMMC status continuously, not once at onboarding.",[73,618,619,622],{},[76,620,621],{},"Evidence organization."," A CMMC assessment can touch hundreds of evidence artifacts. 
Without a single source of truth, assessors burn billable hours chasing documents.",[32,624,625],{},"A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.",{"title":123,"searchDepth":124,"depth":124,"links":627},[628],{"id":232,"depth":124,"text":233,"children":629},[630,632,633,634,635,636,637,638,639,640,641,642,643],{"id":243,"depth":631,"text":244},3,{"id":276,"depth":631,"text":277},{"id":323,"depth":631,"text":324},{"id":350,"depth":631,"text":351},{"id":390,"depth":631,"text":391},{"id":415,"depth":631,"text":416},{"id":437,"depth":631,"text":438},{"id":475,"depth":631,"text":476},{"id":507,"depth":631,"text":508},{"id":519,"depth":631,"text":520},{"id":531,"depth":631,"text":532},{"id":543,"depth":631,"text":544},{"id":589,"depth":631,"text":590},{"title":645,"description":646,"items":647},"CMMC readiness checklist inside episki","Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.",[648,649,650,651,652],"NIST SP 800-171 control library with mapped CMMC practices","Level 1, 2, and 3 scoping guidance and practice sets","POA&M register with risk-ranked remediation priorities","System Security Plan (SSP) template with AI drafting","Evidence library organized by control family",{"title":654,"description":655},"Launch your CMMC workspace today","Import your NIST 800-171 controls, map them to CMMC levels, and start closing gaps before your next assessment.",{"title":657,"items":658},"CMMC frequently asked questions",[659,662,665,668,671],{"label":660,"content":661},"What is CMMC 2.0?","CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified 
Information (CUI). The final program rule took effect December 16, 2024, and DFARS contract enforcement began November 10, 2025.",{"label":663,"content":664},"What are the three CMMC levels?","Level 1 requires 17 basic safeguarding practices for FCI based on FAR 52.204-21. Level 2 requires 110 security practices aligned to NIST SP 800-171 Rev 2 for CUI. Level 3 adds 24 enhanced practices from NIST SP 800-172 for the most sensitive programs. Each level builds on the one below it.",{"label":666,"content":667},"How much does CMMC certification cost?","Costs vary by level and organization size. Level 1 requires only an annual self-assessment. Level 2 self-assessments are free but require significant preparation effort. Level 2 C3PAO assessments typically range from $50,000 to $150,000+ depending on scope. episki reduces preparation costs by automating evidence collection and control documentation.",{"label":669,"content":670},"When will CMMC be required in contracts?","CMMC is being phased into DoD contracts over four phases. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in select solicitations. Phase 2 (November 2026) expands Level 2 C3PAO requirements. Phase 3 (November 2027) adds Level 3. By Phase 4 (November 2028), all applicable DoD contracts will require the appropriate CMMC level.",{"label":672,"content":673},"Who needs CMMC certification?","Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract needs CMMC certification. This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting DoD data. 
The required level depends on the sensitivity of information handled.",{"headline":675,"title":676,"description":677,"links":678},"CMMC without the guesswork","Get assessment-ready for CMMC without rebuilding your security program","episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.",[679,681],{"label":680,"icon":160,"to":161},"Start CMMC trial",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},{},"CMMC","\u002Fframeworks\u002Fcmmc",{"headline":686,"title":686,"description":687,"items":688},"CMMC acceleration resources","Give leadership and contracting officers visibility into your cybersecurity posture at every stage.",[689,692,695],{"title":690,"description":691},"Executive scorecard","Translate control work into CMMC readiness percentages and contract eligibility status.",{"title":693,"description":694},"Assessment readiness kit","Pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.",{"title":696,"description":697},"Subcontractor flow-down tracker","Monitor which subcontractors need their own CMMC certification and track their progress.",{"title":699,"description":700},"CMMC Compliance Software","Prepare for CMMC Level 1, 2, and 3 assessments with pre-mapped NIST 800-171 controls, automated evidence collection, and C3PAO-ready workspaces. Start your free 14-day trial.","cmmc",[703,706,709],{"value":704,"description":705},"3 maturity levels","Pre-mapped practices for Level 1, Level 2, and Level 3 with assessment-type guidance for each.",{"value":707,"description":708},"110 practices","Full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.",{"value":710,"description":711},"Phase 1 live now","DFARS enforcement began November 2025. 
Level 1 and Level 2 self-assessments already required in select solicitations.","5.frameworks\u002Fcmmc","APy1MM_8-5_unEn-D_R-70YqqDsOLlJ3S3APZbab4kY",{"id":715,"title":716,"advantages":717,"body":739,"checklist":1231,"cta":1240,"description":123,"extension":140,"faq":1243,"hero":1261,"meta":1269,"name":1116,"navigation":171,"path":1270,"resources":1271,"seo":1284,"slug":1287,"stats":1288,"stem":1298,"__hash__":1299},"frameworks\u002F5.frameworks\u002Fhipaa.md","Hipaa",[718,725,732],{"title":719,"description":720,"bullets":721},"Safeguards mapped to your stack","Every HIPAA standard comes with plain-language owners, SLAs, and tests.",[722,723,724],"Assign compliance, engineering, and ops leads to each safeguard","Playbooks explain what “good” looks like for each requirement","Timeline view keeps renewals and reviews on schedule",{"title":726,"description":727,"bullets":728},"PHI-aware evidence locker","Secure uploads, access controls, and audit trails keep regulators satisfied.",[729,730,731],"Granular permissions for internal and external reviewers","Automated retention and deletion policies","Download tracking and access audit trails",{"title":733,"description":734,"bullets":735},"Vendor & incident workflows","Track BAAs, vendor attestations, and incidents from discovery to closure.",[736,737,738],"BAA repository tied to vendor risk levels","Incident response runbooks with reminders","Post-incident reports aligned to HIPAA timelines",{"type":29,"value":740,"toc":1204},[741,745,748,761,764,768,771,814,818,821,826,830,833,837,845,865,868,872,879,887,891,894,898,901,904,917,921,924,927,931,949,953,965,969,972,980,984,987,990,997,1001,1008,1011,1015,1022,1025,1048,1052,1055,1058,1064,1068,1071,1097,1100,1103,1107,1110,1129,1132,1136,1142,1146,1149,1178,1186,1190,1193,1201],[50,742,744],{"id":743},"what-is-hipaa","What is HIPAA?",[32,746,747],{},"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal law governing the 
privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.",[32,749,750,751,755,756,760],{},"At its core, the law establishes national standards that protect sensitive patient information — known as ",[39,752,754],{"href":753},"\u002Fglossary\u002Fphi","protected health information",", or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. The ",[39,757,759],{"href":758},"\u002Fglossary\u002Fhipaa","HIPAA glossary entry"," provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.",[32,762,763],{},"Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.",[50,765,767],{"id":766},"a-brief-history-of-hipaa","A brief history of HIPAA",[32,769,770],{},"HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. 
The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.",[70,772,773,779,785,791,802,808],{},[73,774,775,778],{},[76,776,777],{},"1996"," — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.",[73,780,781,784],{},[76,782,783],{},"2000"," — The HIPAA Privacy Rule is published; it takes full effect in 2003.",[73,786,787,790],{},[76,788,789],{},"2003"," — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.",[73,792,793,796,797,801],{},[76,794,795],{},"2009"," — The Health Information Technology for Economic and Clinical Health Act (",[39,798,800],{"href":799},"\u002Fframeworks\u002Fhipaa\u002Fhitech-and-omnibus","HITECH",") is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.",[73,803,804,807],{},[76,805,806],{},"2013"," — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and patient rights.",[73,809,810,813],{},[76,811,812],{},"2024 and beyond"," — HHS continues to update HIPAA guidance, most recently around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.",[241,815,817],{"id":816},"hitech-and-the-omnibus-rule","HITECH and the Omnibus Rule",[32,819,820],{},"The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. 
It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.",[32,822,823,824,504],{},"The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read ",[39,825,817],{"href":799},[50,827,829],{"id":828},"who-hipaa-applies-to","Who HIPAA applies to",[32,831,832],{},"HIPAA applies to two broad categories of organizations: covered entities and business associates. Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.",[241,834,836],{"id":835},"covered-entities","Covered entities",[32,838,839,840,844],{},"A ",[39,841,843],{"href":842},"\u002Fglossary\u002Fcovered-entity","covered entity"," is any of the following:",[70,846,847,853,859],{},[73,848,849,852],{},[76,850,851],{},"Health plans"," — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.",[73,854,855,858],{},[76,856,857],{},"Healthcare providers"," — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.",[73,860,861,864],{},[76,862,863],{},"Healthcare clearinghouses"," — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.",[32,866,867],{},"If your organization directly delivers healthcare or finances it, you are almost certainly a 
covered entity.",[241,869,871],{"id":870},"business-associates","Business associates",[32,873,839,874,878],{},[39,875,877],{"href":876},"\u002Fglossary\u002Fbusiness-associate","business associate"," is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.",[32,880,881,882,886],{},"Most modern SaaS companies serving healthcare customers are business associates. If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a \"healthcare company.\" Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a ",[39,883,885],{"href":884},"\u002Fglossary\u002Fbaa","business associate agreement"," with every upstream and downstream partner that touches PHI is non-negotiable.",[241,888,890],{"id":889},"who-is-not-covered-by-hipaa","Who is not covered by HIPAA?",[32,892,893],{},"Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.",[50,895,897],{"id":896},"the-hipaa-privacy-rule","The HIPAA Privacy Rule",[32,899,900],{},"The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. 
It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most disclosures. The Privacy Rule applies to covered entities directly and to business associates through their BAAs.",[32,902,903],{},"Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days), the right to request amendments and accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.",[32,905,906,907,911,912,916],{},"For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated ",[39,908,910],{"href":909},"\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule","HIPAA Privacy Rule"," guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the ",[39,913,915],{"href":914},"\u002Fframeworks\u002Fhipaa\u002Fminimum-necessary-rule","minimum necessary rule"," page.",[50,918,920],{"id":919},"the-hipaa-security-rule","The HIPAA Security Rule",[32,922,923],{},"The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.",[32,925,926],{},"The Security Rule organizes its requirements into three categories of safeguards. 
Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.",[241,928,930],{"id":929},"administrative-safeguards","Administrative safeguards",[32,932,933,934,938,939,943,944,948],{},"Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. They include security management processes, a designated security official, ",[39,935,937],{"href":936},"\u002Fframeworks\u002Fhipaa\u002Fworkforce-training","workforce training",", a ",[39,940,942],{"href":941},"\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy","sanctions policy"," for workforce violations, access management, ",[39,945,947],{"href":946},"\u002Fframeworks\u002Fhipaa\u002Fcontingency-planning","contingency planning",", periodic evaluations, and BAAs with every downstream partner. These typically consume the most effort because they touch every corner of the business.",[241,950,952],{"id":951},"physical-safeguards","Physical safeguards",[32,954,955,956,43,960,964],{},"Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers ",[39,957,959],{"href":958},"\u002Fframeworks\u002Fhipaa\u002Ffacility-access-controls","facility access controls",[39,961,963],{"href":962},"\u002Fframeworks\u002Fhipaa\u002Fworkstation-and-device-controls","workstation and device controls",", and media disposal. For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.",[241,966,968],{"id":967},"technical-safeguards","Technical safeguards",[32,970,971],{},"Technical safeguards are the technology controls that protect ePHI and govern access to it. 
They include unique user identification, automatic logoff, encryption and decryption of ePHI at rest and in transit, audit controls that log system activity, integrity controls that prevent improper alteration, and person or entity authentication. Note that encryption and automatic logoff are addressable rather than required implementation specifications under the current rule: you must either implement them or document why an equivalent alternative is reasonable and appropriate, and HHS's proposed Security Rule update would make encryption mandatory.",[32,973,974,975,979],{},"For a deep dive into the complete Security Rule standards, required versus addressable implementation specifications, and how to pass an OCR audit of your ePHI safeguards, read the ",[39,976,978],{"href":977},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","HIPAA Security Rule"," guide.",[50,981,983],{"id":982},"the-hipaa-breach-notification-rule","The HIPAA Breach Notification Rule",[32,985,986],{},"The Breach Notification Rule, added by HITECH and finalized in the Omnibus Rule, requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI — PHI that has not been rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance — is breached. Loss of properly encrypted ePHI whose keys were not also compromised therefore falls outside the notification requirement, which is the strongest practical argument for encrypting every device and backup that holds ePHI. A breach is presumed whenever PHI is used or disclosed in a way that is not permitted under the Privacy Rule, unless the organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.",[32,988,989],{},"Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify their covered entity clients within that same 60-day outer limit (BAAs commonly impose a much shorter window), and the covered entity in turn notifies affected individuals. 
Breaches involving 500 or more individuals must be reported to HHS within 60 days and listed on the public OCR \"Wall of Shame,\" while smaller breaches may be reported in an annual log.",[32,991,992,993,979],{},"For full details on timelines, content requirements, and documentation expectations, see the ",[39,994,996],{"href":995},"\u002Fframeworks\u002Fhipaa\u002Fbreach-notification","HIPAA Breach Notification Rule",[50,998,1000],{"id":999},"business-associate-agreements","Business associate agreements",[32,1002,1003,1004,1007],{},"No PHI should ever leave a covered entity — or a business associate — without a properly executed BAA in place. A ",[39,1005,885],{"href":1006},"\u002Fframeworks\u002Fhipaa\u002Fbusiness-associate-agreements"," is a legally binding contract that defines permitted uses and disclosures of PHI, requires implementation of appropriate safeguards, obligates breach notification, mandates BAA flow-down to subcontractors, and establishes termination rights when a business associate violates the agreement.",[32,1009,1010],{},"In practice, BAA management is one of the most common HIPAA failure modes for growing SaaS companies. Deals close, engineering ships, and PHI starts flowing before legal has countersigned the BAA — creating exposure for both sides. A disciplined BAA intake process, a BAA repository with renewal reminders, and clear ownership of vendor risk are table stakes for any serious compliance program.",[50,1012,1014],{"id":1013},"hipaa-compliance-checklist","HIPAA compliance checklist",[32,1016,1017,1018,1021],{},"Translating the regulatory language into day-to-day operations is where most programs struggle. 
The ",[39,1019,1014],{"href":1020},"\u002Fframeworks\u002Fhipaa\u002Fcompliance-checklist"," walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.",[32,1023,1024],{},"At a high level, a complete HIPAA program includes:",[70,1026,1027,1030,1033,1036,1039,1042,1045],{},[73,1028,1029],{},"A current risk analysis and documented risk management plan.",[73,1031,1032],{},"Written policies and procedures covering Privacy, Security, and Breach Notification obligations.",[73,1034,1035],{},"A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.",[73,1037,1038],{},"Workforce training at hire and at least annually thereafter, with documented completion.",[73,1040,1041],{},"Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.",[73,1043,1044],{},"An incident response runbook aligned to the Breach Notification Rule.",[73,1046,1047],{},"Documentation retained for at least six years from creation or last effective date, whichever is later.",[50,1049,1051],{"id":1050},"hipaa-risk-analysis","HIPAA risk analysis",[32,1053,1054],{},"Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.",[32,1056,1057],{},"A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. 
Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.",[32,1059,1060,1061,979],{},"For a full breakdown of methodology, documentation requirements, and common pitfalls, read the ",[39,1062,1051],{"href":1063},"\u002Fframeworks\u002Fhipaa\u002Frisk-analysis",[50,1065,1067],{"id":1066},"penalties-and-enforcement","Penalties and enforcement",[32,1069,1070],{},"Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.",[70,1072,1073,1079,1085,1091],{},[73,1074,1075,1078],{},[76,1076,1077],{},"Tier 1 — Unknowing violation"," — $100 to $50,000 per violation; annual cap $25,000 for identical violations.",[73,1080,1081,1084],{},[76,1082,1083],{},"Tier 2 — Reasonable cause"," — $1,000 to $50,000 per violation; annual cap $100,000.",[73,1086,1087,1090],{},[76,1088,1089],{},"Tier 3 — Willful neglect, corrected"," — $10,000 to $50,000 per violation; annual cap $250,000.",[73,1092,1093,1096],{},[76,1094,1095],{},"Tier 4 — Willful neglect, uncorrected"," — $50,000 per violation; annual cap $1.5 million per violation category.",[32,1098,1099],{},"Penalty amounts are adjusted annually for inflation. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.",[32,1101,1102],{},"OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. 
Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — consistently receive more favorable resolutions.",[50,1104,1106],{"id":1105},"hipaa-vs-hitech-vs-hitrust","HIPAA vs HITECH vs HITRUST",[32,1108,1109],{},"These three acronyms sit close together in healthcare conversations and are often conflated. They are related but distinct.",[70,1111,1112,1118,1123],{},[73,1113,1114,1117],{},[76,1115,1116],{},"HIPAA"," is the underlying federal law and its implementing regulations (Privacy, Security, Breach Notification, and Enforcement Rules). HIPAA defines the legal obligations.",[73,1119,1120,1122],{},[76,1121,800],{}," is a 2009 federal law that strengthened HIPAA — extending it to business associates, introducing breach notification, increasing penalties, and funding EHR adoption. HITECH is part of HIPAA's regulatory stack, not a separate framework.",[73,1124,1125,1128],{},[76,1126,1127],{},"HITRUST"," is a private-sector certification maintained by the HITRUST Alliance. The HITRUST CSF is a control framework that maps HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable set of controls. HITRUST is a common way to demonstrate HIPAA compliance to sophisticated healthcare customers, but HITRUST certification is not itself required by HIPAA.",[32,1130,1131],{},"A healthcare SaaS company might pursue HITRUST CSF certification as a commercial asset while its underlying legal obligation remains HIPAA compliance under HITECH-amended rules.",[241,1133,1135],{"id":1134},"hipaa-and-soc-2","HIPAA and SOC 2",[32,1137,1138,1139,1141],{},"Many SaaS companies pursue ",[39,1140,42],{"href":41}," alongside HIPAA. The two frameworks complement each other: SOC 2 evaluates security, availability, confidentiality, processing integrity, and privacy trust services criteria, while HIPAA is a statutory requirement for handling PHI. 
A well-designed control environment can satisfy both with substantial overlap.",[50,1143,1145],{"id":1144},"getting-hipaa-compliant","Getting HIPAA compliant",[32,1147,1148],{},"The most successful HIPAA programs treat compliance as a continuous operating rhythm rather than a once-a-year scramble. A typical rollout for a SaaS company serving healthcare customers looks like this.",[549,1150,1151,1154,1157,1160,1163,1166,1169,1172,1175],{},[73,1152,1153],{},"Confirm your status as a covered entity, business associate, or both, and inventory the PHI you handle today.",[73,1155,1156],{},"Appoint a security official and a privacy official (the same person may hold both roles at small companies).",[73,1158,1159],{},"Conduct a risk analysis scoped to every system that creates, receives, maintains, or transmits ePHI.",[73,1161,1162],{},"Implement the administrative, physical, and technical safeguards required by the Security Rule, informed by your risk analysis.",[73,1164,1165],{},"Draft and publish policies and procedures covering Privacy, Security, and Breach Notification obligations.",[73,1167,1168],{},"Execute BAAs with every vendor that touches PHI, and require a signed BAA before onboarding any new customer that qualifies as a covered entity.",[73,1170,1171],{},"Deliver workforce training at hire and annually thereafter, and document completion.",[73,1173,1174],{},"Stand up an incident response runbook aligned to the Breach Notification Rule.",[73,1176,1177],{},"Operate the program: review access quarterly, test contingency plans at least annually, refresh your risk analysis whenever material change occurs, and retain documentation for at least six years.",[32,1179,1180,1181,1185],{},"For companies operating in the broader ",[39,1182,1184],{"href":1183},"\u002Findustry\u002Fhealthcare","healthcare industry",", HIPAA is rarely the only regulation in scope. 
State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.",[50,1187,1189],{"id":1188},"how-episki-helps-with-hipaa-compliance","How episki helps with HIPAA compliance",[32,1191,1192],{},"episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.",[32,1194,1195,1196,1200],{},"Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the ",[39,1197,1199],{"href":1198},"\u002Fnow\u002Fhipaa-compliance-healthtech","HIPAA for healthtech"," playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.",[32,1202,1203],{},"Ready to tighten your HIPAA program? 
Start a free trial or book a demo from the top of this page.",{"title":123,"searchDepth":124,"depth":124,"links":1205},[1206,1207,1210,1215,1216,1221,1222,1223,1224,1225,1226,1229,1230],{"id":743,"depth":124,"text":744},{"id":766,"depth":124,"text":767,"children":1208},[1209],{"id":816,"depth":631,"text":817},{"id":828,"depth":124,"text":829,"children":1211},[1212,1213,1214],{"id":835,"depth":631,"text":836},{"id":870,"depth":631,"text":871},{"id":889,"depth":631,"text":890},{"id":896,"depth":124,"text":897},{"id":919,"depth":124,"text":920,"children":1217},[1218,1219,1220],{"id":929,"depth":631,"text":930},{"id":951,"depth":631,"text":952},{"id":967,"depth":631,"text":968},{"id":982,"depth":124,"text":983},{"id":999,"depth":124,"text":1000},{"id":1013,"depth":124,"text":1014},{"id":1050,"depth":124,"text":1051},{"id":1066,"depth":124,"text":1067},{"id":1105,"depth":124,"text":1106,"children":1227},[1228],{"id":1134,"depth":631,"text":1135},{"id":1144,"depth":124,"text":1145},{"id":1188,"depth":124,"text":1189},{"title":1232,"description":1233,"items":1234},"HIPAA launch kit","Guided steps keep privacy, security, and ops in sync from day one.",[1235,1236,1237,1238,1239],"Safeguard library with ownership matrix","Evidence tracking for access logs and configs","BAA tracker with renewal reminders","Incident and breach response templates","Stakeholder portal with PHI redaction controls",{"title":1241,"description":1242},"Launch HIPAA monitoring in minutes","Kick off the free trial and invite stakeholders before your next diligence call.",{"title":1244,"items":1245},"HIPAA compliance frequently asked questions",[1246,1249,1252,1255,1258],{"label":1247,"content":1248},"Who needs to comply with HIPAA?","HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates — any vendor or subcontractor that creates, receives, maintains, or transmits protected health information (PHI). 
SaaS companies serving healthcare customers almost always qualify as business associates.",{"label":1250,"content":1251},"What is a Business Associate Agreement (BAA)?","A BAA is a legally required contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI, requires appropriate safeguards, and outlines breach notification responsibilities. No PHI should be shared with a vendor before a BAA is signed.",{"label":1253,"content":1254},"What are the penalties for HIPAA violations?","HIPAA penalties range from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The HHS Office for Civil Rights enforces compliance.",{"label":1256,"content":1257},"Does HIPAA apply to SaaS companies?","Yes. Any SaaS company that handles, stores, or transmits PHI on behalf of a healthcare organization is considered a business associate under HIPAA and must comply with the Security Rule, Privacy Rule, and Breach Notification Rule.",{"label":1259,"content":1260},"What are the three HIPAA safeguard categories?","HIPAA requires administrative safeguards (policies, training, risk assessments), physical safeguards (facility access, workstation security), and technical safeguards (access controls, encryption, audit logging) to protect electronic PHI.",{"headline":1262,"title":1263,"description":1264,"links":1265},"HIPAA-ready cloud teams","Stay HIPAA compliant while shipping product weekly","episki maps administrative, physical, and technical safeguards to your systems and keeps PHI protections verifiable.",[1266,1268],{"label":1267,"icon":160,"to":161},"Start HIPAA trial",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},{},"\u002Fframeworks\u002Fhipaa",{"headline":1272,"title":1272,"description":1273,"items":1274},"HIPAA enablement","Keep leadership, customers, and partners 
aligned.",[1275,1278,1281],{"title":1276,"description":1277},"Board-ready posture report","Shows maturity score, risk trends, and upcoming audits.",{"title":1279,"description":1280},"Customer FAQ pack","Answers the most common HIPAA diligence questions.",{"title":1282,"description":1283},"Ops automation guide","Explains how to plug security tasks into existing tools.",{"title":1285,"description":1286},"HIPAA Compliance Management Software","Map HIPAA safeguards, track PHI evidence, and manage BAAs in one secure workspace. Get audit-ready in 30 days with episki's free trial.","hipaa",[1289,1292,1295],{"value":1290,"description":1291},"30-day rollout","Average time to production monitoring across safeguards.",{"value":1293,"description":1294},"PHI-safe sharing","Role-based portals keep sensitive documents organized and protected.",{"value":1296,"description":1297},"24\u002F7 alerts","Continuous monitoring for access, logging, and vendor risks.","5.frameworks\u002Fhipaa","kCp_xKHobI3ImW1d3oQnreKycgEB8pRTkldsfQQSaso",{"id":1301,"title":1302,"advantages":1303,"body":1325,"checklist":1730,"cta":1741,"description":123,"extension":140,"faq":1744,"hero":1762,"meta":1770,"name":1336,"navigation":171,"path":1771,"resources":1772,"seo":1785,"slug":1788,"stats":1789,"stem":1798,"__hash__":1799},"frameworks\u002F5.frameworks\u002Fiso27001.md","Iso27001",[1304,1311,1318],{"title":1305,"description":1306,"bullets":1307},"Statement of Applicability in minutes","Generate and maintain your SoA directly from your control graph with justification notes for every inclusion and exclusion.",[1308,1309,1310],"Auto-populate applicability status from existing controls","Link each control to risk treatment decisions","Export auditor-ready SoA documents on demand",{"title":1312,"description":1313,"bullets":1314},"Risk-driven control management","Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.",[1315,1316,1317],"Risk assessment 
templates following ISO 27005 guidance","Heat maps show residual risk by domain","Treatment plans tie directly to control tasks and owners",{"title":1319,"description":1320,"bullets":1321},"Surveillance audit confidence","Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.",[1322,1323,1324],"Automated evidence refresh and expiration alerts","Internal audit scheduling with finding tracking","Management review templates with trend data",{"type":29,"value":1326,"toc":1712},[1327,1331,1343,1346,1349,1352,1356,1359,1362,1365,1369,1372,1385,1389,1392,1399,1402,1406,1414,1417,1425,1429,1437,1440,1448,1452,1455,1499,1507,1515,1519,1522,1525,1532,1536,1539,1542,1554,1558,1561,1569,1573,1576,1583,1587,1590,1616,1623,1627,1630,1638,1642,1645,1653,1657,1660,1681,1687,1691,1694,1706,1709],[50,1328,1330],{"id":1329},"what-is-iso-27001","What is ISO 27001?",[32,1332,1333,1337,1338,1342],{},[39,1334,1336],{"href":1335},"\u002Fglossary\u002Fiso27001","ISO 27001"," is the world's most widely adopted international standard for information security management. Formally titled ISO\u002FIEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ",[39,1339,1341],{"href":1340},"\u002Fglossary\u002Fisms","ISMS",". Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.",[32,1344,1345],{},"The standard is published jointly by two bodies. The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrotechnical and information technology standards. 
Together, their joint technical committee ISO\u002FIEC JTC 1\u002FSC 27 maintains the ISO 27001 family, which includes supporting documents such as ISO 27002 (implementation guidance) and ISO 27005 (risk management guidance).",[32,1347,1348],{},"ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.",[32,1350,1351],{},"At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. Your ISMS is the thing you build from that blueprint.",[50,1353,1355],{"id":1354},"why-iso-27001-matters","Why ISO 27001 matters",[32,1357,1358],{},"ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.",[32,1360,1361],{},"Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. 
The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.",[32,1363,1364],{},"ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds almost always includes a security review. Holding an ISO 27001 certificate short-circuits much of that review and accelerates close.",[50,1366,1368],{"id":1367},"the-iso-27001-certification-process","The ISO 27001 certification process",[32,1370,1371],{},"ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. If there are no major nonconformities, the certification body recommends certification and a three-year certificate is issued. Annual surveillance audits follow, with full recertification every three years.",[32,1373,1374,1375,1379,1380,1384],{},"For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ",[39,1376,1378],{"href":1377},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","ISO 27001 certification process guide",". If you are still evaluating whether to pursue ISO 27001 at all, the ",[39,1381,1383],{"href":1382},"\u002Fnow\u002Fiso27001-certification-guide","ISO 27001 certification guide"," covers the business case and sequencing decisions.",[50,1386,1388],{"id":1387},"iso-270012022-what-changed","ISO 27001:2022 — What changed",[32,1390,1391],{},"The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.",[32,1393,1394,1395,1398],{},"First, the control set was restructured. 
The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into ",[76,1396,1397],{},"93 controls across four themes",": organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Eleven entirely new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.",[32,1400,1401],{},"Second, the clause-level requirements in sections 4 through 10 received targeted updates around planning, leadership commitment, and operational control. The Plan-Do-Check-Act structure remains, but the language is tighter and more aligned with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates were given a transition window, and most have now migrated. New certifications are assessed exclusively against ISO 27001:2022.",[50,1403,1405],{"id":1404},"annex-a-controls","Annex A controls",[32,1407,1408,1409,1413],{},"Annex A of ISO 27001 is the reference control set. The ",[39,1410,1412],{"href":1411},"\u002Fglossary\u002Fannex-a","93 Annex A controls"," are organized under the four themes described above and represent the universe of possible safeguards your ISMS might apply. Every control must be evaluated for applicability and either implemented or formally excluded with justification.",[32,1415,1416],{},"Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. 
Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.",[32,1418,1419,1420,1424],{},"For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ",[39,1421,1423],{"href":1422},"\u002Fframeworks\u002Fiso27001\u002Fannex-a-controls","ISO 27001 Annex A controls reference",". ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.",[50,1426,1428],{"id":1427},"statement-of-applicability-soa","Statement of Applicability (SoA)",[32,1430,1431,1432,1436],{},"The ",[39,1433,1435],{"href":1434},"\u002Fglossary\u002Fstatement-of-applicability","Statement of Applicability"," is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, explains why, and summarizes how the control is implemented. It is the document auditors will open first, and it is the document customers may ask to see.",[32,1438,1439],{},"A well-built SoA ties directly to your risk assessment output. Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions. Controls marked not applicable require a short but credible justification. Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.",[32,1441,1442,1443,1447],{},"See the dedicated guide on the ",[39,1444,1446],{"href":1445},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","ISO 27001 Statement of Applicability"," for format examples, justification patterns, and common SoA mistakes.",[50,1449,1451],{"id":1450},"building-your-isms","Building your ISMS",[32,1453,1454],{},"Implementing ISO 27001 is primarily an exercise in building a functioning ISMS. 
The standard walks through this in clauses 4 through 10:",[70,1456,1457,1463,1469,1475,1481,1487,1493],{},[73,1458,1459,1462],{},[76,1460,1461],{},"Clause 4 — Context of the organization."," Understand internal and external issues, interested parties, and define the ISMS scope.",[73,1464,1465,1468],{},[76,1466,1467],{},"Clause 5 — Leadership."," Top management must demonstrate commitment, approve the information security policy, and assign roles.",[73,1470,1471,1474],{},[76,1472,1473],{},"Clause 6 — Planning."," Identify risks and opportunities, set information security objectives, and plan how to achieve them.",[73,1476,1477,1480],{},[76,1478,1479],{},"Clause 7 — Support."," Provide resources, competence, awareness, communication, and documented information.",[73,1482,1483,1486],{},[76,1484,1485],{},"Clause 8 — Operation."," Execute the risk assessment and risk treatment process and operate the ISMS on an ongoing basis.",[73,1488,1489,1492],{},[76,1490,1491],{},"Clause 9 — Performance evaluation."," Monitor, measure, analyze, evaluate, conduct internal audits, and hold management reviews.",[73,1494,1495,1498],{},[76,1496,1497],{},"Clause 10 — Improvement."," Handle nonconformities and drive continual improvement.",[32,1500,1501,1502,1506],{},"Each clause has mandatory documented information and mandatory activities. The ",[39,1503,1505],{"href":1504},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation","ISO 27001 ISMS implementation guide"," breaks down exactly what to produce at each stage.",[32,1508,1509,1510,1514],{},"Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. 
The ",[39,1511,1513],{"href":1512},"\u002Fframeworks\u002Fiso27001\u002Fisms-scope","ISMS scope"," guide walks through how to draw the right boundaries for your business.",[50,1516,1518],{"id":1517},"iso-27001-risk-assessment","ISO 27001 risk assessment",[32,1520,1521],{},"Risk assessment is the engine that drives control selection in ISO 27001. The standard requires a documented, repeatable methodology. Most organizations use a qualitative or semi-quantitative approach that evaluates likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.",[32,1523,1524],{},"Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. Break this chain and you create nonconformities.",[32,1526,1527,1528,504],{},"For methodology, risk register structure, treatment options, and residual risk handling, see the ",[39,1529,1531],{"href":1530},"\u002Fframeworks\u002Fiso27001\u002Frisk-assessment","ISO 27001 risk assessment guide",[50,1533,1535],{"id":1534},"internal-audits-and-management-review","Internal audits and management review",[32,1537,1538],{},"Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. Both must be complete before your Stage 2 audit.",[32,1540,1541],{},"Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. 
Findings must be documented, communicated, and tracked to closure.",[32,1543,1544,1545,1549,1550,504],{},"Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the ",[39,1546,1548],{"href":1547},"\u002Fframeworks\u002Fiso27001\u002Finternal-audit","internal audit guide"," and the ",[39,1551,1553],{"href":1552},"\u002Fframeworks\u002Fiso27001\u002Fmanagement-review","management review guide",[50,1555,1557],{"id":1556},"nonconformities-and-corrective-action","Nonconformities and corrective action",[32,1559,1560],{},"When something in your ISMS does not meet ISO 27001 requirements, your own policies, or customer obligations, that is a nonconformity. Clauses 10.1 and 10.2 require you to react, contain the consequences, perform root cause analysis, implement corrective action, and verify effectiveness.",[32,1562,1563,1564,1568],{},"Mature organizations treat nonconformities as valuable signals rather than failures. The ",[39,1565,1567],{"href":1566},"\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","nonconformity and corrective action"," guide walks through the full CAPA workflow auditors expect to see.",[50,1570,1572],{"id":1571},"continual-improvement","Continual improvement",[32,1574,1575],{},"Clause 10.3 requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. 
It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.",[32,1577,1578,1579,504],{},"Learn how to set ISMS metrics that auditors respect and leadership actually uses in the ",[39,1580,1582],{"href":1581},"\u002Fframeworks\u002Fiso27001\u002Fcontinual-improvement","continual improvement guide",[50,1584,1586],{"id":1585},"cost-and-timeline","Cost and timeline",[32,1588,1589],{},"ISO 27001 certification costs vary by scope, organization size, and maturity. A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:",[70,1591,1592,1598,1604,1610],{},[73,1593,1594,1597],{},[76,1595,1596],{},"Internal effort."," Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. The equivalent fully loaded cost is $50,000 to $200,000.",[73,1599,1600,1603],{},[76,1601,1602],{},"External consulting (optional)."," Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.",[73,1605,1606,1609],{},[76,1607,1608],{},"Certification body fees."," Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. Recertification in year three costs about the same as the initial audit.",[73,1611,1612,1615],{},[76,1613,1614],{},"Platform and tooling."," GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.",[32,1617,1618,1619,1622],{},"Total first-year ISO 27001 program cost for a 50- to 200-person company commonly lands between $60,000 and $150,000 all-in. Timeline from kickoff to certificate in hand is typically nine to fifteen months. 
See the ",[39,1620,1621],{"href":1377},"cost and timeline discussion in the certification process guide"," for more detail.",[50,1624,1626],{"id":1625},"choosing-a-certification-body","Choosing a certification body",[32,1628,1629],{},"Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers.",[32,1631,1632,1633,1637],{},"Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. The ",[39,1634,1636],{"href":1635},"\u002Fframeworks\u002Fiso27001\u002Fcertification-body-selection","certification body selection guide"," walks through the full evaluation.",[50,1639,1641],{"id":1640},"surveillance-audits-and-recertification","Surveillance audits and recertification",[32,1643,1644],{},"Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.",[32,1646,1647,1648,1652],{},"See the ",[39,1649,1651],{"href":1650},"\u002Fframeworks\u002Fiso27001\u002Fsurveillance-audits","surveillance audits guide"," for preparation checklists and what auditors typically sample during year-one and year-two visits.",[50,1654,1656],{"id":1655},"iso-27001-vs-soc-2-vs-nist-csf","ISO 27001 vs SOC 2 vs NIST CSF",[32,1658,1659],{},"Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. 
The short version:",[70,1661,1662,1670],{},[73,1663,1664,1669],{},[76,1665,1666,1667,504],{},"ISO 27001 vs ",[39,1668,42],{"href":41}," ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. SOC 2 is faster to complete and often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.",[73,1671,1672,1675,1676,1680],{},[76,1673,1674],{},"ISO 27001 vs NIST CSF."," NIST CSF is a voluntary US framework structured around five functions: Identify, Protect, Detect, Respond, and Recover. It is not a certification. Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. The two map cleanly at the control level. See ",[39,1677,1679],{"href":1678},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","NIST CSF mapping to other frameworks"," for a side-by-side comparison.",[32,1682,1683,1684,1686],{},"If you are weighing which framework to pursue first, the ",[39,1685,1383],{"href":1382}," covers framework sequencing for growing companies.",[50,1688,1690],{"id":1689},"getting-certified-with-episki","Getting certified with episki",[32,1692,1693],{},"Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.",[32,1695,1696,1697,427,1701,1705],{},"episki was built to collapse that effort. 
The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see ",[39,1698,1700],{"href":1699},"\u002Fcompare\u002Fvanta","episki vs Vanta",[39,1702,1704],{"href":1703},"\u002Fcompare\u002Fdrata","episki vs Drata"," for honest side-by-side views.",[32,1707,1708],{},"Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.",[32,1710,1711],{},"Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.",{"title":123,"searchDepth":124,"depth":124,"links":1713},[1714,1715,1716,1717,1718,1719,1720,1721,1722,1723,1724,1725,1726,1727,1728,1729],{"id":1329,"depth":124,"text":1330},{"id":1354,"depth":124,"text":1355},{"id":1367,"depth":124,"text":1368},{"id":1387,"depth":124,"text":1388},{"id":1404,"depth":124,"text":1405},{"id":1427,"depth":124,"text":1428},{"id":1450,"depth":124,"text":1451},{"id":1517,"depth":124,"text":1518},{"id":1534,"depth":124,"text":1535},{"id":1556,"depth":124,"text":1557},{"id":1571,"depth":124,"text":1572},{"id":1585,"depth":124,"text":1586},{"id":1625,"depth":124,"text":1626},{"id":1640,"depth":124,"text":1641},{"id":1655,"depth":124,"text":1656},{"id":1689,"depth":124,"text":1690},{"title":1731,"description":1732,"items":1733},"ISO 27001 certification checklist inside episki","Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.",[1734,1735,1736,1737,1738,1739,1740],"ISMS scope definition and context of the organization templates","Full Annex 
A control library with implementation guidance","Risk assessment and treatment plan workflows","Statement of Applicability generator","Internal audit program with finding management","Management review agenda and output templates","Corrective action tracking with root cause analysis",{"title":1742,"description":1743},"Start your ISO 27001 journey today","Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.",{"title":1745,"items":1746},"ISO 27001 frequently asked questions",[1747,1750,1753,1756,1759],{"label":1748,"content":1749},"How long does ISO 27001 certification take?","Most organizations achieve certification in 6-12 months depending on scope and existing maturity. The process includes a Stage 1 documentation review and a Stage 2 implementation audit. episki reduces preparation time by up to 60% with pre-mapped controls and automated evidence.",{"label":1751,"content":1752},"What is the difference between ISO 27001 and SOC 2?","ISO 27001 is an international certification standard focused on building a complete information security management system (ISMS). SOC 2 is a US-based attestation that evaluates specific Trust Services Criteria. Many companies pursue both, and episki lets you map controls once and reuse them across frameworks.",{"label":1754,"content":1755},"What is an ISMS?","An Information Security Management System (ISMS) is the set of policies, procedures, controls, and processes an organization uses to manage information security risk. ISO 27001 provides the framework for establishing, implementing, maintaining, and continually improving an ISMS.",{"label":1757,"content":1758},"How much does ISO 27001 certification cost?","Certification costs vary by organization size and scope but typically range from $30,000 to $80,000 including auditor fees, plus ongoing annual surveillance audit costs. 
episki's flat-rate pricing keeps the platform cost predictable at $500\u002Fmonth.",{"label":1760,"content":1761},"How often are ISO 27001 surveillance audits?","After initial certification, surveillance audits occur annually to confirm your ISMS remains effective. A full recertification audit is required every three years. episki's continuous monitoring keeps evidence current between audits.",{"headline":1763,"title":1764,"description":1765,"links":1766},"ISO 27001 certification on your timeline","Build and maintain your ISMS without drowning in spreadsheets","episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.",[1767,1769],{"label":1768,"icon":160,"to":161},"Start ISO 27001 trial",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},{},"\u002Fframeworks\u002Fiso27001",{"headline":1773,"title":1773,"description":1774,"items":1775},"ISO 27001 certification resources","Give leadership, auditors, and customers visibility into your ISMS maturity.",[1776,1779,1782],{"title":1777,"description":1778},"ISMS maturity dashboard","Visual progress across all Annex A domains with gap analysis and trending.",{"title":1780,"description":1781},"Auditor collaboration portal","Scoped access for certification bodies with evidence requests and Q&A threads.",{"title":1783,"description":1784},"Customer trust pack","Shareable ISO 27001 certification summary with scope details and control highlights.",{"title":1786,"description":1787},"ISO 27001 Compliance Platform","Build and certify your ISMS faster with episki. Annex A control mapping, SoA generation, and risk treatment plans in one workspace. 
Free 14-day trial.","iso27001",[1790,1792,1795],{"value":1412,"description":1791},"Pre-mapped to your control graph with owners, evidence, and review cadences.",{"value":1793,"description":1794},"60% less prep","Average reduction in Stage 2 audit preparation time with episki's automation.",{"value":1796,"description":1797},"Continuous compliance","Surveillance audits stay painless with always-current evidence and risk registers.","5.frameworks\u002Fiso27001","fLJWn_ae0AR8PEz8xvdjLxG0f-8ic96hI5mgt8HsEmg",{"id":1801,"title":1802,"advantages":1803,"body":1825,"checklist":2356,"cta":2365,"description":123,"extension":140,"faq":2368,"hero":2385,"meta":2394,"name":47,"navigation":171,"path":46,"resources":2395,"seo":2408,"slug":2411,"stats":2412,"stem":2422,"__hash__":2423},"frameworks\u002F5.frameworks\u002Fnistcsf.md","Nistcsf",[1804,1811,1818],{"title":1805,"description":1806,"bullets":1807},"Tailored CSF roadmap","Start with opinionated baseline controls, then layer your own.",[1808,1809,1810],"Gap analysis highlights missing outcomes","Auto-generated improvement initiatives","Budget impact estimates for leadership",{"title":1812,"description":1813,"bullets":1814},"Continuous monitoring and AI ops","Stream alerts, detections, and incidents into CSF context.",[1815,1816,1817],"Connect SIEM, EDR, and cloud posture tools","AI summarizes incidents for exec updates","Workflows escalate unreviewed alerts",{"title":1819,"description":1820,"bullets":1821},"Board and customer alignment","Share progress externally with confidence.",[1822,1823,1824],"Customizable scorecards for customers or partners","Trend lines show quarter-over-quarter improvements","Trust room access with expiring 
links",{"type":29,"value":1826,"toc":2334},[1827,1831,1838,1841,1845,1852,1855,1859,1862,1873,1877,1880,1883,1922,1928,1932,1935,1938,1942,1951,1955,1965,1969,1979,1983,1993,1997,2007,2011,2021,2024,2028,2035,2061,2067,2071,2077,2080,2094,2097,2108,2112,2122,2139,2146,2150,2158,2164,2175,2179,2182,2229,2232,2236,2239,2271,2274,2277,2281,2284,2328,2331],[50,1828,1830],{"id":1829},"what-is-nist-csf","What is NIST CSF?",[32,1832,1833,1834,1837],{},"The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the ",[39,1835,1836],{"href":334},"National Institute of Standards and Technology",". The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.",[32,1839,1840],{},"NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.",[241,1842,1844],{"id":1843},"nist-origin-and-executive-order-13636","NIST origin and Executive Order 13636",[32,1846,1847,1848,1851],{},"The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. 
In February 2013, President Barack Obama signed ",[76,1849,1850],{},"Executive Order 13636 — Improving Critical Infrastructure Cybersecurity",", which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.",[32,1853,1854],{},"NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.",[241,1856,1858],{"id":1857},"the-evolution-of-nist-csf","The evolution of NIST CSF",[32,1860,1861],{},"In April 2018, NIST released NIST CSF version 1.1. This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.",[32,1863,1864,1865,1868,1869,1872],{},"In February 2024, NIST published ",[76,1866,1867],{},"NIST CSF 2.0"," — the first major revision of the NIST Cybersecurity Framework. 
NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called ",[76,1870,1871],{},"Govern",", reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.",[50,1874,1876],{"id":1875},"nist-csf-20-changes","NIST CSF 2.0 changes",[32,1878,1879],{},"The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.",[32,1881,1882],{},"Highlights of NIST CSF 2.0:",[70,1884,1885,1891,1897,1903,1916],{},[73,1886,1887,1890],{},[76,1888,1889],{},"A sixth function — Govern (GV)"," — elevates cybersecurity governance from a sub-category under Identify to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.",[73,1892,1893,1896],{},[76,1894,1895],{},"Explicit scope expansion"," — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. 
Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.",[73,1898,1899,1902],{},[76,1900,1901],{},"Stronger supply chain focus"," — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.",[73,1904,1905,1908,1909,1912,1913,1915],{},[76,1906,1907],{},"Improved implementation guidance"," — NIST CSF 2.0 ships with a companion CSF Reference Tool, searchable informative references mapping NIST CSF subcategories to ",[39,1910,1911],{"href":334},"NIST SP 800-53",", ISO 27001, CIS Controls, ",[39,1914,42],{"href":41},", and more.",[73,1917,1918,1921],{},[76,1919,1920],{},"Refreshed implementation tiers"," — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.",[32,1923,1924,1925,979],{},"For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our ",[39,1926,1876],{"href":1927},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes",[50,1929,1931],{"id":1930},"the-six-core-functions-of-nist-csf-20","The six core functions of NIST CSF 2.0",[32,1933,1934],{},"The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. 
Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.",[32,1936,1937],{},"The six NIST CSF 2.0 functions are:",[241,1939,1941],{"id":1940},"govern-gv","Govern (GV)",[32,1943,1431,1944,1946,1947,504],{},[76,1945,1871],{}," function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: ",[39,1948,1950],{"href":1949},"\u002Fframeworks\u002Fnistcsf\u002Fgovern-function","NIST CSF Govern function",[241,1952,1954],{"id":1953},"identify-id","Identify (ID)",[32,1956,1431,1957,1960,1961,504],{},[76,1958,1959],{},"Identify"," function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: ",[39,1962,1964],{"href":1963},"\u002Fframeworks\u002Fnistcsf\u002Fidentify-function","NIST CSF Identify function",[241,1966,1968],{"id":1967},"protect-pr","Protect (PR)",[32,1970,1431,1971,1974,1975,504],{},[76,1972,1973],{},"Protect"," function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. Protect encompasses identity and access management, awareness and training, data security, information protection processes, maintenance, and protective technology. 
Deep dive: ",[39,1976,1978],{"href":1977},"\u002Fframeworks\u002Fnistcsf\u002Fprotect-function","NIST CSF Protect function",[241,1980,1982],{"id":1981},"detect-de","Detect (DE)",[32,1984,1431,1985,1988,1989,504],{},[76,1986,1987],{},"Detect"," function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly analysis, and detection processes — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: ",[39,1990,1992],{"href":1991},"\u002Fframeworks\u002Fnistcsf\u002Fdetect-function","NIST CSF Detect function",[241,1994,1996],{"id":1995},"respond-rs","Respond (RS)",[32,1998,1431,1999,2002,2003,504],{},[76,2000,2001],{},"Respond"," function contains activities to take action regarding a detected cybersecurity incident. Respond covers incident response planning, communications, analysis, containment, eradication, and lessons-learned improvements. A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: ",[39,2004,2006],{"href":2005},"\u002Fframeworks\u002Fnistcsf\u002Frespond-function","NIST CSF Respond function",[241,2008,2010],{"id":2009},"recover-rc","Recover (RC)",[32,2012,1431,2013,2016,2017,504],{},[76,2014,2015],{},"Recover"," function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, improvements, and communications. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: ",[39,2018,2020],{"href":2019},"\u002Fframeworks\u002Fnistcsf\u002Frecover-function","NIST CSF Recover function",[32,2022,2023],{},"Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. 
Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.",[50,2025,2027],{"id":2026},"nist-csf-implementation-tiers","NIST CSF implementation tiers",[32,2029,2030,2031,2034],{},"NIST CSF uses ",[76,2032,2033],{},"implementation tiers"," to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.",[70,2036,2037,2043,2049,2055],{},[73,2038,2039,2042],{},[76,2040,2041],{},"Tier 1 — Partial",": Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.",[73,2044,2045,2048],{},[76,2046,2047],{},"Tier 2 — Risk-Informed",": Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.",[73,2050,2051,2054],{},[76,2052,2053],{},"Tier 3 — Repeatable",": Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.",[73,2056,2057,2060],{},[76,2058,2059],{},"Tier 4 — Adaptive",": The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. 
Cybersecurity risk management is part of the organizational culture.",[32,2062,2063,2064,979],{},"For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our ",[39,2065,2027],{"href":2066},"\u002Fframeworks\u002Fnistcsf\u002Fimplementation-tiers",[50,2068,2070],{"id":2069},"nist-csf-framework-profiles","NIST CSF framework profiles",[32,2072,839,2073,2076],{},[76,2074,2075],{},"framework profile"," is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.",[32,2078,2079],{},"NIST CSF supports two kinds of profiles:",[70,2081,2082,2088],{},[73,2083,839,2084,2087],{},[76,2085,2086],{},"Current Profile"," describes the cybersecurity outcomes the organization is achieving today.",[73,2089,839,2090,2093],{},[76,2091,2092],{},"Target Profile"," describes the cybersecurity outcomes the organization wants to achieve.",[32,2095,2096],{},"The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. 
Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.",[32,2098,2099,2100,2104,2105,504],{},"For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your ",[39,2101,2103],{"href":2102},"\u002Fglossary\u002Fcontrol-framework","control framework"," — see ",[39,2106,2070],{"href":2107},"\u002Fframeworks\u002Fnistcsf\u002Fframework-profiles",[50,2109,2111],{"id":2110},"nist-csf-categories-and-subcategories","NIST CSF categories and subcategories",[32,2113,2114,2115,427,2118,2121],{},"Below the function layer, NIST CSF decomposes cybersecurity activity into ",[76,2116,2117],{},"categories",[76,2119,2120],{},"subcategories",". Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.",[70,2123,2124,2134],{},[73,2125,2126,2129,2130,2133],{},[76,2127,2128],{},"NIST CSF 1.1"," defined 23 categories and ",[76,2131,2132],{},"108 subcategories"," across the five original functions.",[73,2135,2136,2138],{},[76,2137,1867],{}," reorganized the catalog around six functions. The total number of subcategories in NIST CSF 2.0 was restructured (and slightly reduced after consolidation) to roughly 106, grouped under 22 categories, with Govern contributing six new categories of its own.",[32,2140,2141,2142,2145],{},"Every NIST CSF subcategory is written as an outcome — for example, \"PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.\" NIST intentionally avoids prescribing specific technologies, controls, or implementation details. 
Instead, NIST CSF provides ",[76,2143,2144],{},"informative references"," that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.",[50,2147,2149],{"id":2148},"mapping-nist-csf-to-other-frameworks","Mapping NIST CSF to other frameworks",[32,2151,2152,2153,43,2155,2157],{},"One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. Organizations that need to satisfy ",[39,2154,42],{"href":41},[39,2156,1336],{"href":1771},", HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the \"Rosetta Stone\" that maps each requirement to a common set of outcomes.",[32,2159,2160,2161,2163],{},"For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and ",[39,2162,683],{"href":342},", both of which are derived from the NIST family of publications. A NIST CSF Target Profile that references NIST SP 800-53 informative references can be reused — with minor adjustments — as an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk.",[32,2165,2166,2167,2169,2170,2174],{},"For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see ",[39,2168,2149],{"href":1678},". 
If you are actively building that mapping into a live compliance program, our ",[39,2171,2173],{"href":2172},"\u002Fnow\u002Fnist-csf-mapping-compliance","NIST CSF mapping compliance"," guide walks through the operational mechanics.",[50,2176,2178],{"id":2177},"who-uses-nist-csf","Who uses NIST CSF?",[32,2180,2181],{},"The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. A decade later, NIST CSF is used by:",[70,2183,2184,2190,2199,2205,2211,2217,2223],{},[73,2185,2186,2189],{},[76,2187,2188],{},"Critical infrastructure operators"," — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.",[73,2191,2192,2195,2196,504],{},[76,2193,2194],{},"Federal agencies and federal contractors"," — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. Agencies and their contractors routinely use NIST CSF alongside ",[39,2197,2198],{"href":342},"NIST SP 800-171 and the CMMC program",[73,2200,2201,2204],{},[76,2202,2203],{},"State, local, tribal, and territorial (SLTT) governments"," — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.",[73,2206,2207,2210],{},[76,2208,2209],{},"Large enterprises"," — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.",[73,2212,2213,2216],{},[76,2214,2215],{},"Small and mid-sized businesses (SMBs)"," — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.",[73,2218,2219,2222],{},[76,2220,2221],{},"Non-US organizations"," — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.",[73,2224,2225,2228],{},[76,2226,2227],{},"Insurers and investors"," — cyber 
insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.",[32,2230,2231],{},"The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. That is essentially every organization.",[50,2233,2235],{"id":2234},"nist-csf-vs-nist-sp-800-53-vs-nist-sp-800-171","NIST CSF vs NIST SP 800-53 vs NIST SP 800-171",[32,2237,2238],{},"NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.",[70,2240,2241,2251,2261],{},[73,2242,2243,2246,2247,2250],{},[76,2244,2245],{},"NIST CSF (Cybersecurity Framework)"," is an ",[76,2248,2249],{},"outcome-based framework",". It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.",[73,2252,2253,2256,2257,2260],{},[76,2254,2255],{},"NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)"," is a comprehensive ",[76,2258,2259],{},"control catalog",". SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).",[73,2262,2263,2266,2267,2270],{},[76,2264,2265],{},"NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)"," is a ",[76,2268,2269],{},"derived subset"," of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. 
SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.",[32,2272,2273],{},"The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.",[32,2275,2276],{},"Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.",[50,2278,2280],{"id":2279},"getting-started-with-nist-csf","Getting started with NIST CSF",[32,2282,2283],{},"Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:",[549,2285,2286,2292,2298,2304,2310,2316,2322],{},[73,2287,2288,2291],{},[76,2289,2290],{},"Scope and prioritize"," — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.",[73,2293,2294,2297],{},[76,2295,2296],{},"Build a Current Profile"," — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.",[73,2299,2300,2303],{},[76,2301,2302],{},"Build a Target Profile"," — decide what level of NIST CSF maturity the organization needs. 
Community profiles and sector profiles published by NIST are excellent starting points.",[73,2305,2306,2309],{},[76,2307,2308],{},"Perform a gap analysis"," — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.",[73,2311,2312,2315],{},[76,2313,2314],{},"Select implementation tiers"," — match each part of the program to an appropriate tier. Not every subcategory needs to be Tier 4.",[73,2317,2318,2321],{},[76,2319,2320],{},"Execute and measure"," — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.",[73,2323,2324,2327],{},[76,2325,2326],{},"Map to other frameworks"," — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.",[32,2329,2330],{},"episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.",[32,2332,2333],{},"Ready to operationalize the NIST Cybersecurity Framework? 
Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.",{"title":123,"searchDepth":124,"depth":124,"links":2335},[2336,2340,2341,2349,2350,2351,2352,2353,2354,2355],{"id":1829,"depth":124,"text":1830,"children":2337},[2338,2339],{"id":1843,"depth":631,"text":1844},{"id":1857,"depth":631,"text":1858},{"id":1875,"depth":124,"text":1876},{"id":1930,"depth":124,"text":1931,"children":2342},[2343,2344,2345,2346,2347,2348],{"id":1940,"depth":631,"text":1941},{"id":1953,"depth":631,"text":1954},{"id":1967,"depth":631,"text":1968},{"id":1981,"depth":631,"text":1982},{"id":1995,"depth":631,"text":1996},{"id":2009,"depth":631,"text":2010},{"id":2026,"depth":124,"text":2027},{"id":2069,"depth":124,"text":2070},{"id":2110,"depth":124,"text":2111},{"id":2148,"depth":124,"text":2149},{"id":2177,"depth":124,"text":2178},{"id":2234,"depth":124,"text":2235},{"id":2279,"depth":124,"text":2280},{"title":2357,"description":2358,"items":2359},"NIST CSF launch guide","Use episki’s free trial to benchmark, prioritize, and communicate fast.",[2360,2361,2362,2363,2364],"Baseline maturity assessment","Control library mapped to CSF categories","Initiative tracker with due dates and owners","Risk register tied to CSF outcomes","Executive report template",{"title":2366,"description":2367},"See your NIST CSF score in episki","Start the trial, import controls, and share a scorecard the same day.",{"title":2369,"items":2370},"NIST CSF frequently asked questions",[2371,2373,2376,2379,2382],{"label":1830,"content":2372},"The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. 
It provides a common language for understanding, managing, and expressing cybersecurity risk through five core functions.",{"label":2374,"content":2375},"What is the difference between NIST CSF and ISO 27001?","NIST CSF is a voluntary, outcome-focused maturity framework that helps organizations assess and improve their cybersecurity posture. ISO 27001 is a certifiable standard requiring a formal ISMS. Many organizations use NIST CSF as an internal maturity model alongside ISO 27001 certification for external assurance.",{"label":2377,"content":2378},"Is NIST CSF mandatory?","NIST CSF is voluntary for most private-sector organizations but is mandatory for US federal agencies under Executive Order 13800. Many industries and regulators reference it as a best-practice baseline, and customers increasingly expect suppliers to demonstrate alignment.",{"label":2380,"content":2381},"What are the NIST CSF implementation tiers?","The four tiers describe the maturity of an organization's cybersecurity risk management. Tier 1 (Partial) is ad hoc and reactive. Tier 2 (Risk-Informed) has some risk awareness. Tier 3 (Repeatable) has formal policies. Tier 4 (Adaptive) continuously improves based on lessons learned and threat intelligence.",{"label":2383,"content":2384},"How does NIST CSF relate to other compliance frameworks?","NIST CSF maps to many standards including SOC 2, ISO 27001, HIPAA, and PCI DSS. 
Organizations use it as a unifying layer to identify control gaps and overlaps across multiple compliance requirements, reducing duplicate work when pursuing multiple frameworks.",{"headline":2386,"title":2387,"description":2388,"links":2389},"Measure security maturity","Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover","episki translates CSF categories into action plans with real-time scoring and executive reporting.",[2390,2392],{"label":2391,"icon":160,"to":161},"Start NIST CSF trial",{"label":163,"icon":2393,"color":165,"variant":166,"to":167,"target":168},"i-lucide-presentation",{},{"headline":2396,"title":2396,"description":2397,"items":2398},"NIST CSF toolset","Everything you need to show measurable progress.",[2399,2402,2405],{"title":2400,"description":2401},"Quarterly business review pack","Slides with KPIs, upcoming initiatives, and resource needs.",{"title":2403,"description":2404},"Customer assurance brief","Explains how NIST CSF maps to their requirements.",{"title":2406,"description":2407},"Automation cookbook","Step-by-step instructions for connecting your tooling.",{"title":2409,"description":2410},"NIST CSF Framework Software","Operationalize NIST CSF with live maturity scoring, risk registers, and executive dashboards. 
Benchmark and improve your cybersecurity posture with episki.","nistcsf",[2413,2416,2419],{"value":2414,"description":2415},"Live maturity score","Automated scoring by category, tier, and business unit.",{"value":2417,"description":2418},"Unified risk register","Link risks to CSF categories with AI-prioritized remediation.",{"value":2420,"description":2421},"Executive-ready","Dashboards turn security work into business milestones.","5.frameworks\u002Fnistcsf","78w8eqRvrZecA6ftBMBjnYVYwBGOHqhkHNWo0Q5A6lM",{"id":2425,"title":2426,"advantages":2427,"body":2449,"checklist":2869,"cta":2878,"description":123,"extension":140,"faq":2881,"hero":2899,"meta":2908,"name":2461,"navigation":171,"path":2909,"resources":2910,"seo":2923,"slug":2926,"stats":2927,"stem":2937,"__hash__":2938},"frameworks\u002F5.frameworks\u002Fpci.md","Pci",[2428,2435,2442],{"title":2429,"description":2430,"bullets":2431},"Cardholder data mapped","Visualize systems, networks, and data flows tied to each DSS requirement.",[2432,2433,2434],"Track segmentation documentation and approvals","Connect SIEM and log tools for retention evidence","Link vulnerability scans and pen tests to controls",{"title":2436,"description":2437,"bullets":2438},"Task orchestration for engineering","Send prioritized remediation tasks to Jira or Linear with context.",[2439,2440,2441],"Auto-created tickets with required evidence","SLA tracking ensures high-risk remediations close on time","Change management logs sync back automatically",{"title":2443,"description":2444,"bullets":2445},"QSA-ready collaboration","Centralize requests, walkthroughs, and findings with secure file sharing.",[2446,2447,2448],"QSA comments resolve next to each control","Expiring links for sensitive diagrams","Exportable ROC narrative 
drafts",{"type":29,"value":2450,"toc":2856},[2451,2455,2463,2466,2469,2473,2481,2569,2572,2576,2583,2587,2600,2604,2612,2665,2677,2681,2692,2695,2698,2702,2719,2723,2726,2764,2772,2776,2779,2783,2796,2800,2803,2853],[50,2452,2454],{"id":2453},"what-is-pci-dss","What is PCI DSS?",[32,2456,2457,2458,2462],{},"The Payment Card Industry Data Security Standard -- universally known as ",[39,2459,2461],{"href":2460},"\u002Fglossary\u002Fpci-dss","PCI DSS"," -- is the global baseline for protecting payment card data. Any organization that stores, processes, or transmits cardholder data is expected to meet PCI DSS, from a mom-and-pop e-commerce store to a Fortune 500 retailer and every payment processor in between. PCI DSS exists because card data is one of the most monetizable targets on the internet, and a single breach can expose millions of account numbers, trigger steep fines, and end businesses. PCI DSS translates decades of hard-won lessons into a prescriptive framework that security, engineering, and finance teams can operationalize.",[32,2464,2465],{},"PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), an independent standards body founded in 2006 by the five major payment brands: Visa, Mastercard, American Express, Discover, and JCB. The PCI SSC writes and publishes the standard, accredits assessors and scanning vendors, and runs supporting programs such as PA-DSS (now replaced by the PCI Secure Software Standard) and P2PE. While the PCI SSC owns the standard itself, it does not enforce PCI DSS. Enforcement is delegated to the card brands, which in turn push obligations down through acquiring banks and payment processors to merchants and service providers. 
In practice, your acquirer is the entity that tells you which PCI DSS validation path you owe and what happens if you fail it.",[32,2467,2468],{},"PCI DSS emerged from a patchwork of brand-specific programs in the early 2000s, including Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP). PCI DSS v1.0 launched in December 2004. PCI DSS v2.0 arrived in 2010, v3.0 in 2013, v3.1 in 2015, v3.2 in 2016, v3.2.1 in 2018, and the long-anticipated PCI DSS v4.0 in March 2022, followed by v4.0.1 clarifications in June 2024. Organizations have until March 31, 2025 to fully meet the new \"future-dated\" PCI DSS v4.0 requirements. Each revision tightens controls around emerging threats: phishing-resistant authentication, e-commerce script tampering, automated log review, and customized approaches for mature security programs.",[50,2470,2472],{"id":2471},"the-12-pci-dss-requirements","The 12 PCI DSS requirements",[32,2474,2475,2476,2480],{},"PCI DSS organizes technical and operational controls across twelve core requirements grouped into six objectives. 
The full set of PCI DSS requirements is detailed on the ",[39,2477,2479],{"href":2478},"\u002Fframeworks\u002Fpci\u002Frequirements","PCI DSS requirements page","; at a glance they are:",[549,2482,2483,2493,2499,2515,2521,2527,2533,2539,2545,2551,2557,2563],{},[73,2484,2485,2488,2489,504],{},[76,2486,2487],{},"Install and maintain network security controls"," -- firewalls and equivalent controls around the ",[39,2490,2492],{"href":2491},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment",[73,2494,2495,2498],{},[76,2496,2497],{},"Apply secure configurations to all system components"," -- hardening standards, default credential elimination, and secure build baselines.",[73,2500,2501,2504,2505,2509,2510,2514],{},[76,2502,2503],{},"Protect stored account data"," -- encryption, truncation, hashing, or ",[39,2506,2508],{"href":2507},"\u002Fglossary\u002Ftokenization","tokenization"," of the ",[39,2511,2513],{"href":2512},"\u002Fglossary\u002Fpan","PAN"," and prohibition on storing sensitive authentication data.",[73,2516,2517,2520],{},[76,2518,2519],{},"Protect cardholder data with strong cryptography during transmission"," over open, public networks.",[73,2522,2523,2526],{},[76,2524,2525],{},"Protect all systems and networks from malicious software"," -- anti-malware on in-scope systems and defenses against script-based threats.",[73,2528,2529,2532],{},[76,2530,2531],{},"Develop and maintain secure systems and software"," -- secure SDLC, patching, and vulnerability management for in-scope systems.",[73,2534,2535,2538],{},[76,2536,2537],{},"Restrict access to system components and cardholder data by business need to know"," -- least-privilege role design.",[73,2540,2541,2544],{},[76,2542,2543],{},"Identify users and authenticate access to system components"," -- unique IDs, strong authentication, and phishing-resistant MFA.",[73,2546,2547,2550],{},[76,2548,2549],{},"Restrict physical access to cardholder data"," -- physical security for 
facilities, media, and devices.",[73,2552,2553,2556],{},[76,2554,2555],{},"Log and monitor all access to system components and cardholder data"," -- centralized logging, daily review, and tamper protection.",[73,2558,2559,2562],{},[76,2560,2561],{},"Test security of systems and networks regularly"," -- ASV scans, internal scans, pen tests, and segmentation validation.",[73,2564,2565,2568],{},[76,2566,2567],{},"Support information security with organizational policies and programs"," -- governance, awareness, incident response, and third-party oversight.",[32,2570,2571],{},"Each PCI DSS requirement is broken into numbered sub-requirements with explicit testing procedures that an assessor follows line by line. The \"defined approach\" dictates specific controls; PCI DSS v4.0 also introduces a \"customized approach\" where mature organizations can meet a requirement's objective through alternative controls, documented in a controls matrix and targeted risk analysis.",[50,2573,2575],{"id":2574},"pci-dss-v40-changes","PCI DSS v4.0 changes",[32,2577,2578,2579,504],{},"PCI DSS v4.0 is the largest revision in more than a decade. Its headline shifts include a customized-approach validation path, mandatory multi-factor authentication for all access into the CDE, expanded requirements to detect and respond to e-commerce script tampering, targeted risk analyses replacing prescriptive frequencies, and stronger expectations for continuous security rather than point-in-time compliance. Several of the most material v4.0 controls became mandatory on March 31, 2025 after a two-year grace period. 
The full changelog, new testing procedures, and a migration checklist are covered in the ",[39,2580,2582],{"href":2581},"\u002Fframeworks\u002Fpci\u002Fv4-changes","PCI DSS v4.0 changes guide",[50,2584,2586],{"id":2585},"merchant-compliance-levels-1-4","Merchant compliance levels 1-4",[32,2588,2589,2590,2594,2595,2599],{},"Every merchant is assigned to one of four PCI DSS compliance levels based on annual card transaction volume across all channels. PCI DSS Level 1 covers merchants processing more than 6 million transactions per year and requires a formal Report on Compliance (ROC) signed by a ",[39,2591,2593],{"href":2592},"\u002Fglossary\u002Fqsa","QSA",". Level 2 covers 1-6 million transactions. Level 3 covers 20,000 to 1 million e-commerce transactions. Level 4 covers everything below those thresholds. Service providers have their own two-level structure. Your acquiring bank can also assign you a higher PCI DSS level at its discretion -- particularly after a breach. The ",[39,2596,2598],{"href":2597},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels","PCI DSS compliance levels page"," breaks down every threshold by card brand and the validation path each level owes.",[50,2601,2603],{"id":2602},"self-assessment-questionnaires-saqs","Self-Assessment Questionnaires (SAQs)",[32,2605,2606,2607,2611],{},"Merchants and service providers that are not required to complete a full PCI DSS Report on Compliance validate using a ",[39,2608,2610],{"href":2609},"\u002Fglossary\u002Fsaq","Self-Assessment Questionnaire",", or SAQ. 
The PCI SSC publishes nine SAQ types, each tailored to a specific acceptance channel and technology profile:",[70,2613,2614,2620,2626,2632,2638,2644,2650,2656],{},[73,2615,2616,2619],{},[76,2617,2618],{},"SAQ A"," -- card-not-present merchants that fully outsource all cardholder data functions.",[73,2621,2622,2625],{},[76,2623,2624],{},"SAQ A-EP"," -- e-commerce merchants that partially outsource payment processing but host pages that could affect payment page security.",[73,2627,2628,2631],{},[76,2629,2630],{},"SAQ B"," -- merchants using only imprint machines or standalone dial-out terminals.",[73,2633,2634,2637],{},[76,2635,2636],{},"SAQ B-IP"," -- merchants using only standalone IP-connected POI devices.",[73,2639,2640,2643],{},[76,2641,2642],{},"SAQ C-VT"," -- merchants entering transactions into a virtual payment terminal.",[73,2645,2646,2649],{},[76,2647,2648],{},"SAQ C"," -- merchants with payment application systems connected to the internet.",[73,2651,2652,2655],{},[76,2653,2654],{},"SAQ P2PE"," -- merchants using PCI-listed point-to-point encryption solutions.",[73,2657,2658,427,2661,2664],{},[76,2659,2660],{},"SAQ D for Merchants",[76,2662,2663],{},"SAQ D for Service Providers"," -- the catch-all SAQs for entities that store cardholder data or do not qualify for a simpler SAQ.",[32,2666,2667,2668,1549,2672,2676],{},"Eligibility is narrow and precise. Picking the wrong SAQ is one of the most common PCI DSS mistakes -- and one that an acquiring bank or breach investigation can expose instantly. 
The ",[39,2669,2671],{"href":2670},"\u002Fframeworks\u002Fpci\u002Fself-assessment-questionnaire","SAQ reference",[39,2673,2675],{"href":2674},"\u002Fframeworks\u002Fpci\u002Fsaq-types-explained","SAQ types explained"," pages walk through each SAQ's eligibility, question count, and typical pitfalls.",[50,2678,2680],{"id":2679},"cardholder-data-environment-cde-and-scoping","Cardholder data environment (CDE) and scoping",[32,2682,2683,2684,2686,2687,2691],{},"Every PCI DSS program begins with scoping. The ",[39,2685,2492],{"href":2491},", or CDE, is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system component that is connected to or could impact the security of those components. Determining what is in ",[39,2688,2690],{"href":2689},"\u002Fglossary\u002Fpci-scope","PCI scope"," is the single highest-leverage activity in a PCI DSS program -- it drives how many controls apply, how much evidence you collect, and how much your QSA engagement costs.",[32,2693,2694],{},"PCI DSS scoping has three categories: CDE systems that directly handle card data; connected-to systems that can route traffic to the CDE, authenticate CDE users, or otherwise interact with CDE components; and security-impacting systems that could affect CDE security even without direct connectivity (think SIEM, patch management, or anti-malware consoles). All three categories are in scope for PCI DSS.",[32,2696,2697],{},"Document your CDE with an annotated network diagram and a data-flow diagram for every payment channel. PCI DSS v4.0 makes these diagrams a requirement, not a nice-to-have, and your assessor will test them during every assessment.",[50,2699,2701],{"id":2700},"scope-reduction-strategies","Scope reduction strategies",[32,2703,2704,2705,2709,2710,2714,2715,2718],{},"Because PCI DSS obligations scale with the CDE, shrinking the CDE is the fastest way to cut PCI DSS cost and risk. 
Effective ",[39,2706,2708],{"href":2707},"\u002Fframeworks\u002Fpci\u002Fscope-reduction","PCI DSS scope reduction"," typically combines four levers: strong ",[39,2711,2713],{"href":2712},"\u002Fframeworks\u002Fpci\u002Fnetwork-segmentation","network segmentation"," that isolates the CDE onto dedicated VLANs with tightly controlled firewall rules; ",[39,2716,2508],{"href":2717},"\u002Fframeworks\u002Fpci\u002Ftokenization-vs-encryption"," that replaces stored PANs with non-sensitive surrogates; PCI-listed point-to-point encryption (P2PE) that removes in-store networks from PCI scope; and outsourcing card capture to a validated service provider so your systems never touch real card data. Layered correctly, these strategies can reduce a PCI DSS assessment from hundreds of in-scope systems to a handful.",[50,2720,2722],{"id":2721},"key-pci-dss-roles-qsas-asvs-and-isas","Key PCI DSS roles: QSAs, ASVs, and ISAs",[32,2724,2725],{},"Three accredited roles support every PCI DSS program:",[70,2727,2728,2743,2758],{},[73,2729,2730,2737,2738,2742],{},[76,2731,2732,2733,2736],{},"Qualified Security Assessors (",[39,2734,2735],{"href":2592},"QSAs",")"," -- individuals and firms certified by the PCI SSC to perform on-site PCI DSS assessments, produce the ROC, and sign the Attestation of Compliance. Selecting the right QSA shapes your PCI DSS experience for years; the ",[39,2739,2741],{"href":2740},"\u002Fframeworks\u002Fpci\u002Fqsa-selection","QSA selection guide"," covers how to evaluate firms, cost drivers, and red flags.",[73,2744,2745,2752,2753,2757],{},[76,2746,2747,2748,2736],{},"Approved Scanning Vendors (",[39,2749,2751],{"href":2750},"\u002Fglossary\u002Fasv","ASVs"," -- PCI SSC-approved firms that run the quarterly external vulnerability scans required by PCI DSS Requirement 11.3.2. 
The ",[39,2754,2756],{"href":2755},"\u002Fframeworks\u002Fpci\u002Fasv-program","ASV program guide"," covers vendor selection, scanning cadence, passing thresholds, and remediation workflows.",[73,2759,2760,2763],{},[76,2761,2762],{},"Internal Security Assessors (ISAs)"," -- employees who have completed PCI SSC training and can complete certain internal PCI DSS assessments or support a QSA engagement. ISAs are a cost-effective way to build PCI DSS capability inside large programs.",[32,2765,2766,2767,2771],{},"Penetration testing (Requirement 11.4) sits alongside ASV scanning and is a frequent source of PCI DSS findings. The ",[39,2768,2770],{"href":2769},"\u002Fframeworks\u002Fpci\u002Fpenetration-testing","PCI DSS penetration testing guide"," covers internal vs external scope, segmentation testing, and frequency.",[50,2773,2775],{"id":2774},"penalties-for-non-compliance","Penalties for non-compliance",[32,2777,2778],{},"PCI DSS is not law, but non-compliance carries material financial consequences. Acquirers can levy fines of $5,000 to $100,000 per month for PCI DSS violations, pass fines down to merchants, raise transaction fees, or revoke payment processing privileges outright. After a confirmed breach of card data, a merchant typically faces a forensic PFI investigation, card brand fines, assessments for fraud losses, reissuance costs for compromised cards, and mandatory Level 1 PCI DSS validation going forward. Regulators and state attorneys general may also get involved, and the organization almost always faces litigation. In short, PCI DSS fines are rarely the largest line item -- the true cost of a breach is reputational damage, customer churn, and the fully loaded cost of breach response.",[50,2780,2782],{"id":2781},"pci-dss-vs-other-frameworks","PCI DSS vs other frameworks",[32,2784,2785,2786,2790,2791,2795],{},"PCI DSS is narrower and more prescriptive than most security frameworks. 
ISO 27001 is a management-system standard focused on the process of running an ISMS; it tells you how to manage risk but does not specify controls the way PCI DSS does. SOC 2 is an attestation framework where you define your own controls against the Trust Services Criteria; PCI DSS prescribes them. HIPAA and HITECH cover protected health information, not cardholder data. NIST CSF and NIST SP 800-53 offer control catalogues and risk management guidance that many organizations map into their PCI DSS program, especially under the v4.0 customized approach. PCI DSS is also one of the few frameworks with ongoing external validation -- ASV scans every quarter, penetration tests at least annually, and a full assessment every year. For businesses in the ",[39,2787,2789],{"href":2788},"\u002Findustry\u002Ffinance","finance industry"," or running ",[39,2792,2794],{"href":2793},"\u002Findustry\u002Fecommerce","e-commerce"," platforms, PCI DSS almost always becomes the binding constraint that the rest of the security program organizes around.",[50,2797,2799],{"id":2798},"getting-pci-compliant","Getting PCI compliant",[32,2801,2802],{},"A typical path to PCI DSS compliance looks like this:",[549,2804,2805,2811,2817,2823,2829,2835,2841,2847],{},[73,2806,2807,2810],{},[76,2808,2809],{},"Define scope"," -- inventory every place card data lives, moves, or could move. 
Produce annotated network and data-flow diagrams.",[73,2812,2813,2816],{},[76,2814,2815],{},"Reduce scope"," -- apply segmentation, tokenization, P2PE, and outsourcing to shrink the CDE before assessment.",[73,2818,2819,2822],{},[76,2820,2821],{},"Select your validation path"," -- confirm your PCI DSS level with your acquirer and determine whether you owe a ROC or an SAQ.",[73,2824,2825,2828],{},[76,2826,2827],{},"Gap assess"," -- map your current controls to every applicable PCI DSS requirement and prioritize remediation.",[73,2830,2831,2834],{},[76,2832,2833],{},"Remediate and document"," -- close gaps, write the policies and procedures PCI DSS expects, and stand up the logging, monitoring, scanning, and testing programs.",[73,2836,2837,2840],{},[76,2838,2839],{},"Engage your QSA or ASV"," -- commission the ASV scans, book the penetration test, and (for Level 1) schedule your QSA engagement early enough to allow remediation cycles.",[73,2842,2843,2846],{},[76,2844,2845],{},"Validate and attest"," -- produce the ROC or SAQ plus Attestation of Compliance, and submit to your acquirer on the required cadence.",[73,2848,2849,2852],{},[76,2850,2851],{},"Operate continuously"," -- PCI DSS v4.0 expects continuous monitoring, targeted risk analyses, and evidence that controls stay effective between assessments.",[32,2854,2855],{},"episki automates the bulk of the evidence collection, control testing, and QSA collaboration work so your PCI DSS program is audit-ready year-round instead of scrambling at the end of each cycle. 
If you are starting a new PCI DSS program or rebuilding an existing one, episki can shorten your path from scoping through Report on Compliance.",{"title":123,"searchDepth":124,"depth":124,"links":2857},[2858,2859,2860,2861,2862,2863,2864,2865,2866,2867,2868],{"id":2453,"depth":124,"text":2454},{"id":2471,"depth":124,"text":2472},{"id":2574,"depth":124,"text":2575},{"id":2585,"depth":124,"text":2586},{"id":2602,"depth":124,"text":2603},{"id":2679,"depth":124,"text":2680},{"id":2700,"depth":124,"text":2701},{"id":2721,"depth":124,"text":2722},{"id":2774,"depth":124,"text":2775},{"id":2781,"depth":124,"text":2782},{"id":2798,"depth":124,"text":2799},{"title":2870,"description":2871,"items":2872},"PCI DSS playbook","Follow structured milestones from scoping through ROC submission.",[2873,2874,2875,2876,2877],"Automated scope confirmation questionnaires","Connector-backed logging and monitoring checks","Quarterly vulnerability and penetration testing tracker","Change-management evidence capture","ROC narrative template and artifact index",{"title":2879,"description":2880},"Keep PCI DSS audit-ready around the clock","Spin up your trial, sync evidence, and invite your QSA in a single day.",{"title":2882,"items":2883},"PCI DSS frequently asked questions",[2884,2887,2890,2893,2896],{"label":2885,"content":2886},"What are the PCI DSS compliance levels?","PCI DSS has four merchant levels based on annual transaction volume. Level 1 (over 6 million transactions) requires a formal Report on Compliance by a QSA. Levels 2-4 may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). 
Service providers have two levels with different validation requirements.",{"label":2888,"content":2889},"What changed in PCI DSS 4.0?","PCI DSS 4.0 introduced a customized validation approach allowing organizations to meet objectives with alternative controls, expanded multi-factor authentication requirements, strengthened e-commerce and phishing protections, and added emphasis on continuous security rather than point-in-time compliance.",{"label":2891,"content":2892},"Who needs PCI DSS compliance?","Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes merchants, payment processors, acquirers, issuers, and service providers. The scope is determined by your cardholder data environment (CDE).",{"label":2894,"content":2895},"How often is a PCI DSS assessment required?","PCI DSS assessments are required annually. Level 1 merchants and service providers must complete a formal assessment by a Qualified Security Assessor (QSA). Additionally, quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) are required.",{"label":2897,"content":2898},"What is a cardholder data environment (CDE)?","The CDE includes all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any systems connected to those components. 
Accurate CDE scoping is the foundation of an efficient PCI DSS assessment.",{"headline":2900,"title":2901,"description":2902,"links":2903},"PCI controls that stay current","Keep PCI DSS requirements passing even as your CDE evolves","episki maps DSS requirements, automates testing, and keeps QSAs collaborating in one secure workspace.",[2904,2906],{"label":2905,"icon":160,"to":161},"Start PCI trial",{"label":163,"icon":2907,"color":165,"variant":166,"to":167,"target":168},"i-lucide-calendar",{},"\u002Fframeworks\u002Fpci",{"headline":2911,"title":2911,"description":2912,"items":2913},"PCI enablement kit","Give leadership, ops, and QSAs a single source of truth.",[2914,2917,2920],{"title":2915,"description":2916},"CDE architecture report","Share sanitized diagrams and segmentation notes with prospects.",{"title":2918,"description":2919},"Risk and remediation digest","Weekly summary of open items, owners, and due dates.",{"title":2921,"description":2922},"Assessor workspace","Prebuilt template keeps every requirement, artifact, and note aligned.",{"title":2924,"description":2925},"PCI DSS Compliance Tool","Automate PCI DSS evidence collection, manage QSA collaboration, and keep cardholder data controls current. 
Start your free 14-day trial with episki.","pci",[2928,2931,2934],{"value":2929,"description":2930},"90% automation","Evidence coverage across access, logging, segmentation, and monitoring.",{"value":2932,"description":2933},"QSA portal","Scoped access keeps your assessor in sync without endless spreadsheets.",{"value":2935,"description":2936},"Weekly drift checks","Automated alerts highlight misconfigurations before audits.","5.frameworks\u002Fpci","CLd_USSJYVGuYbFc7G7BM7AyRBX9rMAIVS8DpYE2SPU",{"id":2940,"title":2941,"advantages":2942,"body":2964,"checklist":3477,"cta":3486,"description":123,"extension":140,"faq":3489,"hero":3506,"meta":3514,"name":3515,"navigation":171,"path":41,"resources":3516,"seo":3528,"slug":3531,"stats":3532,"stem":3542,"__hash__":3543},"frameworks\u002F5.frameworks\u002Fsoc2.md","Soc2",[2943,2950,2957],{"title":2944,"description":2945,"bullets":2946},"Mapped once, reused forever","Applies Trust Service Criteria to your existing controls and keeps overlaps synced.",[2947,2948,2949],"Control graph highlights reuse across security, availability, and confidentiality","AI suggests narratives and testing procedures","Version history shows every update for auditors",{"title":2951,"description":2952,"bullets":2953},"Evidence organized by control","Upload and track screenshots, configs, and exports in a structured evidence locker.",[2954,2955,2956],"Organized screenshots, configs, and test exports","Alerting when evidence expires or SLAs slip","Immutable locker with reviewer threads",{"title":2958,"description":2959,"bullets":2960},"Auditor collaboration hub","Invite your auditor with scoped access and keep Q&A right next to each control.",[2961,2962,2963],"Bulk requests & fulfillment tracking","Redacted file sharing with access controls","One-click SOC 2 summaries for 
customers",{"type":29,"value":2965,"toc":3459},[2966,2970,2973,2981,2989,2995,2999,3002,3008,3014,3029,3033,3038,3042,3045,3049,3057,3061,3064,3068,3076,3080,3087,3091,3094,3097,3114,3122,3126,3133,3175,3178,3182,3185,3188,3226,3234,3238,3241,3299,3302,3306,3309,3316,3323,3330,3342,3350,3354,3362,3394,3397,3401,3404,3407,3445],[50,2967,2969],{"id":2968},"what-is-soc-2","What is SOC 2?",[32,2971,2972],{},"SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. A SOC 2 report is the de facto security credential for modern SaaS companies — enterprise buyers request it before signing, procurement teams rely on it during vendor reviews, and auditors consult it when assessing outsourced systems. Unlike a prescriptive standard, SOC 2 is principle-based. It does not tell you which tools to deploy; it tells you which outcomes you must demonstrate and leaves the implementation details to you.",[32,2974,2975,2976,2980],{},"SOC 2 evolved from SAS 70, an older attestation framework used primarily for financial reporting systems. As technology service providers increased their role in handling sensitive data, the AICPA introduced the SOC reporting suite. SOC 1 continued to address controls relevant to financial reporting. SOC 2 and SOC 3 shifted attention to information security, availability, and related commitments. Today, SOC 2 is issued under the AICPA's AT-C 105 and AT-C 205 attestation standards, following the ",[39,2977,2979],{"href":2978},"\u002Fglossary\u002Fssae-18","SSAE 18"," framework.",[32,2982,2983,2984,2988],{},"A SOC 2 engagement produces an opinion letter from a licensed CPA firm. That letter is the report buyers ask for. 
It documents the system under audit, the ",[39,2985,2987],{"href":2986},"\u002Fframeworks\u002Fsoc2\u002Ftrust-services-criteria","Trust Services Criteria"," selected, the controls in place, the testing the auditor performed, and any exceptions noted. A clean SOC 2 opinion signals to the market that a third party examined your controls and found them suitable — or in the case of Type II, found them operating effectively across a defined window.",[32,2990,2991,2992,2994],{},"SOC 2 is built on five ",[76,2993,2987],{},": security, availability, processing integrity, confidentiality, and privacy. Security is mandatory. The other four are optional and chosen based on your service commitments and customer expectations. Most first-time SOC 2 audits cover security alone or security plus one or two additional criteria. Scope expansion happens later, as the program matures.",[50,2996,2998],{"id":2997},"soc-2-type-i-vs-type-ii","SOC 2 Type I vs Type II",[32,3000,3001],{},"Every SOC 2 engagement is either Type I or Type II, and the difference matters.",[32,3003,839,3004,3007],{},[76,3005,3006],{},"SOC 2 Type I"," report evaluates whether controls are suitably designed and implemented as of a single date. Think of it as a design review. The auditor confirms your policies exist, your technical controls are configured, and your processes are in place. Type I is the fastest path to a SOC 2 report and is useful when a deal is on the line, but it does not prove your controls work day after day.",[32,3009,839,3010,3013],{},[76,3011,3012],{},"SOC 2 Type II"," report evaluates whether controls operated effectively across an observation period, typically three to twelve months. The auditor samples evidence from throughout the period — access reviews, change approvals, incident tickets, monitoring alerts — to confirm that controls were not just designed but consistently executed. 
Most enterprise buyers require a Type II, and many will not accept a Type I at all.",[32,3015,3016,3017,3021,3022,427,3026,504],{},"For a full comparison including cost benchmarks, observation period tradeoffs, and decision frameworks, see ",[39,3018,3020],{"href":3019},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type 1 vs Type 2",". Related glossary terms: ",[39,3023,3025],{"href":3024},"\u002Fglossary\u002Fsoc2-type-2","SOC 2 Type 2",[39,3027,2987],{"href":3028},"\u002Fglossary\u002Ftrust-services-criteria",[50,3030,3032],{"id":3031},"the-five-trust-services-criteria","The five Trust Services Criteria",[32,3034,1431,3035,3037],{},[39,3036,2987],{"href":2986}," define the principles your controls must satisfy. Each criterion addresses a different aspect of how a service organization protects and manages customer data.",[241,3039,3041],{"id":3040},"security-common-criteria-required","Security (Common Criteria) — required",[32,3043,3044],{},"The security criterion, also called the Common Criteria, is required for every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories (CC1 through CC9) that map to the COSO internal control framework and cover governance, communication, risk assessment, monitoring, access control, system operations, change management, and vendor risk. Every SOC 2 report includes testing against these categories.",[241,3046,3048],{"id":3047},"availability","Availability",[32,3050,3051,3052,3056],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. It covers environmental protections, capacity planning, disaster recovery, and incident management for availability-impacting events. If your product has published SLAs or customers rely on continuous uptime, include availability. 
Read the ",[39,3053,3055],{"href":3054},"\u002Fframeworks\u002Fsoc2\u002Favailability-criteria","availability criteria deep dive"," for common controls and implementation patterns.",[241,3058,3060],{"id":3059},"processing-integrity","Processing integrity",[32,3062,3063],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is relevant for platforms that perform calculations, process financial transactions, or transform customer data. It is less common in first-time SOC 2 audits but important for fintech, billing platforms, and data pipelines that customers rely on for operational decisions.",[241,3065,3067],{"id":3066},"confidentiality","Confidentiality",[32,3069,3070,3071,3075],{},"The confidentiality criterion addresses information designated as confidential — distinct from personal information. It covers data classification, access restrictions, encryption, and secure disposal of confidential data. If you handle intellectual property, business plans, or other sensitive non-personal information on behalf of clients, include confidentiality. See the ",[39,3072,3074],{"href":3073},"\u002Fframeworks\u002Fsoc2\u002Fconfidentiality-criteria","confidentiality criteria deep dive"," for details.",[241,3077,3079],{"id":3078},"privacy","Privacy",[32,3081,3082,3083,504],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether your data practices match your stated privacy commitments across notice, choice, collection, use, retention, disclosure, security, and accuracy. Privacy aligns closely with regulations like GDPR and CCPA and is the most demanding criterion in terms of control coverage. 
For a full walkthrough, see the ",[39,3084,3086],{"href":3085},"\u002Fframeworks\u002Fsoc2\u002Fprivacy-criteria","privacy criteria deep dive",[50,3088,3090],{"id":3089},"who-needs-soc-2-compliance","Who needs SOC 2 compliance?",[32,3092,3093],{},"SOC 2 is not legally mandated, but the market treats it as a cost of doing business. Any SaaS company, cloud service provider, managed service provider, or data processor that handles customer data is a likely SOC 2 candidate. If your customers are businesses and their security teams will scrutinize your controls before signing, SOC 2 is almost certainly on your roadmap.",[32,3095,3096],{},"Companies typically pursue SOC 2 when one or more of the following is true:",[70,3098,3099,3102,3105,3108,3111],{},[73,3100,3101],{},"Enterprise prospects are asking for a report during procurement or vendor reviews.",[73,3103,3104],{},"Sales cycles are slowing because buyers are blocking deals on security questionnaires.",[73,3106,3107],{},"Existing customers are requesting a current SOC 2 report during annual reviews.",[73,3109,3110],{},"Investors or partners are asking about the company's security posture.",[73,3112,3113],{},"The business is entering regulated verticals like financial services, healthcare, or government.",[32,3115,3116,3117,3121],{},"Industries that almost always require SOC 2 from their vendors include financial services, healthcare, legal technology, HR technology, martech that handles PII, and any B2B SaaS selling into enterprise accounts. For SaaS companies specifically, SOC 2 has become table stakes — see ",[39,3118,3120],{"href":3119},"\u002Fnow\u002Fsoc2-for-saas","SOC 2 for SaaS"," for a deeper discussion.",[50,3123,3125],{"id":3124},"the-soc-2-audit-process-overview","The SOC 2 audit process overview",[32,3127,1431,3128,3132],{},[39,3129,3131],{"href":3130},"\u002Fframeworks\u002Fsoc2\u002Faudit-process","SOC 2 audit process"," follows a predictable sequence. 
Understanding each phase prevents surprises and helps you set realistic timelines with your team and auditor.",[549,3134,3135,3151,3157,3163,3169],{},[73,3136,3137,3140,3141,3145,3146,3150],{},[76,3138,3139],{},"Scoping and readiness assessment."," Define what systems and Trust Services Criteria are in scope, then perform a ",[39,3142,3144],{"href":3143},"\u002Fframeworks\u002Fsoc2\u002Freadiness-assessment","readiness assessment"," to compare current controls against ",[39,3147,3149],{"href":3148},"\u002Fframeworks\u002Fsoc2\u002Frequirements","SOC 2 requirements",". The output is a prioritized remediation plan.",[73,3152,3153,3156],{},[76,3154,3155],{},"Remediation."," Close the gaps identified during readiness. Common items include formalizing policies, enabling MFA everywhere, centralizing logging, documenting vendor risk processes, and running tabletop exercises.",[73,3158,3159,3162],{},[76,3160,3161],{},"Auditor selection."," SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Request proposals from two to four firms, compare scope and pricing, and check references from similar companies.",[73,3164,3165,3168],{},[76,3166,3167],{},"Audit fieldwork."," For Type I, the auditor validates control design at a point in time. 
For Type II, the auditor samples evidence from across the observation period and tests operating effectiveness.",[73,3170,3171,3174],{},[76,3172,3173],{},"Report delivery and ongoing operation."," Once the report is issued, plan the next observation period so you maintain continuous coverage with no bridge gaps that buyers might question.",[32,3176,3177],{},"Most organizations complete their first Type I in three to six months and their first Type II in six to eighteen months, depending on starting maturity and observation period length.",[50,3179,3181],{"id":3180},"what-does-soc-2-cost","What does SOC 2 cost?",[32,3183,3184],{},"SOC 2 cost varies widely based on scope, starting maturity, and whether you pursue Type I, Type II, or both. Auditor fees are the largest line item, but they are not the only cost. You should budget for readiness consulting, compliance tooling, internal staff time, remediation work, and penetration testing.",[32,3186,3187],{},"Typical benchmarks for a first-time SOC 2 engagement:",[70,3189,3190,3196,3202,3208,3214,3220],{},[73,3191,3192,3195],{},[76,3193,3194],{},"Type I auditor fees",": $15,000 to $40,000",[73,3197,3198,3201],{},[76,3199,3200],{},"Type II auditor fees",": $25,000 to $80,000",[73,3203,3204,3207],{},[76,3205,3206],{},"Readiness consulting"," (optional): $10,000 to $40,000",[73,3209,3210,3213],{},[76,3211,3212],{},"Compliance platform",": $6,000 to $60,000 annually depending on vendor",[73,3215,3216,3219],{},[76,3217,3218],{},"Penetration testing",": $8,000 to $30,000 per test",[73,3221,3222,3225],{},[76,3223,3224],{},"Internal staff time",": 200 to 600 hours across the first cycle",[32,3227,3228,3229,3233],{},"Total first-year cost for most growth-stage SaaS companies lands between $40,000 and $200,000. 
See the full ",[39,3230,3232],{"href":3231},"\u002Fframeworks\u002Fsoc2\u002Fcost","SOC 2 cost breakdown"," for detailed ranges and cost-reduction strategies.",[50,3235,3237],{"id":3236},"common-soc-2-challenges","Common SOC 2 challenges",[32,3239,3240],{},"SOC 2 programs rarely fail because the audit is unfair. They fail because organizations underestimate the operational discipline required. The challenges show up in predictable places.",[70,3242,3243,3249,3255,3261,3267,3278,3289],{},[73,3244,3245,3248],{},[76,3246,3247],{},"Scope creep."," Teams add new systems mid-audit or expand Trust Services Criteria without revisiting the control set. Every addition extends timelines and evidence requirements.",[73,3250,3251,3254],{},[76,3252,3253],{},"Evidence gaps."," Screenshots expire. Configurations change. Ownership drifts between quarters. By the time the auditor asks, the evidence trail is broken.",[73,3256,3257,3260],{},[76,3258,3259],{},"Cross-team coordination."," SOC 2 touches engineering, IT, HR, legal, and finance. Without a single source of truth for control status, teams duplicate work or miss handoffs.",[73,3262,3263,3266],{},[76,3264,3265],{},"Policy drift."," Policies written for the audit do not match how the team actually operates. Auditors detect this quickly during interviews and walkthroughs.",[73,3268,3269,3272,3273,3277],{},[76,3270,3271],{},"Vendor oversight."," Third-party vendors handle critical data but are rarely monitored with the same rigor as internal systems. See ",[39,3274,3276],{"href":3275},"\u002Fframeworks\u002Fsoc2\u002Fvendor-management","vendor management"," for how to close this gap.",[73,3279,3280,3283,3284,3288],{},[76,3281,3282],{},"Change management."," Production changes bypass approval workflows, leaving no audit trail. 
",[39,3285,3287],{"href":3286},"\u002Fframeworks\u002Fsoc2\u002Fchange-management","Change management"," is a frequent source of Type II exceptions.",[73,3290,3291,3294,3295,504],{},[76,3292,3293],{},"Incident response immaturity."," Teams have an incident response plan but have never tested it. Auditors look for evidence of real incidents handled end to end. See ",[39,3296,3298],{"href":3297},"\u002Fframeworks\u002Fsoc2\u002Fincident-response","incident response",[32,3300,3301],{},"A structured approach — mapping controls, evidence, and owners from day one — removes most of these friction points before they become audit findings.",[50,3303,3305],{"id":3304},"how-soc-2-compares-to-other-frameworks","How SOC 2 compares to other frameworks",[32,3307,3308],{},"SOC 2 is not the only security framework buyers may request. Understanding how SOC 2 relates to other standards helps you plan a cohesive compliance strategy rather than running parallel audits with overlapping work.",[32,3310,3311,3315],{},[76,3312,3313],{},[39,3314,1336],{"href":1771}," is an international certification focused on information security management systems. Unlike SOC 2, which produces an auditor's opinion letter, ISO 27001 results in a certificate issued by an accredited registrar. ISO 27001 is prescriptive about building an ISMS but the control set in Annex A overlaps heavily with the SOC 2 Common Criteria. Many mature companies pursue both and reuse evidence across them. ISO 27001 tends to be preferred by European and international buyers; SOC 2 is the North American standard.",[32,3317,3318,3322],{},[76,3319,3320],{},[39,3321,1116],{"href":1270}," is a US healthcare law that mandates specific safeguards for protected health information. HIPAA is a regulatory requirement rather than a voluntary attestation — there is no HIPAA certificate, but business associates and covered entities must comply. 
SOC 2 controls address many HIPAA administrative and technical safeguards, and a SOC 2 Type II report is often used as supporting evidence in HIPAA vendor due diligence. It is not a substitute for compliance, though: the Security Rule still requires your own documented risk analysis, and a signed BAA is required regardless of which reports you hold.
The ",[39,3358,3360],{"href":3359},"\u002Fframeworks\u002Fsoc2\u002Fchecklist","full SOC 2 checklist"," covers every category, but at a high level expect to address:",[70,3363,3364,3367,3370,3373,3376,3379,3382,3385,3388,3391],{},[73,3365,3366],{},"Governance and policies (information security policy, acceptable use, code of conduct)",[73,3368,3369],{},"Access control (SSO, MFA, role-based access, quarterly access reviews)",[73,3371,3372],{},"Change management (code review, deployment approvals, production change logs)",[73,3374,3375],{},"Vendor risk management (inventory, assessments, monitoring)",[73,3377,3378],{},"Incident response (documented plan, tested at least annually)",[73,3380,3381],{},"Business continuity and disaster recovery (plan with defined RPO\u002FRTO, tested)",[73,3383,3384],{},"Logging and monitoring (centralized logs, alerting, incident tickets)",[73,3386,3387],{},"Security awareness training (annual minimum, tracked completion)",[73,3389,3390],{},"HR controls (background checks, onboarding, offboarding, confidentiality agreements)",[73,3392,3393],{},"Risk assessment (annual risk review, risk register, treatment plans)",[32,3395,3396],{},"Most companies find that the readiness phase surfaces gaps they did not know existed. That is the point — better to discover them before the auditor arrives.",[50,3398,3400],{"id":3399},"getting-started-with-soc-2","Getting started with SOC 2",[32,3402,3403],{},"The best time to start a SOC 2 program is before the first buyer demands it. The second best time is now.",[32,3405,3406],{},"A reasonable starting sequence:",[549,3408,3409,3415,3421,3427,3433,3439],{},[73,3410,3411,3414],{},[76,3412,3413],{},"Pick your Trust Services Criteria."," Security is required. Add others only if you have customer commitments that map to them.",[73,3416,3417,3420],{},[76,3418,3419],{},"Decide Type I vs Type II."," If you need a report fast for a specific deal, start with Type I. 
If you have time and buyer pressure is general, skip straight to Type II.",[73,3422,3423,3426],{},[76,3424,3425],{},"Run a readiness assessment."," Either internally or with a consultant. The goal is a prioritized remediation list, not a polished report.",[73,3428,3429,3432],{},[76,3430,3431],{},"Remediate in priority order."," Address policy gaps, access control weaknesses, and logging first — these are the most common sources of findings.",[73,3434,3435,3438],{},[76,3436,3437],{},"Select an auditor."," Get proposals from two to four CPA firms. Check references from similar companies. Book early — good auditors are scheduled quarters in advance.",[73,3440,3441,3444],{},[76,3442,3443],{},"Operate, collect, and iterate."," Run your controls, collect evidence continuously, and prepare for fieldwork. Do not treat the audit as a one-time event.",[32,3446,3447,3448,3453,3454,3458],{},"episki was built for exactly this journey. The platform maps your controls to Trust Services Criteria, automates evidence collection, tracks ownership across teams, and gives your auditor structured access when fieldwork begins. 
",[39,3449,3452],{"href":161,"rel":3450},[3451],"nofollow","Start a free trial"," or ",[39,3455,3457],{"href":167,"rel":3456},[3451],"book a demo"," to see how SOC 2 looks with the scramble removed.",{"title":123,"searchDepth":124,"depth":124,"links":3460},[3461,3462,3463,3470,3471,3472,3473,3474,3475,3476],{"id":2968,"depth":124,"text":2969},{"id":2997,"depth":124,"text":2998},{"id":3031,"depth":124,"text":3032,"children":3464},[3465,3466,3467,3468,3469],{"id":3040,"depth":631,"text":3041},{"id":3047,"depth":631,"text":3048},{"id":3059,"depth":631,"text":3060},{"id":3066,"depth":631,"text":3067},{"id":3078,"depth":631,"text":3079},{"id":3089,"depth":124,"text":3090},{"id":3124,"depth":124,"text":3125},{"id":3180,"depth":124,"text":3181},{"id":3236,"depth":124,"text":3237},{"id":3304,"depth":124,"text":3305},{"id":3352,"depth":124,"text":3353},{"id":3399,"depth":124,"text":3400},{"title":3478,"description":3479,"items":3480},"SOC 2 readiness checklist inside episki","Everything is preloaded in your free trial so you can start assigning ownership and collecting proof immediately.",[3481,3482,3483,3484,3485],"Trust Service Criteria library with mapped controls","Policy templates and AI drafting assistant","Evidence library with structured ownership and review cadences","Emulated auditor workspace with sample requests","Customer-facing compliance portal template",{"title":3487,"description":3488},"Launch your SOC 2 workspace today","Import your controls, connect evidence, and invite your auditor in under an hour.",{"title":3490,"items":3491},"SOC 2 frequently asked questions",[3492,3495,3498,3501,3503],{"label":3493,"content":3494},"How long does a SOC 2 audit take?","A SOC 2 Type I audit typically takes 4-8 weeks of preparation plus the audit itself. Type II requires a 3-12 month observation period followed by the assessment. 
episki's automation can cut preparation time by up to 45 days.",{"label":3496,"content":3497},"What is the difference between SOC 2 Type I and Type II?","SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. Type II tests whether those controls operated effectively over a sustained period, usually 3-12 months. Most enterprise buyers require a Type II report.",{"label":3499,"content":3500},"How much does SOC 2 compliance cost?","Total costs typically range from $20,000 to $100,000+ depending on scope, readiness, and auditor fees. episki covers the platform side at a flat $500\u002Fmonth with no per-seat charges, significantly reducing the software portion of that budget.",{"label":3090,"content":3502},"Any SaaS company, cloud service provider, or data processor handling customer data is a likely candidate. Enterprise buyers in financial services, healthcare, and technology frequently require a current SOC 2 report before signing contracts.",{"label":3504,"content":3505},"What are the SOC 2 Trust Services Criteria?","The five Trust Services Criteria are security (required), availability, processing integrity, confidentiality, and privacy. 
Security is mandatory for every SOC 2 audit; the other four are optional and selected based on the services you provide.",{"headline":3507,"title":3508,"description":3509,"links":3510},"SOC 2 without the scramble","Ship SOC 2 audits without slowing product velocity","episki maps Trust Service Criteria, automates evidence, and keeps auditors in sync so your team can focus on building.",[3511,3513],{"label":3512,"icon":160,"to":161},"Start SOC 2 trial",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},{},"SOC 2 Type I\u002FII",{"headline":3517,"title":3517,"description":3518,"items":3519},"SOC 2 acceleration resources","Give execs and customers visibility into progress at every stage.",[3520,3522,3525],{"title":690,"description":3521},"Summaries translate control work into risk reduction and deals unlocked.",{"title":3523,"description":3524},"Sales enablement kit","SOC 2 FAQ answers and trust collateral ready for GTM teams.",{"title":3526,"description":3527},"Audit retro template","Capture what worked, track remediations, and prep the next period.",{"title":3529,"description":3530},"SOC 2 Compliance Software","Get SOC 2 Type I and Type II audit-ready faster with episki's automated controls, evidence tracking, and auditor collaboration. 
Start your free 14-day trial.","soc2",[3533,3536,3539],{"value":3534,"description":3535},"45 days faster","Average time saved reaching Type II readiness with episki’s automation.",{"value":3537,"description":3538},"120+ controls","Pre-mapped control narratives with owners, evidence, and review cadences.",{"value":3540,"description":3541},"100% coverage","Auditor portal with control health dashboards and SOC 2 exports.","5.frameworks\u002Fsoc2","shAxjjcx4JmL7Zy8hak9QyL4MkAUXkpn4CKU8l_0-Q4",[3545,3668,3792,4402],{"id":3546,"title":3547,"body":3548,"description":123,"extension":140,"lastUpdated":3654,"meta":3655,"navigation":171,"path":94,"relatedFrameworks":3656,"relatedTerms":3657,"seo":3662,"slug":3665,"stem":3666,"term":3553,"__hash__":3667},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":29,"value":3549,"toc":3645},[3550,3554,3561,3565,3568,3582,3586,3589,3603,3606,3617,3621,3624,3638,3642],[50,3551,3553],{"id":3552},"what-is-grc","What is GRC?",[32,3555,3556,3557,3560],{},"GRC stands for ",[76,3558,3559],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[241,3562,3564],{"id":3563},"governance","Governance",[32,3566,3567],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. In a security context, governance includes:",[70,3569,3570,3573,3576,3579],{},[73,3571,3572],{},"Establishing security policies and standards",[73,3574,3575],{},"Assigning ownership for controls and programs",[73,3577,3578],{},"Setting risk appetite and tolerance levels",[73,3580,3581],{},"Board-level oversight of security posture",[241,3583,3585],{"id":3584},"risk-management","Risk management",[32,3587,3588],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. 
Common activities include:",[70,3590,3591,3594,3597,3600],{},[73,3592,3593],{},"Maintaining a risk register with likelihood and impact scores",[73,3595,3596],{},"Prioritizing remediation based on business impact",[73,3598,3599],{},"Tracking treatment plans with owners and deadlines",[73,3601,3602],{},"Reviewing risk posture on a recurring schedule",[241,3604,3605],{"id":95},"Compliance",[32,3607,3608,3609,43,3611,43,3613,3338,3615,504],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[39,3610,42],{"href":41},[39,3612,1336],{"href":1771},[39,3614,1116],{"href":1270},[39,3616,2461],{"href":2909},[241,3618,3620],{"id":3619},"why-grc-matters","Why GRC matters",[32,3622,3623],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. A GRC program brings these disciplines together so that:",[70,3625,3626,3629,3632,3635],{},[73,3627,3628],{},"Controls are mapped once and reused across frameworks",[73,3630,3631],{},"Risk decisions inform which controls get priority",[73,3633,3634],{},"Evidence is collected continuously rather than scrambled before audits",[73,3636,3637],{},"Leadership has visibility into security posture and compliance status",[241,3639,3641],{"id":3640},"grc-software","GRC software",[32,3643,3644],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. 
Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":123,"searchDepth":124,"depth":124,"links":3646},[3647],{"id":3552,"depth":124,"text":3553,"children":3648},[3649,3650,3651,3652,3653],{"id":3563,"depth":631,"text":3564},{"id":3584,"depth":631,"text":3585},{"id":95,"depth":631,"text":3605},{"id":3619,"depth":631,"text":3620},{"id":3640,"depth":631,"text":3641},"2026-04-16",{},[3531,1788,1287,2926,2411],[3658,3659,3660,3661],"risk-register","control-framework","audit-trail","evidence-collection",{"title":3663,"description":3664},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","grc","8.glossary\u002Fgrc","z7uTPh4PsV0D9njj62M4FXnwjHgD1TiZCXJGfk_tnG8",{"id":3669,"title":716,"body":3670,"description":123,"extension":140,"lastUpdated":3654,"meta":3780,"navigation":171,"path":758,"relatedFrameworks":3781,"relatedTerms":3782,"seo":3787,"slug":1287,"stem":3790,"term":744,"__hash__":3791},"glossary\u002F8.glossary\u002Fhipaa.md",{"type":29,"value":3671,"toc":3770},[3672,3674,3677,3681,3707,3711,3714,3725,3729,3732,3746,3750,3753,3757,3760,3764],[50,3673,744],{"id":743},[32,3675,3676],{},"HIPAA (Health Insurance Portability and Accountability Act) is a US federal law enacted in 1996 that establishes standards for protecting sensitive patient health information. 
It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates.",[241,3678,3680],{"id":3679},"key-rules","Key rules",[70,3682,3683,3689,3695,3701],{},[73,3684,3685,3688],{},[76,3686,3687],{},"Privacy Rule"," — governs the use and disclosure of protected health information (PHI)",[73,3690,3691,3694],{},[76,3692,3693],{},"Security Rule"," — requires administrative, physical, and technical safeguards for electronic PHI (ePHI)",[73,3696,3697,3700],{},[76,3698,3699],{},"Breach Notification Rule"," — mandates notification of affected individuals and HHS after a data breach",[73,3702,3703,3706],{},[76,3704,3705],{},"Enforcement Rule"," — establishes investigation and penalty procedures",[241,3708,3710],{"id":3709},"protected-health-information-phi","Protected Health Information (PHI)",[32,3712,3713],{},"PHI includes any individually identifiable health information, such as:",[70,3715,3716,3719,3722],{},[73,3717,3718],{},"Medical records and diagnoses",[73,3720,3721],{},"Treatment and payment information",[73,3723,3724],{},"Names, addresses, dates of birth, and Social Security numbers when linked to health data",[241,3726,3728],{"id":3727},"business-associate-agreements-baas","Business Associate Agreements (BAAs)",[32,3730,3731],{},"Any vendor that handles PHI on behalf of a covered entity must sign a BAA. This contract:",[70,3733,3734,3737,3740,3743],{},[73,3735,3736],{},"Defines how the vendor can use and disclose PHI",[73,3738,3739],{},"Requires the vendor to implement appropriate safeguards",[73,3741,3742],{},"Establishes breach notification obligations",[73,3744,3745],{},"Makes the vendor directly liable for HIPAA violations",[241,3747,3749],{"id":3748},"hipaa-penalties","HIPAA penalties",[32,3751,3752],{},"Penalties range from $141 to $2,134,831 per violation depending on the level of negligence, with an annual cap of $2,134,831 per identical violation category. 
Criminal penalties can include fines up to $250,000 and imprisonment.",[241,3754,3756],{"id":3755},"hipaa-for-saas-companies","HIPAA for SaaS companies",[32,3758,3759],{},"SaaS companies that store, process, or transmit PHI are considered business associates and must comply with HIPAA. Common requirements include encryption at rest and in transit, access controls, audit logging, and incident response procedures.",[241,3761,3763],{"id":3762},"how-episki-helps-with-hipaa","How episki helps with HIPAA",[32,3765,3766,3767,504],{},"episki maps safeguards to your systems, tracks BAA renewals, and provides auditor portals for sharing evidence. Learn more on our ",[39,3768,3769],{"href":1270},"HIPAA compliance page",{"title":123,"searchDepth":124,"depth":124,"links":3771},[3772],{"id":743,"depth":124,"text":744,"children":3773},[3774,3775,3776,3777,3778,3779],{"id":3679,"depth":631,"text":3680},{"id":3709,"depth":631,"text":3710},{"id":3727,"depth":631,"text":3728},{"id":3748,"depth":631,"text":3749},{"id":3755,"depth":631,"text":3756},{"id":3762,"depth":631,"text":3763},{},[1287],[3783,3784,3785,3786],"phi","baa","covered-entity","breach-notification",{"title":3788,"description":3789},"What is HIPAA? Healthcare Compliance Requirements Explained","HIPAA is the US federal law protecting health information. 
Learn about the Privacy Rule, Security Rule, BAAs, PHI safeguards, and penalties for non-compliance.","8.glossary\u002Fhipaa","ss95ye7uWJGVzf2zkCfpQl0GdS3eRaX7mvNnNdzpX5Q",{"id":3793,"title":1302,"body":3794,"description":123,"extension":140,"lastUpdated":3654,"meta":4390,"navigation":171,"path":1335,"relatedFrameworks":4391,"relatedTerms":4392,"seo":4397,"slug":1788,"stem":4400,"term":1330,"__hash__":4401},"glossary\u002F8.glossary\u002Fiso27001.md",{"type":29,"value":3795,"toc":4378},[3796,3798,3804,3812,3816,3839,3843,3846,3890,3894,3897,3923,3926,3929,3949,3953,3956,4011,4014,4018,4021,4027,4033,4039,4045,4051,4054,4056,4059,4149,4152,4155,4187,4190,4195,4209,4213,4216,4328,4331,4334,4337,4362,4368,4372],[50,3797,1330],{"id":1329},[32,3799,3800,3801,3803],{},"ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (",[39,3802,1341],{"href":1340},").",[32,3805,3806,3807,3811],{},"First published in 2005 and most recently revised in 2022, ISO 27001 is the world's most widely adopted information security framework. It takes a risk-based approach: rather than prescribing a fixed checklist, it requires organizations to identify their own security risks and select controls appropriate to their context. 
Certification is granted by accredited third-party ",[39,3808,3810],{"href":3809},"\u002Fglossary\u002Fcertification-body","certification bodies"," after a formal audit process.",[241,3813,3815],{"id":3814},"key-components","Key components",[70,3817,3818,3823,3828,3833],{},[73,3819,3820,3822],{},[76,3821,1341],{}," — a systematic approach to managing sensitive information through people, processes, and technology",[73,3824,3825,3827],{},[76,3826,1405],{}," — a reference set of 93 controls (in the 2022 revision) organized into four themes: organizational, people, physical, and technological",[73,3829,3830,3832],{},[76,3831,1428],{}," — a document listing which Annex A controls apply and justifying any exclusions",[73,3834,3835,3838],{},[76,3836,3837],{},"Risk assessment"," — a formal process for identifying and treating information security risks",[241,3840,3842],{"id":3841},"certification-process","Certification process",[32,3844,3845],{},"ISO 27001 certification involves:",[549,3847,3848,3854,3860,3866,3872,3878,3884],{},[73,3849,3850,3853],{},[76,3851,3852],{},"Gap analysis"," — compare current practices against the standard",[73,3855,3856,3859],{},[76,3857,3858],{},"ISMS implementation"," — build policies, controls, and processes",[73,3861,3862,3865],{},[76,3863,3864],{},"Internal audit"," — verify the ISMS works as intended",[73,3867,3868,3871],{},[76,3869,3870],{},"Stage 1 audit"," — external auditor reviews documentation",[73,3873,3874,3877],{},[76,3875,3876],{},"Stage 2 audit"," — external auditor tests operational effectiveness",[73,3879,3880,3883],{},[76,3881,3882],{},"Surveillance audits"," — annual reviews to maintain certification",[73,3885,3886,3889],{},[76,3887,3888],{},"Recertification"," — full audit every three years",[241,3891,3893],{"id":3892},"who-needs-iso-27001","Who needs ISO 27001?",[32,3895,3896],{},"ISO 27001 certification is voluntary — no law mandates it — but it is increasingly expected by enterprise buyers and procurement teams. 
Organizations that benefit most include:",[70,3898,3899,3905,3911,3917],{},[73,3900,3901,3904],{},[76,3902,3903],{},"Companies targeting international customers"," — ISO 27001 is the de facto security standard in Europe, APAC, and the Middle East. Without it, you may not make it past vendor questionnaires.",[73,3906,3907,3910],{},[76,3908,3909],{},"Regulated industries"," — Financial services, healthcare, and government contractors often require suppliers to hold ISO 27001 certification as a baseline.",[73,3912,3913,3916],{},[76,3914,3915],{},"SaaS and cloud providers"," — Enterprise buyers routinely ask for ISO 27001 during procurement. It signals that your security program is structured and externally validated.",[73,3918,3919,3922],{},[76,3920,3921],{},"Organizations scaling into new markets"," — If you already serve the US with a SOC 2, adding ISO 27001 opens doors globally without rebuilding your program from scratch.",[32,3924,3925],{},"Even when not contractually required, holding the certification reduces the time spent answering security questionnaires and builds trust with prospects before the first sales call.",[32,3927,3928],{},"ISO 27001 is especially valued in:",[70,3930,3931,3937,3943],{},[73,3932,3933,3936],{},[76,3934,3935],{},"Europe"," — GDPR-conscious buyers view it as evidence of mature data protection practices.",[73,3938,3939,3942],{},[76,3940,3941],{},"APAC"," — Markets like Japan, Australia, and Singapore treat it as a baseline requirement for technology vendors.",[73,3944,3945,3948],{},[76,3946,3947],{},"Global enterprises"," — Companies like Google, Microsoft, and Salesforce require ISO 27001 from critical suppliers in their vendor risk management programs.",[241,3950,3952],{"id":3951},"iso-270012022-changes","ISO 27001:2022 changes",[32,3954,3955],{},"The 2022 revision of ISO 27001 (formally ISO\u002FIEC 27001:2022) brought the most significant structural changes since the standard's 2013 edition. 
The core ISMS requirements in clauses 4–10 received minor wording updates, but Annex A was overhauled:",[70,3957,3958,3964,3970],{},[73,3959,3960,3963],{},[76,3961,3962],{},"Restructured from 14 categories to 4 themes"," — The previous 14-domain layout was replaced with four broad themes: organizational, people, physical, and technological.",[73,3965,3966,3969],{},[76,3967,3968],{},"Consolidated from 114 controls to 93"," — Controls were merged and reorganized, not removed. The reduction reflects overlapping controls being combined into more coherent groupings.",[73,3971,3972,3975,3976],{},[76,3973,3974],{},"11 new controls added"," — The 2022 revision introduced controls that reflect the modern threat landscape, including:\n",[70,3977,3978,3981,3984,3987,3990,3993,3996,3999,4002,4005,4008],{},[73,3979,3980],{},"Threat intelligence",[73,3982,3983],{},"Information security for cloud services",[73,3985,3986],{},"ICT readiness for business continuity",[73,3988,3989],{},"Physical security monitoring",[73,3991,3992],{},"Configuration management",[73,3994,3995],{},"Information deletion",[73,3997,3998],{},"Data masking",[73,4000,4001],{},"Data leakage prevention",[73,4003,4004],{},"Monitoring activities",[73,4006,4007],{},"Web filtering",[73,4009,4010],{},"Secure coding",[32,4012,4013],{},"Organizations certified under the 2013 edition were required to transition to the 2022 revision by October 31, 2025. New certifications are issued exclusively against the 2022 standard.",[241,4015,4017],{"id":4016},"the-annex-a-control-themes","The Annex A control themes",[32,4019,4020],{},"The four themes in Annex A group controls by domain rather than by the asset or process they protect. This makes it easier to assign ownership and track implementation progress.",[32,4022,4023,4026],{},[76,4024,4025],{},"Organizational controls (37 controls)","\nThese cover governance, policies, and management-level activities. 
Examples include information security policies, defined roles and responsibilities, threat intelligence, asset management, access control policies, supplier security, and incident management.",[32,4028,4029,4032],{},[76,4030,4031],{},"People controls (8 controls)","\nFocused on the human side of security. Examples include pre-employment screening, information security awareness and training, disciplinary processes, responsibilities after termination, remote working arrangements, and confidentiality agreements.",[32,4034,4035,4038],{},[76,4036,4037],{},"Physical controls (14 controls)","\nAddress the protection of physical spaces and equipment. Examples include physical security perimeters, physical entry controls, securing offices and facilities, equipment maintenance, storage media handling, and supporting utility security.",[32,4040,4041,4044],{},[76,4042,4043],{},"Technological controls (34 controls)","\nCover technical safeguards applied to IT systems. Examples include user endpoint devices, privileged access rights, access restriction to information, secure authentication, capacity management, protection against malware, management of technical vulnerabilities, logging, network security, encryption, secure development lifecycle, and data masking.",[32,4046,4047,4048,4050],{},"Together, the 93 controls form the reference set from which you build your ",[39,4049,1435],{"href":1434},". Not every control will apply — the SoA documents which you selected and why you excluded the rest.",[32,4052,4053],{},"A common approach is to assign theme ownership: IT leads technological controls, HR owns people controls, facilities manages physical controls, and a GRC or security team coordinates organizational controls. This clear division of responsibility is one reason the 2022 restructuring was widely welcomed by practitioners.",[241,4055,1586],{"id":1585},[32,4057,4058],{},"ISO 27001 certification is a significant investment in both money and internal effort. 
Typical ranges depend on organization size, complexity, and existing maturity:",[4060,4061,4062,4081],"table",{},[4063,4064,4065],"thead",{},[4066,4067,4068,4072,4075,4078],"tr",{},[4069,4070,4071],"th",{},"Factor",[4069,4073,4074],{},"Small org (\u003C 50 employees)",[4069,4076,4077],{},"Mid-size org (50–500)",[4069,4079,4080],{},"Enterprise (500+)",[4082,4083,4084,4101,4117,4133],"tbody",{},[4066,4085,4086,4092,4095,4098],{},[4087,4088,4089],"td",{},[76,4090,4091],{},"Implementation cost",[4087,4093,4094],{},"$30K–$50K",[4087,4096,4097],{},"$50K–$100K",[4087,4099,4100],{},"$100K+",[4066,4102,4103,4108,4111,4114],{},[4087,4104,4105],{},[76,4106,4107],{},"Timeline to certification",[4087,4109,4110],{},"6–9 months",[4087,4112,4113],{},"9–12 months",[4087,4115,4116],{},"12–18 months",[4066,4118,4119,4124,4127,4130],{},[4087,4120,4121],{},[76,4122,4123],{},"Certification audit fees",[4087,4125,4126],{},"$10K–$20K",[4087,4128,4129],{},"$20K–$40K",[4087,4131,4132],{},"$40K–$80K",[4066,4134,4135,4140,4143,4146],{},[4087,4136,4137],{},[76,4138,4139],{},"Annual surveillance audits",[4087,4141,4142],{},"$5K–$15K",[4087,4144,4145],{},"$15K–$25K",[4087,4147,4148],{},"$25K–$50K",[32,4150,4151],{},"These figures include consulting, tooling, auditor fees, and remediation. 
They do not include the internal time your team spends building policies, gathering evidence, and running internal audits — which is often the largest hidden cost.",[32,4153,4154],{},"The implementation timeline typically breaks down as:",[549,4156,4157,4163,4169,4175,4181],{},[73,4158,4159,4162],{},[76,4160,4161],{},"Months 1–2"," — Scoping, gap analysis, and risk assessment",[73,4164,4165,4168],{},[76,4166,4167],{},"Months 3–6"," — Policy development, control implementation, and staff training",[73,4170,4171,4174],{},[76,4172,4173],{},"Months 7–8"," — Internal audit and management review",[73,4176,4177,4180],{},[76,4178,4179],{},"Months 9–10"," — Stage 1 audit (documentation review)",[73,4182,4183,4186],{},[76,4184,4185],{},"Months 10–12"," — Remediation and Stage 2 audit (operational effectiveness)",[32,4188,4189],{},"After certification, expect ongoing costs for surveillance audits (annually) and a full recertification audit every three years.",[32,4191,4192],{},[76,4193,4194],{},"Tips for reducing cost and timeline:",[70,4196,4197,4200,4203,4206],{},[73,4198,4199],{},"Start with a gap analysis to avoid over-investing in areas you already cover.",[73,4201,4202],{},"Reuse existing policies and evidence from SOC 2 or NIST CSF if you have them.",[73,4204,4205],{},"Use a GRC platform to centralize evidence collection and automate control tracking.",[73,4207,4208],{},"Engage your certification body early for a pre-assessment to surface surprises before the formal audit.",[241,4210,4212],{"id":4211},"how-iso-27001-maps-to-other-frameworks","How ISO 27001 maps to other frameworks",[32,4214,4215],{},"If your organization already operates under another framework, ISO 27001 will share significant control overlap. 
Mapping controls across frameworks reduces duplicate work and accelerates certification timelines.",[4060,4217,4218,4232],{},[4063,4219,4220],{},[4066,4221,4222,4224,4226,4228,4230],{},[4069,4223],{},[4069,4225,1336],{},[4069,4227,42],{},[4069,4229,47],{},[4069,4231,2461],{},[4082,4233,4234,4253,4272,4290,4309],{},[4066,4235,4236,4241,4244,4247,4250],{},[4087,4237,4238],{},[76,4239,4240],{},"Type",[4087,4242,4243],{},"Certifiable standard",[4087,4245,4246],{},"Attestation report",[4087,4248,4249],{},"Voluntary framework",[4087,4251,4252],{},"Mandatory standard",[4066,4254,4255,4260,4263,4266,4269],{},[4087,4256,4257],{},[76,4258,4259],{},"Scope",[4087,4261,4262],{},"Global",[4087,4264,4265],{},"Primarily North America",[4087,4267,4268],{},"US-originated, global adoption",[4087,4270,4271],{},"Any org handling cardholder data",[4066,4273,4274,4279,4282,4284,4287],{},[4087,4275,4276],{},[76,4277,4278],{},"Structure",[4087,4280,4281],{},"ISMS + Annex A controls",[4087,4283,2987],{},[4087,4285,4286],{},"6 functions, 22 categories",[4087,4288,4289],{},"12 requirements, 300+ sub-requirements",[4066,4291,4292,4297,4300,4303,4306],{},[4087,4293,4294],{},[76,4295,4296],{},"Validity",[4087,4298,4299],{},"3 years with surveillance",[4087,4301,4302],{},"Report covers observation period",[4087,4304,4305],{},"Self-assessed (no certification)",[4087,4307,4308],{},"Annual assessment",[4066,4310,4311,4316,4319,4322,4325],{},[4087,4312,4313],{},[76,4314,4315],{},"Control count",[4087,4317,4318],{},"93 (Annex A)",[4087,4320,4321],{},"~60 points of focus",[4087,4323,4324],{},"~100 subcategories",[4087,4326,4327],{},"300+",[32,4329,4330],{},"The overlap between ISO 27001 and SOC 2 is roughly 70–80% at the control level. NIST CSF aligns even more closely with ISO 27001 since both follow a risk-based approach. 
PCI DSS is more prescriptive but shares foundational controls around access management, logging, encryption, and incident response.",[32,4332,4333],{},"Organizations that already have one framework in place can typically achieve ISO 27001 certification 30–40% faster by reusing existing policies, evidence, and control implementations.",[32,4335,4336],{},"Key areas of overlap include:",[70,4338,4339,4345,4351,4356],{},[73,4340,4341,4344],{},[76,4342,4343],{},"Access control"," — covered by all four frameworks, though PCI DSS is the most prescriptive about password complexity and multi-factor authentication.",[73,4346,4347,4350],{},[76,4348,4349],{},"Incident response"," — ISO 27001, NIST CSF, and PCI DSS all require documented incident response plans and regular testing.",[73,4352,4353,4355],{},[76,4354,3585],{}," — ISO 27001 and NIST CSF both center on risk-based decision-making; SOC 2 addresses it through the Common Criteria.",[73,4357,4358,4361],{},[76,4359,4360],{},"Logging and monitoring"," — a universal requirement, with PCI DSS specifying exact log retention periods and ISO 27001 leaving implementation details to the organization.",[32,4363,4364,4365,504],{},"For a detailed breakdown of how controls map across frameworks, see our ",[39,4366,4367],{"href":1678},"framework mapping guide",[241,4369,4371],{"id":4370},"how-episki-helps-with-iso-27001","How episki helps with ISO 27001",[32,4373,4374,4375,504],{},"episki maps controls to Annex A, tracks your Statement of Applicability, and connects evidence across ISO 27001 and other frameworks. 
Learn more on our ",[39,4376,4377],{"href":1771},"ISO 27001 compliance page",{"title":123,"searchDepth":124,"depth":124,"links":4379},[4380],{"id":1329,"depth":124,"text":1330,"children":4381},[4382,4383,4384,4385,4386,4387,4388,4389],{"id":3814,"depth":631,"text":3815},{"id":3841,"depth":631,"text":3842},{"id":3892,"depth":631,"text":3893},{"id":3951,"depth":631,"text":3952},{"id":4016,"depth":631,"text":4017},{"id":1585,"depth":631,"text":1586},{"id":4211,"depth":631,"text":4212},{"id":4370,"depth":631,"text":4371},{},[1788],[4393,4394,4395,4396],"isms","annex-a","certification-body","surveillance-audit",{"title":4398,"description":4399},"What is ISO 27001? ISMS Certification Explained","ISO 27001 is the international standard for information security management systems (ISMS). Learn about certification requirements, Annex A controls, and how to prepare.","8.glossary\u002Fiso27001","uV0isz5GoX3td94Hc92c2WCNJWN788aXYZbx9q7FEeY",{"id":4403,"title":2941,"body":4404,"description":123,"extension":140,"lastUpdated":3654,"meta":4530,"navigation":171,"path":4531,"relatedFrameworks":4532,"relatedTerms":4533,"seo":4538,"slug":3531,"stem":4541,"term":2969,"__hash__":4542},"glossary\u002F8.glossary\u002Fsoc2.md",{"type":29,"value":4405,"toc":4521},[4406,4408,4411,4414,4417,4445,4448,4452,4464,4467,4471,4474,4477,4480,4511,4515],[50,4407,2969],{"id":2968},[32,4409,4410],{},"SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how service organizations protect customer data. 
It is one of the most requested security attestations for SaaS companies and technology vendors.",[241,4412,2987],{"id":4413},"trust-services-criteria",[32,4415,4416],{},"SOC 2 is built around five Trust Services Criteria (TSC):",[70,4418,4419,4425,4430,4435,4440],{},[73,4420,4421,4424],{},[76,4422,4423],{},"Security"," (required) — protection against unauthorized access",[73,4426,4427,4429],{},[76,4428,3048],{}," — system uptime and operational reliability",[73,4431,4432,4434],{},[76,4433,3060],{}," — accurate and complete data processing",[73,4436,4437,4439],{},[76,4438,3067],{}," — protection of confidential information",[73,4441,4442,4444],{},[76,4443,3079],{}," — handling of personal information per commitments",[32,4446,4447],{},"Most organizations start with Security and add additional criteria based on customer requirements.",[241,4449,4451],{"id":4450},"type-i-vs-type-ii","Type I vs Type II",[70,4453,4454,4459],{},[73,4455,4456,4458],{},[76,4457,3006],{}," evaluates whether controls are designed appropriately at a specific point in time",[73,4460,4461,4463],{},[76,4462,3012],{}," evaluates whether controls operated effectively over a period (typically 3-12 months)",[32,4465,4466],{},"Type II reports carry more weight with enterprise buyers because they demonstrate sustained compliance rather than a single snapshot.",[241,4468,4470],{"id":4469},"who-needs-soc-2","Who needs SOC 2?",[32,4472,4473],{},"SOC 2 is not legally required, but it is effectively mandatory for SaaS companies selling to enterprises. 
Buyers, procurement teams, and security reviewers routinely request SOC 2 reports as part of vendor diligence.",[241,4475,3493],{"id":4476},"how-long-does-a-soc-2-audit-take",[32,4478,4479],{},"A typical timeline:",[70,4481,4482,4488,4494,4499,4505],{},[73,4483,4484,4487],{},[76,4485,4486],{},"Readiness assessment:"," 2-4 weeks",[73,4489,4490,4493],{},[76,4491,4492],{},"Remediation:"," 4-12 weeks depending on gaps",[73,4495,4496,4487],{},[76,4497,4498],{},"Type I audit:",[73,4500,4501,4504],{},[76,4502,4503],{},"Observation period for Type II:"," 3-12 months",[73,4506,4507,4510],{},[76,4508,4509],{},"Type II audit:"," 4-6 weeks",[241,4512,4514],{"id":4513},"how-episki-helps-with-soc-2","How episki helps with SOC 2",[32,4516,4517,4518,504],{},"episki maps controls to Trust Services Criteria, tracks evidence with ownership and review cadences, and provides auditor portals for streamlined collaboration. Learn more on our ",[39,4519,4520],{"href":41},"SOC 2 compliance page",{"title":123,"searchDepth":124,"depth":124,"links":4522},[4523],{"id":2968,"depth":124,"text":2969,"children":4524},[4525,4526,4527,4528,4529],{"id":4413,"depth":631,"text":2987},{"id":4450,"depth":631,"text":4451},{"id":4469,"depth":631,"text":4470},{"id":4476,"depth":631,"text":3493},{"id":4513,"depth":631,"text":4514},{},"\u002Fglossary\u002Fsoc2",[3531],[4413,4534,4535,4536,4537],"soc2-type-1","soc2-type-2","service-auditor","ssae-18",{"title":4539,"description":4540},"What is SOC 2? Compliance Requirements Explained","SOC 2 is an auditing framework for service organizations based on five Trust Services Criteria. 
Learn about SOC 2 Type I vs Type II, audit timelines, and what it takes to get compliant.","8.glossary\u002Fsoc2","HxCJ-MVx4pErD7AwYkHgr_2aiZffYJTt9jhfAl9AgSw",[4544,5093],{"id":4545,"title":4546,"body":4547,"description":123,"extension":140,"lastUpdated":3654,"meta":5081,"navigation":171,"path":5082,"relatedFrameworks":5083,"relatedTerms":5084,"seo":5087,"slug":5090,"stem":5091,"term":4552,"__hash__":5092},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":29,"value":4548,"toc":5067},[4549,4553,4556,4560,4563,4589,4593,4599,4605,4611,4617,4621,4624,4630,4647,4653,4667,4673,4684,4688,4691,4735,4739,4742,4756,4760,4763,4786,4790,4793,4842,4846,4849,4962,4965,4968,4997,5001,5007,5010,5047,5050,5053,5056,5060],[50,4550,4552],{"id":4551},"what-is-access-control","What is Access Control?",[32,4554,4555],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[241,4557,4559],{"id":4558},"core-principles","Core principles",[32,4561,4562],{},"Access control is built on several foundational principles:",[70,4564,4565,4571,4577,4583],{},[73,4566,4567,4570],{},[76,4568,4569],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[73,4572,4573,4576],{},[76,4574,4575],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[73,4578,4579,4582],{},[76,4580,4581],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[73,4584,4585,4588],{},[76,4586,4587],{},"Default deny"," — access is denied by default unless explicitly granted",[241,4590,4592],{"id":4591},"types-of-access-control","Types of access control",[32,4594,4595,4598],{},[76,4596,4597],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[32,4600,4601,4604],{},[76,4602,4603],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[32,4606,4607,4610],{},[76,4608,4609],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[32,4612,4613,4616],{},[76,4614,4615],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[241,4618,4620],{"id":4619},"access-control-components","Access control components",[32,4622,4623],{},"A complete access control program addresses:",[32,4625,4626,4629],{},[76,4627,4628],{},"Authentication"," — verifying the identity of users:",[70,4631,4632,4635,4638,4641,4644],{},[73,4633,4634],{},"Passwords and passphrases",[73,4636,4637],{},"Multi-factor authentication (MFA)",[73,4639,4640],{},"Single sign-on (SSO)",[73,4642,4643],{},"Biometric authentication",[73,4645,4646],{},"Certificate-based authentication",[32,4648,4649,4652],{},[76,4650,4651],{},"Authorization"," — determining what authenticated users can do:",[70,4654,4655,4658,4661,4664],{},[73,4656,4657],{},"Permission assignments",[73,4659,4660],{},"Role definitions",[73,4662,4663],{},"Access control lists",[73,4665,4666],{},"Policy enforcement points",[32,4668,4669,4672],{},[76,4670,4671],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[70,4674,4675,4678,4681],{},[73,4676,4677],{},"Provisioning (granting access when hired or role changes)",[73,4679,4680],{},"Review (periodic access certification)",[73,4682,4683],{},"Deprovisioning (revoking access upon termination or role change)",[241,4685,4687],{"id":4686},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[32,4689,4690],{},"Every major framework requires access control:",[70,4692,4693,4700,4711,4721,4728],{},[73,4694,4695,4699],{},[76,4696,4697],{},[39,4698,42],{"href":41}," — CC6.1 through CC6.8 cover logical and physical access controls",[73,4701,4702,4706,4707,4710],{},[76,4703,4704],{},[39,4705,1336],{"href":1771}," — ",[39,4708,4709],{"href":1411},"Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[73,4712,4713,4717,4718,4720],{},[76,4714,4715],{},[39,4716,1116],{"href":1270}," — the ",[39,4719,3693],{"href":977}," requires access controls for ePHI (45 CFR 
164.312(a))",[73,4722,4723,4727],{},[76,4724,4725],{},[39,4726,2461],{"href":2909}," — Requirements 7 and 8 address access restriction and user identification",[73,4729,4730,4734],{},[76,4731,4732],{},[39,4733,47],{"href":46}," — PR.AC covers identity management, authentication, and access control",[241,4736,4738],{"id":4737},"access-reviews","Access reviews",[32,4740,4741],{},"Regular access reviews (also called access certifications) are a critical control:",[70,4743,4744,4747,4750,4753],{},[73,4745,4746],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[73,4748,4749],{},"Verify that access aligns with current job responsibilities",[73,4751,4752],{},"Identify and remove excessive or unnecessary access",[73,4754,4755],{},"Document review results and remediation actions",[241,4757,4759],{"id":4758},"common-access-control-weaknesses","Common access control weaknesses",[32,4761,4762],{},"Even well-designed access control programs can degrade over time without ongoing attention. Watch for these common issues:",[70,4764,4765,4768,4771,4774,4777,4780,4783],{},[73,4766,4767],{},"Excessive permissions that accumulate over time (privilege creep)",[73,4769,4770],{},"Shared or generic accounts that prevent individual accountability",[73,4772,4773],{},"Delayed deprovisioning when employees leave or change roles",[73,4775,4776],{},"Lack of MFA on critical systems and remote access paths",[73,4778,4779],{},"Inconsistent access review processes with no documented remediation",[73,4781,4782],{},"Service accounts with standing privileged access and no rotation schedule",[73,4784,4785],{},"Lack of visibility into SaaS application access outside the corporate IdP",[241,4787,4789],{"id":4788},"implementing-access-control-in-practice","Implementing access control in practice",[32,4791,4792],{},"Effective access control programs start with planning and build toward automation. 
The following steps provide a practical roadmap for organizations at any maturity level:",[549,4794,4795,4801,4807,4813,4819,4825,4836],{},[73,4796,4797,4800],{},[76,4798,4799],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[73,4802,4803,4806],{},[76,4804,4805],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[73,4808,4809,4812],{},[76,4810,4811],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[73,4814,4815,4818],{},[76,4816,4817],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[73,4820,4821,4824],{},[76,4822,4823],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. 
When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[73,4826,4827,4830,4831,4835],{},[76,4828,4829],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[39,4832,4834],{"href":4833},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[73,4837,4838,4841],{},[76,4839,4840],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[241,4843,4845],{"id":4844},"access-control-requirements-by-framework","Access control requirements by framework",[32,4847,4848],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[4060,4850,4851,4868],{},[4063,4852,4853],{},[4066,4854,4855,4858,4860,4862,4864,4866],{},[4069,4856,4857],{},"Requirement",[4069,4859,42],{},[4069,4861,1336],{},[4069,4863,1116],{},[4069,4865,2461],{},[4069,4867,47],{},[4082,4869,4870,4890,4909,4928,4945],{},[4066,4871,4872,4875,4878,4881,4884,4887],{},[4087,4873,4874],{},"Unique user IDs",[4087,4876,4877],{},"CC6.1",[4087,4879,4880],{},"A.5.16",[4087,4882,4883],{},"§164.312(a)(2)(i)",[4087,4885,4886],{},"Req 8.2.1",[4087,4888,4889],{},"PR.AC-1",[4066,4891,4892,4895,4897,4900,4903,4906],{},[4087,4893,4894],{},"MFA",[4087,4896,4877],{},[4087,4898,4899],{},"A.8.5",[4087,4901,4902],{},"Addressable",[4087,4904,4905],{},"Req 8.4",[4087,4907,4908],{},"PR.AC-7",[4066,4910,4911,4913,4916,4919,4922,4925],{},[4087,4912,4738],{},[4087,4914,4915],{},"CC6.2",[4087,4917,4918],{},"A.5.18",[4087,4920,4921],{},"§164.312(a)(1)",[4087,4923,4924],{},"Req 7.2",[4087,4926,4927],{},"PR.AC-4",[4066,4929,4930,4932,4935,4938,4940,4943],{},[4087,4931,4569],{},[4087,4933,4934],{},"CC6.3",[4087,4936,4937],{},"A.5.15",[4087,4939,4921],{},[4087,4941,4942],{},"Req 7.1",[4087,4944,4927],{},[4066,4946,4947,4950,4952,4954,4957,4960],{},[4087,4948,4949],{},"Deprovisioning",[4087,4951,4915],{},[4087,4953,4918],{},[4087,4955,4956],{},"§164.312(a)(2)(ii)",[4087,4958,4959],{},"Req 8.2.6",[4087,4961,4889],{},[32,4963,4964],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[32,4966,4967],{},"A few notes on framework-specific nuances:",[70,4969,4970,4975,4983,4990],{},[73,4971,4972,4974],{},[76,4973,1116],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[73,4976,4977,4982],{},[76,4978,4979,4981],{},[39,4980,2461],{"href":2909}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[73,4984,4985,4989],{},[76,4986,4987],{},[39,4988,42],{"href":41}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[73,4991,4992,4996],{},[76,4993,4994],{},[39,4995,47],{"href":46}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[241,4998,5000],{"id":4999},"zero-trust-and-access-control","Zero trust and access control",[32,5002,5003,5004,504],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[76,5005,5006],{},"never trust, always verify",[32,5008,5009],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[70,5011,5012,5018,5024,5035,5041],{},[73,5013,5014,5017],{},[76,5015,5016],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[73,5019,5020,5023],{},[76,5021,5022],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[73,5025,5026,5029,5030,5034],{},[76,5027,5028],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[39,5031,5033],{"href":5032},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[73,5036,5037,5040],{},[76,5038,5039],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[73,5042,5043,5046],{},[76,5044,5045],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[32,5048,5049],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[32,5051,5052],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[32,5054,5055],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[241,5057,5059],{"id":5058},"how-episki-helps","How episki helps",[32,5061,5062,5063,504],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[39,5064,5066],{"href":5065},"\u002Fframeworks","compliance platform",{"title":123,"searchDepth":124,"depth":124,"links":5068},[5069],{"id":4551,"depth":124,"text":4552,"children":5070},[5071,5072,5073,5074,5075,5076,5077,5078,5079,5080],{"id":4558,"depth":631,"text":4559},{"id":4591,"depth":631,"text":4592},{"id":4619,"depth":631,"text":4620},{"id":4686,"depth":631,"text":4687},{"id":4737,"depth":631,"text":4738},{"id":4758,"depth":631,"text":4759},{"id":4788,"depth":631,"text":4789},{"id":4844,"depth":631,"text":4845},{"id":4999,"depth":631,"text":5000},{"id":5058,"depth":631,"text":5059},{},"\u002Fglossary\u002Faccess-control",[701,3531,1788,1287,2926,2411],[5085,3660,5033,5086],"minimum-necessary-rule","user-entity-controls",{"title":5088,"description":5089},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":5094,"title":4709,"body":5095,"description":123,"extension":140,"lastUpdated":3654,"meta":5227,"navigation":171,"path":1411,"relatedFrameworks":5228,"relatedTerms":5229,"seo":5232,"slug":4394,"stem":5235,"term":5100,"__hash__":5236},"glossary\u002F8.glossary\u002Fannex-a.md",{"type":29,"value":5096,"toc":5217},[5097,5101,5111,5115,5118,5140,5144,5147,5164,5167,5171,5174,5178,5181,5195,5198,5201,5210,5212],[50,5098,5100],{"id":5099},"what-is-iso-27001-annex-a","What is ISO 27001 Annex A?",[32,5102,5103,5104,5106,5107,5110],{},"ISO 27001 Annex A is the normative annex to the ",[39,5105,1336],{"href":1771}," standard that provides a reference list of information security controls. Organizations use Annex A as a checklist to ensure their ",[39,5108,5109],{"href":1504},"Information Security Management System (ISMS)"," addresses a comprehensive range of security topics. 
As of the 2022 revision, Annex A contains 93 controls organized into four themes.",[241,5112,5114],{"id":5113},"the-four-themes","The four themes",[32,5116,5117],{},"The 2022 revision reorganized controls from the previous 14 categories into four themes:",[70,5119,5120,5125,5130,5135],{},[73,5121,5122,5124],{},[76,5123,4025],{}," — policies, roles and responsibilities, threat intelligence, information security in project management, supplier relationships, and more",[73,5126,5127,5129],{},[76,5128,4031],{}," — screening, terms and conditions of employment, security awareness training, disciplinary processes, and responsibilities after termination",[73,5131,5132,5134],{},[76,5133,4037],{}," — physical security perimeters, entry controls, securing offices and facilities, equipment protection, and clear desk policies",[73,5136,5137,5139],{},[76,5138,4043],{}," — user endpoint devices, privileged access management, access restrictions, secure authentication, malware protection, logging, encryption, and secure development",[241,5141,5143],{"id":5142},"how-annex-a-fits-into-iso-27001","How Annex A fits into ISO 27001",[32,5145,5146],{},"Annex A is not a standalone list of mandatory controls. Instead, it works in conjunction with the risk assessment process defined in clauses 6 and 8 of ISO 27001:",[549,5148,5149,5152,5155,5158,5161],{},[73,5150,5151],{},"The organization performs a risk assessment to identify information security risks",[73,5153,5154],{},"The organization determines how to treat each risk (mitigate, accept, transfer, or avoid)",[73,5156,5157],{},"For risks being mitigated, the organization selects appropriate controls",[73,5159,5160],{},"The organization compares selected controls against Annex A to ensure nothing has been overlooked",[73,5162,5163],{},"The results are documented in the Statement of Applicability",[32,5165,5166],{},"This approach ensures that control selection is risk-driven rather than checkbox-driven. 
An organization may determine that certain Annex A controls are not applicable based on their specific risk profile, and this is acceptable as long as the justification is documented.",[241,5168,5170],{"id":5169},"relationship-to-iso-27002","Relationship to ISO 27002",[32,5172,5173],{},"ISO 27002 provides detailed implementation guidance for each Annex A control. While Annex A lists the controls with brief descriptions, ISO 27002 explains the purpose, guidance, and other information for each control. Think of Annex A as the \"what\" and ISO 27002 as the \"how.\"",[241,5175,5177],{"id":5176},"changes-in-the-2022-revision","Changes in the 2022 revision",[32,5179,5180],{},"The 2022 update introduced several changes from the 2013 version:",[70,5182,5183,5186,5189,5192],{},[73,5184,5185],{},"Controls were consolidated from 114 to 93",[73,5187,5188],{},"The 14 categories were replaced with 4 themes",[73,5190,5191],{},"11 new controls were added, including threat intelligence, information security for cloud services, ICT readiness for business continuity, and data masking",[73,5193,5194],{},"Each control now includes attributes (control type, cybersecurity concept, operational capability, and security domain) to aid in filtering and mapping",[32,5196,5197],{},"Organizations certified under the 2013 version had a transition period to update their ISMS to align with the 2022 revision.",[241,5199,1435],{"id":5200},"statement-of-applicability",[32,5202,1431,5203,5205,5206,5209],{},[39,5204,1428],{"href":1445}," is the document where an organization records which Annex A controls are applicable, which are not, and the justification for each decision. The SoA is a mandatory document for ",[39,5207,5208],{"href":1377},"ISO 27001 certification"," and is a key artifact reviewed during certification audits.",[241,5211,5059],{"id":5058},[32,5213,5214,5215,504],{},"episki includes all 93 Annex A controls with mappings to your risk treatment plan and Statement of Applicability. 
The platform helps you track implementation status, assign ownership, and collect evidence for each applicable control. Learn more on our ",[39,5216,4377],{"href":1771},{"title":123,"searchDepth":124,"depth":124,"links":5218},[5219],{"id":5099,"depth":124,"text":5100,"children":5220},[5221,5222,5223,5224,5225,5226],{"id":5113,"depth":631,"text":5114},{"id":5142,"depth":631,"text":5143},{"id":5169,"depth":631,"text":5170},{"id":5176,"depth":631,"text":5177},{"id":5200,"depth":631,"text":1435},{"id":5058,"depth":631,"text":5059},{},[1788],[1788,5200,5230,5231,4393],"iso-27002","control-objectives",{"title":5233,"description":5234},"ISO 27001 Annex A: All 93 Controls Explained (2022)","ISO 27001 Annex A lists 93 security controls in 4 themes. Learn each control category, how they map to your Statement of Applicability, and implementation tips.","8.glossary\u002Fannex-a","zOi6CCz1VDeAbyXEMKP138bq5vOHAu0XAZAldrru9F0",[],null,{"id":5240,"title":5241,"body":5242,"comparison":5333,"competitorA":5378,"competitorB":5379,"cta":5380,"description":123,"extension":140,"faq":5238,"hero":5383,"meta":5391,"navigation":171,"path":5392,"seo":5393,"slug":5396,"slugA":5397,"slugB":5398,"stem":5399,"verdict":5400,"__hash__":5404},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":29,"value":5243,"toc":5323},[5244,5248,5251,5255,5258,5264,5267,5271,5274,5277,5280,5284,5287,5290,5294,5297,5300,5304,5307,5310,5314,5317,5320],[50,5245,5247],{"id":5246},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[32,5249,5250],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. 
The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[241,5252,5254],{"id":5253},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[32,5256,5257],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[32,5259,5260,5263],{},[76,5261,5262],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[32,5265,5266],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[241,5268,5270],{"id":5269},"the-dashboard-question","The dashboard question",[32,5272,5273],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[32,5275,5276],{},"Secureframe also provides dashboards, but they feel more functional than visual. 
The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[32,5278,5279],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[241,5281,5283],{"id":5282},"integration-depth","Integration depth",[32,5285,5286],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[32,5288,5289],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[241,5291,5293],{"id":5292},"pricing-opacity","Pricing opacity",[32,5295,5296],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[32,5298,5299],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. 
And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[241,5301,5303],{"id":5302},"where-both-platforms-struggle","Where both platforms struggle",[32,5305,5306],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[32,5308,5309],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[241,5311,5313],{"id":5312},"the-case-for-a-different-approach","The case for a different approach",[32,5315,5316],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[32,5318,5319],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. 
No templated policies that read like every other company's.",[32,5321,5322],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":123,"searchDepth":124,"depth":124,"links":5324},[5325],{"id":5246,"depth":124,"text":5247,"children":5326},[5327,5328,5329,5330,5331,5332],{"id":5253,"depth":631,"text":5254},{"id":5269,"depth":631,"text":5270},{"id":5282,"depth":631,"text":5283},{"id":5292,"depth":631,"text":5293},{"id":5302,"depth":631,"text":5303},{"id":5312,"depth":631,"text":5313},[5334,5339,5343,5348,5353,5358,5363,5368,5373],{"feature":5335,"competitorA":5336,"competitorB":5337,"episki":5338},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":5340,"competitorA":5341,"competitorB":5341,"episki":5342},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":5344,"competitorA":5345,"competitorB":5346,"episki":5347},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":5349,"competitorA":5350,"competitorB":5351,"episki":5352},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":5354,"competitorA":5355,"competitorB":5356,"episki":5357},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A 
threads",{"feature":5359,"competitorA":5360,"competitorB":5361,"episki":5362},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":5364,"competitorA":5365,"competitorB":5366,"episki":5367},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":5369,"competitorA":5370,"competitorB":5371,"episki":5372},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":5374,"competitorA":5375,"competitorB":5376,"episki":5377},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":5381,"description":5382},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":5384,"title":5385,"description":5386,"links":5387},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. Two closely matched platforms with subtle but important differences for your team.",[5388,5390],{"label":5389,"icon":160,"to":161},"Try episki free",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":5394,"description":5395},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. 
See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":5401,"chooseB":5402,"chooseEpiski":5403},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":5406,"title":5378,"advantages":5407,"body":5429,"comparison":5480,"competitor":5378,"cta":5506,"description":123,"extension":140,"hero":5509,"meta":5516,"navigation":171,"path":1703,"seo":5517,"slug":5397,"stem":5520,"__hash__":5521},"compare\u002F7.compare\u002Fdrata.md",[5408,5415,5422],{"title":5409,"description":5410,"bullets":5411},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. No tiers, no negotiations.",[5412,5413,5414],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":5416,"description":5417,"bullets":5418},"Connected programs and assessments","episki treats compliance as connected work. 
Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[5419,5420,5421],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":5423,"description":5424,"bullets":5425},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[5426,5427,5428],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":29,"value":5430,"toc":5475},[5431,5435,5438,5441,5461,5465,5468,5472],[50,5432,5434],{"id":5433},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[32,5436,5437],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[32,5439,5440],{},"Some teams look for alternatives when they need:",[70,5442,5443,5449,5455],{},[73,5444,5445,5448],{},[76,5446,5447],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[73,5450,5451,5454],{},[76,5452,5453],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[73,5456,5457,5460],{},[76,5458,5459],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[50,5462,5464],{"id":5463},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[32,5466,5467],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[50,5469,5471],{"id":5470},"when-episki-shines","When episki shines",[32,5473,5474],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":123,"searchDepth":124,"depth":124,"links":5476},[5477,5478,5479],{"id":5433,"depth":124,"text":5434},{"id":5463,"depth":124,"text":5464},{"id":5470,"depth":124,"text":5471},[5481,5483,5484,5488,5492,5495,5498,5502],{"feature":5335,"episki":5338,"competitor":5482},"Tiered pricing based on framework count and company size",{"feature":5340,"episki":5342,"competitor":5341},{"feature":5485,"episki":5486,"competitor":5487},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":5489,"episki":5490,"competitor":5491},"Evidence collection","Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":5493,"episki":5362,"competitor":5494},"AI assistance","AI-powered compliance automation",{"feature":3585,"episki":5496,"competitor":5497},"Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":5499,"episki":5500,"competitor":5501},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":5503,"episki":5504,"competitor":5505},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":5507,"description":5508},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":1704,"title":5510,"description":5511,"links":5512},"How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[5513,5514],{"label":159,"icon":160,"to":161},{"label":5515,"icon":164,"color":165,"variant":166,"to":167,"target":168},"See a live demo",{},{"title":5518,"description":5519},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":5523,"title":5524,"api":5238,"authors":5525,"body":5531,"category":5706,"date":5707,"description":5708,"extension":140,"features":5238,"fixes":5238,"highlight":5238,"image":5709,"improvements":5238,"meta":5711,"navigation":171,"path":5713,"seo":5714,"stem":5715,"__hash__":5716},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[5526],{"name":5527,"to":5528,"avatar":5529},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":5530},"\u002Fimages\u002Fjustinleapline.png",{"type":29,"value":5532,"toc":5698},[5533,5539,5542,5545,5548,5551,5554,5556,5560,5568,5571,5574,5577,5579,5583,5586,5589,5592,5595,5597,5601,5608,5611,5614,5617,5619,5623,5626,5629,5632,5634,5638,5641,5644,5647,5650,5652,5656,5659,5662,5665,5667,5672,5684,5690,5692],[5534,5535,5536],"blockquote",{},[32,5537,5538],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. 
This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[5540,5541],"hr",{},[32,5543,5544],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[32,5546,5547],{},"They happen because nobody agreed on who was responsible for following it.",[32,5549,5550],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[32,5552,5553],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[5540,5555],{},[50,5557,5559],{"id":5558},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[32,5561,5562,5564,5565,5567],{},[39,5563,2461],{"href":2909}," governs the entire ",[39,5566,2492],{"href":2491}," — and the cardholder data environment touches far more than IT.",[32,5569,5570],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[32,5572,5573],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[32,5575,5576],{},"The fix isn't adding more controls. It's expanding the ownership model. 
Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[5540,5578],{},[50,5580,5582],{"id":5581},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[32,5584,5585],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[32,5587,5588],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[32,5590,5591],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[32,5593,5594],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[5540,5596],{},[50,5598,5600],{"id":5599},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[32,5602,5603,5604,5607],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[39,5605,5606],{"href":116},"third-party service providers"," who have access to cardholder data. 
In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[32,5609,5610],{},"That's not management. That's documentation.",[32,5612,5613],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[32,5615,5616],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[5540,5618],{},[50,5620,5622],{"id":5621},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[32,5624,5625],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[32,5627,5628],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[32,5630,5631],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. 
And it means building succession into the program architecture, not treating it as an afterthought.",[5540,5633],{},[50,5635,5637],{"id":5636},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[32,5639,5640],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[32,5642,5643],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO spends time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[32,5645,5646],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[32,5648,5649],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[5540,5651],{},[50,5653,5655],{"id":5654},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[32,5657,5658],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. 
And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[32,5660,5661],{},"None of this requires a larger team. It requires a more deliberate structure.",[32,5663,5664],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[5540,5666],{},[32,5668,5669],{},[76,5670,5671],{},"Is your PCI ownership model as clear as you think it is?",[32,5673,5674,5675,5679,5680,5683],{},"At ",[39,5676,5678],{"href":5677},"\u002F","episki",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[39,5681,5682],{"href":2909},"PCI"," program holds up when it matters most.",[32,5685,5686],{},[39,5687,5689],{"href":167,"rel":5688},[3451],"Let's talk →",[5540,5691],{},[32,5693,5694],{},[5695,5696,5697],"em",{},"Compliance on paper isn't compliance. It's paperwork.",{"title":123,"searchDepth":124,"depth":124,"links":5699},[5700,5701,5702,5703,5704,5705],{"id":5558,"depth":124,"text":5559},{"id":5581,"depth":124,"text":5582},{"id":5599,"depth":124,"text":5600},{"id":5621,"depth":124,"text":5622},{"id":5636,"depth":124,"text":5637},{"id":5654,"depth":124,"text":5655},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. 
Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":5710},"\u002Fimages\u002Fblog\u002FPCI.jpg",{"slug":5712},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":5524,"description":5708},"3.now\u002Fdefined-roles-pci-compliance-mistakes","0u0CncSJsrHMYJZWMH_BzWgau-vuQTBQ7NdBBVQMz7Q",{"id":5718,"title":5719,"advantages":5720,"body":5742,"checklist":5749,"cta":5758,"description":5746,"extension":140,"faq":5238,"hero":5761,"meta":5769,"name":5770,"navigation":171,"path":1183,"resources":5771,"seo":5784,"slug":5787,"stats":5788,"stem":5796,"__hash__":5797},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[5721,5728,5735],{"title":5722,"description":5723,"bullets":5724},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[5725,5726,5727],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":5729,"description":5730,"bullets":5731},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[5732,5733,5734],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":5736,"description":5737,"bullets":5738},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[5739,5740,5741],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":29,"value":5743,"toc":5747},[5744],[32,5745,5746],{},"Healthcare buyers move fast when they trust your safeguards. 
episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":123,"searchDepth":124,"depth":124,"links":5748},[],{"title":5750,"description":5751,"items":5752},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[5753,5754,5755,5756,5757],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":5759,"description":5760},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":5762,"title":5763,"description":5764,"links":5765},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[5766,5768],{"label":5767,"icon":160,"to":161},"Start healthtech trial",{"label":163,"icon":164,"color":165,"variant":166,"to":167,"target":168},{},"healthcare and healthtech",{"headline":5772,"title":5772,"description":5773,"items":5774},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[5775,5778,5781],{"title":5776,"description":5777},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":5779,"description":5780},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":5782,"description":5783},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":5785,"description":5786},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech teams. 
Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[5789,5791,5793],{"value":1290,"description":5790},"Move from baseline controls to monitored safeguards in under a month.",{"value":1293,"description":5792},"Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":5794,"description":5795},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776395361256]