[{"data":1,"prerenderedAt":1509},["ShallowReactive",2],{"\u002Fnow\u002Fcompliance-framework-selector-guide":3,"\u002Fnow\u002Fcompliance-framework-selector-guide-surround":1499},{"id":4,"title":5,"api":6,"authors":7,"body":13,"category":1485,"date":1486,"description":1487,"extension":1488,"features":6,"fixes":6,"highlight":6,"image":1489,"improvements":6,"meta":1491,"navigation":1492,"path":1493,"seo":1494,"stem":1497,"__hash__":1498},"posts\u002F3.now\u002Fcompliance-framework-selector-guide.md","Compliance Framework Selector: Which Framework Should You Pursue First?",null,[8],{"name":9,"to":10,"avatar":11},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":12},"\u002Fimages\u002Fjustinleapline.png",{"type":14,"value":15,"toc":1454},"minimark",[16,20,23,26,29,34,37,40,75,81,84,88,91,258,261,265,268,273,276,333,336,340,343,380,383,387,411,415,418,476,480,483,514,518,521,525,528,607,610,614,617,677,684,688,691,736,740,743,883,886,894,898,901,904,936,939,959,970,974,977,981,992,1012,1016,1022,1039,1043,1049,1070,1074,1080,1096,1107,1111,1117,1134,1138,1144,1160,1164,1167,1360,1364,1369,1372,1377,1380,1385,1388,1393,1399,1404,1411,1416,1419,1424,1438,1441,1444],[17,18,19],"p",{},"Here's the situation we see constantly: a founder or security lead lands in their first compliance conversation with a prospect, walks out with a laundry list of acronyms — SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC — and stares at them wondering which one to tackle first.",[17,21,22],{},"The stakes feel high. You've heard that picking the wrong framework wastes six months and tens of thousands of dollars. You've also heard that picking the right one unlocks enterprise deals you can't close today. Meanwhile, every framework vendor wants to tell you theirs is the right answer.",[17,24,25],{},"We've watched hundreds of companies go through this decision. The truth is that the right framework is usually obvious once you answer a handful of questions in the right order. This guide walks you through that decision — step by step, with a quick-reference matrix, a decision tree, and scenario-based recommendations for common business types.",[17,27,28],{},"No paralysis. No wasted cycles. Just a clear path to your first framework.",[30,31,33],"h2",{"id":32},"the-paralysis-of-choosing-a-framework","The Paralysis of Choosing a Framework",[17,35,36],{},"Framework selection paralysis is real. We see it across every stage of company — founders burning weeks in Slack debates, newly hired security leads spending their first month trying to figure out where to start, CISOs deferring the decision because any wrong call feels irreversible.",[17,38,39],{},"It doesn't have to be this hard. Here's why people get stuck and how to get unstuck:",[41,42,43,51,63,69],"ul",{},[44,45,46,50],"li",{},[47,48,49],"strong",{},"\"We might need all of them eventually.\""," Probably true — but not today. Picking one to start isn't a commitment to skip the others.",[44,52,53,56,57,62],{},[47,54,55],{},"\"We don't want to waste work.\""," You won't. The control work you do for your first framework carries over. ",[58,59,61],"a",{"href":60},"\u002Fnow\u002Fcompliance-framework-comparison","40–60% of controls overlap"," between major frameworks when mapped correctly.",[44,64,65,68],{},[47,66,67],{},"\"Our industry is special.\""," Maybe, but the principles are the same. Most industries map cleanly onto one of five or six framework starting points.",[44,70,71,74],{},[47,72,73],{},"\"What if customers ask for something else?\""," They probably will. But trying to preempt every possible customer ask by pursuing four frameworks at once guarantees you'll execute none of them well.",[17,76,77,80],{},[47,78,79],{},"The operating principle",": pick one framework that satisfies your most urgent buyer, regulator, or business driver. Do it well. Then layer in the next one with the overlap you've already built.",[17,82,83],{},"Now let's actually pick.",[30,85,87],{"id":86},"quick-decision-matrix","Quick Decision Matrix",[17,89,90],{},"Before the detailed walkthrough, here's a fast-path matrix. Find the row that matches your situation and you'll have a starting answer in under a minute.",[92,93,94,113],"table",{},[95,96,97],"thead",{},[98,99,100,104,107,110],"tr",{},[101,102,103],"th",{},"You handle...",[101,105,106],{},"Buyers are asking for...",[101,108,109],{},"Your region \u002F market",[101,111,112],{},"You should pursue first...",[114,115,116,133,149,164,180,196,212,228,243],"tbody",{},[98,117,118,122,125,128],{},[119,120,121],"td",{},"Customer data only (no PHI, no PCI)",[119,123,124],{},"SOC 2 report",[119,126,127],{},"US-focused",[119,129,130],{},[47,131,132],{},"SOC 2 Type II",[98,134,135,138,141,144],{},[119,136,137],{},"Customer data only",[119,139,140],{},"ISO certificate",[119,142,143],{},"International \u002F EMEA",[119,145,146],{},[47,147,148],{},"ISO 27001",[98,150,151,153,156,159],{},[119,152,137],{},[119,154,155],{},"Both SOC 2 and ISO",[119,157,158],{},"Global",[119,160,161],{},[47,162,163],{},"SOC 2 Type II first, ISO 27001 next",[98,165,166,169,172,175],{},[119,167,168],{},"Protected Health Information (PHI)",[119,170,171],{},"HIPAA attestation, BAA",[119,173,174],{},"US healthcare",[119,176,177],{},[47,178,179],{},"HIPAA + SOC 2 Type II",[98,181,182,185,188,191],{},[119,183,184],{},"Cardholder data",[119,186,187],{},"PCI AOC",[119,189,190],{},"Any",[119,192,193],{},[47,194,195],{},"PCI DSS (SAQ or ROC)",[98,197,198,201,204,207],{},[119,199,200],{},"Federal \u002F defense data (CUI)",[119,202,203],{},"CMMC Level 2 certification",[119,205,206],{},"US federal \u002F DoD",[119,208,209],{},[47,210,211],{},"CMMC Level 2 (with NIST 800-171)",[98,213,214,217,220,223],{},[119,215,216],{},"Customer data, selling to US federal",[119,218,219],{},"FedRAMP ATO",[119,221,222],{},"US federal civilian",[119,224,225],{},[47,226,227],{},"FedRAMP (with SOC 2 as foundation)",[98,229,230,232,235,238],{},[119,231,137],{},[119,233,234],{},"Nothing yet, internal readiness",[119,236,237],{},"Early stage",[119,239,240],{},[47,241,242],{},"NIST CSF 2.0 as internal backbone + SOC 2 Type I",[98,244,245,248,251,253],{},[119,246,247],{},"AI \u002F ML model or service",[119,249,250],{},"AI governance evidence",[119,252,158],{},[119,254,255],{},[47,256,257],{},"ISO 27001 + ISO\u002FIEC 42001",[17,259,260],{},"If your situation fits cleanly into one of those rows, you can stop reading here and start scoping. If not — or if you want to understand the reasoning behind the matrix — keep going.",[30,262,264],{"id":263},"the-decision-tree","The Decision Tree",[17,266,267],{},"When the quick matrix doesn't resolve cleanly, walk this tree in order. The questions are ordered deliberately — regulatory obligations override everything else, and buyer pressure overrides internal preference.",[269,270,272],"h3",{"id":271},"question-1-are-you-legally-required-to-comply-with-a-specific-framework","Question 1: Are you legally required to comply with a specific framework?",[17,274,275],{},"If yes, that framework is non-negotiable and goes first.",[41,277,278,288,297,306,315,324],{},[44,279,280,283,284,287],{},[47,281,282],{},"Handle PHI in the US?"," → ",[47,285,286],{},"HIPAA"," is mandatory. No exceptions.",[44,289,290,283,293,296],{},[47,291,292],{},"Store, process, or transmit cardholder data?",[47,294,295],{},"PCI DSS"," is mandatory. Enforced by card brands through your acquiring bank.",[44,298,299,283,302,305],{},[47,300,301],{},"Have a DoD contract or subcontract with CUI?",[47,303,304],{},"CMMC"," (with underlying NIST 800-171) is required to bid.",[44,307,308,283,311,314],{},[47,309,310],{},"Sell to US federal agencies with cloud services?",[47,312,313],{},"FedRAMP"," is required for the specific workloads.",[44,316,317,283,320,323],{},[47,318,319],{},"Operate in the EU and handle personal data?",[47,321,322],{},"GDPR"," operationalization is required (though not certified).",[44,325,326,283,329,332],{},[47,327,328],{},"Deploy high-risk AI in the EU?",[47,330,331],{},"EU AI Act"," compliance is required.",[17,334,335],{},"Regulatory frameworks aren't optional. If any apply, they are your starting framework — whether or not a customer has asked for proof.",[269,337,339],{"id":338},"question-2-are-enterprise-buyers-asking-for-a-specific-framework-by-name","Question 2: Are enterprise buyers asking for a specific framework by name?",[17,341,342],{},"If your sales cycles are getting gated by \"do you have a...?\" conversations, the buyer's ask is usually the answer.",[41,344,345,355,363,372],{},[44,346,347,350,351,354],{},[47,348,349],{},"\"Do you have a SOC 2?\""," → You need ",[47,352,353],{},"SOC 2",", starting with Type I if you're early and moving to Type II quickly. US-centric buyers will almost always say this.",[44,356,357,350,360,362],{},[47,358,359],{},"\"Are you ISO certified?\"",[47,361,148],{},". European, APAC, and Latin American buyers often lead here.",[44,364,365,350,368,371],{},[47,366,367],{},"\"Are you HITRUST certified?\"",[47,369,370],{},"HITRUST CSF",". Common from large health systems and payers.",[44,373,374,350,377,379],{},[47,375,376],{},"\"What's your CMMC level?\"",[47,378,304],{},", level determined by the contract.",[17,381,382],{},"Don't fight the buyer on which framework they want. The deal closes when you meet their procurement requirements, not when you convince them your preferred framework is equivalent.",[269,384,386],{"id":385},"question-3-where-are-your-customers-or-prospects-geographically","Question 3: Where are your customers (or prospects) geographically?",[41,388,389,397,405],{},[44,390,391,283,394,396],{},[47,392,393],{},"Mostly US?",[47,395,353],{}," is the default expectation for SaaS and service organizations.",[44,398,399,283,402,404],{},[47,400,401],{},"Mostly international or selling across multiple regions?",[47,403,148],{}," travels better globally.",[44,406,407,410],{},[47,408,409],{},"Both, in roughly equal measure?"," → Start with whichever your biggest near-term deal requires, and plan to layer the second within 12 months.",[269,412,414],{"id":413},"question-4-whats-your-industry-vertical","Question 4: What's your industry vertical?",[17,416,417],{},"Sector determines which secondary frameworks you'll need beyond SOC 2 or ISO 27001:",[41,419,420,433,445,456,468],{},[44,421,422,425,426,428,429,432],{},[47,423,424],{},"Healthtech \u002F clinical software \u002F digital health"," → Add ",[47,427,286],{}," from day one. Consider ",[47,430,431],{},"HITRUST"," when health system customers demand it.",[44,434,435,425,438,440,441,444],{},[47,436,437],{},"Fintech \u002F payments \u002F wealth management",[47,439,295],{}," if you touch cardholder data. Add ",[47,442,443],{},"SOC 1 Type II"," if you process financial transactions for customers.",[44,446,447,283,450,452,453,455],{},[47,448,449],{},"Govtech \u002F defense contractors \u002F federal SaaS",[47,451,304],{}," or ",[47,454,313],{}," depending on the contract type.",[44,457,458,283,461,463,464,467],{},[47,459,460],{},"AI\u002FML platforms",[47,462,148],{}," + ",[47,465,466],{},"ISO\u002FIEC 42001"," is emerging as the combined standard.",[44,469,470,283,473,475],{},[47,471,472],{},"Horizontal B2B SaaS",[47,474,132],{}," is the default. Add ISO 27001 when international deals materialize.",[269,477,479],{"id":478},"question-5-whats-your-scope-timeline-and-budget","Question 5: What's your scope, timeline, and budget?",[17,481,482],{},"Assuming you have choice in sequencing, these constraints will shape which framework to do first:",[41,484,485,494,504],{},[44,486,487,283,490,493],{},[47,488,489],{},"Need something in 90 days to unblock a specific deal?",[47,491,492],{},"SOC 2 Type I"," is the fastest formal deliverable.",[44,495,496,283,499,452,501,503],{},[47,497,498],{},"Have 6+ months and want a durable foundation?",[47,500,132],{},[47,502,148],{}," are worth the longer runway.",[44,505,506,509,510,513],{},[47,507,508],{},"Very limited budget and just need internal rigor?"," → Start with ",[47,511,512],{},"NIST CSF 2.0"," as an internal framework while you fund an audit-bearing program.",[30,515,517],{"id":516},"the-step-by-step-selector","The Step-by-Step Selector",[17,519,520],{},"Let's walk through each step in more detail. The questions are sequential — answer them in order, and you'll land on the right framework.",[269,522,524],{"id":523},"step-1-what-data-do-you-handle","Step 1: What data do you handle?",[17,526,527],{},"The single most important input to framework selection is the type of data you touch. Data type dictates regulatory obligations before anything else.",[41,529,530,548,561,575,583,591,597],{},[44,531,532,283,535,537,538,542,543,547],{},[47,533,534],{},"Cardholder data (PAN, CVV, expiration dates, tracks)",[47,536,295],{}," applies. Level depends on transaction volume; validation type (SAQ vs ROC) depends on how you interact with card data. See our ",[58,539,541],{"href":540},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels","PCI compliance levels"," and ",[58,544,546],{"href":545},"\u002Fframeworks\u002Fpci","PCI framework overview"," for specifics.",[44,549,550,552,553,555,556,560],{},[47,551,168],{}," — names, dates, diagnoses, treatment info, health identifiers → ",[47,554,286],{}," applies, whether you're a Covered Entity or Business Associate. See our ",[58,557,559],{"href":558},"\u002Fframeworks\u002Fhipaa","HIPAA framework overview",".",[44,562,563,283,566,569,570,574],{},[47,564,565],{},"Controlled Unclassified Information (CUI) from the DoD",[47,567,568],{},"CMMC Level 2"," applies, built on ",[58,571,573],{"href":572},"\u002Fframeworks\u002Fcmmc\u002Flevels","NIST 800-171",". Level 3 for the most sensitive contracts.",[44,576,577,283,580,582],{},[47,578,579],{},"Federal data on behalf of US agencies",[47,581,313],{}," applies to cloud workloads touching federal data.",[44,584,585,283,588,590],{},[47,586,587],{},"Personal data from EU data subjects",[47,589,322],{}," obligations apply regardless of your headquarters.",[44,592,593,596],{},[47,594,595],{},"Personal data from US state residents"," → CCPA\u002FCPRA, CPA, VCDPA, and other state privacy laws apply per jurisdiction.",[44,598,599,283,602,452,604,606],{},[47,600,601],{},"General customer data (no special categories)",[47,603,353],{},[47,605,148],{}," are the most common voluntary frameworks.",[17,608,609],{},"If multiple apply, all of them apply. Many healthtech companies, for example, carry HIPAA, SOC 2, and sometimes HITRUST simultaneously. That's normal.",[269,611,613],{"id":612},"step-2-whos-asking","Step 2: Who's asking?",[17,615,616],{},"Framework selection isn't purely about your internal view of risk — it's about what unlocks deals, contracts, and trust.",[41,618,619,628,636,644,652,660,671],{},[44,620,621,624,625,627],{},[47,622,623],{},"US enterprise B2B buyers"," → Default ask is ",[47,626,132],{},". Some sophisticated buyers will also ask for penetration testing results and ISO 27001.",[44,629,630,624,633,635],{},[47,631,632],{},"European or APAC enterprise buyers",[47,634,148],{}," certificate.",[44,637,638,283,641,643],{},[47,639,640],{},"US federal government (DoD)",[47,642,568],{}," or higher, depending on the contract.",[44,645,646,283,649,651],{},[47,647,648],{},"US federal government (civilian cloud)",[47,650,313],{}," Moderate or High ATO.",[44,653,654,283,657,659],{},[47,655,656],{},"Large health systems and payers",[47,658,370],{},", often in addition to HIPAA and SOC 2.",[44,661,662,665,666,542,668,670],{},[47,663,664],{},"Financial services customers"," → Commonly ",[47,667,132],{},[47,669,443],{},". Banks often add custom questionnaires.",[44,672,673,676],{},[47,674,675],{},"Insurers and underwriters"," → Cyber insurance renewals are increasingly demanding specific controls and audits; SOC 2 Type II often satisfies.",[17,678,679,680,683],{},"The question to ask your sales team: ",[47,681,682],{},"\"What framework name do we see most often in our RFPs and security questionnaires?\""," That name is usually the answer.",[269,685,687],{"id":686},"step-3-where-are-your-customers","Step 3: Where are your customers?",[17,689,690],{},"Geography affects framework choice more than most teams realize:",[41,692,693,701,709,717,725],{},[44,694,695,283,698,700],{},[47,696,697],{},"US-centric customer base",[47,699,353],{}," is the lingua franca. ISO 27001 is a strong second.",[44,702,703,283,706,708],{},[47,704,705],{},"European or UK customers",[47,707,148],{}," is the default. GDPR operationalization is required. SOC 2 is less common but increasingly respected.",[44,710,711,283,714,716],{},[47,712,713],{},"APAC customers",[47,715,148],{}," typically, sometimes sector-specific frameworks.",[44,718,719,283,722,724],{},[47,720,721],{},"Latin American customers",[47,723,148],{}," and increasingly regional data protection standards (LGPD in Brazil).",[44,726,727,730,731,542,733,735],{},[47,728,729],{},"Global customer base"," → Both ",[47,732,132],{},[47,734,148],{},". Plan to sequence them rather than stack them.",[269,737,739],{"id":738},"step-4-whats-your-timeline-and-budget","Step 4: What's your timeline and budget?",[17,741,742],{},"Reality check — compliance is expensive and takes real calendar time. Here's a rough guide to how long each framework takes from standing start to deliverable, and what to plan for financially.",[92,744,745,761],{},[95,746,747],{},[98,748,749,752,755,758],{},[101,750,751],{},"Framework",[101,753,754],{},"Typical Timeline",[101,756,757],{},"Budget Range",[101,759,760],{},"Key Cost Drivers",[114,762,763,776,789,802,816,830,843,856,869],{},[98,764,765,767,770,773],{},[119,766,492],{},[119,768,769],{},"3–4 months",[119,771,772],{},"$20K–$40K audit + tooling",[119,774,775],{},"Auditor, platform, remediation",[98,777,778,780,783,786],{},[119,779,132],{},[119,781,782],{},"6–12 months (including observation)",[119,784,785],{},"$30K–$80K audit + tooling",[119,787,788],{},"Auditor, platform, observation period",[98,790,791,793,796,799],{},[119,792,148],{},[119,794,795],{},"6–12 months",[119,797,798],{},"$30K–$100K certification body + tooling",[119,800,801],{},"Stage 1 + Stage 2, surveillance audits",[98,803,804,807,810,813],{},[119,805,806],{},"HIPAA readiness",[119,808,809],{},"3–9 months",[119,811,812],{},"$15K–$60K (no formal certification)",[119,814,815],{},"Risk analysis, policies, BAAs",[98,817,818,821,824,827],{},[119,819,820],{},"PCI DSS (SAQ)",[119,822,823],{},"2–4 months",[119,825,826],{},"$5K–$25K + ASV scans",[119,828,829],{},"Self-assessment, scanning vendor",[98,831,832,835,837,840],{},[119,833,834],{},"PCI DSS (ROC)",[119,836,795],{},[119,838,839],{},"$50K–$200K+",[119,841,842],{},"QSA fees, pen testing, remediation",[98,844,845,848,850,853],{},[119,846,847],{},"CMMC Level 1",[119,849,823],{},[119,851,852],{},"$10K–$30K (self-assessment)",[119,854,855],{},"15 basic safeguarding requirements",[98,857,858,860,863,866],{},[119,859,568],{},[119,861,862],{},"9–18 months",[119,864,865],{},"$75K–$300K+",[119,867,868],{},"C3PAO assessment, NIST 800-171 implementation",[98,870,871,874,877,880],{},[119,872,873],{},"FedRAMP Moderate",[119,875,876],{},"12–24 months",[119,878,879],{},"$750K–$2M+",[119,881,882],{},"3PAO, sponsor, continuous monitoring",[17,884,885],{},"If your timeline is ruthless (you have a deal waiting), SOC 2 Type I is the fastest formal deliverable. If you have runway, invest in SOC 2 Type II or ISO 27001 — the report is far more credible.",[17,887,888,889,893],{},"Our ",[58,890,892],{"href":891},"\u002Fnow\u002Fcompliance-cost-benchmark-2026","compliance cost benchmark"," breaks these ranges down in more detail, including the hidden costs most people miss.",[269,895,897],{"id":896},"step-5-multi-framework-strategy","Step 5: Multi-Framework Strategy",[17,899,900],{},"Once you've picked your first framework, think about the sequence for your second and third. The strategy is to pick frameworks where the overlap maximizes reuse.",[17,902,903],{},"High-overlap paths:",[41,905,906,912,918,924,930],{},[44,907,908,911],{},[47,909,910],{},"SOC 2 → ISO 27001",": Roughly 40–60% control overlap. Very common and well-trodden.",[44,913,914,917],{},[47,915,916],{},"SOC 2 → HIPAA",": Technical safeguards align tightly with SOC 2 Security criteria.",[44,919,920,923],{},[47,921,922],{},"ISO 27001 → ISO\u002FIEC 42001",": Management system structure transfers directly.",[44,925,926,929],{},[47,927,928],{},"NIST 800-171 → CMMC Level 2",": CMMC Level 2 controls are derived from NIST 800-171.",[44,931,932,935],{},[47,933,934],{},"NIST CSF 2.0 → anything",": NIST CSF maps to nearly every other framework; use it as internal backbone.",[17,937,938],{},"Lower-overlap paths (meaning more net-new work):",[41,940,941,947,953],{},[44,942,943,946],{},[47,944,945],{},"SOC 2 → PCI DSS",": Some overlap in access and encryption controls, but PCI DSS has significant unique requirements.",[44,948,949,952],{},[47,950,951],{},"SOC 2 → FedRAMP",": Meaningful overlap, but FedRAMP adds substantial control depth and continuous monitoring overhead.",[44,954,955,958],{},[47,956,957],{},"ISO 27001 → HITRUST",": Some overlap, but HITRUST is a much larger control set.",[17,960,961,962,542,965,969],{},"For detailed overlap analysis, see our ",[58,963,964],{"href":60},"compliance framework comparison",[58,966,968],{"href":967},"\u002Fnow\u002Fcontrol-mapping-frameworks","control mapping across frameworks"," guides.",[30,971,973],{"id":972},"if-you-can-only-pick-one-scenario-recommendations","\"If You Can Only Pick One\" — Scenario Recommendations",[17,975,976],{},"Here's how we'd actually advise common company types today.",[269,978,980],{"id":979},"b2b-saas-startup-pre-series-a-to-series-b","B2B SaaS Startup (Pre-Series A to Series B)",[17,982,983,986,987,991],{},[47,984,985],{},"Start with SOC 2 Type II."," It's the default enterprise buyer ask in the US. Use a ",[58,988,990],{"href":989},"\u002Fnow\u002Fgrc-tool-buying-guide","GRC platform"," with strong automation from day one. Plan to layer ISO 27001 within 12-18 months if international expansion is on the roadmap.",[41,993,994,1000,1006],{},[44,995,996,999],{},[47,997,998],{},"First framework",": SOC 2 Type II",[44,1001,1002,1005],{},[47,1003,1004],{},"Second framework",": ISO 27001",[44,1007,1008,1011],{},[47,1009,1010],{},"Internal backbone",": NIST CSF 2.0 (free, risk-based, maps to everything)",[269,1013,1015],{"id":1014},"healthtech-startup-digital-health-clinical-saas","Healthtech Startup (Digital Health, Clinical SaaS)",[17,1017,1018,1021],{},[47,1019,1020],{},"HIPAA is non-negotiable from day one."," Build your Business Associate Agreements early. Pair HIPAA with SOC 2 Type II as soon as you have enterprise health system customers. Large health systems will often ask for HITRUST — plan for it as a Series B\u002FC investment, not as a starter.",[41,1023,1024,1029,1034],{},[44,1025,1026,1028],{},[47,1027,998],{},": HIPAA + SOC 2 Type II (start both in parallel)",[44,1030,1031,1033],{},[47,1032,1004],{},": HITRUST CSF as enterprise customers demand",[44,1035,1036,1038],{},[47,1037,1010],{},": NIST CSF 2.0",[269,1040,1042],{"id":1041},"fintech-payments-startup","Fintech \u002F Payments Startup",[17,1044,1045,1048],{},[47,1046,1047],{},"PCI DSS scope reduction is your first priority."," Work hard to minimize the cardholder data environment (tokenization, iframes, third-party processors). Whatever scope remains, validate through the appropriate SAQ or ROC. Layer SOC 2 Type II for enterprise B2B fintech deals. Add SOC 1 Type II if you process transactions for customers.",[41,1050,1051,1056,1060,1066],{},[44,1052,1053,1055],{},[47,1054,998],{},": PCI DSS (right-sized validation type)",[44,1057,1058,999],{},[47,1059,1004],{},[44,1061,1062,1065],{},[47,1063,1064],{},"Third framework",": SOC 1 Type II (if applicable)",[44,1067,1068,1038],{},[47,1069,1010],{},[269,1071,1073],{"id":1072},"govtech-defense-contractor","Govtech \u002F Defense Contractor",[17,1075,1076,1079],{},[47,1077,1078],{},"NIST 800-171 is your starting point",", which maps directly to CMMC Level 2. If you're pursuing DoD contracts, CMMC certification is non-negotiable — and assessor capacity is limited, so start early. FedRAMP is a separate path for federal civilian cloud services.",[41,1081,1082,1087,1092],{},[44,1083,1084,1086],{},[47,1085,998],{},": NIST 800-171 → CMMC Level 2",[44,1088,1089,1091],{},[47,1090,1004],{},": FedRAMP (if cloud services to civilian agencies)",[44,1093,1094,1038],{},[47,1095,1010],{},[17,1097,1098,1099,542,1102,1106],{},"See our ",[58,1100,1101],{"href":572},"CMMC levels guide",[58,1103,1105],{"href":1104},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline","CMMC implementation timeline"," for practical planning.",[269,1108,1110],{"id":1109},"ai-ml-platform","AI \u002F ML Platform",[17,1112,1113,1116],{},[47,1114,1115],{},"ISO 27001 is the foundation, and ISO\u002FIEC 42001 is the emerging AI-specific layer."," Add SOC 2 Type II for US enterprise buyers. Be prepared for AI-specific questionnaires on training data, model governance, and human oversight.",[41,1118,1119,1124,1129],{},[44,1120,1121,1123],{},[47,1122,998],{},": SOC 2 Type II or ISO 27001 (depending on primary market)",[44,1125,1126,1128],{},[47,1127,1004],{},": ISO\u002FIEC 42001 (AI management system)",[44,1130,1131,1133],{},[47,1132,1010],{},": NIST CSF 2.0 + NIST AI RMF",[269,1135,1137],{"id":1136},"enterprise-services-managed-services-consulting-with-access","Enterprise Services (Managed Services, Consulting with Access)",[17,1139,1140,1143],{},[47,1141,1142],{},"SOC 2 Type II is the baseline."," If you work in regulated industries, you'll need sector-specific frameworks that match your clients'. If you're supporting healthcare, PCI-regulated, or federal customers, expect to carry multiple attestations.",[41,1145,1146,1150,1155],{},[44,1147,1148,999],{},[47,1149,998],{},[44,1151,1152,1154],{},[47,1153,1004],{},": ISO 27001 for international client work",[44,1156,1157,1159],{},[47,1158,1064],{},": Sector-specific as client industries demand",[30,1161,1163],{"id":1162},"quick-reference-costtimeline-table","Quick-Reference Cost\u002FTimeline Table",[17,1165,1166],{},"Save this for your board deck or budget planning:",[92,1168,1169,1187],{},[95,1170,1171],{},[98,1172,1173,1175,1178,1181,1184],{},[101,1174,751],{},[101,1176,1177],{},"Certification Type",[101,1179,1180],{},"Timeline",[101,1182,1183],{},"Cost Range",[101,1185,1186],{},"Re-certification",[114,1188,1189,1204,1217,1232,1247,1261,1274,1287,1301,1316,1331,1345],{},[98,1190,1191,1193,1196,1198,1201],{},[119,1192,492],{},[119,1194,1195],{},"Attestation (CPA)",[119,1197,769],{},[119,1199,1200],{},"$20K–$40K",[119,1202,1203],{},"Annual",[98,1205,1206,1208,1210,1212,1215],{},[119,1207,132],{},[119,1209,1195],{},[119,1211,795],{},[119,1213,1214],{},"$30K–$80K",[119,1216,1203],{},[98,1218,1219,1221,1224,1226,1229],{},[119,1220,148],{},[119,1222,1223],{},"Certification (accredited body)",[119,1225,795],{},[119,1227,1228],{},"$30K–$100K",[119,1230,1231],{},"Annual surveillance, 3-year recert",[98,1233,1234,1236,1239,1241,1244],{},[119,1235,286],{},[119,1237,1238],{},"No certification",[119,1240,809],{},[119,1242,1243],{},"$15K–$60K",[119,1245,1246],{},"Continuous",[98,1248,1249,1251,1254,1256,1259],{},[119,1250,820],{},[119,1252,1253],{},"Self-assessment",[119,1255,823],{},[119,1257,1258],{},"$5K–$25K",[119,1260,1203],{},[98,1262,1263,1265,1268,1270,1272],{},[119,1264,834],{},[119,1266,1267],{},"QSA attestation",[119,1269,795],{},[119,1271,839],{},[119,1273,1203],{},[98,1275,1276,1278,1280,1282,1285],{},[119,1277,847],{},[119,1279,1253],{},[119,1281,823],{},[119,1283,1284],{},"$10K–$30K",[119,1286,1203],{},[98,1288,1289,1291,1294,1296,1298],{},[119,1290,568],{},[119,1292,1293],{},"C3PAO certification",[119,1295,862],{},[119,1297,865],{},[119,1299,1300],{},"3-year cycle",[98,1302,1303,1306,1309,1311,1314],{},[119,1304,1305],{},"CMMC Level 3",[119,1307,1308],{},"DIBCAC assessment",[119,1310,876],{},[119,1312,1313],{},"$200K–$750K+",[119,1315,1300],{},[98,1317,1318,1320,1323,1325,1328],{},[119,1319,370],{},[119,1321,1322],{},"Certification",[119,1324,862],{},[119,1326,1327],{},"$50K–$250K+",[119,1329,1330],{},"2-year cycle",[98,1332,1333,1335,1338,1340,1342],{},[119,1334,873],{},[119,1336,1337],{},"ATO via sponsor",[119,1339,876],{},[119,1341,879],{},[119,1343,1344],{},"Continuous monitoring",[98,1346,1347,1349,1351,1354,1357],{},[119,1348,512],{},[119,1350,1238],{},[119,1352,1353],{},"Ongoing",[119,1355,1356],{},"Varies",[119,1358,1359],{},"Ongoing maturity",[30,1361,1363],{"id":1362},"faq","FAQ",[17,1365,1366],{},[47,1367,1368],{},"What if I pick the wrong framework first?",[17,1370,1371],{},"You probably won't cause catastrophic damage — controls overlap substantially. The worst case is you spend 6 months on a framework your buyers don't actually care about. The fix: talk to your sales team about which framework name shows up in their deals, and let that drive your decision.",[17,1373,1374],{},[47,1375,1376],{},"Can I pursue two frameworks in parallel from the start?",[17,1378,1379],{},"You can, and some companies do (notably healthtech companies pursuing HIPAA + SOC 2 together). But we recommend sequential for most teams: pick one, do it well, use the foundation to accelerate the second. Parallel execution only works if you have dedicated compliance resources and an experienced lead.",[17,1381,1382],{},[47,1383,1384],{},"Is SOC 2 Type I a waste, or should I go straight to Type II?",[17,1386,1387],{},"Type I is useful if you have a deal waiting and need something formal fast. If you have the runway (6+ months), go directly to Type II — sophisticated buyers will eventually ask for it anyway. Many companies use Type I as a bridge: something to hand to prospects while the Type II observation period runs.",[17,1389,1390],{},[47,1391,1392],{},"Do I need a GRC platform before pursuing my first framework?",[17,1394,1395,1396,1398],{},"Not strictly. Many teams start on spreadsheets and graduate. But we see the break point arrive fast — usually by the time you add a second framework or pass 150 controls. Budget for a ",[58,1397,990],{"href":989}," in the same planning cycle as your first audit.",[17,1400,1401],{},[47,1402,1403],{},"How do I avoid doing the same work twice when I add my second framework?",[17,1405,1406,1407,1410],{},"Control mapping. Map every control in your program to multiple frameworks simultaneously. Evidence that satisfies a SOC 2 control often satisfies ISO 27001, HIPAA, and NIST CSF controls as well. This is exactly where modern GRC tooling earns its keep — see our ",[58,1408,1409],{"href":967},"control mapping guide"," for the details.",[17,1412,1413],{},[47,1414,1415],{},"My prospect is asking for something I've never heard of. What now?",[17,1417,1418],{},"Common examples we hear: CSA STAR, CAIQ, PCI PIN, OSPAR. Start by asking the prospect why they're requesting it and what would satisfy their requirement. Often you can map your existing frameworks to their ask and avoid a separate attestation. When that fails, evaluate the ask on business value — is the deal size worth the compliance investment?",[17,1420,1421],{},[47,1422,1423],{},"What's the cheapest first framework?",[17,1425,1426,1428,1429,452,1431,1434,1435,1437],{},[47,1427,512],{}," is free and doesn't require an auditor. If you need a formal deliverable on a tight budget, ",[47,1430,492],{},[47,1432,1433],{},"PCI DSS SAQ"," are typically the lowest-cost paid options. Our ",[58,1436,892],{"href":891}," breaks down framework-by-framework costs.",[1439,1440],"hr",{},[17,1442,1443],{},"Picking your first compliance framework doesn't require a month of analysis. Answer the five questions in order, use the matrix, and match your scenario to one of the recommendations. The wrong decision slows you down; analysis paralysis stops you entirely.",[17,1445,1446,1449,1450,560],{},[47,1447,1448],{},"Want help running this decision with real data from your program?"," Episki comes with pre-built templates for SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC, and NIST CSF, with control mapping built in so your first framework accelerates every framework after. ",[58,1451,1453],{"href":1452},"\u002Fpricing","See how it works",{"title":1455,"searchDepth":1456,"depth":1456,"links":1457},"",2,[1458,1459,1460,1468,1475,1483,1484],{"id":32,"depth":1456,"text":33},{"id":86,"depth":1456,"text":87},{"id":263,"depth":1456,"text":264,"children":1461},[1462,1464,1465,1466,1467],{"id":271,"depth":1463,"text":272},3,{"id":338,"depth":1463,"text":339},{"id":385,"depth":1463,"text":386},{"id":413,"depth":1463,"text":414},{"id":478,"depth":1463,"text":479},{"id":516,"depth":1456,"text":517,"children":1469},[1470,1471,1472,1473,1474],{"id":523,"depth":1463,"text":524},{"id":612,"depth":1463,"text":613},{"id":686,"depth":1463,"text":687},{"id":738,"depth":1463,"text":739},{"id":896,"depth":1463,"text":897},{"id":972,"depth":1456,"text":973,"children":1476},[1477,1478,1479,1480,1481,1482],{"id":979,"depth":1463,"text":980},{"id":1014,"depth":1463,"text":1015},{"id":1041,"depth":1463,"text":1042},{"id":1072,"depth":1463,"text":1073},{"id":1109,"depth":1463,"text":1110},{"id":1136,"depth":1463,"text":1137},{"id":1162,"depth":1456,"text":1163},{"id":1362,"depth":1456,"text":1363},"craft","2026-01-28","A step-by-step decision guide to choosing your first compliance framework — decision matrix, scenario recommendations, and a cost-timeline quick reference.","md",{"src":1490},"\u002Fimages\u002Fblog\u002Fplants-grow.jpg",{},true,"\u002Fnow\u002Fcompliance-framework-selector-guide",{"title":1495,"description":1496},"Compliance Framework Selector (2026): Which Framework Should You Pursue First?","Decision matrix and step-by-step selector for SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC, and NIST CSF. Pick the right first framework in minutes.","3.now\u002Fcompliance-framework-selector-guide","MlG4Zdz-OFhOlB4s9qOQ2uWNpOZznzpl3vMXqroewUA",[1500,1504],{"title":1501,"path":60,"stem":1502,"description":1503,"children":-1},"Choosing the Right Compliance Framework: SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST CSF Compared","3.now\u002Fcompliance-framework-comparison","A practical comparison of the five major compliance frameworks to help you decide which to pursue first and how to manage multiple frameworks efficiently.",{"title":1505,"path":1506,"stem":1507,"description":1508,"children":-1},"Compliance in the Cloud","\u002Fnow\u002Fcompliance-in-the-cloud","3.now\u002Fcompliance-in-the-cloud","A practical guide for growing companies on how to approach cloud compliance with confidence, clarity, and the right tools.",1776395335714]