Attention C-Level Executives: A Compliance Standards Primer…


July 9, 2021

why hire an mssp

If you’re at the top of the ladder, you’ve probably got a lot on your plate. Budgets, personnel issues, sales numbers, shareholders, etc. You’re busy all the time. Now, on top of all that you’ve got to focus more and more on a real problem. Your business is a target for cybercriminals, and it’s only a matter of time before you’re attacked.

Implementing a cybersecurity plan to protect your business can be equally as daunting as knowing you will eventually be the victim of a cybercrime. Where do you start? How do you manage something you might not fully comprehend?

You’re in luck. Seriously, there are systems and compliance standards your organization can put in place, allowing you to protect your business in today’s world.

Since it’s difficult to predict what your business will need in a blog article, Security7 has collected a few of the TOP compliance standards to read about and possibly help you narrow down your choices.

ISO 27001

Drafted by the International Organization for Standardization, ISO 27001 is designed specifically to help build an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes.

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select-control objectives and controls to implement.
  6. Prepare a statement of applicability.

ISO 27001 is such a flexible standard that it can be implemented in any organization (regardless of size), in any vertical, a kind of ‘Compliance Chameleon,’ if you will. Retail, Finance, Healthcare, Education, Public Infrastructure, you name it, ISO 27001 fits the bill.

Read More About ISO 27001


The General Data Protection Regulation standard is new European Union legislation.

The new legislation replaces a previous standard implemented in 1995. The new legislation’s goal is to “harmonize” data privacy laws across the European Union and grant individuals a more comprehensive degree of protection.

Businesses and organizations that handle PII data will have to comply with the new standards or face repercussions/criminal charges if cyber attackers steal the PII data on their servers.

PII data consists of any information that can identify someone to a specific degree. Names, addresses, IP addresses all constitute PII Data. The category can expand to include things like genetic data, religion, political views, sexual orientation, and more.

Read More About GDPR


CMMC is an auditable security standard designed to help ensure contractors in the DoD’s supply chain are limiting exposure to sensitive controlled unclassified information (CUI) by having secure information systems.

The certification was developed in-house by the DoD with input from universities across the country, federally funded research, and direct input from the defense contractor industry.

Read More About CMMC


SOC 2 (or Service Organizational Control 2) is an auditing procedure that ensures the service providers you do business with securely manage your data and protect the business interests of your organization, its partners, and clients.

If you take data security seriously, SOC 2 compliance is an absolute must for your company.

NIST 800-171

The protection of Controlled Unclassified Information (CUI) residents in nonfederal systems and organizations are of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. 

NIST 800-171 provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. 

The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.


Carl Keyser is the Content Manager at Integris.

Keep reading

Bridging the Gap between Automation and Innovation

Bridging the Gap between Automation and Innovation

Automation and Innovation. Some people might say those two words cancel each other out. Yet, I believe these two concepts can create capacity for each other—if your business leverages the free time automation creates to foster innovation. Automation can be...

Why Is My Laptop Draining So Fast?

Why Is My Laptop Draining So Fast?

Before You Replace Your Laptop Battery, Try These Fixes First Stuck with a laptop that’s running out way before it’s standard 8-10 hours of run time? Don't throw it out just yet.  Try these quick fixes to extend its life: Reduce your screen brightness If possible,...