Attention C-Level Executives: A Compliance Standards Primer…


July 9, 2021


If you’re at the top of the ladder, you’ve probably got a lot on your plate. Budgets, personnel issues, sales numbers, shareholders, etc. You’re busy all the time. Now, on top of all that you’ve got to focus more and more on a real problem. Your business is a target for cybercriminals, and it’s only a matter of time before you’re attacked.

Implementing a cybersecurity plan to protect your business can be equally as daunting as knowing you will eventually be the victim of a cybercrime. Where do you start? How do you manage something you might not fully comprehend?

You’re in luck. Seriously, there are systems and compliance standards your organization can put in place, allowing you to protect your business in today’s world.

Since it’s difficult to predict what your business will need in a blog article, Security7 has collected a few of the TOP compliance standards to read about and possibly help you narrow down your choices.

ISO 27001

Drafted by the International Organization for Standardization, ISO 27001 is designed specifically to help build an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes.

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:

  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select control objectives and controls to implement.
  6. Prepare a statement of applicability.

ISO 27001 is such a flexible standard that it can be implemented in any organization (regardless of size), in any vertical, a kind of ‘Compliance Chameleon,’ if you will. Retail, Finance, Healthcare, Education, Public Infrastructure, you name it, ISO 27001 fits the bill.

GDPR

The General Data Protection Regulation (GDPR) is new European Union legislation.

The new legislation replaces a previous standard implemented in 1995. The new legislation’s goal is to “harmonize” data privacy laws across the European Union and grant individuals a more comprehensive degree of protection.

Businesses and organizations that handle PII data must comply with the new standards or face repercussions, including criminal charges, if cyber attackers steal the PII data held on their servers.

PII data consists of any information that can be used to identify a specific individual. Names, addresses, and IP addresses all constitute PII data. The category can expand to include things like genetic data, religion, political views, sexual orientation, and more.

CMMC

CMMC is an auditable security standard designed to help ensure that contractors in the DoD’s supply chain limit exposure of sensitive controlled unclassified information (CUI) by operating secure information systems.

The certification was developed in-house by the DoD with input from universities across the country, federally funded research, and direct input from the defense contractor industry.

SOC 2

SOC 2 (or Service Organization Control 2) is an auditing procedure that ensures the service providers you do business with securely manage your data and protect the business interests of your organization, its partners, and its clients.

If you take data security seriously, SOC 2 compliance is an absolute must for your company.

NIST 800-171

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.

NIST 800-171 provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where no specific safeguarding requirements for protecting the confidentiality of CUI are prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.



Carl Keyser is the Content Manager at Integris.
