Cybersecurity compliance vs certification

2 minute read
Jan 5, 2022
Cybersecurity compliance document illustration next to a cybersecurity certification document illustration on a yellow background

There are many private, State, and Federal cybersecurity and data security frameworks and standards.  Frameworks and standards consist of requirements and guidelines that must be implemented, managed, and maintained.  There are generally many ways a company can fulfill specific requirements, and it’s up to the business to determine what is best for its operation.

We can make the comparison sound fancy, but we like to keep things simple. So here the way we like to think about compliance vs. certification.

Compliance – Satisfying requirements and continually doing what you say you do.

Audit – Proving compliance.

Certification – Audit backed by the organization that created or manages the standard or framework.

Compliance and audit

When satisfying requirements, you will almost always have to do some action after the fact. That’s why it’s essential to do what you say you do in your policies and procedures and can prove it, or you’ll fail an audit.

For example, if you say every employee gets cyber training, every employee must get cyber training. Or, if you have a policy that says you encrypt all hard drives, all hard drives must be encrypted.


Generally, only privately owned frameworks or standards have certifications. Almost all Government-owned programs like HIPPA, CCPA, GDRP, and NIST do not offer certifications since the owning organization doesn’t offer certifications. However, you can become compliant with them and pay for an audit, but you can never get officially certified.

Some certifications like SOC2 + allow companies to add other framework requirements' that don't offer certifications like HIPPA, GDPR, and NIST.  Companies would opt for this type of certification + compliance to  prove to outsiders that they have implemented all of the requirements. 

Examples frameworks and standards

Privately Owned– SOC2, PCI, and ISO 27001

State Government – CCPA, CPRA, and SB220

Federal Government: HIPPA, GDPR, and NIST 800-172

You can become compliant with all of the example standards and frameworks; however, currently, you can only be certified in SOC2, PCI, and ISO 27001. Even if you did a SOC2 + HIPPA, you would be SOC2 certified and HIPPA compliant.


Sean Worden's headshot

Written by Sean Worden

Sean is OpReady's Founder and CEO. He holds a BS in IT and many cybersecurity certifications. He has over a decade of real-world software development, compliance, cybersecurity, and federal contracting experience. Connect with Sean on LinkedIn!

Cybersecurity simplified.Sign up for early access.

Save time, money, and headaches with OpReady - sign up now!