There are many private, State, and Federal cybersecurity and data security frameworks and standards. Frameworks and standards consist of requirements and guidelines that must be implemented, managed, and maintained. There are generally many ways a company can fulfill specific requirements, and it’s up to the business to determine what is best for its operation.
We can make the comparison sound fancy, but we like to keep things simple. So here is the way we like to think about compliance vs. certification:
Compliance – Satisfying the requirements and continually doing what you say you do.
Audit – Proving compliance.
Certification – An audit backed by the organization that created or manages the standard or framework.
When satisfying requirements, you will almost always have to keep taking action after the initial implementation. That’s why it’s essential to do what you say you do in your policies and procedures, and to be able to prove it, or you’ll fail an audit.
For example, if you say every employee gets cyber training, every employee must get cyber training. Or, if you have a policy that says you encrypt all hard drives, all hard drives must be encrypted.
Generally, only privately owned frameworks or standards have certifications. Almost all government-owned programs like HIPAA, CCPA, GDPR, and NIST do not offer certifications, because the owning organization does not run a certification program. You can become compliant with them and pay for an audit, but you can never get officially certified.
Some certifications, such as SOC2+, allow companies to add the requirements of other frameworks that don't offer certifications, like HIPAA, GDPR, and NIST. Companies opt for this type of certification + compliance to prove to outsiders that they have implemented all of the requirements.
Privately Owned – SOC2, PCI, and ISO 27001
State Government – CCPA, CPRA, and SB220
Federal Government – HIPAA, GDPR, and NIST 800-172
You can become compliant with all of the example standards and frameworks; however, currently, you can only be certified in SOC2, PCI, and ISO 27001. Even if you did a SOC2 + HIPAA audit, you would be SOC2 certified and HIPAA compliant.