Certifications and Frameworks


Understanding the Difference:

Certifications → Issued by an accredited third party after an audit. You receive an official document that can be shown in sales and security reviews.
Frameworks → No one issues a certificate (unless the framework is tied to a separate certification). You either self-align or hire a consultant for an independent gap assessment; you can then claim alignment, backed by supporting evidence.


Certifications 📜

(you get audited, get a formal certificate, can show customers)

  1. SOC 2 Type II – US SaaS trust standard, very common in procurement.
  2. ISO/IEC 27001 – International information security management certification.
  3. ISO/IEC 27701 – Privacy management (pairs with ISO 27001).
  4. FedRAMP Moderate – Required if selling to US federal agencies (government cloud).
  5. CMMC Level 2 – Required for Department of Defense-related contracts.
  6. PCI DSS SAQ – Payment card security compliance (usually handled by payment processor, but you still attest).
  7. CSA STAR Certification – Cloud security certification recognized globally.

Frameworks & Compliance Standards 📜

(best practices, often referenced in RFPs; you align to them)

  1. NIST Cybersecurity Framework (CSF) – US government–favored baseline for managing cybersecurity risk.
  2. NIST SP 800-53 – More detailed control set for government contracts.
  3. State privacy law compliance – CCPA/CPRA (California).
  4. GDPR – EU privacy regulation (important if expanding internationally).
  5. CJIS Security Policy – If handling law-enforcement-related data for municipal utilities.

Phase 1 (next 12 months):

  • SOC 2 Type II
  • NIST CSF alignment (document controls)
  • Begin ISO 27001 groundwork
  • State privacy law compliance policies

Phase 2 (after Phase 1):

  • ISO 27001 certification
  • ISO 27701 (optional but good for privacy maturity)
  • Public sector–specific (FedRAMP / CMMC / CJIS) if needed

Phase 3 (if expanding internationally):

  • GDPR compliance readiness
  • CSA STAR