Skip to main content

Certifications and Frameworks

Certificationsđź“ś

(you get audited, get a formal certificate, can show customers)

  1. SOC 2 Type II – US SaaS trust standard, very common in procurement.
  2. ISO/IEC 27001 – International information security management certification.
  3. ISO/IEC 27701 – Privacy management (pairs with ISO 27001).
  4. FedRAMP Moderate – Required if selling to US federal agencies (government cloud).
  5. CMMC Level 2 – Required for Department of Defense-related contracts.
  6. PCI DSS SAQ – Payment card security compliance (usually handled by payment processor, but you still attest).
  7. CSA STAR Certification – Cloud security certification recognized globally.

Frameworks & Compliance Standards đź“ś

(best practices, often referenced in RFPs; you align to them)

  1. NIST Cybersecurity Framework (CSF) – US government–favored baseline for managing cybersecurity risk.
  2. NIST SP 800-53 – More detailed control set for government contracts.
  3. State Privacy Laws Compliance – CCPA/CPRA (California)
  4. GDPR – EU privacy regulation (important if expanding internationally).
  5. CJIS Security Policy – If handling law-enforcement-related data for municipal utilities.
Back to top