Certifications and Frameworks

Certifications📜Certifications📜

(you get audited, get a formal certificate, can show customers)

1. SOC 2 Type II – US SaaS trust standard, very common in procurement.
2. ISO/IEC 27001 – International information security management certification.
3. ISO/IEC 27701 – Privacy management (pairs with ISO 27001).
4. FedRAMP Moderate – Required if selling to US federal agencies (government cloud).
5. CMMC Level 2 – Required for Department of Defense-related contracts.
6. PCI DSS SAQ – Payment card security compliance (usually handled by payment processor, but you still attest).
7. CSA STAR Certification – Cloud security certification recognized globally.

---

Frameworks & Compliance Standards 📜

(best practices, often referenced in RFPs; you align to them)

1. NIST Cybersecurity Framework (CSF) – US government–favored baseline for managing cybersecurity risk.
2. NIST SP 800-53 – More detailed control set for government contracts.
3. State Privacy Laws Compliance – CCPA/CPRA (California)
4. GDPR – EU privacy regulation (important if expanding internationally).
5. CJIS Security Policy – If handling law-enforcement-related data for municipal utilities.