Cybersecurity Compliance Frameworks — NIST, ISO 27001, SOC 2, HIPAA & PCI-DSS

What Are Compliance Frameworks and Why Do They Exist?

Cybersecurity compliance frameworks are structured sets of guidelines, controls, and best practices that organisations follow to protect data, manage risk, and meet legal or contractual obligations. They exist because information security risks are too complex and varied to leave to individual judgement — frameworks provide a common language, repeatable processes, and baseline standards that regulators, customers, and auditors can all verify against.

If you are considering a career in GRC (Governance, Risk, and Compliance), you will work with these frameworks every day. Understanding what each one is, which industries use it, and how they relate to each other is one of the most practical things you can learn before your first GRC role.

Why do compliance frameworks matter for career changers specifically? Because they are often the entry point into cybersecurity that does not require deep technical skills. A former healthcare administrator who understands HIPAA requirements, a finance professional who knows PCI-DSS obligations, or an operations manager who has worked with ISO audits — all of these people can transition into GRC roles faster than someone starting from zero, because they already speak the language of compliance.

When I first heard terms like “SOC 2 Type II” and “ISO 27001 certification” thrown around in job postings, I assumed they were deep technical requirements I would need years to understand. Then I actually read the frameworks. They are fundamentally about organisational behaviour — having policies, training your staff, documenting your processes, and proving you did what you said you would do. The technical controls matter, but GRC is more about discipline and documentation than it is about coding or configuring firewalls.

NIST Cybersecurity Framework — The Universal Starting Point

The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the US National Institute of Standards and Technology in 2014, with version 2.0 released in 2024. It is the most widely adopted cybersecurity framework in the United States and is increasingly used globally.

What it covers: The NIST CSF organises security activities into six core functions:

  • Govern — Establish cybersecurity strategy, policies, and accountability (new in CSF 2.0)
  • Identify — Understand your assets, risks, and business environment
  • Protect — Implement safeguards to limit the impact of a cybersecurity event
  • Detect — Identify cybersecurity events in a timely manner
  • Respond — Take action once a cybersecurity incident is detected
  • Recover — Restore capabilities after a cybersecurity incident

Who uses NIST CSF: Originally designed for critical infrastructure (power grids, water systems, financial services), it has been widely adopted by organisations of all sizes across all industries. It is particularly prevalent in US federal contractors, healthcare organisations, and technology companies. It is not mandatory for most private organisations but is increasingly expected by enterprise customers.

Why start here: NIST CSF is deliberately accessible. It does not prescribe specific technologies or products — it describes what outcomes good security should achieve. It maps to dozens of other frameworks, making it an excellent mental model for understanding any compliance programme.

Career relevance: Security+ covers NIST CSF extensively. GRC analyst job postings regularly list “NIST CSF experience” as a requirement. Understanding the six functions fluently is a genuine job-readiness signal.

ISO/IEC 27001 is the international standard for Information Security Management Systems (ISMS). It is published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC), and it defines what a complete information security management programme looks like.

What it covers: ISO 27001 requires organisations to establish an ISMS — a systematic approach to managing sensitive information. This includes:

  • Scope definition — which systems and data the ISMS covers
  • Risk assessment and treatment — identifying and addressing security risks
  • Controls implementation — Annex A of ISO 27001 lists 93 controls across 4 domains (Organisational, People, Physical, Technological)
  • Ongoing monitoring — regular audits, management reviews, and continual improvement
  • Certification — organisations can be formally certified by an accredited third-party auditor

Who uses ISO 27001: ISO 27001 is a global standard used in over 150 countries. It is particularly prevalent in Europe, Australia, and Asia-Pacific. Technology companies, managed service providers, and organisations processing government or regulated data commonly pursue ISO 27001 certification.

Certification vs compliance: Some organisations achieve formal ISO 27001 certification (audited by an accredited certification body). Others adopt ISO 27001 as a framework without formal certification. Either approach demonstrates commitment to structured information security management.

Career relevance: ISO 27001 Lead Implementer and Lead Auditor qualifications are respected GRC credentials. Many Australian and UK GRC roles specifically list ISO 27001 experience. Understanding the standard prepares you for internal audit, compliance analyst, and information security manager roles.

SOC 2 — The Trust Framework for Tech Companies

SOC 2 (System and Organisation Controls 2) is a framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates whether a service organisation manages customer data securely. It is not a certification — it is an auditor-produced report.

What it covers: SOC 2 reports assess controls against five Trust Service Criteria:

  • Security — Protection against unauthorised access (required for all SOC 2 reports)
  • Availability — Systems are available as committed or agreed
  • Processing Integrity — System processing is complete, valid, accurate, and timely
  • Confidentiality — Information designated as confidential is protected
  • Privacy — Personal information is collected, used, and retained appropriately

Type I vs Type II:

  • SOC 2 Type I — Evaluates whether controls are designed appropriately at a point in time
  • SOC 2 Type II — Evaluates whether controls operated effectively over a period (typically 6-12 months)

Enterprise customers routinely require SOC 2 Type II reports before signing contracts with SaaS vendors, cloud providers, and managed service providers. A single SOC 2 audit can enable millions of dollars in enterprise sales.

Who uses SOC 2: Technology companies, SaaS platforms, cloud service providers, payroll processors, data analytics firms — any organisation handling sensitive customer data in the US market. SOC 2 has become table stakes for B2B technology companies.

Career relevance: SOC 2 readiness and audit support is a core function for GRC analysts at technology companies. Understanding what auditors look for, how to prepare evidence, and how to remediate gaps is directly marketable.

HIPAA (Health Insurance Portability and Accountability Act) is a US federal law passed in 1996 that sets national standards for the protection of Protected Health Information (PHI). While it is a law rather than a voluntary framework, it functions as a compliance framework through its Security Rule and Privacy Rule.

What it covers:

  • Privacy Rule — Standards for how PHI can be used and disclosed; patient rights over their health information
  • Security Rule — Administrative, physical, and technical safeguards for electronic PHI (ePHI)
  • Breach Notification Rule — Requirements to notify patients and HHS when PHI is breached
  • Enforcement Rule — Penalties and procedures for HIPAA violations

Key concepts:

  • Covered Entities — Healthcare providers, health plans, healthcare clearinghouses that must comply with HIPAA
  • Business Associates — Vendors and service providers that handle PHI on behalf of covered entities, who must sign Business Associate Agreements (BAAs)
  • PHI — Any individually identifiable health information, including names, dates, geographic data, and account numbers when combined with health information

Penalties: HIPAA violations range from $100 to $50,000 per violation (with an annual cap of $1.9 million per violation category). Willful neglect cases can result in criminal prosecution.

Career relevance: Healthcare is one of the most targeted industries for cyberattacks. HIPAA compliance analyst, healthcare IT security specialist, and privacy officer roles are consistently in demand. Prior healthcare experience is a genuine advantage in entering this niche.

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards developed and maintained by the PCI Security Standards Council — a body formed by American Express, Discover, JCB, Mastercard, and Visa. It governs how organisations that accept, process, store, or transmit credit and debit card data must protect that information.

What it covers: PCI-DSS v4.0 (released 2022) is organised around 12 requirements across 6 goals:

  • Build and maintain a secure network — Install firewalls; change vendor-supplied defaults
  • Protect cardholder data — Protect stored data; encrypt transmission
  • Maintain a vulnerability management programme — Anti-malware; maintain secure systems
  • Implement strong access control — Restrict access; identify and authenticate; restrict physical access
  • Regularly monitor and test networks — Track and monitor; regularly test security systems
  • Maintain an information security policy — Address security policy for all personnel

Compliance levels: Merchants and service providers are assigned PCI compliance levels based on their transaction volumes. Level 1 merchants (processing over 6 million transactions per year) must undergo annual audits by a Qualified Security Assessor (QSA). Smaller merchants may self-assess using a Self-Assessment Questionnaire (SAQ).

Career relevance: QSA (Qualified Security Assessor) and Internal Security Assessor (ISA) roles are well-compensated GRC positions. Retail, e-commerce, financial services, and hospitality industries rely heavily on PCI compliance expertise.

How Frameworks Overlap — Mapping Controls Across Frameworks

One of the most valuable skills in GRC is understanding how different frameworks relate to each other. Most organisations subject to multiple frameworks do not manage each in isolation — they use a unified control framework or mapping to demonstrate compliance with several standards simultaneously.

NIST CSF vs ISO 27001 — Two Approaches to Security Governance

NIST CSF 2.0:

  • Voluntary framework: Not mandatory — organisations adopt it to demonstrate security maturity and align with US government expectations
  • Six functions: Govern, Identify, Protect, Detect, Respond, Recover — each containing categories and subcategories of outcomes
  • Outcome-focused: Describes what security should achieve, not specifically how — flexible for different organisation sizes and risk profiles
  • No formal certification: Organisations self-assess or hire consultants to evaluate their tier level — no auditor-issued certificate
  • US government aligned: Required for federal contractors; widely referenced in US regulations and NIST SP 800-series publications

ISO 27001:

  • Certifiable standard: Organisations can achieve formal third-party certification, which can be shown to customers and regulators as proof of compliance
  • 93 Annex A controls: Specific control requirements covering organisational, people, physical, and technological security areas
  • ISMS-based: Requires establishing an Information Security Management System — a documented, managed, audited programme
  • Global recognition: Widely recognised in Europe, Australia, Asia-Pacific — often required for government contracts in those regions
  • Continuous improvement: Requires annual surveillance audits and three-year full recertification cycles — compliance is ongoing

Verdict: NIST CSF is the best starting point for learning and US market readiness. ISO 27001 is the right choice when formal third-party certification is required by customers or regulators.

Use case: GRC professionals in US-focused technology companies spend most time with NIST CSF and SOC 2. Those in global or government-adjacent roles frequently work with ISO 27001.

The good news for GRC practitioners is that implementing one framework well creates a strong foundation for others:

  • Access control — NIST CSF: PR.AC; ISO 27001: A.5.15-A.5.18; SOC 2: CC6; HIPAA: § 164.312(a); PCI-DSS: Req. 7-8
  • Incident response — NIST CSF: RS.RP; ISO 27001: A.5.24-A.5.28; SOC 2: CC7.3-CC7.5; HIPAA: § 164.308(a)(6); PCI-DSS: Req. 10, 12
  • Risk assessment — NIST CSF: ID.RA; ISO 27001: Clause 6.1; SOC 2: CC3.1-CC3.2; HIPAA: § 164.308(a)(1); PCI-DSS: Req. 6, 12
  • Security awareness training — NIST CSF: PR.AT; ISO 27001: A.6.3; SOC 2: CC1.4, CC2.2; HIPAA: § 164.308(a)(5); PCI-DSS: Req. 12.6
  • Encryption — NIST CSF: PR.DS; ISO 27001: A.8.24; SOC 2: CC6.7; HIPAA: § 164.312(a)(2)(iv); PCI-DSS: Req. 3, 4

This overlap is why GRC professionals use control mapping — documenting how a single implemented control satisfies requirements across multiple frameworks. A well-implemented access control programme does not need to be rebuilt for each framework; it needs to be documented in a way that each framework’s auditor can verify.
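
The control-mapping idea above can be made concrete as a small unified control inventory. The following is an added example, not the page's own tooling or any framework's official mapping: the five control areas and their framework references are taken from the table above, while the control records, owners, evidence artefacts and status values are constructed for illustration. It shows two things the paragraph only states: how one verifiable control satisfies references in every framework at once, and how the same data yields, per framework, the references that still have no evidence behind them (a control marked "partial" or lacking evidence is reported as a gap rather than silently given credit).

```python
"""Control mapping across frameworks: one implemented control, many requirements.

Added example, not the page's own tooling. Mapping rows come from the table
above; the inventory (owners, status, evidence) is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

FRAMEWORKS = ("NIST CSF", "ISO 27001", "SOC 2", "HIPAA", "PCI-DSS")

# Unified control area -> framework -> references it satisfies (from the table above).
CONTROL_MAP: dict[str, dict[str, list[str]]] = {
    "Access control": {
        "NIST CSF": ["PR.AC"], "ISO 27001": ["A.5.15-A.5.18"], "SOC 2": ["CC6"],
        "HIPAA": ["§ 164.312(a)"], "PCI-DSS": ["Req. 7-8"],
    },
    "Incident response": {
        "NIST CSF": ["RS.RP"], "ISO 27001": ["A.5.24-A.5.28"], "SOC 2": ["CC7.3-CC7.5"],
        "HIPAA": ["§ 164.308(a)(6)"], "PCI-DSS": ["Req. 10", "Req. 12"],
    },
    "Risk assessment": {
        "NIST CSF": ["ID.RA"], "ISO 27001": ["Clause 6.1"], "SOC 2": ["CC3.1-CC3.2"],
        "HIPAA": ["§ 164.308(a)(1)"], "PCI-DSS": ["Req. 6", "Req. 12"],
    },
    "Security awareness training": {
        "NIST CSF": ["PR.AT"], "ISO 27001": ["A.6.3"], "SOC 2": ["CC1.4", "CC2.2"],
        "HIPAA": ["§ 164.308(a)(5)"], "PCI-DSS": ["Req. 12.6"],
    },
    "Encryption": {
        "NIST CSF": ["PR.DS"], "ISO 27001": ["A.8.24"], "SOC 2": ["CC6.7"],
        "HIPAA": ["§ 164.312(a)(2)(iv)"], "PCI-DSS": ["Req. 3", "Req. 4"],
    },
}


@dataclass
class ControlRecord:
    """One row of the organisation's unified control inventory."""
    area: str            # key into CONTROL_MAP
    owner: str           # accountable person or team
    status: str          # "implemented", "partial" or "planned"
    evidence: list[str]  # artefacts an auditor can inspect

    def is_verifiable(self) -> bool:
        # Credit is only given for a control that is fully in place AND has
        # evidence to show an auditor; anything else is reported as a gap.
        return self.status == "implemented" and bool(self.evidence)


# Constructed inventory: a small organisation part-way through its programme.
SAMPLE_INVENTORY = [
    ControlRecord("Access control", "IAM lead", "implemented",
                  ["Access control policy v3", "2024-Q2 access review sign-off"]),
    ControlRecord("Incident response", "Security operations", "implemented",
                  ["IR plan v2", "Tabletop exercise report"]),
    ControlRecord("Risk assessment", "GRC analyst", "implemented",
                  ["Risk register export", "Management review minutes"]),
    ControlRecord("Security awareness training", "HR", "partial",
                  ["LMS completion report (61%)"]),
    ControlRecord("Encryption", "Platform team", "planned", []),
]


def unmapped_areas(inventory: list[ControlRecord]) -> list[str]:
    """Inventory areas the mapping does not know (typos, controls not yet mapped)."""
    return sorted({c.area for c in inventory if c.area not in CONTROL_MAP})


def coverage_report(inventory: list[ControlRecord]) -> dict[str, dict]:
    """Per framework: references met by verifiable controls, references still open,
    and the fraction covered. A reference mapped from two areas (e.g. PCI Req. 12)
    is counted once and is not a gap if any verifiable area satisfies it."""
    verifiable = {c.area for c in inventory if c.is_verifiable()}
    report: dict[str, dict] = {}
    for fw in FRAMEWORKS:
        satisfied: set[str] = set()
        gaps: set[str] = set()
        for area, refs in CONTROL_MAP.items():
            (satisfied if area in verifiable else gaps).update(refs[fw])
        gaps -= satisfied
        total = len(satisfied) + len(gaps)
        report[fw] = {
            "satisfied": sorted(satisfied),
            "gaps": sorted(gaps),
            "coverage": round(len(satisfied) / total, 2) if total else 1.0,
        }
    return report


def evidence_for(framework: str, inventory: list[ControlRecord]) -> list[tuple]:
    """Audit-facing view for one framework: (reference, control area, owner, evidence)."""
    rows = []
    for c in inventory:
        if c.is_verifiable() and c.area in CONTROL_MAP:
            for ref in CONTROL_MAP[c.area][framework]:
                rows.append((ref, c.area, c.owner, c.evidence))
    return rows


if __name__ == "__main__":
    for fw, r in coverage_report(SAMPLE_INVENTORY).items():
        print(f"{fw:10} {r['coverage']:.0%} covered; open: {', '.join(r['gaps']) or 'none'}")
```

With the constructed inventory, three verifiable controls cover 60% of the NIST CSF references listed and leave PR.AT and PR.DS open, while the same three controls appear in the HIPAA evidence list as three references an auditor can be pointed at. The design choice worth noting is that evidence, not a status flag alone, is what earns credit: that is the same standard an auditor applies.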

Which Compliance Framework Applies to Your Industry?

Most organisations need to comply with multiple frameworks simultaneously.

  • Healthcare (patient data) — HIPAA (mandatory); NIST CSF (best practice); ISO 27001 (optional)
  • Financial Services (payment & investment data) — PCI-DSS (card data); SOC 2 (service orgs); NIST CSF (US banks)
  • Technology / SaaS (customer data) — SOC 2 (customer trust); ISO 27001 (enterprise sales); NIST CSF (US contracts)
  • Government / Defence (regulated data) — NIST SP 800-53; NIST CSF (mandatory); ISO 27001 (international)
  • Retail / E-commerce (payment processing) — PCI-DSS (mandatory); SOC 2 (SaaS tools); NIST CSF (best practice)

Which Framework to Learn First for GRC Careers

If you are new to GRC and trying to build a foundation, the order matters:

Start with NIST CSF. It is the most accessible, the most broadly referenced, and forms a mental model that makes every other framework easier. NIST CSF is also covered on CompTIA Security+, so studying for Security+ simultaneously reinforces it.

Add ISO 27001 awareness next. You do not need to memorise all 93 controls, but understanding the ISMS concept, the risk assessment methodology, and the certification process opens doors to roles in Australia, the UK, and Europe.

Learn SOC 2 when targeting tech companies. If your target industry is technology, SaaS, or cloud services, SOC 2 readiness work is a core GRC function. The Trust Service Criteria are straightforward to learn.

Learn HIPAA if you have a healthcare background. Healthcare experience is a major advantage for HIPAA-specific roles. If you have worked in a clinic, hospital, insurer, or health tech company, lean into that background.

Learn PCI-DSS for retail, payments, or financial services. If you are targeting those industries, understanding PCI scoping, SAQs, and the 12 requirements is directly practical.

When I looked at GRC job postings in Australia, I noticed that ISO 27001 experience appeared in almost every listing — more than NIST CSF, which is more dominant in the US. If you are in Australia or the UK, prioritising ISO 27001 makes career sense. If you are in the US, NIST CSF is the safer starting point.

Resources for Learning Compliance Frameworks

Free resources:

  • NIST CSF 2.0 — full framework available free at nist.gov/cyberframework. The quick-start guide is particularly good for beginners.
  • NIST SP 800-53 Rev. 5 — the complete catalogue of security controls that NIST CSF references, also free at csrc.nist.gov.
  • AICPA SOC 2 Overview — aicpa-cima.com provides introductory guides to SOC 2 and the Trust Service Criteria.
  • HHS HIPAA Security Series — hhs.gov/hipaa publishes plain-English guidance on each component of the HIPAA Security Rule.
  • PCI Security Standards Council — pcisecuritystandards.org offers free downloads of PCI-DSS v4.0 and associated guidance documents.

Certifications for GRC careers:

  • CompTIA Security+ — First certification; covers risk management and compliance basics. Cost: ~$404 USD
  • CGRC (ISC2) — Entry-level GRC; formerly SSCP-adjacent, specifically GRC-focused. Cost: ~$599 USD
  • ISO 27001 Lead Implementer — Implementing ISO 27001 programmes. Cost: ~$2,000-3,000 (course + exam)
  • CISA (ISACA) — IT audit and assurance. Cost: ~$760 USD + membership
  • CRISC (ISACA) — IT risk management. Cost: ~$760 USD + membership

Books:

  • The Art of Auditing and Assurance for ISO 27001 practitioners
  • ISACA study materials for CISA and CRISC preparation
  • CompTIA Security+ study guides for foundational compliance coverage

Compliance frameworks are the language of GRC careers. Learning them fluently is one of the highest-leverage things you can do as a career changer entering cybersecurity.

  • Five major frameworks — NIST CSF, ISO 27001, SOC 2, HIPAA, and PCI-DSS — each serve different industries and regulatory contexts, but share significant control overlap.
  • NIST CSF is the universal starting point for US-market careers. ISO 27001 is essential for Australian, UK, and global roles.
  • SOC 2 is table stakes for tech companies. If your target industry is SaaS or cloud services, understanding SOC 2 readiness is directly marketable.
  • HIPAA and PCI-DSS are industry-specific — they apply narrowly but are mandatory in their domains. Prior industry experience is a genuine advantage.
  • Frameworks overlap significantly. A well-implemented control programme addresses multiple frameworks simultaneously through control mapping.
  • GRC careers do not require deep technical skills. They require comfort with documentation, audit processes, policy writing, and risk language — skills that transfer well from many non-IT backgrounds.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Frequently Asked Questions

What is the most important compliance framework to learn first?

Start with NIST CSF. It is the most accessible, maps to all other major frameworks, and is covered on CompTIA Security+. In Australia and the UK, ISO 27001 is equally important — consider both if you are targeting a global career.

Is compliance the same as cybersecurity?

No. Compliance means meeting the minimum requirements of a framework or regulation. Cybersecurity means actually protecting against threats. An organisation can be fully compliant and still suffer a breach if its compliance programme is checkbox-driven rather than risk-driven. The goal is to use compliance frameworks as a foundation for genuine security, not just to pass audits.

Do I need technical skills for a GRC career?

Less than you might think. GRC roles primarily require risk assessment, policy writing, audit evidence collection, stakeholder communication, and documentation skills. You need enough technical understanding to have intelligent conversations with IT teams, but you do not need to be a sysadmin or developer. Many successful GRC professionals come from legal, accounting, healthcare administration, and project management backgrounds.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates whether security controls are designed appropriately at a single point in time. SOC 2 Type II evaluates whether those controls actually operated effectively over a testing period of 6-12 months. Enterprise customers almost always require Type II because it provides evidence of sustained security practices, not just a snapshot.

Is HIPAA only relevant in the United States?

HIPAA applies specifically to US-based covered entities and their business associates. However, organisations in other countries that handle data on US patients (through telehealth, research, or software) may also need to comply. Internationally, GDPR (Europe) and the Privacy Act (Australia) have similar data protection requirements for health information.

What is a risk register and why does it matter for compliance?

A risk register is a documented inventory of identified risks with their likelihood, impact, treatment strategies, and owners. Most compliance frameworks require a formal risk register — NIST CSF's Identify function, ISO 27001 Clause 6.1, and SOC 2's CC3 criteria all include risk assessment and documentation requirements. Maintaining an accurate risk register is a core GRC function.

How long does ISO 27001 certification take?

For a small-to-medium organisation starting from scratch, ISO 27001 certification typically takes 6-18 months. This includes establishing the ISMS scope, conducting a gap analysis, implementing required controls, conducting internal audits, and passing the Stage 1 and Stage 2 certification audits. Larger or more complex organisations may take longer.

What is PCI scope and why does it matter?

PCI scope defines which systems, processes, and personnel are subject to PCI-DSS requirements. In theory, only systems that store, process, or transmit cardholder data are in scope. In practice, any system that could affect the security of in-scope systems also needs to be included. Reducing PCI scope through network segmentation is a major focus of PCI compliance programmes — fewer in-scope systems means less audit burden and lower compliance costs.