ISO, SOC, NIST: Which framework is right for your business?

Overview of standards and frameworks

Standards and frameworks (referred to as “standards” in this article) are sets of rules, practices, or measures which are implemented by an organization as activities to be performed periodically or at a point in time to achieve a certain objective. These rules, practices and measures are generally known as controls.

There are standards recognized internationally for a wide variety of objectives, ranging from environmental management (ISO14000), to food safety management (ISO22000), to medical devices (ISO13485). (See all ISO standards at https://www.iso.org/standards.html)

Examples of standards for data protection and privacy purposes are as follows:

  • ISO 27000 series
  • NIST Cybersecurity Framework and SP800 documentation
  • SOC2: for Service Organizations – Trust Services Criteria
  • Generally Accepted Privacy Principles (GAPP)
  • ISO 27701 - Extension for privacy compliance

The standards usually address the same areas of focus or domains, although bearing different names. Most standards include controls for overall governance, performing risk assessments and controlling relationships with third parties such as vendors of information services.

There are many resources that provide detailed mappings of the controls of one standard against another; one example is the mapping produced by AICPA of SOC2 against NIST 800-53 and ISO 27001. However, the remainder of this article will focus more broadly on the factors to consider when deciding which standard is right for your organization.

Factors to consider when choosing the appropriate standard for your business

Implementing a standard to support your overall data protection and privacy compliance efforts will pay off in the long term. The expected outcomes are better decisions on purchases of technology, increased confidence in the organization’s capability to protect its data, and better positioning against the competition during new client acquisition activities such as responding to RFPs. A successful implementation will require dedication, focus and resources, ranging from staff being available to project manage and support the implementation, to the financial budget to fund it.

Choosing the right standard is a careful balancing act requiring the judgement of a number of internal and external factors.

Factors external to the organization:

Legal obligations

  • Regulatory requirements. There can be legal requirements relevant to the organization that include data protection obligations. Canada’s PIPEDA requires the implementation of safeguards to protect personal information. Organizations operating in the financial sector are required to carry out “Cybersecurity Self Assessments”, while a number of other sectors are subject to guidelines and voluntary practices related to cybersecurity. The USA has cybersecurity legislation at both federal and state level, which varies by commercial sector.
  • Contractual obligations can be imposed by clients and other parties. Whose data the organization is handling should also be considered and added to the list of legal obligations. For example, large organizations such as Microsoft have very detailed data protection requirements and they may even request an independent assessment to be paid for by the organization and submitted to their procurement departments.

Competitors

  • The competitive landscape may also put pressure on organizations to implement standards. There is nothing stopping organizations from announcing to their potential audience that they follow a certain standard in data protection. Visit the main competitors’ websites or check their other marketing materials to see if they hold a certification or have voluntarily implemented a standard.

Resources for determining which legal obligations apply to your business operations:

Next Steps:

  • Make a list of the security-related requirements
  • Identify and understand any other guidance, codes, best practice recommendations issued for your sector

Factors internal to the organization

  • The organization’s own clients may ask for a specific standard. It is becoming quite common for potential clients to ask for evidence of implementation of a standard as they feel reassured that the organization is taking a structured approach to data protection.
    • If you are noticing an increase in such requests, you should strongly consider implementing such a standard.
    • There may be situations where some clients demand one type (for example SOC2) and others demand another type. In these cases, the initial negotiation step is to explain the similarities between the standard you already adopted and the other one, in an attempt to demonstrate that what is already in place is sufficient. The mapping of the varying standards’ controls (mentioned above in the article), would be a useful tool.
  • The organization’s own objectives and growth path may favour one standard over another. If the organization is planning a push into European markets, ISO standards are the usual choice. Offering services to the Canadian government, on the other hand, would likely result in a need to obtain a SOC2 report.
  • The type of data held may also impact the final decision. Handling credit card data will trigger the need to implement the Payment Card Industry Data Security Standard (PCI DSS). Large amounts of sensitive personal information may trigger the need to add the “Privacy” criteria to the SOC2 implementation and final assurance report.

North Americans more commonly refer to SOC2 reports, while businesses located in other areas of the world are more likely to ask for an ISO certification.

Implementation

The costs of the implementation usually play a large part in the decision. Organizations often weigh these two options:

1. Doing it internally

ISO standards can be initially implemented without any outside help and organizations can market themselves as following such a standard.

There are a number of vendors offering support through ISO implementation toolkits which include all of the necessary templates. However, it is recommended to ask for a demo to check the quality of the templates included in the package.


2. Hiring third-parties

A SOC2 report can only be obtained through engaging an independent, qualified third party to audit the organization’s environment and issue the report. The usual time period covered by the report is annual. The cost of obtaining such a report may be substantial and incurred annually; subsequent years’ reports may not see a significant reduction in price from Year 1.

ISO certifications are the final step in an ISO implementation. This is likely to be another substantial investment as it involves a detailed audit carried out by the certification entity. Repeat audits are required every three years, although less detailed.

Hiring consultants to project manage the standard’s implementation and guide the organization through the process will incur additional costs but may be beneficial in the long run, especially in situations where there is no internal staff available to run the project.


In summary

This article focused on ISO and SOC2 standards, but a custom or hybrid standard can also be built for any organization by mixing controls from different standards, or by adding another standard’s controls to the chosen one, to obtain more specific controls for certain security areas. However, the minimum required controls will still have to be implemented for each standard if certification or third-party assurance is intended.

As the final investment in the implementation of the standard is likely to be significant, choosing a standard is an important decision in the lifecycle of any organization. The value of researching the different standards to understand their coverage, advantages and disadvantages cannot be overstated. There are a lot of free resources available and a lot of vendors willing to support your implementation. Once implemented, make the most of it and include it in your marketing materials.

How ComplyWorks can support the implementation process

ComplyWorks' Compliance Management Platform can help you securely implement and maintain data protection controls by helping you:

  • Ensure your third-party suppliers and contractors have done their due diligence on privacy policy standards – with Corporate Compliance Management.
    • Let ComplyWorks verify items like ISO certifications, according to your specific needs.
  • Track formal signoffs on custom requirements related to your new controls.
    • Assign and monitor signoffs related to data privacy policies, training or orientations.
    • Use our dynamic reporting and monitoring dashboard to alert for non-compliance and track employees' sign-off on training and course progress.
    • Create quizzes to confirm comprehension of modules when you induct/orient employees.
  • Track requirements for your specific project, worksite, location, division, or security file, as you define it - with Worksite Management.
    • Use the task scheduling capability to ensure all data privacy tasks get done on time by the correct person.
    • Use the platform to record inspections of the controls that are in place and ensure they are functional.
    • Track and manage non-conformances and corrective actions from the expected standard.

Laura Brown

Privacy Consultant, YYC Privacy


Laura Brown is a guest blogger for ComplyWorks. Laura has many years of experience in data protection both as an auditor and consultant to small, medium and enterprise companies. Her work includes projects such as SOC 2 audits, privacy compliance assessments and implementation of both Canadian and EU legislation, cyber security assessments (NIST and OSFI), ISO standards implementations and IT operational and vendor compliance assessments.

Accreditations: BA, LPC (UK), IAPP – CIPM & CIPP/E (European privacy legislation certification), Artificial Intelligence: Implications for Business Strategy Program MIT Sloan, MIT CSAIL.