Gap Assessments
A compliance gap assessment evaluates the difference between your organization's current security controls and the requirements of a specific framework such as SOC 2, ISO 27001, or HIPAA. It identifies which controls are fully in place, which are partially implemented, and which are missing — then produces a prioritized roadmap to close those gaps before an audit.
Conducting a gap assessment before engaging an auditor typically reduces both audit preparation time and cost significantly, because you know exactly where to focus remediation effort.
Readiness assessment and gap assessment are often used interchangeably, but there is a subtle distinction. A readiness assessment is typically a broader evaluation of whether your organization is prepared to undergo a formal audit, and it produces a yes/no verdict or a percentage readiness score. A gap assessment goes deeper: it identifies the specific controls that are missing or partially implemented, explains why each gap matters, and produces a concrete remediation roadmap.
In practice, the best compliance gap assessments include both. Running one before engaging an auditor is considered best practice because it prevents costly surprises mid-audit and lets you budget accurately for remediation.
A comprehensive gap assessment report includes: an overall readiness score; per-framework readiness scores; a domain-by-domain breakdown showing which control areas are present, partial, or missing; a gap assessment table with current state and recommended remediation for each gap; a prioritized action plan ranked by risk and effort; a phased implementation roadmap; a security tools and budget estimate; framework overlap analysis; and an executive summary for leadership.
Gap Assessment generates all of these sections automatically using AI, and delivers them as a downloadable PDF.
SOC 2 Basics
SOC 2 Type I is a point-in-time assessment that verifies your security controls are suitably designed as of a specific date — it can be achieved in as little as 45 days with high security maturity. It's a useful intermediate step to unblock deals while your Type II observation period runs.
SOC 2 Type II evaluates whether those controls actually operated effectively over an observation period, typically 3–12 months. It is far more credible and enterprise customers almost universally require it. If you need a compliance credential quickly, start with Type I — but begin your Type II observation period immediately after.
SOC 2 compliance is built around five Trust Services Criteria (TSC): Security (mandatory for every SOC 2), Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only required category — the others are included based on what your product does.
In practice, achieving SOC 2 requires: documented security policies and procedures; technical controls including MFA, encryption at rest and in transit, firewalls, and intrusion detection; role-based access controls and regular access reviews; a formal risk assessment process; vulnerability scanning and patch management; an incident response plan; vendor/third-party risk management; employee security awareness training; and change management controls. You must collect and maintain audit evidence across all of these areas for the entire observation period.
The most important structural difference between SOC 2 and ISO 27001 is flexibility versus prescription. SOC 2 is flexible: you choose which Trust Services Criteria to include and decide how to implement controls. ISO 27001 is more prescriptive, requiring a formally structured ISMS, a documented risk treatment process, and a Statement of Applicability covering all 93 Annex A controls.
A SOC 2 audit is conducted by a licensed CPA firm and produces an attestation report. ISO 27001 certification is issued by an accredited certification body and produces a formal certificate renewable every three years with annual surveillance audits. SOC 2 is primarily recognized in North America; ISO 27001 is an internationally recognized certification.
SOC 2 is most commonly required for: SaaS and cloud software companies selling to enterprise; fintech and financial services; healthcare technology; managed IT services and MSPs; data analytics and BI platforms; HR and payroll technology; legal technology; and any company in the supply chain of a regulated industry.
SOC 2 is not legally mandated in any of these industries, but enterprise and mid-market customers in these sectors routinely require it as a vendor qualification. Healthcare companies may need both SOC 2 and HIPAA. Companies handling payment data may need SOC 2 alongside PCI DSS.
SOC 2 reports don't expire on a fixed schedule, but they become stale quickly. Most enterprise customers expect a report issued within the last 12 months. In practice, the vast majority of SOC 2-certified organizations undergo an annual Type II audit to maintain a current, credible report. There is no formal renewal process — you simply commission a new audit each year.
ISO 27001 Basics
ISO 27001 requires two interconnected components. First, Clauses 4–10 define mandatory management system requirements: establishing the scope and context of your ISMS; demonstrating leadership commitment; conducting formal risk assessments; implementing security controls; and running continuous improvement cycles including internal audits and management reviews.
Second, Annex A provides 93 security controls (2022 update) grouped into four categories — organizational (37), people (8), physical (14), and technological (34). You don't implement all 93; instead, a risk assessment determines which apply, and your decisions are documented in a Statement of Applicability (SoA). The certification process involves a two-stage audit by an accredited certification body.
ISO 27001 has a formal 3-year certification cycle. After initial certification, your organization undergoes surveillance audits in years one and two to confirm the ISMS is being maintained. In year three, a full recertification audit is required. Surveillance audits are typically less intensive than the initial certification but require ongoing evidence of continuous improvement and control effectiveness.
Framework Transitions
With SOC 2 already in hand, ISO 27001 typically takes 3–6 months rather than the standard 6–12, because a large portion of the required controls already exist. The two frameworks share substantial overlap in access control, encryption, vulnerability management, and incident response.
The main additional work involves establishing a formal ISMS, completing a documented risk assessment, and preparing for the two-stage audit process. Stage 1 typically takes 2–3 days; Stage 2 can be completed within 1–2 weeks. Many organizations pursue both simultaneously, running the ISO 27001 audit in parallel with SOC 2 evidence collection to maximize efficiency.
For ISO 27001-certified organizations, SOC 2 Type I readiness is typically achievable in 2–4 months, with your Type II observation period starting immediately. Your structured ISMS, documented risk assessments, and Annex A controls map well onto SOC 2's Trust Services Criteria.
Key gaps to address are usually around the specific Trust Services Criteria your ISO program did not explicitly cover — particularly Availability and Processing Integrity. The SOC 2 audit can often be timed to coincide with your ISO surveillance cycle, saving auditor fees.
From a HIPAA baseline, SOC 2 readiness typically requires a 2–3 month gap analysis followed by remediation, then a 3–12 month observation period for Type II. By leveraging existing HIPAA controls in access management, encryption, audit logging, incident response, and vendor risk management, organizations can reduce overall compliance effort by 30–40% — compressing the total timeline from a typical 9 months to roughly 4–5 months.
The main additional work involves addressing the SOC 2-specific Trust Services Criteria that HIPAA does not directly cover, such as Availability and Processing Integrity.
PCI DSS and SOC 2 share approximately 60% of their control requirements, particularly around access control, encryption, network security, vulnerability management, and vendor oversight. For PCI-certified organizations, SOC 2 readiness typically takes 3–6 months rather than the standard 6–12.
Combining both audits can cut the total timeline by 1–3 months and reduce costs by up to 30%. The primary gaps to address are areas of SOC 2's Trust Services Criteria not covered by PCI's narrower cardholder data environment scope — particularly broader organizational controls, availability commitments, and privacy practices.
Yes, and doing so is increasingly common. The two frameworks share control overlap estimated at 70–90% depending on scope. By pursuing both simultaneously, organizations can consolidate evidence collection, run coordinated audits, and avoid duplicating policy documentation.
Combined audits cut overall compliance timelines by 1–3 months and reduce costs by 20–30% compared to sequential certifications. The main challenge is coordinating two different audit processes at the same time, which is easier with a compliance automation platform or a single firm that handles both.
Costs & Timelines
From a standing start, SOC 2 Type I can be achieved in 3–6 months with focused preparation. SOC 2 Type II requires an additional 3–12 month observation period on top of that, putting total time at 6–18 months for most organizations.
The biggest variables are your current security maturity, whether you use a compliance automation platform, and how quickly you can remediate gaps. Running a gap assessment first — before hiring an auditor — is the fastest way to compress the timeline, because you avoid discovering critical gaps mid-audit.
The fastest path to SOC 2 is: (1) run a gap assessment immediately to identify exactly which controls are missing before engaging an auditor; (2) target SOC 2 Type I first, which can be achieved in as little as 45 days with high security maturity; (3) use a compliance automation platform to accelerate evidence collection; (4) start your Type II observation period immediately after Type I, running both in parallel.
The mandatory 3-month minimum observation period for Type II cannot be accelerated regardless of budget — so starting early is the single most effective lever you have.
SOC 2 certification typically costs $30,000–$100,000 total in the first year: audit fees ($20,000–$50,000), readiness preparation and gap remediation ($5,000–$20,000), and compliance tooling ($5,000–$30,000 annually). Subsequent years are less expensive since the initial buildout is behind you.
The most significant cost driver is your current security maturity — organizations with strong existing controls spend considerably less on remediation. Running a gap assessment before engaging an auditor is the best way to estimate your specific cost.
ISO 27001 certification costs typically range from $15,000 to $60,000 for small to mid-sized organizations, and higher for larger or more complex environments. ISO 27001 is generally 1.5–2× more expensive than SOC 2 due to the more comprehensive ISMS requirements and two-stage audit process.
Ongoing costs include annual surveillance audits for two consecutive years, then a full recertification audit in year three. Organizations already holding SOC 2 often achieve ISO 27001 at the lower end of the cost range due to existing control documentation.
Startups & Small Teams
The right time to pursue SOC 2 is typically when you begin selling to enterprise or mid-market B2B customers, or when a prospect explicitly asks for it. Research suggests roughly 74% of enterprise buyers require SOC 2 before working with a new vendor, and deals frequently stall or collapse when a startup can't provide a report on demand.
As a practical trigger: if your first enterprise prospect has asked for a SOC 2 report, multiple future prospects will too. Most startups begin with Type I to unblock immediate deals, then start their Type II observation period immediately. The mandatory 3-month minimum for Type II cannot be accelerated — so starting early matters.
SOC 2 is not legally required — it is a voluntary standard. However, it has become effectively mandatory for B2B SaaS and cloud companies selling to enterprise and mid-market customers, regardless of vendor size. Enterprise procurement teams evaluate new vendors on the same criteria whether the vendor has 5 employees or 5,000.
If you're a B2C company selling directly to consumers, SOC 2 is generally not needed. But if your product handles customer data and you're selling to businesses — especially in finance, healthcare, or government — SOC 2 is likely a requirement to close deals above a certain contract value.
Pursue SOC 2 first if your customer base is primarily North American, where it is the dominant standard for US enterprise SaaS buyers. Pursue ISO 27001 first if you're expanding globally, particularly into Europe, Asia-Pacific, or the Middle East, where it carries stronger recognition and is sometimes legally required.
Many organizations with a mixed customer base pursue both simultaneously. Since the control overlap means dual certification requires roughly 30–40% more effort than either alone (not double), a gap assessment that maps your current controls against both frameworks helps you understand exactly how much additional work each path requires from your current position.
Framework Comparisons
No — SOC 2 and HIPAA are not interchangeable. SOC 2 demonstrates strong general security practices, but HIPAA requires specific controls for protecting Protected Health Information (PHI) that go beyond what SOC 2 covers. Areas HIPAA requires that SOC 2 does not explicitly address include: formal HIPAA-compliant policies, Business Associate Agreements (BAAs), workforce authorization controls for ePHI access, and specific breach notification timelines.
That said, a strong SOC 2 posture covers a significant portion of HIPAA's Security Rule requirements, and organizations pursuing both can reuse a large portion of their evidence and controls.
SOC 2 is a voluntary US framework that demonstrates your security and privacy controls to customers and partners. GDPR is mandatory EU law that governs how any organization handles the personal data of EU residents — regardless of where the organization is located.
SOC 2 compliance does not make you GDPR compliant, but a SOC 2 program with the Privacy Trust Services Criterion included covers significant ground toward GDPR's technical and organizational security requirements. Organizations selling into Europe typically need to address both.
NIST CSF (Cybersecurity Framework) is a voluntary US framework organized around five functions — Identify, Protect, Detect, Respond, Recover — that helps organizations manage and reduce cybersecurity risk. It does not result in a formal certification or audit report.
SOC 2 is an audited attestation standard — an independent CPA evaluates your controls and issues a report you can share with customers as proof of compliance. NIST CSF is often used internally to build a security program; SOC 2 is the external-facing credential customers and prospects ask for. Many organizations use NIST CSF to build their security program and then pursue SOC 2 to prove it to the market.
CMMC 2.0
CMMC (Cybersecurity Maturity Model Certification) 2.0 is the US Department of Defense's mandatory cybersecurity framework for any company in the Defense Industrial Base (DIB) that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes both prime contractors and every subcontractor tier in the DoD supply chain.
The framework has three levels: Level 1 (15 basic controls for FCI handlers, self-assessed annually), Level 2 (110 controls aligned with NIST SP 800-171, required for most CUI handlers, third-party assessed), and Level 3 (additional controls from NIST SP 800-172, reserved for the most sensitive programs, government-assessed). If you sell to — or are a subcontractor of anyone who sells to — the DoD, CMMC very likely applies to you.
CMMC 2.0 is rolling out in a phased timeline:
December 16, 2024 — The CMMC Final Rule (32 CFR) took effect. Official C3PAO assessments became available.
November 10, 2025 — Phase 1 began. CMMC Level 1 and Level 2 requirements started appearing in new DoD solicitations. Level 1 is self-assessed; Level 2 can be self-assessed for less sensitive CUI, or require a C3PAO assessment for higher-priority contracts.
October 31, 2026 — Hard deadline. CMMC compliance required for all new DoD contract awards involving FCI or CUI. Level 2 third-party certification becomes mandatory across the board.
November 10, 2028 — Full implementation. All applicable DoD contracts including option periods require CMMC certification at the appropriate level.
Most organizations need 6–12 months to reach Level 2 compliance. Given C3PAO assessment slots are limited and booking up fast, the time to start is now.
Level 1 — Foundational: 15 basic cybersecurity practices from FAR 52.204-21. Covers access controls, malware protection, system scans, and audit logs. Required for companies handling only FCI. Self-assessed annually with executive affirmation. No POA&Ms allowed — all controls must be fully implemented.
Level 2 — Advanced: 110 security requirements from NIST SP 800-171. Required for most companies handling CUI. Starting November 2026, third-party assessment by a certified C3PAO is mandatory. Limited POA&Ms are allowed for certification, but must be closed within 180 days. Your SPRS score must be at least 88/110 to be eligible for conditional certification.
Level 3 — Expert: Additional controls from NIST SP 800-172 on top of all Level 2 requirements. Required for companies working on the DoD's most sensitive programs. Assessed directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Very few organizations will need this level.
A C3PAO (Certified Third-Party Assessor Organization) is an organization accredited by the CyberAB to conduct official CMMC Level 2 certification assessments. They evaluate your security controls against all 110 NIST SP 800-171 requirements and issue the certification that the DoD will recognize.
You need a C3PAO if you are pursuing CMMC Level 2 certification (as opposed to Level 2 self-assessment, which is only allowed for certain lower-sensitivity CUI contracts during Phase 1). You do not need a C3PAO for Level 1 — that remains self-assessed. C3PAO slots are booking up well in advance, so engaging one early — even just for a readiness assessment — is strongly recommended. A gap assessment against NIST SP 800-171 before your C3PAO engagement will save time and money.
Most organizations need 6–12 months to achieve CMMC Level 2 compliance, depending on their current security posture and how closely they already align with NIST SP 800-171. Organizations with mature existing security programs — particularly those with prior SOC 2, ISO 27001, or NIST CSF work — can compress this timeline significantly due to control overlap.
The typical path is: (1) complete a NIST SP 800-171 gap assessment; (2) build or update your System Security Plan (SSP); (3) remediate gaps and document a Plan of Action & Milestones (POA&M) for any remaining items; (4) engage a C3PAO for the formal assessment. Starting with a gap assessment is the single most important first step — it reveals exactly what needs to be fixed and lets you budget realistically for the work ahead.
If you have been self-attesting to NIST SP 800-171 (as DoD contractors have been required to do since 2017), you are already working with the exact 110 controls that CMMC Level 2 is based on. The main difference is that CMMC Level 2 requires a third-party C3PAO assessment rather than self-attestation — so the controls work is largely the same, but you need to ensure your documentation and evidence are ready for external audit scrutiny.
If you have ISO 27001, the control overlap is substantial — ISO 27001's Annex A covers significant ground across NIST 800-171's 14 control families. You will still need to address CMMC-specific requirements (particularly around CUI handling, media protection, and the specific DFARS clauses) and produce a System Security Plan in the format DoD expects. Many organizations go from ISO 27001 to CMMC Level 2 readiness in 3–5 months.
Yes. CMMC requirements apply to all tiers of the DoD supply chain — not just prime contractors. If a subcontractor handles FCI or CUI as part of a DoD contract, they must achieve the appropriate CMMC level. Prime contractors are already requiring subcontractors to demonstrate CMMC readiness before including them in bids, since a non-compliant subcontractor can disqualify the prime's entire proposal.
There is one exception: companies selling purely commercial off-the-shelf (COTS) products — like office furniture — that do not handle any FCI or CUI are exempt from CMMC requirements.
Government & Defense
FedRAMP is the US government's compliance framework for cloud service providers selling to federal agencies. It is based on NIST 800-53 controls and requires a formal Authorization to Operate (ATO) — it is mandatory for cloud services used by US federal agencies, not optional.
SOC 2 is a private-sector framework that does not qualify a vendor for federal government contracts. FedRAMP is significantly more rigorous and expensive than SOC 2, typically costing $500,000–$2 million+ in the first year. Organizations with SOC 2 and NIST CSF in place are better positioned to pursue FedRAMP, but considerable additional work is required.
Gap Assessment supports 35+ frameworks including SOC 2, ISO 27001, ISO 27701, HIPAA, GDPR, PCI DSS, NIST CSF, NIST 800-53, NIST 800-171, CMMC, FedRAMP, SOX ITGC, CCPA, LGPD, PIPEDA, APRA CPS 234, CIS Controls, HITRUST CSF, StateRAMP, TX-RAMP, CJIS, IRAP, ENS, TISAX, SWIFT CSP, DORA, NIS2, Cyber Essentials, and CSA STAR.
The tool also shows the control overlap between any frameworks you select, so you can plan the most efficient path to multi-framework compliance.
AI Compliance Frameworks
ISO/IEC 42001:2023 is the world's first international standard for an Artificial Intelligence Management System (AIMS). Published in December 2023, it specifies the requirements for establishing, implementing, maintaining, and continually improving a management system for responsible AI development and use. It is applicable to any organization of any size or industry that develops, provides, or uses AI-based products or services.
Unlike a general security standard, ISO 42001 specifically addresses AI's unique challenges: algorithmic bias, transparency and explainability, data governance for AI training, human oversight of automated decisions, and continuous monitoring as models evolve. Certification follows the same 3-year cycle as ISO 27001 — initial certification, annual surveillance audits in years one and two, and full recertification in year three. Major organizations including Microsoft (for Microsoft 365 Copilot) have already achieved certification.
ISO 42001 is currently a voluntary standard — no jurisdiction legally requires it yet. However, it is rapidly becoming a differentiator in enterprise sales, particularly for B2B SaaS companies with AI features. Enterprise procurement teams are beginning to include ISO 42001 in vendor security questionnaires, and this trend is accelerating as the EU AI Act enforcement ramps up through 2026–2027.
You should seriously consider ISO 42001 if: your product uses AI to make decisions that affect customers; you sell to regulated industries (finance, healthcare, insurance); you operate in or sell into Europe; your enterprise customers are asking about AI governance practices; or you want to demonstrate responsible AI as a competitive differentiator. Organizations that already hold ISO 27001 certification have a significant head start, since ISO 42001 shares the same management system structure and much of the documentation foundation.
The key difference is certification vs. guidance. ISO 42001 is a certifiable management system standard — you can undergo a third-party audit and receive a formal certificate that demonstrates to customers, regulators, and partners that your AI governance meets an internationally recognized bar. The NIST AI Risk Management Framework (AI RMF) is a voluntary US framework that provides excellent practical guidance for identifying and managing AI risk, but it has no certification, no audit, and no formal credential.
Think of NIST AI RMF as the internal playbook and ISO 42001 as the external proof. Many organizations use both: NIST AI RMF to structure their day-to-day AI risk management, and ISO 42001 to demonstrate governance maturity to enterprise customers and regulators. The two frameworks share substantial overlap in areas like transparency, accountability, and continuous improvement, so implementing both together is efficient.
The EU AI Act is the world's first comprehensive AI law; it entered into force on August 1, 2024. Unlike ISO 42001 or NIST AI RMF, it is legally binding, not voluntary. It applies to any organization that places AI systems on the EU market or whose AI systems affect EU residents, regardless of where the company is based. A US company with European customers is in scope.
It operates on a risk-based classification: Prohibited AI (banned outright — social scoring, subliminal manipulation, untargeted facial recognition scraping); High-Risk AI (strict requirements — used in hiring, credit scoring, healthcare, education, law enforcement); General-Purpose AI (GPAI) (transparency and safety obligations for large language models); and Limited/Minimal Risk (lighter-touch requirements). Key enforcement milestones: prohibited practices banned February 2025; GPAI obligations began August 2025; high-risk system requirements phase in through August 2027. Fines reach up to €35 million or 7% of global annual turnover for the most serious violations. ISO 42001 and NIST AI RMF both provide strong foundations for EU AI Act compliance.
The NIST AI Risk Management Framework (AI RMF), published in January 2023, is a voluntary US framework that helps organizations identify, assess, and manage the risks associated with AI systems throughout their lifecycle. It is organized around four core functions: Govern (establish AI risk governance policies and culture), Map (identify and categorize AI risks in context), Measure (analyze and quantify AI risks), and Manage (prioritize and respond to AI risks).
While voluntary, NIST AI RMF carries significant de facto weight — the FTC, FDA, SEC, and Department of Defense all reference its principles, and federal procurement increasingly expects NIST alignment. It is widely used as the standard for evaluating AI governance maturity in enterprise vendor assessments. NIST also publishes a Generative AI Profile with specific guidance for managing risks from large language models and other generative AI systems.
Organizations with ISO 27001 already in place have a significant head start on ISO 42001, because both standards share the same management system structure (Clauses 4–10, Plan-Do-Check-Act methodology, internal audits, management reviews, continuous improvement). Your existing ISMS documentation, risk assessment process, and control evidence framework all carry over directly.
The additional work specific to ISO 42001 focuses on AI-specific governance: establishing policies for responsible AI use, creating an AI system inventory, implementing AI risk assessments that address bias and transparency, defining human oversight mechanisms, and building processes for monitoring model performance and data quality over time. For organizations with mature ISO 27001 programs, ISO 42001 certification typically adds 3–6 months of incremental work rather than requiring a full new program build.
The right starting point depends on where you operate and who you sell to:
Start with EU AI Act if you have European customers or EU operations — it's law, not optional. Fines up to €35M mean non-compliance is not a risk you can ignore. ISO 42001 and NIST AI RMF both provide strong implementation support for meeting its requirements.
Start with NIST AI RMF if you are primarily US-based without immediate regulatory or customer pressure. It's free, flexible, and gives you a practical risk management foundation you can build on. Most organizations find it a natural first step before investing in ISO 42001 certification.
Pursue ISO 42001 when you need a formal, audited credential to satisfy enterprise customer requirements, government procurement expectations, or to demonstrate AI governance maturity in competitive sales situations. It is increasingly moving from differentiator to table stakes for enterprise AI vendors.
The good news: the three frameworks are largely complementary, not competing. Organizations that implement all three report that NIST AI RMF provides the risk management methodology, ISO 42001 provides the auditable management system, and the EU AI Act provides the legal compliance layer — with substantial control overlap between all three.
See where you actually stand.
Run a free gap assessment in 10 minutes — get AI-powered scores, a gap table, and a downloadable PDF report.