Getting started with your first IT compliance program

Hyperproof can help you jumpstart your first IT compliance program, pass the audit, and maintain continuous compliance -- so you can provide assurances to customers, maintain trusted business relationships, and establish a security baseline that supports your growth plan.

Get a Demo

Common compliance frameworks

What are the common IT compliance frameworks startups need?

SOC 2, PCI DSS, and ISO 27001 are a few common IT security frameworks that many early-stage companies and small businesses implement in order to build their security program on a solid foundation and show customers that they take security and data privacy seriously. With the U.S. federal government putting greater emphasis on the security posture of its supply chain, organizations that contract with the federal government must obtain a FedRAMP authorization and/or the Cybersecurity Maturity Model Certification (CMMC).

Hyperproof Solutions for Startups

Challenge #1

You’re new to IT compliance frameworks. You’re not sure what your organization needs to do to become compliant with a regulation, standard, or framework.

How Hyperproof can help

We can refer you to leading CPA and MSSP firms that can work with you to set up a solid security program, and guide you in the creation of policies, procedures and controls needed to pass security assessments and achieve attestation reports and certifications. Partners are well-trained in Hyperproof and can help you leverage Hyperproof effectively to implement and maintain an effective compliance program.

Learn about our SOC 2 Start to Finish offering ›


Challenge #2

You don’t have a structured template or a process for managing your compliance program.

How Hyperproof can help

Hyperproof’s compliance operations platform comes with many information security and data privacy compliance framework templates, such as SOC 2, PCI DSS, ISO 27001, CMMC, and others. Each template has a particular framework’s requirements and illustrative controls -- providing you a starting point for conducting a gap assessment. Hyperproof also comes with project management tools that streamline and automate much of the day-to-day work.

Explore our Supported Frameworks ›


Challenge #3

You don’t have all the controls (organizational policies, procedures, processes and technology) in place yet to meet all the requirements of a security framework and pass an audit.

How Hyperproof can help

Our MSSP partner firms can work with your team within the Hyperproof platform to help you establish suitable controls and provide guidance on the types of evidence you’ll need to collect and submit to an external audit to prove that controls were designed suitably and operating effectively over a period of time.

This process usually starts with a gap assessment -- a project in which an experienced compliance consultant evaluates your current company policies, processes, and security safeguards to see how they stack up against the requirements of a particular IT framework.

Based on gap assessment results, a consultant will make recommendations and assist your team in creating new controls. Once an organization’s made significant progress in implementing controls, an auditor can provide an independent look at your environment and identify the gaps you’ll need to address in order to pass a formal audit.

See a demo of Hyperproof ›


Challenge #4

You don’t have an efficient system for collecting evidence.

When an auditor evaluates your security program against a set of criteria (e.g., the SOC 2 Trust Services Criteria) or a standard, they are looking to assess the accuracy of your organization’s description of its systems and the design effectiveness and operating effectiveness of your controls.

Auditors expect to see evidence such as security policies; documentation of certain procedures; meeting notes; and screenshots showing statuses generated by business applications like your HRIS, developer tools like GitHub, and cloud computing platforms like AWS, Azure, and Google Cloud. Collecting all this data manually can take days.

How Hyperproof can help

With Hyperproof, you can automatically collect your latest company policies from various cloud-based file storage systems and status reports from dozens of cloud-based services across cloud infrastructure, developer tools, device management, HR, ticketing management, etc.

Further, all evidence can be centrally stored, categorized appropriately, labeled, and mapped back to specific controls and regulatory requirements.
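To make concrete what "automatically collected, mapped evidence" looks like, here is an added illustrative example; it is not Hyperproof's software or one of its integrations. It assumes a hypothetical control ID (AC-07, "MFA is enforced for every IAM user with console access") and a constructed sample in the column layout of an AWS IAM credential report (what `aws iam get-credential-report` returns once base64-decoded). The script evaluates the control against the report, then wraps the raw artifact in a record that names the control it supports, the source, the collection time, and a SHA-256 of the artifact, so an auditor can trace the evidence and any later edit to the stored copy is detectable.

```python
from __future__ import annotations

import csv
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed sample report. Column names follow (a subset of) the header of an
# AWS IAM credential report, but the account number and users are made up.
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true
bob,arn:aws:iam::123456789012:user/bob,true,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
"""

# Hypothetical control identifier; a real program maps to its own control library.
CONTROL_ID = "AC-07"  # "MFA is enforced for every IAM user with console access"


def console_users_without_mfa(report_csv: str) -> list[str]:
    """Return IAM users who can sign in with a password but have no MFA device.

    API-only users (password_enabled=false) are out of scope for a console-MFA
    control, and the root account row reports password_enabled as
    not_supported, so neither is counted as an exception.
    """
    rows = csv.DictReader(io.StringIO(report_csv))
    return sorted(
        row["user"]
        for row in rows
        if row["password_enabled"] == "true" and row["mfa_active"] != "true"
    )


def build_evidence_record(control_id: str, source: str, raw: str,
                          collected_at: datetime | None = None) -> dict:
    """Wrap a raw collection in a record an auditor can trace.

    The record says which control the evidence supports, where and when it was
    collected, and carries a SHA-256 of the raw artifact so that any later
    edit to the stored artifact is detectable.
    """
    collected_at = collected_at or datetime.now(timezone.utc)
    failing = console_users_without_mfa(raw)
    return {
        "control_id": control_id,
        "source": source,
        "collected_at": collected_at.isoformat(),
        "raw_sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "result": "fail" if failing else "pass",
        "exceptions": failing,
    }


def verify_artifact(record: dict, stored_raw: str) -> bool:
    """Re-hash the stored artifact and compare it with the hash in the record."""
    return hashlib.sha256(stored_raw.encode("utf-8")).hexdigest() == record["raw_sha256"]


if __name__ == "__main__":
    record = build_evidence_record(
        CONTROL_ID, "aws iam get-credential-report", SAMPLE_CREDENTIAL_REPORT,
        collected_at=datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc),
    )
    print(json.dumps(record, indent=2))
    # Editing the stored copy afterwards (here: renaming bob) is detected.
    tampered = SAMPLE_CREDENTIAL_REPORT.replace("bob,", "bobby,")
    print("stored artifact intact:", verify_artifact(record, tampered))
```

On the sample data the record reports `fail` with `bob` as the single exception: he has a console password and no MFA device, while `ci-deploy` is API-only and therefore outside the control's scope. Storing the hash alongside the control mapping is what lets a reviewer later confirm that the screenshot or export in the evidence folder is the one that was actually collected on the stated date.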

See Evidence Collection Best Practices ›


Challenge #5

You need to find a reputable audit firm to conduct your audit, and you’d like the audit process to wrap up quickly because there are sales opportunities relying upon those assurances.

How Hyperproof can help

Hyperproof partners with reputable audit firms who are well-versed in running efficient audits. And because they can work with you in Hyperproof and tell you what they need from your stakeholders, you can expect a streamlined and predictable audit process.

Find a CPA firm ›


Challenge #6

There are costs associated with maintaining compliance, including the costs of follow-on audits and time and resources that must be dedicated to keeping controls up-to-date. You’d like to keep ongoing compliance costs down.

How Hyperproof can help

With Hyperproof's reports, you gain real-time visibility into your compliance posture. As you implement controls, you can set up automated reminders and tasks so the system can flag issues and route them to the right individuals.

See a demo of Hyperproof ›


Hyperproof Grows With Your Company

Hyperproof supports 30+ cybersecurity, data privacy, and risk management frameworks and helps you identify and map common controls that can satisfy multiple frameworks.

See All Supported Frameworks


FAQ (For Organizations New to Security and Compliance)

  • What Cybersecurity Standards and Frameworks Should My Organization Implement?

    There isn’t a single cybersecurity framework or standard that is inherently better than the rest. What you implement should be based on your understanding of your market, the wants and needs of your customers, the regulatory requirements your organization needs to demonstrate compliance to, and the risks your business needs to manage. Key factors include:

    1. Business goals and customer requirements: How do you want to grow as a business? What types of customers do you want to serve in the next one to three years? Your target customers will have specific IT compliance requirements for their vendors depending on their industry, region, and the regulatory environment they’re in. For instance, here are some specific standards, certifications, and frameworks to consider:

    • Want to do business in Europe? Consider ISO/IEC 27000 series. When an organization is ISO 27001 certified, it means that the organization’s information security management system (ISMS) conforms to the ISO 27001 standard. ISO 27001 is seen as a gold standard in information security by organizations around the world. You’ll also need to comply with Europe’s GDPR in order to earn the trust of your European customers.
    • Want to do business with healthcare providers or health insurers? You need to be HIPAA compliant and may need to sign a Business Associate Agreement to ensure that your organization will appropriately safeguard protected health information.
    • Want to service the federal government? You need to prepare for the Cybersecurity Maturity Model Certification (CMMC) if you’d like to bid for contracts from the Department of Defense. If you want to sell a SaaS product to federal agencies, you’ll need to achieve a FedRAMP authorization.
    • Is your company planning to go public in the next 2-3 years? If so, you’ll need to prepare to comply with the Sarbanes-Oxley Act (SOX).

    2. Security Needs and Risks

    Cyber attack methods evolve quickly, and they are becoming increasingly sophisticated. Widely cited industry estimates put the global cost of cybercrime at roughly $16.4 billion per day, with a ransomware attack occurring every eleven seconds.

    Chances are you have some security gaps at the moment. For instance, how would you score your organization’s capabilities in security assessment, access control, incident management and response, and configuration management? In addition to protecting your networks, systems, and data, your risk management plan should also cover your vendors. With industry surveys attributing over half of all data breaches to third-party vulnerabilities, you need a sound approach to vendor risk management.

    Given your current security state and the risk landscape you’re operating in, it may be time to bring more rigor and discipline into your security and compliance program. Frameworks such as the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and the ISO 27000 series provide comprehensive catalogs of controls and activities that measurably improve an organization’s security posture.

    3. Liability Protection (Safe Harbor) For Data Breach Claims

    Additionally, in recent years U.S. state lawmakers have provided new incentives for organizations to implement certain well-recognized cybersecurity frameworks. States including Connecticut, Ohio, and Utah have passed laws incentivizing organizations to adopt well-recognized cybersecurity standards and frameworks such as NIST CSF, ISO 27001, and PCI DSS. These laws offer companies safe harbor from punitive damages or an affirmative defense in case they experience a breach that leads to the loss of Personally Identifiable Information (PII). Under these laws, having a written cybersecurity program that aligns to one of these frameworks can serve as an affirmative defense against data breach claims brought under state law.

  • What is the first set of things an organization should do to build a security program that will be compliant with industry standards like PCI DSS, SOC 2, ISO 27001, etc.?

    • Conduct a risk assessment: Security programs must be customized to the needs and challenges each company faces and be comprehensive enough to address all of the key risks the company wants to manage. Before you put any policies, procedures or technical safeguards (e.g. security software, firewalls, etc.) in place to protect your business’ information, it is important to understand what assets you want to protect, what threats exist, and what vulnerabilities (weaknesses in your systems or processes) exist. Then, you’ll need to determine the likelihood that an incident will occur and assess the impact a threat would have. Finally, you’d prioritize the risks and determine which ones warrant immediate action, where you should invest your time and resources, and which risks you can address at a later time.
    • Implement controls: Controls are the policies, procedures, processes and technology your organization has chosen to put in place to address the risks specific to your organization. Fortunately, you don’t have to start from scratch; you can find many of the recommended security controls in guidelines put out by organizations like NIST (e.g. NIST Cybersecurity Framework, NIST SP 800-171), ISO (e.g. ISO 27001), and CIS (e.g. the CIS Critical Security Controls).
      It is important that you develop, implement and document your key company-wide processes. Auditors will want to see documentation of the following policies during an audit:
      • New employee onboarding policy
      • Company handbook (also known as Code of Ethics and Business Conduct)
      • Information security policies
      • Business continuity and disaster recovery policies
      • Privacy policy

      If your organization is building software, you will need to establish secure software development processes. Security controls (e.g., access controls, change management, logging and monitoring) should be built into your software development lifecycle. If you haven’t developed processes to govern how you develop software at your organization, there isn’t going to be enough content for an auditor to audit.

    • Determine what type of evidence you need to gather to demonstrate that your controls were operating effectively throughout a designated time period. In order to pass IT compliance audits like SOC 2, you’ll need to make sure your controls -- operating procedures -- are implemented in ways that generate valid evidence.

      Let’s take a look at SOC 2 Type 2 -- a common security assurance report many companies must achieve these days -- as an example. A System and Organization Controls (SOC) 2 report documents the results of an auditor’s examination of the accuracy of the service organization’s description of its system, the design effectiveness of its internal controls, and the operating effectiveness of those controls.
      From the perspective of a SOC 2 assessor, a control operated effectively if, throughout the entire audit period, the control was consistently performed in accordance with the underlying procedures. To test operating effectiveness, your SOC 2 auditor will examine evidence that your organization produces when executing the control. In simple terms, if the evidence doesn’t exist, the control doesn’t exist. In fact, the auditor in a SOC 2 exam must fulfill the evidentiary requirements documented in the AICPA attestation standard SSAE 18.

      You’ll also need to develop an organized system for storing that evidence -- so it can be easily retrieved when an auditor asks for something.

  • What’s the typical process companies go through to achieve a security certification/report?

    Once you’ve decided which security framework/standard you want to pursue, below are the key steps you’ll need to take:

    • 1. Secure executive buy-in and support: Company executives should agree on the value of implementing a particular cybersecurity/compliance framework, allocate budget and resources to this initiative, and communicate to all stakeholders the importance of this initiative.
    • 2. Assign roles and responsibilities: Someone in your company should be responsible for driving the compliance readiness process forward. A project leader needs sufficient understanding of your business and your technology stack, and to be able to figure out what controls the organization needs to create in order to meet the requirements of the program. Typically, someone with deep security, engineering, or product background should be the one to lead this process. If you don’t have someone internally to lead this process, you may consider outsourcing these duties to a virtual, fractional compliance officer (professional services firm with expertise in delivering compliance-as-a-service).
    • 3. Gap assessment: A gap assessment is a review/evaluation of the controls your organization already has -- including policies, procedures, and technologies involved in protecting information assets and networks. You will map the existing controls to the requirements of the framework you’re looking to be compliant with and identify the gaps and actions you’ll need to take in order to achieve full compliance. At this time, it is important to be crystal clear about the scope of your compliance effort and get on the same page with your audit firm about what that scope is.
    • 4. Controls implementation/remediation: You will need to take the actions necessary to address gaps you’ve uncovered during the gap assessment. This will likely involve creating new policies, implementing new processes and procedures, and getting people familiar with these policies and procedures.
    • 5. Readiness assessment: This is a service provided by a CPA firm. Once you feel like your organization has made all the progress you possibly can to get your environment to a compliant state, an auditor from the CPA firm will provide an independent look at your environment and identify any issues you need to address in order to pass your audit.
    • 6. Scheduled audit starts: The auditor will ask you to submit evidence of controls within your environment (which fall in the scope of the audit). They may gather information by interviewing appropriate personnel (management, supervisors, and staff); inspecting documents and records; observing logs of activities and operations that have been performed; and testing controls. Each control in your organization’s description must be tested by an auditor to validate that the description is accurate and that controls are suitably designed and operating effectively to achieve the related control objectives or criteria. Once the tests are completed, the auditor writes up their observations in a report. The report goes through the audit firm’s quality review process (governed by AICPA standards for SOC reports, and by the certification body’s accreditation requirements for ISO certifications) and is then shared with the auditee organization.
    • 7. Address audit findings: Once the report is shared with the auditee organization, appropriate personnel need to review the findings, especially any audit exceptions. Audit exceptions are deviations from the expected result from testing one or more control activities. These deviations go by many names: audit exceptions, test exceptions, control exceptions, deficiencies, findings, misstatements, and so on.

      There are typically three types of exceptions when it comes to SOC audits:
      • Misstatements: Misstatement is used to refer to an error or omission in the description of the organization’s system or services.
      • Deficiency in the design of a control: The term “design deficiency” is used when a control necessary to achieve the control objective or criteria is missing or an existing control is not properly designed, even if the control operates as designed, to achieve the control objective or criteria.
      • Deficiency in the operating effectiveness of a control: The term “operating deficiency” is used when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.

      It is important to spend some time with your auditors to understand the exceptions and confirm them internally. If there are control exceptions, ask them:

      • Does the exception constitute a control failure?
      • If there is a control failure, was it a design or operating deficiency?
      • Do any of the deficiencies impact the organization’s ability to meet their control objectives or criteria specified for the audit in their opinion?
      • Do they feel that the exceptions or deficiencies, individually or collectively, could result in a qualified opinion (which is a bad thing) on the audit?

      These questions help you understand the severity of the exceptions. If a control has an exception, knowing if it is a design or operating deficiency will help you understand what type and level of corrective action is needed.
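The two ideas above (evidence must exist for every part of the audit period, and an exception is either a design deficiency or an operating deficiency) can be made mechanical. The following is an added illustrative example, not code from Hyperproof or from the AICPA. It assumes a hypothetical control CC6-01 ("production access is reviewed quarterly and approved by the engineering manager"), a calendar-year 2023 audit period, and a constructed set of review records. It splits the period into the windows in which the control must run once, flags any window with no completed evidence or with evidence produced by someone without the required authority (both operating deficiencies), and separately flags a control whose design cannot meet the criterion even when it operates exactly as designed (a design deficiency).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    control_id: str
    frequency_months: int   # how often management says the control is performed
    approver_role: str      # the role with authority to perform it


@dataclass(frozen=True)
class ReviewRecord:
    performed_on: date
    approver_role: str
    completed: bool


# Hypothetical control and constructed evidence, not real audit data.
# CC6-01: "Production access is reviewed quarterly and approved by the
# engineering manager"; the audit period is calendar year 2023.
AUDIT_START = date(2023, 1, 1)
AUDIT_END = date(2023, 12, 31)
QUARTERLY_CONTROL = Control("CC6-01", 3, "engineering manager")
SEMIANNUAL_CONTROL = Control("CC6-01", 6, "engineering manager")  # same control, weaker design
SAMPLE_RECORDS = [
    ReviewRecord(date(2023, 2, 10), "engineering manager", True),  # Q1: fine
    ReviewRecord(date(2023, 5, 3), "engineering manager", True),   # Q2: fine
    ReviewRecord(date(2023, 8, 21), "intern", True),               # Q3: wrong role
    # Q4: no record at all
]


def add_months(d: date, n: int) -> date:
    """First day of the month n months after d's month."""
    m = d.month - 1 + n
    return date(d.year + m // 12, m % 12 + 1, 1)


def windows(start: date, end: date, months: int) -> list[tuple[date, date]]:
    """Split the audit period into the intervals in which the control must run once."""
    out, cur = [], start
    while cur <= end:
        nxt = add_months(cur, months)
        out.append((cur, min(nxt - timedelta(days=1), end)))
        cur = nxt
    return out


def evaluate_control(control: Control | None, records: list[ReviewRecord],
                     start: date, end: date, required_max_months: int = 3) -> list[dict]:
    """Return the exceptions an auditor would raise, each tagged design or operating.

    Design deficiency: no control addresses the criterion, or the control as
    designed cannot meet it (here: it runs less often than required), even if
    it operates exactly as designed. Operating deficiency: the control is
    designed suitably but evidence is missing for a window, or the person who
    performed it lacked the required authority.
    """
    if control is None:
        return [{"type": "design", "detail": "no control addresses the criterion"}]
    exceptions = []
    if control.frequency_months > required_max_months:
        exceptions.append({
            "type": "design",
            "detail": f"{control.control_id} runs every {control.frequency_months} months; "
                      f"the criterion requires at least every {required_max_months}",
        })
    for w_start, w_end in windows(start, end, control.frequency_months):
        label = f"{w_start}..{w_end}"
        done = [r for r in records if r.completed and w_start <= r.performed_on <= w_end]
        if not done:
            exceptions.append({"type": "operating", "window": label,
                               "detail": "no evidence the control was performed"})
        elif not any(r.approver_role == control.approver_role for r in done):
            exceptions.append({"type": "operating", "window": label,
                               "detail": "performed by someone without the required authority"})
    return exceptions


if __name__ == "__main__":
    for e in evaluate_control(QUARTERLY_CONTROL, SAMPLE_RECORDS, AUDIT_START, AUDIT_END):
        print(e)
```

Run against the quarterly control, the sample evidence yields two operating exceptions: Q3 was performed by someone without the required authority, and Q4 has no evidence at all, so from the assessor's point of view the control did not operate in that quarter. Swapping in the semi-annual variant produces a design exception first (the control, even when performed perfectly, cannot satisfy a quarterly criterion) followed by an operating exception for the second half of the year. Knowing which type you are dealing with tells you whether the fix is redesigning the control or simply performing it as written.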

  • SOC 2 vs. ISO 27001: What are the similarities and differences?

    • Similarities: These two security governance frameworks share many commonalities. Both are voluntary and designed to prove a business’s trustworthiness to handle customer data while protecting the confidentiality, integrity, and availability of sensitive information. Both are widely respected, and customers view either as credible proof of your company’s ability to protect data. In short, having either a SOC 2 Type 2 report or an ISO 27001 certificate in hand will enhance your brand’s reputation and help you win new business.
      ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS): the policies, processes, and controls by which an organization manages the security of assets such as financial information, intellectual property, employee and customer details, and information entrusted to it by third parties. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). An ISO 27001 certification indicates a significant time and resource investment in security and provides a robust foundation for any organization’s security compliance program.

      SOC (short for System and Organization Controls) is a set of standards created by the AICPA for examining and reporting on an organization’s controls. SOC for Service Organizations: Trust Services Criteria reports -- also known as SOC 2 reports -- are intended to meet the needs of a broad range of users who need detailed information and assurance about a service organization’s controls relevant to the security, availability, and processing integrity of the systems it uses to process users’ data, and the confidentiality and privacy of the information those systems process. These reports can play an important role in oversight of the organization, vendor management programs, internal corporate governance, risk management processes, and regulatory oversight.
      There are two types of SOC 2 reports: type 1 and type 2.

      • A SOC 2 Type 1 examination provides a point-in-time assessment of the data protection controls present in an organization. The design of the controls is assessed, and implementation is confirmed, but consistent performance over time is not evaluated in a Type 1 report. If an organization is new to SOC 2, getting a SOC 2 Type 1 report is often the first step.
      • A SOC 2 Type 2 examination covers the operating effectiveness of controls over a specific time, such as a six-to-12-month period. A SOC 2 Type 2 report is a higher bar than a Type 1 because in addition to evaluating the design and implementation of control processes, it also assesses whether the controls were consistently performed throughout the specified period. This provides a greater level of confidence in the effectiveness of control processes for customers and business partners.

      Differences between SOC 2 and ISO 27001

      The most significant difference between the frameworks comes down to attestation vs. certification. A SOC 2 engagement is an attestation: a CPA firm examines your controls and issues a report containing its opinion. ISO 27001 is a certification: an accredited certification body audits your ISMS as a whole and, if it conforms, issues a certificate. Both exist to verify that proper security controls are present and functioning, but ISO 27001 goes a step further -- assessors also want to see a management system that keeps those controls effective over time.

      A SOC 2 report comes in two types. A Type 1 report covers management’s description of the system and the suitability of the controls’ design at a point in time. A Type 2 report additionally covers the operating effectiveness of those controls over a period, typically 6 or 12 months. In either case, if the description is fairly presented and the controls meet the applicable Trust Services Criteria, a licensed CPA firm, working under the attestation standards of the American Institute of Certified Public Accountants (AICPA), issues a report containing its opinion to the business.

      An ISO 27001 certification audit is conducted by an accredited certification body (sometimes called a registrar), which audits the ISMS against the requirements of the ISO 27001 standard. If the ISMS is found to conform during the audit, the certification body issues a certificate to the organization.

  • How can I find reputable CPA and IT risk advisory firms who can help me stand up IT compliance programs and/or verify my secure posture?

    There are many reputable CPA firms that have expertise in information risk management and IT audits. Hyperproof has partnered with some of the top CPA and Managed Security Services Providers (MSSPs) in the U.S., including The Bonadio Group, Schellman, Grant Thornton and others. You can browse through our partner directory here. Hyperproof has also worked closely with a few of our partner CPA firms to develop bundled packages that include advisory services, a readiness assessment, the audit, and usage of Hyperproof’s software. Here are the details for our SOC 2 Start to Certification offering.

  • How is Hyperproof different from other compliance software companies?

    Hyperproof is preferred by many fast-growing companies because:

    • It is easy to implement, operate, and scale
    • It fits seamlessly within organizations’ existing ecosystem
    • Minimal user training is involved
    • It automates manual work

    Further, we’re here to support your compliance journey. Once you sign up as a customer, you’ll get a dedicated customer success team. Our customer success team seeks to understand your goals and develops plans tailored to your needs. Your subscription includes guided product training, ongoing support, and consulting hours from security and compliance subject matter experts.

Ready to Optimize Your Risk & Compliance Management Workflows?

G2 Crowd badges: Easiest to Use, High Performer, Leader, Most Implementable, Fastest Implementation

We got through product training in two hours. The moment our instance was set up, we started using the platform to prepare for our upcoming SOC 2 and SSPA audits.


Carl Lombardi
VP of Operations
