Compliance framework guides
Straight-talking guides to the frameworks that matter — what each one is, who it applies to, realistic costs and timelines, and the fastest route to audit-ready documentation.
ISO/IEC 27001
ISO/IEC 27001 is the leading international standard for an Information Security Management System (ISMS). The current edition, ISO/IEC 27001:2022, sets management-system requirements in clauses 4-10 and lists 93 information security controls in Annex A. Certification is earned only when an accredited certification body audits a working ISMS and issues a certificate; buying documentation does not by itself make you certified, but it builds the policies and records auditors expect to see.
SOC 2
SOC 2 is an independent examination performed by a licensed CPA firm that reports on how well a service organization protects customer data. It results in an attestation report, not a certificate, and there is no fixed list of required controls — each organization defines its own controls against the AICPA's Trust Services Criteria in scope.
HIPAA
HIPAA is the U.S. law requiring covered entities and their business associates to safeguard protected health information (PHI). There is no official "HIPAA certification" — the HHS Office for Civil Rights (OCR) enforces it, and compliance is self-attested. Policy templates and a Security Risk Assessment workbook build the required documentation fast, but you still operate the safeguards and run your own risk analysis.
NIST CSF 2.0
The NIST Cybersecurity Framework (CSF) 2.0, published by NIST on February 26, 2024, is a voluntary, risk-based framework for managing cybersecurity risk, organized into 6 Functions — Govern, Identify, Protect, Detect, Respond, and Recover — that break down into 22 Categories and 106 Subcategories (the specific outcomes you work toward). It is not a law or a certification: there is no official "NIST CSF certified" status, and adopting it means assessing your current state against a target profile and closing the gaps. Editable policy templates accelerate the documentation that adoption requires, but you still have to operate the controls.
GDPR
The GDPR (General Data Protection Regulation, EU Regulation 2016/679, applicable since 25 May 2018) governs how organizations handle the personal data of people in the EU. There is no "GDPR certificate" — compliance rests on the accountability principle (Art. 5(2)), meaning you must be able to show your records, policies, and decisions on request. You get there by documenting your processing (privacy notices, a Record of Processing Activities, a DSAR procedure, breach response, and more) and then operating those controls in practice.
AI Governance (EU AI Act & NIST AI RMF)
AI governance is the set of policies, roles, and controls an organization uses to deploy and use AI responsibly and to meet emerging AI regulation. The two reference points most teams build to are the EU AI Act (Regulation (EU) 2024/1689) — the first comprehensive AI law, which classifies systems into four risk tiers: unacceptable/prohibited, high-risk, limited (transparency), and minimal — and the NIST AI Risk Management Framework (AI RMF 1.0), a voluntary US framework organized around four functions: Govern, Map, Measure, and Manage. Buying documents does not by itself make you "compliant": compliance comes from operating the controls, and EU AI Act conformity for high-risk systems requires a formal assessment — well-structured templates simply accelerate the documentation, which is the longest part.
ISO 42001
ISO/IEC 42001:2023 is the world's first international standard for an Artificial Intelligence Management System (AIMS) — a certifiable framework for governing how an organization builds, deploys, and oversees AI responsibly. It combines management-system requirements in Clauses 4-10 with 38 reference controls in Annex A, and an accredited certification body can certify your AIMS after a two-stage audit.
WISP
A WISP (Written Information Security Plan) is the documented information-security program the FTC Safeguards Rule (16 CFR Part 314) requires every tax preparer, CPA, and accounting firm to develop, implement, and maintain. The Rule implements the Gramm-Leach-Bliley Act (GLBA), which treats firms that prepare tax returns as "financial institutions," so the requirement applies to firms of every size, including solo Enrolled Agents. The IRS reinforces it in Publication 4557 and on Form W-12 (PTIN renewal), but the underlying legal obligation comes from the FTC, not the IRS.
