Compliance Questions, Answered
Straight, honest answers to the questions buyers actually ask about compliance documentation — what each framework requires, what it costs, how long it takes, and the one rule that never changes: a template gives you the documents an auditor expects, but it does not make your organization certified or compliant.
Do compliance policy templates make you certified?
No. Templates give you the documented policies and procedures an auditor expects, but certification is separate: ISO 27001 is issued by an accredited certification body after a Stage 1 and Stage 2 audit, and SOC 2 is a licensed CPA firm's attestation. Templates remove the drafting work; you still operate the controls.
Related: ISO 27001 guide · SOC 2 guide
What's the cheapest way to get SOC 2 ready?
The cheapest path for the documentation layer is an editable SOC 2 policy template set (around $59–$99 one-time) instead of a consultant ($1,250+) or a compliance platform ($7,000+/yr). The templates map to the AICPA Trust Services Criteria; you then operate the controls and engage a licensed CPA firm for the actual attestation.
Related: SOC 2 Policy Pack — Core · SOC 2 Complete Toolkit
What documents does an ISO 27001 auditor ask for first?
Auditors typically start with the Information Security Policy, the scope of the ISMS, the risk assessment and risk treatment plan, and the Statement of Applicability covering all 93 Annex A controls of ISO/IEC 27001:2022. A complete documentation set is about 24 policies and procedures plus those registers.
Related: ISO 27001 Complete Toolkit · ISO 27001 guide
How many policies do I need for ISO 27001?
A complete ISO/IEC 27001:2022 set is about 24 policies and procedures, plus a risk register and the 93-control Statement of Applicability. A lean "core" starter set is around 16 policies. The exact number depends on your ISMS scope and which Annex A controls you apply.
Related: Documents per framework · ISO 27001 Policy Pack — Core
Is buying compliance templates better than hiring a consultant?
For the documentation layer, templates are far cheaper ($49–$149 vs $1,250–$2,750+) and instant. A consultant adds tailored judgment and hands-on program work. Many small teams use templates for the document set and bring in expert review only where it adds value, rather than paying to draft policies from scratch.
Related: Compliance template pricing index
What is a Statement of Applicability?
The Statement of Applicability (SoA) is the ISO 27001 document that lists all 93 Annex A controls and records, for each, whether it applies, how it's implemented, and the justification for any exclusion. It's one of the first artifacts an auditor reviews and is required for certification.
Related: Statement of Applicability explained · ISO 27001 Complete Toolkit
Do I need SOC 2 or ISO 27001?
US enterprise buyers sending vendor security questionnaires usually ask for SOC 2; international and EU/UK deals more often expect ISO 27001 certification. SaaS companies selling globally frequently end up needing both — which is why a single security program mapped to both frameworks is common.
Related: SOC 2 guide · ISO 27001 guide · ISO 27001 + SOC 2 Dual Toolkit
What is a WISP and who needs one?
A WISP (Written Information Security Plan) is the security program the FTC Safeguards Rule (16 CFR Part 314) requires every tax preparer, CPA and accounting firm to maintain. Because the rule implements the Gramm-Leach-Bliley Act, it applies to firms of every size, including solo Enrolled Agents. IRS Pub 4557 and PTIN renewal reinforce it.
Related: WISP Toolkit for Tax Professionals · WISP / FTC Safeguards guide
Does a HIPAA toolkit make my practice HIPAA compliant?
No. HIPAA has no official certification — compliance is self-attested and enforced by the HHS Office for Civil Rights. A toolkit gives you the required Security and Privacy Rule policies plus a Security Risk Assessment workbook, but you must actually run the risk analysis and operate the safeguards day to day.
Related: HIPAA Compliance Toolkit · HIPAA guide
How much does a compliance policy toolkit cost?
Editable toolkits run $49–$149 as a one-time purchase, depending on framework and document count — for example $49 for a 10-document AI Governance pack, $99 for a 24-document ISO 27001 complete set. That compares to $897–$2,397 for enterprise toolkit platforms and $1,250+ for consultants.
Related: Compliance template pricing index · AI Governance Policy Pack
Can I edit the policy templates?
Yes — every file is an editable Microsoft Word (.docx) or Excel (.xlsx) document, not a locked PDF. You replace the bracketed placeholders with your real details, adapt the wording to how you actually operate, and brand it as your own. Editing is expected: a policy must describe your real practice.
Related: Browse the policy template library
What's the difference between SOC 2 Type I and Type II?
A SOC 2 Type I report assesses whether your controls are suitably designed at a single point in time; a Type II report tests whether those controls operated effectively over a period (commonly 3–12 months). Type II carries more weight with enterprise buyers because it shows sustained operation, not just design.
Related: SOC 2 Type I vs Type II · SOC 2 guide
What is the EU AI Act and who does it affect?
The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive AI law. It classifies AI systems into four risk tiers — unacceptable/prohibited, high-risk, limited (transparency), and minimal — and applies to organizations placing AI on, or using it within, the EU market. High-risk systems require a formal conformity assessment.
Related: AI Governance Policy Pack · AI governance guide
Is ISO 42001 the same as EU AI Act compliance?
No. ISO/IEC 42001:2023 is a voluntary, certifiable AI management-system standard; the EU AI Act is binding law. An ISO 42001 certificate does not equal Act compliance — high-risk systems still need a separate conformity assessment. Many organizations use ISO 42001 as the operating backbone for meeting the Act's obligations.
Related: ISO 42001 AI Management System Toolkit · ISO 42001 guide
What documents do I need for GDPR?
A working GDPR set includes privacy notices, a Records of Processing Activities (Article 30), a Data Subject Access Request procedure, a DPIA procedure, breach-response procedures, and a processor/DPA checklist — about 14 documents. There's no GDPR certificate; compliance rests on the accountability principle, meaning you must be able to show these records on request.
Related: GDPR Compliance Pack · GDPR guide
How long does it take to get audit-ready with templates?
Tailoring each template takes most teams 15–60 minutes via Find & Replace, so a full ISO 27001 set (~24 documents) is realistically one to three focused days of editing. That's the documentation layer only — total audit readiness also depends on operating the controls and gathering evidence.
Related: How long compliance documentation takes
What is NIST CSF 2.0?
NIST Cybersecurity Framework 2.0, published February 26, 2024, is a voluntary, risk-based framework organized into six Functions — Govern, Identify, Protect, Detect, Respond, Recover — that break into 22 Categories and 106 Subcategories. It's not a certification; you assess your current state against a target profile and close the gaps.
Related: NIST CSF 2.0 Complete Toolkit · NIST CSF guide
Are AI-written compliance templates trustworthy?
They can be, if drafted under a structured editorial framework and then reviewed against the current standard — control numbering, regulatory deadlines, cross-document consistency — before publication. The test isn't who drafted them but whether they map accurately to the framework and whether you tailor them to your real operations.
Related: See free previews of real content · Read our FAQ
What's in an AI Governance policy pack?
A typical AI governance pack is about 10 policies — including an employee/acceptable AI-use policy, an AI risk register, AI vendor assessment, transparency and human-oversight standards — aligned to the EU AI Act and the NIST AI Risk Management Framework. It's how small teams govern workplace and product AI before regulators or clients ask.
Related: AI Governance Policy Pack · AI governance guide
Can one set of policies cover two frameworks?
Often yes. ISO 27001 and SOC 2 share many controls, so one well-written policy (access control, incident response, change management) can support both programs with a control crosswalk. Running a single security program mapped to both frameworks is usually cheaper than documenting each separately.
Related: ISO 27001 + SOC 2 Dual Toolkit
What is a Security Risk Assessment under HIPAA?
The HIPAA Security Rule requires covered entities and business associates to conduct an accurate, thorough risk analysis of risks to electronic protected health information (ePHI). It's a foundational requirement — many enforcement actions cite a missing or inadequate risk analysis — and is usually documented in a structured workbook, not a policy alone.
Related: HIPAA Security Risk Assessment explained · HIPAA Compliance Toolkit
Do startups need compliance documentation to close enterprise deals?
Frequently, yes. Enterprise buyers send vendor security questionnaires and increasingly ask for SOC 2 (or ISO 27001) and, more recently, AI-use policies as well. Having the policy set documented lets a startup answer those questionnaires credibly instead of stalling the deal — which is why "trust pack" bundles pairing SOC 2 with AI governance exist.
Related: Startup Trust Pack · SOC 2 Policy Pack — Core
What's the difference between HIPAA and GDPR?
HIPAA is a US sectoral law protecting health information held by healthcare providers, plans, clearinghouses and their business associates. GDPR is an EU regulation protecting all personal data of people in the EU/EEA, regardless of industry. Neither is a certification; a US health-tech company with EU patients can owe both.
Related: HIPAA guide · GDPR guide
Will templates pass an audit on their own?
No document passes an audit just by existing. An auditor checks whether your controls actually operate and whether your policies match what you really do. Templates give you a strong, framework-aligned starting point and the structure auditors expect — but you operate the program and produce the evidence.
Related: What auditors look for first · ISO 27001 guide
Where can I see compliance templates before buying?
Look for vendors offering free, full-section previews of the real document content rather than locked samples — it's the clearest way to judge quality before purchase. ComplianceDocs publishes free previews of real content for each toolkit, alongside an honest pricing comparison and a single-organization license.
Related: Browse the policy template library · Compliance template pricing index
Related guides: ISO/IEC 27001 · SOC 2 · HIPAA · AI Governance (EU AI Act & NIST AI RMF)
Toolkits that help
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
SOC 2 Complete Toolkit
22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.
HIPAA Compliance Toolkit — Medical Practices
18 editable HIPAA policies plus the Security Risk Assessment workbook and audit evidence checklist, written for small medical practices and clinics.
AI Governance Policy Pack
10 editable AI policies — including an employee AI use policy and an AI risk register — aligned to the EU AI Act and NIST AI RMF. Govern workplace AI before regulators and clients ask.
