A Founder’s Guide to Deciphering the Right Compliance Framework for Your Startup

January 21, 2020

By Team Laika

It doesn’t seem like compliance frameworks are meant to be understood by busy founders or even mere mortals. For example, take a look at the excerpt from an AICPA guide on SOC 2 pictured in the image captioned below. Not exactly bedtime reading.

The SOC 2 compliance framework manual isn't light reading.

Yet, you need to understand the compliance frameworks to select the right one for your customers and business. Choose right and you stand to close bigger deals and move upmarket. Make the wrong call and you risk holding up your compliance investment and overall company growth. The stakes are high.

The burden is on founders to understand the use cases and benefits of each compliance type to make an informed decision. Here’s how you can cut through the vague and verbose legal speak to do just that.

What Is a Compliance Framework?

A compliance framework provides a set of guidelines that companies can adhere to when building their IT security controls.

If a company decides to pursue an audit, the auditor or regulator will test the company’s processes and operations for security, stability, longevity, and compliance with laws and regulations based on the chosen framework.

Each Compliance Framework Is Different

Compliance frameworks focus on different considerations. PCI, for example, governs the handling of payment card data. HIPAA deals with the privacy of protected health information. COSO, the framework used for SOC 2 reports, looks at how well a company’s internal controls meet a broad range of standards.

Some compliance frameworks define their standards more explicitly than others. PCI, for example, is regarded as a compliance framework with a stricter set of rules. HIPAA and CCPA are federal and state laws, respectively, while GDPR is a European Union law. SOC 2 and other frameworks, on the other hand, are more industry best practices than hard-and-fast rules, though they still indicate that a company takes security and privacy seriously.

Choosing the Right Compliance Framework Matters

Deciding which frameworks will best benefit your startup is one of the first decisions you’ll make as you start to invest in compliance. This decision is important, as it determines the amount of time, money, and resources you’ll spend.

The more compliance frameworks you use within your startup, the longer and more expensive the process. (Though there are ways to make multiple audits more efficient, which we talk about in a later section!)

What You Should Know About the Common Compliance Frameworks

There are five compliance frameworks founders should familiarize themselves with as they start moving toward compliance. These frameworks are the “bread and butter” of compliance for startups and cover the most common needs.

SOC 2 (COSO)

Chances are you will need a SOC 2 audit at some point in your startup’s life, especially if your business does anything with data and software (which one doesn’t?).

Companies can use the AICPA-approved logo to show enterprise buyers and the world that they’ve received a clean SOC 1, 2, or 3 report within the last year.

What does it test?
SOC 2 uses the COSO framework to test your internal controls against five Trust Services criteria: security, availability, confidentiality, privacy, and processing integrity.

Who needs it?
In many cases, enterprise buyers require their vendors to get SOC 2 compliance. This makes a SOC 2 audit particularly important for growth-focused B2B startups that are starting to attract enterprise customers in order to move upmarket.

Today, more startups than ever choose to pursue SOC 2 in order to satisfy enterprise customers’ needs. In fact, Deloitte saw a 25% increase in SOC 2 engagements between 2017 and 2018 alone.

Who manages it?
The American Institute of Certified Public Accountants (AICPA).

ISO 27001

This is another security-focused standard that enterprise buyers often require. It’s internationally recognized, making it more important for startups that cater to customers outside of the U.S.

What does it test?
ISO 27001 tests how well you create, implement, maintain, and continue to improve on an information security management system that’s appropriate for your company. It also sets standards for assessing and addressing information security risks.

Who needs it?
Startups looking to grow by working with enterprise customers, particularly those overseas.

Who manages it?
The International Organization for Standardization (ISO).

SOC 1

Does your startup impact your customers’ financial statements? Your customers will likely require you to invest in SOC 1.

What does it test?
SOC 1 homes in on internal controls that impact customer financial reporting. While SOC 2 evaluates security based on five Trust Services criteria, SOC 1 tests your controls based on objectives you and your auditor agree to. These objectives depend on what your customers need for their own financial reporting.

Who needs it?
Typically, any public company or large non-public company will require their service providers to get SOC 1 if they impact their financial reporting, even indirectly.

For example, say your SaaS startup provides billing services to large companies. Chances are your customers will require you to become SOC 1 compliant as your billing impacts their payables, and their payables impact their financial statements.

Who manages it?
Like SOC 2, SOC 1 is published by the AICPA.

PCI DSS

If your startup deals with customer credit, debit, prepaid, or other payment cards in any way, you’ll likely want to add PCI DSS to your arsenal of compliance. Thankfully, many payment and security vendors (e.g., Stripe, Very Good Security, etc.) can help startups meet strict PCI standards.

What does it test?
The PCI framework tests controls for companies that host cardholder data, receive card payments, or save cardholder information.

Who needs it?
PCI is for companies that handle payment cards like credit cards. It’s often used by startups in the financial technology community that process payments or store/handle credit card information.

Who manages it?
The PCI Security Standards Council.

HIPAA

Unlike the above frameworks, compliance with HIPAA is not a choice. HIPAA is a federal law, and if your startup handles protected health information (PHI) in any way, it must abide by HIPAA’s regulatory rules.

Fail to comply with HIPAA, and you could face criminal charges.

What does it regulate?
HIPAA is a federal law that defines how companies keep PHI private and secure. It defines how your company is allowed to manage and disclose PHI internally and externally. It also sets strict policies and controls for managing data security, risk assessments, and responding to incidents like data breaches.

Who needs it?
Expect to meet HIPAA regulations if your startup deals with patient data or information about consumers in the healthcare space.

Who enforces it?
The Office for Civil Rights within the U.S. Department of Health and Human Services.

How to Choose the Right Compliance Framework(s) for Your Startup

To reap the best benefit from your investment, it’s important to find the right mix of compliance frameworks that fits your startup’s needs.

Select Your Compliance Type(s) Based on the Services You Provide

Designing a compliance program is all about understanding which frameworks fit your business based on your startup’s size, industry, business model, data, and customer needs. When it comes to choosing which audits to pursue, simplify your decision by focusing on the services you provide to your customers.

Information security and privacy for data stored on the cloud are must-haves for all startups, so you’ll likely want SOC 2, at least. Other than that, startups need to focus on the regulations within their specific industries.

For example, let’s say your startup not only manages your customers’ data in the cloud, but you also process their credit cards for purchases. That means you’d need SOC 2 and PCI. And yes, healthcare startups need HIPAA, but not only healthcare startups — if you sell insurance, for example, you need to be HIPAA compliant, too. Do you want to do business in Europe or even hire a European citizen? Then you’ll want to consider GDPR.

The more customer services your startup provides, the more likely you’ll need to target multiple compliance frameworks. Salesforce, for example, complies with SOC 2, HIPAA, GDPR, ISO 27001, PCI DSS, and more.

Decide How to Handle Multiple Frameworks

What happens if you want to target more than one compliance framework? Your decision to tackle them one at a time or all at once depends on if you know what you’re doing and whether you have the right tools.

Pursuing multiple frameworks at the same time can overwhelm founders, especially without expert guidance. Compliance frameworks are nuanced, difficult to navigate, and expensive to audit. However, common compliance frameworks often overlap each other, so you can save time and money by knocking them out at the same time.

For example, SOC 2 and ISO test similar controls like:

  • Securing your physical space
  • Assigning appropriate information access to each employee
  • Basic employee security training
  • Human resources functions (onboarding, employee termination, etc.)

Your SOC 2 auditor can use the same control sample for PCI compliance as well, as long as you schedule your testing periods around the same time. This not only eliminates extra work for the auditor, but it also minimizes the disturbance to your own team.

If you can only invest in one framework at a time, you’ll want to pick based on what your customers need and request most.

Keep in mind that the work you do to become compliant for one framework can help you progress in another, regardless of whether you tackle all of your frameworks at once or one at a time.

Laika benchmarks your implementation, so your efforts toward one framework can be reused for another. You can track your progress toward each framework in your Knowledge Base and access all of your policies and documentation based on how they help you achieve each compliance requirement.

Understand Stage-Appropriate Compliance

While the compliance standards are the same for all businesses, the implementation of those rules varies drastically from small to large companies. So, don’t be alarmed when you dive in and realize that the legal language is far more generic than helpful.

For example, a common compliance standard is making sure your physical space is secure. A small lock on an office door and a doorman who handles building security would be sufficient for a six-person startup. An AWS data center, on the other hand, would need much more.

We often get questions from founders asking us for guidance on what’s enough for their startup. Unfortunately, the answer is often, “It depends.” One way founders can start thinking about translating compliance frameworks to meet their startups’ needs is to consider what makes the most sense based on their current stage.

As Forbes illustrated earlier this year, your infrastructure security needs will change as your startup matures. Stage-appropriate compliance might look like database backups and basic encryption when you’re pre-seed. If you’re on your way to Series A funding and have hired a dozen engineers, you may want to replace your team’s shared accounts with individual accounts with strict permissions and start regular infrastructure penetration tests. And you’ll likely want to invest in a security information and event management tool post-Series A.

Seek Professional Guidance

The complexity of compliance makes it all the more important to look for help in understanding what’s actually important in each framework and what’s not. It’s also critical to understand what makes sense to implement and how to fulfill the requirements appropriate for your stage.

Unfortunately, there aren’t many resources online for startups seeking compliance. Yet, as more tech startups demonstrate a need and interest in compliance, companies like Laika are bringing the focus to startups.

To save yourself the struggle of becoming an expert in compliance frameworks, consider relying on Laika.

Our expert concierge team works closely with you to understand your existing policies and procedures and create a personalized, stage-appropriate compliance plan built for your specific needs and goals. We help you translate vague framework requirements into startup-specific tasks and provide a detailed list of step-by-step instructions and timelines to guide you through the process.

You can also reach out to a certified public accounting (CPA) firm specializing in information security. A CPA will conduct your compliance audits and issue your reports; however, selecting the right one can be challenging. CPA firms handle a variety of tasks (bookkeeping, taxes, etc.), so it’s important to find one that’s experienced in infosec audits.

Find a Guide You Can Trust and Stick with Them

Compliance is complicated enough without changing your guide halfway through the process. Regardless of the type of compliance you choose, it’s important to find an expert team or vendor you trust and stick with them throughout the process.

Because of the complexity of compliance frameworks and how they apply to your unique startup, there’s a bulk of knowledge that vendors need to know about your company and its situation at the beginning. That need for company-specific knowledge continues to grow as you step through this process, and your startup continues to grow.

Stepping through the knowledge-sharing stage again can cause you to lose your momentum and increase your time and cost investment. Save yourself the time, energy, and frustration of cycling through vendors by choosing the right compliance guide at the beginning and sticking with them.