This chapter covers three major compliance frameworks — ISO 27001, NIST (specifically NIST SP 800-53), and SOC 2 — that are essential for understanding how organizations demonstrate security and compliance. For the SC-900 exam, these frameworks appear in questions about compliance management, shared responsibility, and third-party assurance. Approximately 10-15% of exam questions touch on compliance frameworks, controls, and assessments. Understanding the differences between these frameworks and how they relate to Microsoft's compliance offerings is critical.
Think of compliance frameworks as building codes for a skyscraper. ISO 27001 is like the International Building Code (IBC) — a comprehensive set of standards for structural integrity, fire safety, and accessibility. An organization hires an independent inspector (certification body) who reviews the building's design and construction plans (policies and procedures), then visits the site to verify that the building actually meets the code. If it does, the building receives an IBC certificate (ISO 27001 certification). NIST SP 800-53 is like the city's specific fire safety code — a detailed catalog of controls (e.g., sprinkler system specs, exit sign placement) that you must implement. The city fire marshal (auditor) checks each control against the catalog. SOC 2 is like a tenant improvement report for a specific office floor — it attests that the floor's security, availability, and confidentiality controls are designed and operating effectively, based on a pre-agreed set of criteria (like the Trust Services Criteria). The tenant (customer) wants this report to know if the space is safe for their sensitive data. Each framework has a different scope and audience, but all rely on independent assessment and continuous monitoring.
What Are Compliance Frameworks?
Compliance frameworks are structured sets of guidelines, controls, and best practices that help organizations manage security, privacy, and operational risks. They provide a common language for auditors, regulators, and business partners to assess an organization's security posture. The SC-900 exam expects you to know the purpose, scope, and key characteristics of ISO 27001, NIST SP 800-53, and SOC 2, as well as how they map to Microsoft's compliance offerings like the Microsoft Purview Compliance Manager.
Why They Exist
Organizations face pressure from customers, partners, and regulators to prove they protect data. Without a framework, security is ad hoc and unverifiable. Frameworks provide:
- Standardization: A common set of controls that can be audited consistently.
- Benchmarking: A way to compare security maturity across organizations.
- Assurance: Independent verification that controls are in place and effective.
- Legal/Regulatory Compliance: Many regulations (e.g., GDPR, HIPAA) require or reference these frameworks.
ISO 27001
ISO 27001 is an international standard for Information Security Management Systems (ISMS). It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The full name is ISO/IEC 27001:2022 (latest version).
Key Characteristics:
- Prescriptive but flexible: Specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. It does not mandate specific controls but requires organizations to select controls from Annex A (now 93 controls in the 2022 version) based on a risk assessment.
- Certification: An organization can be certified by an accredited certification body after a formal audit. Certification lasts 3 years with annual surveillance audits.
- Scope: The ISMS scope defines which parts of the organization (departments, locations, systems) are covered.
- PDCA Cycle: Plan-Do-Check-Act model for continuous improvement.
How It Works:
1. Define the ISMS policy and scope.
2. Conduct a risk assessment to identify threats, vulnerabilities, and impacts.
3. Select controls from Annex A to mitigate risks to an acceptable level.
4. Implement controls and create a Statement of Applicability (SoA) listing which controls are selected and why.
5. Perform internal audits and management review.
6. Undergo an external certification audit by an accredited body.
Exam Relevance: The exam may ask about the purpose of the SoA, the PDCA cycle, or that certification is valid for 3 years.
NIST SP 800-53
NIST Special Publication 800-53 (Revision 5) is a catalog of security and privacy controls for federal information systems and organizations. Developed by the National Institute of Standards and Technology (NIST), it is mandatory for U.S. federal agencies under FISMA and is also widely adopted in the private sector.
Key Characteristics:
- Control Catalog: Contains over 1,000 controls organized into 20 families (e.g., AC – Access Control, AU – Audit and Accountability, SC – System and Communications Protection).
- Baselines: NIST provides low, moderate, and high impact baselines based on the system's security categorization (FIPS 199).
- Tailoring: Organizations can tailor controls by adding parameters, scoping, or compensating controls.
- Not Certifiable: Unlike ISO 27001, there is no formal certification for NIST SP 800-53 compliance. However, agencies must attest compliance via annual assessments (e.g., FedRAMP for cloud services).
- Integration with the Risk Management Framework (RMF): NIST SP 800-37 describes the RMF process (6 steps: Categorize, Select, Implement, Assess, Authorize, Monitor).
How It Works:
1. Categorize the system based on impact (low, moderate, high) using FIPS 199.
2. Select baseline controls from SP 800-53.
3. Implement controls.
4. Assess control effectiveness.
5. Authorize system operation.
6. Monitor controls continuously.
Exam Relevance: Know that NIST SP 800-53 is a control catalog, not a certification. Understand the concept of baselines and that FedRAMP uses NIST controls for cloud services.
SOC 2
SOC 2 (Service Organization Control 2) is a reporting framework developed by the American Institute of CPAs (AICPA). It is specifically for service organizations that store or process customer data. SOC 2 reports provide assurance about controls related to the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Key Characteristics:
- Trust Services Criteria (TSC): The five criteria are the basis for the audit. Most SOC 2 reports focus on Security (common criteria) plus one or more of the others.
- Two Types of Reports:
  - Type I: Reports on the design of controls at a point in time.
  - Type II: Reports on the operating effectiveness of controls over a period (typically 6-12 months).
- Auditor: A certified public accountant (CPA) or accounting firm performs the audit.
- No Certification: SOC 2 is not a certification; the auditor issues a report (opinion) on whether controls meet the criteria. The organization does not get a certificate but can share the report with customers.
- Scope: Defined by the system description and the criteria covered.
How It Works:
1. Define the system and scope (which services, locations, and controls are included).
2. Select the applicable TSC (e.g., Security + Confidentiality).
3. Implement controls to meet the criteria.
4. Engage a CPA firm to audit.
5. For Type II, the auditor tests controls over the period.
6. The auditor issues a report with an opinion (unqualified, qualified, adverse, or disclaimer).
Exam Relevance: Understand the difference between Type I and Type II, the five TSC, and that SOC 2 is a report, not a certification. Also know that SOC 2 is common for SaaS providers.
How They Interact with Microsoft Compliance
Microsoft Azure and Microsoft 365 undergo independent audits against all three frameworks. Microsoft provides:
- Azure Compliance Offerings: Detailed documentation and audit reports for ISO 27001, SOC 2, and FedRAMP (based on NIST).
- Service Trust Portal: Repository of compliance reports and certifications.
- Microsoft Purview Compliance Manager: A tool that helps organizations assess their compliance posture by mapping controls from various frameworks (including ISO 27001, NIST 800-53, and SOC 2) to Microsoft's implementation. It provides a score and recommendations.
Shared Responsibility: The customer is responsible for configuring their own applications and data correctly to maintain compliance. The frameworks certify the platform, not the customer's use.
Key Values and Terms
ISO 27001: Standard number (27001), Annex A controls (93 in 2022), certification valid 3 years.
NIST SP 800-53: Revision 5, 20 control families, FIPS 199 impact levels (low, moderate, high).
SOC 2: Type I vs Type II, Trust Services Criteria (5), CPA auditor.
Common Terms: Control, audit, scope, risk assessment, statement of applicability (SoA), continuous monitoring.
Exam Trap Patterns
Confusing SOC 2 with ISO 27001: SOC 2 is a report, not a certification. ISO 27001 is a certification.
Thinking NIST SP 800-53 is a certification: It is a control catalog; FedRAMP uses it for certification.
Assuming SOC 2 requires all five TSC: Most reports only cover Security plus optionally others.
Mixing up Type I and Type II: Type I is point-in-time design; Type II is operating effectiveness over a period.
Forgetting the 3-year cycle for ISO 27001: Surveillance audits are annual, recertification every 3 years.
Define Scope and Objectives
An organization decides which framework(s) to adopt based on customer demands, regulatory requirements, and business goals. For ISO 27001, the scope defines which parts of the organization (e.g., entire company, specific data center) will be certified. For SOC 2, the scope includes the system description and the Trust Services Criteria to be audited. For NIST SP 800-53, the scope is the information system and its security categorization (low, moderate, high). This step involves senior management commitment and resource allocation.
Conduct Risk Assessment
Identify threats, vulnerabilities, and impacts to information assets. ISO 27001 requires a formal risk assessment methodology. NIST SP 800-53 is part of the RMF, where the categorization step (FIPS 199) determines impact levels. SOC 2 does not mandate a specific risk assessment but expects controls to be designed based on risks to the TSC. The output is a risk register that informs control selection.
Select and Implement Controls
Based on the risk assessment, select appropriate controls. For ISO 27001, choose from Annex A and document in the Statement of Applicability (SoA). For NIST SP 800-53, select baseline controls from the catalog and tailor as needed. For SOC 2, implement controls that meet the chosen Trust Services Criteria. Controls can be technical (e.g., encryption), administrative (e.g., policies), or physical (e.g., access badges). Implementation includes writing policies, configuring systems, and training staff.
Conduct Internal Audit and Management Review
Before the external audit, the organization performs an internal audit to verify controls are in place and effective. For ISO 27001, internal audits are required at planned intervals. Management reviews the ISMS to ensure it remains suitable and effective. For SOC 2, the organization may perform readiness assessments. For NIST, the assessment step (Step 4 of RMF) involves evaluating control effectiveness using assessment procedures.
Engage External Auditor
Select an accredited certification body (ISO 27001) or a CPA firm (SOC 2). For NIST, there is no external certification, but a Third-Party Assessment Organization (3PAO) may be used for FedRAMP. The auditor reviews documentation, interviews staff, and tests controls. For ISO 27001, there is a Stage 1 audit (documentation review) and Stage 2 audit (implementation verification). For SOC 2 Type II, the auditor tests controls over the audit period (e.g., 6 months).
Obtain Report or Certification
If the audit is successful, the organization receives a certificate (ISO 27001) or an audit report (SOC 2). ISO 27001 certification is valid for 3 years with annual surveillance audits. SOC 2 reports are typically issued annually. For NIST, the Authorizing Official (AO) issues an Authorization to Operate (ATO) based on the assessment. The organization can then share the certification or report with customers and partners to demonstrate compliance.
Scenario 1: SaaS Company Seeking Enterprise Customers
A SaaS company providing HR software wants to sell to Fortune 500 companies. These enterprises require third-party assurance of security. The company pursues a SOC 2 Type II report covering Security and Confidentiality. It engages a Big Four accounting firm for the audit. The scope includes its cloud infrastructure (hosted on AWS), application code, and HR data. It implements controls such as encryption at rest and in transit, access logging, and incident response procedures. The audit covers a 6-month period. Once the report is issued, the company shares it with prospects under a non-disclosure agreement. Common pitfalls: scope creep (including too many systems) and failing to remediate findings before the audit period ends. The company must continuously monitor controls; misconfiguration of cloud storage can lead to a qualified opinion.
Scenario 2: Government Contractor Needing FedRAMP
A company providing a cloud service to U.S. federal agencies must achieve FedRAMP authorization. FedRAMP uses NIST SP 800-53 controls as the baseline. The company categorizes its system as moderate impact. It implements hundreds of controls from the NIST catalog, including multifactor authentication, continuous monitoring, and vulnerability scanning. It engages a Third-Party Assessment Organization (3PAO) to perform the audit. The process takes 12-18 months. Once authorized, the company receives an ATO from the Joint Authorization Board (JAB) or an agency. Common issues: failure to properly document control implementation and lack of continuous monitoring capabilities. The company must also reauthorize every 3 years.
Scenario 3: Global Enterprise Achieving ISO 27001
A multinational manufacturing company wants ISO 27001 certification for its corporate IT and production systems. It defines the ISMS scope to include all data centers and remote offices. It conducts a risk assessment and selects 80 controls from Annex A. It implements an ISMS policy, asset management, access control, and business continuity plans. It hires a certification body such as BSI or SGS. After the Stage 1 and Stage 2 audits, it receives certification. It must undergo annual surveillance audits and recertification every 3 years. Common challenges: maintaining documentation across multiple languages and ensuring all employees understand the ISMS policy. Non-compliance at one site can lead to a major non-conformity and suspension of certification.
SC-900 Objective 1.3: Describe the concepts of compliance and governance
This objective includes understanding compliance frameworks. The exam tests your ability to:
Identify the purpose and key characteristics of ISO 27001, NIST SP 800-53, and SOC 2.
Differentiate between certification (ISO 27001), control catalog (NIST), and reporting (SOC 2).
Recognize the Trust Services Criteria and Type I/Type II reports for SOC 2.
Understand the relationship between these frameworks and Microsoft's compliance offerings (e.g., Compliance Manager, Service Trust Portal).
Common Wrong Answers
"SOC 2 is a certification like ISO 27001." → Incorrect. SOC 2 is an audit report, not a certification. The organization receives an opinion letter, not a certificate.
"NIST SP 800-53 provides a certification for organizations." → Incorrect. NIST SP 800-53 is a control catalog. FedRAMP uses it for certification, but NIST itself does not certify.
"SOC 2 Type I evaluates controls over a period of time." → Incorrect. Type I is point-in-time; Type II is over a period.
"ISO 27001 certification never expires." → Incorrect. It is valid for 3 years with annual surveillance audits.
Specific Numbers and Terms
ISO 27001:2022: 93 controls in Annex A (previously 114 in 2013).
NIST SP 800-53 Rev 5: 20 control families, over 1,000 controls.
SOC 2: 5 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy).
Type I vs Type II: Type I – design at a point in time; Type II – operating effectiveness over 6-12 months.
FIPS 199: Defines impact levels (low, moderate, high) used in NIST categorization.
Edge Cases
SOC 2 + SOC 3: SOC 3 is a summary version of SOC 2 for public distribution.
ISO 27001 + ISO 27701: ISO 27701 extends ISO 27001 for privacy management (PIMS).
FedRAMP: Uses NIST SP 800-53 as baseline but adds FedRAMP-specific controls.
Microsoft Compliance Manager: Maps controls from multiple frameworks to Azure/M365 implementations, providing a unified compliance score.
How to Eliminate Wrong Answers
If the question mentions "certification" and the option includes SOC 2, it's likely wrong unless referring to a specific certification program (which SOC 2 is not).
If the question mentions "control catalog" or "baselines", think NIST SP 800-53.
If the question mentions "audit report" and "CPA", think SOC 2.
For ISO 27001, look for terms like "ISMS", "Annex A", "Statement of Applicability", "certification body".
Remember that Microsoft's compliance offerings are not certifications themselves but tools to manage compliance.
ISO 27001 is a certification for an ISMS, valid for 3 years with annual surveillance audits.
NIST SP 800-53 is a control catalog with 20 families and over 1,000 controls; it is not a certification.
SOC 2 is an audit report (Type I or Type II) based on Trust Services Criteria; it is not a certification.
SOC 2 Type I evaluates control design at a point in time; Type II evaluates operating effectiveness over a period.
FedRAMP uses NIST SP 800-53 controls as a baseline for cloud service authorization.
Microsoft Purview Compliance Manager maps controls from multiple frameworks to help organizations manage compliance.
The Statement of Applicability (SoA) in ISO 27001 lists selected controls and justification for exclusions.
The five Trust Services Criteria for SOC 2 are Security, Availability, Processing Integrity, Confidentiality, and Privacy.
These come up on the exam all the time. Here's how to tell them apart.
ISO 27001
International standard for ISMS.
Certification by accredited body.
Valid for 3 years with annual audits.
93 controls in Annex A (2022).
Focus on risk management and PDCA.
SOC 2
AICPA framework for service organizations.
Audit report (Type I or II) by CPA.
Report valid for the audit period only.
5 Trust Services Criteria.
Focus on controls over customer data.
Mistake
SOC 2 certification is equivalent to ISO 27001 certification.
Correct
SOC 2 is not a certification; it is an audit report issued by a CPA firm. ISO 27001 is a formal certification issued by an accredited certification body. The two serve different purposes: SOC 2 focuses on service organization controls, while ISO 27001 focuses on an ISMS.
Mistake
NIST SP 800-53 is a certification framework.
Correct
NIST SP 800-53 is a catalog of security and privacy controls. It does not provide certification. However, programs like FedRAMP use NIST controls as a baseline for certifying cloud services.
Mistake
SOC 2 Type I report is more valuable than Type II because it is faster.
Correct
Type I only evaluates control design at a single point in time. Type II evaluates operating effectiveness over a period (e.g., 6 months), providing stronger assurance. Most customers require Type II.
Mistake
ISO 27001 certification covers all controls in Annex A.
Correct
Organizations select controls based on risk assessment. They can exclude controls if justified in the Statement of Applicability. Certification does not require implementing all 93 controls.
Mistake
Once certified ISO 27001, no further audits are needed.
Correct
ISO 27001 requires annual surveillance audits and recertification every 3 years to maintain certification.
SOC 2 Type I reports on the design of controls at a specific point in time. Type II reports on the operating effectiveness of controls over a period (usually 6-12 months). Type II provides stronger assurance because it includes testing of controls over time. For the SC-900 exam, remember that Type I is point-in-time design, Type II is effectiveness over a period.
No, NIST SP 800-53 is a catalog of security and privacy controls. Organizations use it to implement controls, but there is no formal certification for NIST SP 800-53. However, programs like FedRAMP use NIST controls as a baseline and issue authorizations (ATOs) based on assessments.
An organization implements an Information Security Management System (ISMS) and selects controls from Annex A based on risk assessment. An accredited certification body conducts a Stage 1 audit (documentation review) and Stage 2 audit (implementation verification). If successful, certification is granted for 3 years, with annual surveillance audits. The SC-900 exam may ask about the 3-year validity and the purpose of the Statement of Applicability.
The five Trust Services Criteria are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most SOC 2 reports cover Security (common criteria) plus one or more additional criteria. The exam may ask to identify these five criteria or distinguish between them.
Microsoft Purview Compliance Manager is a tool that helps organizations assess their compliance posture. It provides built-in assessments for various frameworks including ISO 27001, NIST SP 800-53, and SOC 2. It maps Microsoft's implementation of controls to the framework requirements, giving a compliance score and recommendations. The SC-900 exam expects you to know that Compliance Manager helps manage compliance across multiple frameworks.
The SoA is a document that lists all controls from Annex A and indicates whether each control is implemented or not, along with justification for exclusions. It is a key output of the control selection process and is reviewed during the certification audit. The exam may ask about its purpose.
Technically, SOC 2 is not a compliance certification; it is an audit report. Organizations often say they are 'SOC 2 compliant' to mean they have a SOC 2 Type II report with an unqualified opinion. The exam may test that SOC 2 is a report, not a certification.