Security controls exist for two reasons: because attackers are real, and because regulators require them. Compliance frameworks translate both motivations into structured requirements. GDPR defines how organizations must handle the personal data of EU residents. HIPAA protects health information in the United States. PCI-DSS governs how organizations handle payment card data. NIST publishes frameworks and control catalogs that are voluntary for most private organizations but mandatory for US federal agencies and, through contract terms, for many of their suppliers. Security+ tests these frameworks by their specific requirements and breach notification timelines, not just by name.
GDPR (General Data Protection Regulation) governs the personal data of EU residents regardless of where the organization processing it is located. Key requirements: a lawful basis for processing personal data, the right to erasure (right to be forgotten), data portability, and breach notification to the supervisory authority within 72 hours of becoming aware of the breach (affected individuals must also be notified when the breach poses a high risk to them). GDPR fines can reach 4 percent of global annual turnover or EUR 20 million, whichever is higher.
HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) in the United States. PHI is individually identifiable health information: any data that can identify a patient and relates to their health condition, the care they received, or payment for that care. HIPAA applies to covered entities (healthcare providers, health plans, and clearinghouses) and to the business associates that handle PHI on their behalf. HIPAA requires administrative, physical, and technical safeguards, and breach notification to affected individuals without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services and to prominent media outlets.
PCI-DSS (Payment Card Industry Data Security Standard) is a set of technical and operational requirements, created by the major card brands (Visa, Mastercard, American Express, Discover, JCB) and maintained by the PCI Security Standards Council, for any organization that stores, processes, or transmits cardholder data. Unlike GDPR and HIPAA, PCI-DSS is not a law but a contractual requirement imposed through merchant agreements: organizations that do not comply risk fines from their acquiring bank and loss of the ability to accept card payments. Twelve core requirements cover network security, access control, encryption of cardholder data, monitoring and logging, and vulnerability management.
The NIST Cybersecurity Framework (CSF) organizes security activities into five core functions: Identify (know your assets and risks), Protect (implement safeguards), Detect (identify security events), Respond (take action on detected events), and Recover (restore capabilities after an incident). CSF 2.0, published in 2024, adds a sixth function, Govern, covering strategy, policy, and oversight; the five functions above are the ones the exam expects. The framework is voluntary for most private organizations but is required for US federal agencies and is widely adopted as a best-practice reference.
NIST SP 800-53 is the catalog of security and privacy controls used by US federal agencies and their contractors. It groups hundreds of specific controls into families such as Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), and Incident Response (IR), and organizations select a baseline of controls matched to the impact level of the system being protected.
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It specifies the requirements for establishing, operating, and continually improving an ISMS, and its Annex A lists the controls an organization selects from through risk assessment. Organizations can certify their ISMS against ISO 27001 through an independent audit, providing an internationally recognized attestation of their security posture.
SOC 2 (System and Organization Controls) is an audit framework, defined by the AICPA, covering five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is always in scope; the other four are included as relevant to the service. A SOC 2 Type I report assesses whether controls are suitably designed at a point in time. A SOC 2 Type II report assesses whether they operated effectively over a review period (typically 6 to 12 months). SaaS providers often obtain SOC 2 Type II reports to demonstrate their security practices to enterprise customers.
Framework identification: EU personal data and a 72-hour breach notification window = GDPR. US health information and PHI = HIPAA. Payment card data and a contractual (not legal) requirement = PCI-DSS.
NIST CSF functions in order: Identify, Protect, Detect, Respond, Recover. The function being described determines the correct answer.
SOC 2 Type I: design of controls at a point in time. Type II: operational effectiveness over a period. For vendor due diligence, Type II is more meaningful.
Compliance vs security: compliance establishes a minimum baseline. It does not guarantee security. An organization can be fully compliant and still be breached because assessments are point-in-time snapshots, controls can be present on paper but poorly operated, systems outside the assessed scope are not examined, and compliance frameworks are not updated fast enough to address emerging threats.
| Framework | Applies to | Key requirement | Breach notification |
|---|---|---|---|
| GDPR | Personal data of EU residents | Lawful basis, right to erasure, data portability | 72 hours to supervisory authority |
| HIPAA | US health information (PHI) | Administrative, physical, technical safeguards | No later than 60 days after discovery, to individuals (plus HHS and media for 500+ individuals) |
| PCI-DSS | Payment card data | 12 requirements: network, access, encryption, monitoring | Notify acquirer and card brands; timelines set by the brands' programs, not the standard |
| NIST CSF | Broadly applicable (required for US federal agencies) | Identify, Protect, Detect, Respond, Recover | N/A (framework, not regulation) |
| ISO 27001 | Any organization (international) | ISMS requirements, Annex A controls, certification via audit | N/A (framework, not regulation) |
| SOC 2 | Service providers (commonly SaaS) | Trust Services Criteria; Type I (design) vs Type II (operating effectiveness) | N/A (audit report, not regulation) |
Misconception: GDPR only applies to European companies.
Correction: GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is located. A US company with EU customers must comply with GDPR for that customer data.
Misconception: Complying with PCI-DSS means your cardholder data environment is fully secure.
Correction: PCI-DSS defines a minimum baseline of required controls, assessed against a defined cardholder data environment (CDE). Compliance at a point in time does not guarantee that new vulnerabilities have not emerged since the assessment, that the CDE was scoped correctly, or that every data flow involving cardholder data was captured in that scope. Compliance assessments are point-in-time snapshots, not continuous security guarantees.
Misconception: SOC 2 Type I and Type II reports provide the same level of assurance.
Correction: A SOC 2 Type I report only verifies that controls are suitably designed at a single point in time. A Type II report verifies that they actually operated effectively over an extended review period (typically 6 to 12 months), with the auditor sampling evidence from across that period. For vendor security due diligence, Type II provides much stronger assurance about the vendor's actual security practices.