HADESS Blog

Compliance Management: SOC 2, ISO 27001, PCI DSS, and HIPAA

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Compliance is not security, but it forces organizations to build documented, repeatable controls. Understanding compliance frameworks helps you translate security work into language that auditors, executives, and regulators accept. If you work in security long enough, you will deal with at least one of these frameworks.

SOC 2

SOC 2 applies to service organizations: SaaS companies, cloud providers, managed service providers. It evaluates controls against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is the only mandatory one; the other four are added when customers or contracts demand them, so most companies start with Security alone.

Type I reports assess whether controls are suitably designed at a point in time. Type II reports test whether those controls operated effectively over a period, usually 3 to 12 months, and the auditor samples evidence from across that whole window. Type II is what customers actually care about; a Type I is mostly a stepping stone for a first audit.

Preparation means documenting policies, implementing monitoring, and building evidence collection into daily operations. Automate evidence gathering. Manually collecting screenshots for 80+ controls every audit cycle burns time and introduces errors. Tools like Vanta, Drata, and Secureframe pull evidence from your infrastructure directly.

ISO 27001

ISO 27001 is an international standard for information security management systems (ISMS). It requires a risk assessment, a Statement of Applicability listing which Annex A controls you implement (and justifying the ones you exclude), internal audits, and ongoing management review.

The 2022 revision consolidated Annex A into 93 controls organized under four themes: organizational, people, physical, and technological. The certification audit has two stages: a documentation review (Stage 1) and an implementation assessment (Stage 2).

The real work is maintaining the ISMS after certification. The certificate runs on a three-year cycle with annual surveillance audits in between, so conduct internal audits, track nonconformities to closure, keep the risk register current, and treat each surveillance audit as a check that the system is still alive rather than a paper exercise.

PCI DSS

PCI DSS applies to any organization that stores, processes, or transmits cardholder data, or that can affect the security of that data. Version 4.0 introduced the customized approach: instead of implementing a requirement exactly as written (the defined approach), you can implement alternative controls if you document, through a targeted risk analysis, how they meet the requirement's stated objective. Expect the assessor to scrutinize that analysis closely.

The twelve requirements cover network security controls and secure configuration, protection of stored account data and of data in transit, malware defenses and secure development, access control and authentication, physical access, logging and monitoring, regular testing, and policy. The most common failures: flat networks without segmentation, so that everything is in scope; default or shared credentials on systems in scope; and incomplete logging, where the logs exist but are not retained, centralized, or reviewed.

Reduce your scope. Tokenization and point-to-point encryption (P2PE) take systems out of PCI scope: a system that only ever handles a token, or ciphertext it has no key to decrypt, never touches cardholder data. The token vault and the decryption environment remain in scope, and a validated P2PE solution lets you use the reduced SAQ. Less scope means fewer controls to maintain and fewer audit headaches. Verify the claim rather than assuming it: scan logs, databases, and backups for card-number patterns, because one debug log that captured a PAN pulls that system back in.
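The scope argument above only holds if the merchant side genuinely never sees a PAN. The following is an added example, not code from the original article or from HADESS, of the two pieces a practitioner would want: a minimal token vault (random tokens, last four preserved, never Luhn-valid so a token cannot pass as a card number) and a scope scanner that finds Luhn-valid digit runs in text, used to confirm that an order record built from tokens contains nothing the scanner flags. The in-memory dictionary standing in for the vault, and the well-known "4111 1111 1111 1111" test number, are assumptions made for the example.

```python
import re
import secrets
from typing import Dict, List

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Mod-10 check that every real PAN passes (and that our tokens deliberately fail)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """Well-formed PAN: 13 to 19 digits that pass Luhn."""
    return candidate.isdigit() and 13 <= len(candidate) <= 19 and luhn_valid(candidate)


# Maximal digit runs of PAN length; substrings of a longer run are not considered.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> List[str]:
    """Scope scanner: Luhn-valid digit runs in a log line, DB dump or backup. A hit means that system is in scope."""
    return [m.group(0) for m in PAN_RUN.finditer(text) if luhn_valid(m.group(0))]


class TokenVault:
    """The one component that sees a PAN. It stays in PCI scope; anything that only ever holds tokens drops out.

    Assumption for the example: plain in-memory dicts. A real vault encrypts at rest, keeps keys in an HSM,
    and restricts detokenize() to the payment-processing path.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not is_pan(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:   # same card, same token, so the merchant can recognize repeat customers
            return self._token_by_pan[pan]
        while True:
            # Random digits, not derived from the PAN: no hash or cipher the merchant could reverse.
            # Last four are kept for receipts. Candidates that pass Luhn are rejected so a token
            # can never be mistaken for, or submitted as, a real card number.
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Only the in-scope payment path should ever be allowed to call this."""
        return self._pan_by_token[token]


def record_order(vault: TokenVault, order_id: int, pan: str) -> dict:
    """Merchant-side order record: holds the token and the display last-four, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"          # constructed: the standard Visa test number
    order = record_order(vault, 42, test_pan)
    print("order record:", order)
    print("PAN in raw log line:", find_pans(f"POST /pay card={test_pan.replace(' ', '')} amount=10.00"))
    print("PAN in order record:", find_pans(str(order)))
```

The scanner is also the practical way to prove scope to an assessor: run it over log archives, database exports, and crash dumps from the systems you claim are out of scope, and keep the clean results as evidence.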

HIPAA

HIPAA protects health information in the US. The Security Rule requires administrative, physical, and technical safeguards for electronic protected health information (ePHI). The Privacy Rule governs how PHI is used and disclosed.

Conduct a risk analysis at least annually and whenever the environment changes materially (a new EHR module, a cloud migration, an acquisition). Document the findings and the remediation plan, and keep the history, because the absence of a documented risk analysis is itself one of the most frequently cited findings. The most common violations involve employees accessing records they have no treatment or business reason to view, unencrypted laptops and portable media, and inadequate access controls on EHR systems.

Business Associate Agreements (BAAs) are required for any vendor that creates, receives, maintains, or transmits ePHI on your behalf. Cloud providers like AWS and Azure offer BAAs, but the agreement covers only the services it lists, and signing one does not make you compliant: the provider secures the platform, and you still own the configuration, the access controls, and the logging.

Audit Preparation

Start preparing months before the audit. Map your controls to the framework requirements, identify gaps, and remediate them while there is still time for the fix to generate evidence. Collect evidence continuously; do not wait until the auditor asks, because a Type II auditor or a surveillance audit wants samples spread across the whole period, not a screenshot from the week before.

Build a controls matrix that links each requirement to a policy, a procedure, an accountable owner, the expected frequency, and the evidence collected so far. This document becomes your single source of truth for compliance status, and it is the first thing to hand the auditor.
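Kept as a spreadsheet, the matrix tells you what exists; kept as data, it can also tell you what is missing. The following is an added example, not code from the original article or from HADESS, of a controls matrix with a gap check that flags controls with no owner, controls with no evidence inside the audit window, and controls whose evidence samples are spaced further apart than the control's stated frequency (the thing a Type II auditor will notice first). The three controls, their identifiers, owners, dates, and the six-month window are all constructed for the example; the SOC 2 style identifiers are used only as labels.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Evidence:
    artifact: str        # path or URL of the collected artifact (ticket, export, screenshot)
    collected: date


@dataclass
class Control:
    control_id: str
    requirement: str
    policy: str
    procedure: str
    owner: Optional[str]
    frequency_days: int  # how often the control must produce a fresh artifact
    evidence: List[Evidence] = field(default_factory=list)


Finding = Tuple[str, str, str]   # (control_id, finding_kind, detail)


def gap_report(controls: List[Control], window_start: date, window_end: date) -> List[Finding]:
    """Flag ownership, missing-evidence and coverage gaps against an audit window."""
    findings: List[Finding] = []
    for c in controls:
        if not c.owner:
            findings.append((c.control_id, "no_owner", "assign an accountable owner"))
        samples = sorted(e.collected for e in c.evidence if window_start <= e.collected <= window_end)
        if not samples:
            findings.append((c.control_id, "no_evidence",
                             f"no artifact dated within {window_start} to {window_end}"))
            continue
        # Walk from the start of the window through each sample to the end of the window.
        # Any stretch longer than the control's frequency is a period the auditor cannot sample.
        checkpoints = [window_start] + samples + [window_end]
        for prev, nxt in zip(checkpoints, checkpoints[1:]):
            gap = (nxt - prev).days
            if gap > c.frequency_days:
                findings.append((c.control_id, "coverage_gap",
                                 f"{gap} days between {prev} and {nxt} exceeds {c.frequency_days}"))
    return findings


# Constructed six-month audit window for the example.
WINDOW_START = date(2025, 1, 1)
WINDOW_END = date(2025, 6, 30)


def build_sample_matrix() -> List[Control]:
    """Constructed matrix: one clean control, one with spacing problems, one with stale evidence only."""
    return [
        Control("CC6.1", "Logical access is reviewed quarterly", "Access Control Policy",
                "Quarterly access review runbook", "IAM lead", 90,
                [Evidence("reviews/2025-Q1.csv", date(2025, 1, 15)),
                 Evidence("reviews/2025-Q2.csv", date(2025, 4, 10))]),
        Control("CC7.1", "Vulnerability scans run monthly", "Vulnerability Management Policy",
                "Monthly scan procedure", None, 30,
                [Evidence("scans/2025-01.json", date(2025, 1, 5)),
                 Evidence("scans/2025-02.json", date(2025, 2, 3)),
                 Evidence("scans/2025-04.json", date(2025, 4, 20))]),
        Control("CC8.1", "Changes are approved before deployment", "Change Management Policy",
                "Change approval workflow", "Engineering manager", 90,
                [Evidence("changes/2024-12-sample.pdf", date(2024, 12, 1))]),   # before the window
    ]


if __name__ == "__main__":
    for control_id, kind, detail in gap_report(build_sample_matrix(), WINDOW_START, WINDOW_END):
        print(f"{control_id:7} {kind:13} {detail}")
```

Run weekly against the live matrix and the report doubles as the evidence-collection to-do list: every coverage gap is an artifact you still have time to produce before the period closes.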

Related Career Paths

Compliance expertise maps to Information Security Analyst and Data Privacy Officer career paths. Both roles require the ability to implement and maintain compliance programs.

Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
