SOC2, ISO, GDPR, CCPA, NIST, HIPAA, and others: Are they related?

  • September 6, 2022

In an industry that is increasingly saturated with security standards and regulations, it is important to know their scope, their applicability, and how they relate to each other. Whether compliance is voluntary or mandatory depends on the type of company and/or where it is located.

Below is a general overview of the majority of security standards, regulations, and controls:

[Graphic: overview of security standards, regulations, and controls]

As seen in the graphic above, there are many of them. However, they all aim to mitigate security risks in order to preserve the three attributes of data: confidentiality, integrity, and availability. In other words, protecting information is a daily necessity, and all of these standards and regulations intersect at that goal.

Protecting information implies controls not only at the technological level, but across all of the company’s critical resources: people, technology, physical and digital information, and tangible assets. For this reason, establishing robust security governance is essential and the best way forward.

Although some standards and regulations focus on a single attribute or a combination of them, in this article we will explain that, in order to mitigate data risks efficiently and effectively over time, protecting all three attributes as a whole is essential.

If we talk about data risks, each attribute is affected by different risk scenarios. For example:

  • Risk of information leakage: affects confidentiality.
  • Risk of ransomware (malware): affects availability and confidentiality.
  • Risk of internal attacks (intentional modification of data): affects integrity.

To address these risks, it is necessary to establish a combination of preventive, detective, and corrective controls. For example:

  • Preventive: Multi-Factor Authentication (MFA) 🡪 Access Control (Ref. Graphic)
  • Detective: Monitoring of logs on user access and actions 🡪 Logging and Monitoring (Ref. Graphic)
  • Corrective: Management of patches for vulnerabilities that endanger data 🡪 Threat & Vulnerability Management (Ref. Graphic)


Next, some examples of similarities and differences between them:

[Graphic: similarities and differences between the standards and regulations]

With all this in mind, let’s take a look at another example. Suppose a company located in Virginia, USA decides to comply with a voluntary standard such as ISO 27001/2. If, over time, with significant growth in revenue and customers, it opens an office in California, USA, where CCPA compliance is required, the additional effort and investment needed to accomplish that goal will be minimal, because much of the groundwork already overlaps.

That said, when asked whether these standards and regulations are related to each other, the answer is YES. They overlap substantially in the security controls they require, which include the processes, policies, and technologies designed to protect information.

Looking to establish a robust and sustainable information security program? Do not hesitate to contact Flugel.it, who will help you define the best strategy for your company.

Their virtual CISO service focuses on ensuring that you are truly prepared to comply, whether voluntarily or under obligation, with any security standard or regulation, such as SOC2, ISO, GDPR, CCPA, NIST, and HIPAA, among others.


Credits
Written by: Francisco Cruz Caviedes
General corrections and editing: Diego Woitasen