Robust cybersecurity is more than best practice, it’s often a regulatory requirement. Here’s everything you need to know about the major compliance requirements.
back to BLOG

Essential guide to cybersecurity compliance

James Harrison

SOC 2, ISO, HIPAA, Cyber Essentials – all the security frameworks and certifications today are an acronym soup that can make even a compliance expert’s head spin. If you’re embarking on your compliance journey, read on to discover the differences between standards, which is best for your business, and how vulnerability management can aid compliance.

What is cybersecurity compliance?

Cybersecurity compliance means different things to different businesses in different industries and locations, but essentially it means you have met a set of agreed rules regarding the way you protect sensitive information and customer data. These rules can be set by law, regulatory authorities, trade associations or industry groups.  

For example, the GDPR is set by the EU with a wide range of cybersecurity requirements that every organization within its scope must comply with, while ISO 27001 is a voluntary (but internationally recognized) set of best practices for information security management. While not mandatory, compliance may be necessary if you’ve signed a contract requiring it.  

Agreements like these with customers and suppliers are increasingly driving compliance. Customers expect the assurance that compliance brings, because breaches and data disclosure will impact their operations, revenue and reputation too.

Which cybersecurity compliance standard is right for you?

Every business in every industry is operationally different and has different cybersecurity needs. The safeguards used to keep hospital patient records confidential are not the same as the regulations for keeping customers’ financial information secure.  

For certain industries, compliance is the law. Industries that deal with sensitive personal information such as healthcare and finance are highly regulated. In some cases, cybersecurity regulations overlap across industries. For example, if you’re a business in the EU that handles credit card payments, then you’ll need to be compliant with both credit and banking card regulations (PCI DSS) and GDPR.  

Security basics like risk assessments, encrypted data storage, vulnerability management and incident response plans are fairly common across standards, but what systems and operations must be secured, and how, are specific to each standard. The standards we explore below are far from exhaustive, but they are the most common compliance for start-ups and SaaS businesses that handle digital data. Let’s dive in.


What is GDPR compliance?

The General Data Protection Regulation (GDPR) is a far-reaching piece of legislation that governs how businesses – including those in the US – collect and store the private data of European Union citizens. Fines for non-compliance are high – up to €20,000,000 or 4% of global revenue – and the EU is not shy about enforcing them. Better security rarely comes free, and managing your vulnerabilities is no exception, but the expense of proper vulnerability management is extremely low compared to the costs of GDPR fines, not to mention damages caused by a breach itself.  

Who needs to comply with GDPR?

Buckle up because it’s essentially anyone that collects or processes the personal data of anyone else in the EU, wherever they go or shop online. Personal information or “personal data” includes just about anything from the name and date of birth to geographic information, IP address, cookie identifiers, health data and payment information. So, if you do business with EU residents, you’re required to comply with GDPR.  

How vulnerability scanning can aid compliance with GDPR

Your IT security policy for GDPR doesn’t have to be a complicated document – it just needs to lay out, in easy-to-understand terms, the security protocols your business and employees should follow. You can also use free templates from SANS as models.  

You can start taking simple steps right away. There are automated platforms that make it easier to work out which requirements you already meet, and which ones you need to correct. For example, you’re required to “develop and implement appropriate safeguards to limit or contain the impact of a potential cybersecurity event” which vulnerability scanning using a tool like Intruder can help you achieve.


What is SOC 2 compliance?

SaaS and born-in-the-cloud businesses that provide digital services and systems will be most familiar with SOC 2 as it covers the storage, handling and transmission of digital data, although certification is becoming increasingly popular with all service providers.

SOC is managed by AICPA and based on achieving several specific criteria. There are two reports: Type 1 is a point-in-time assessment of your cyber security posture; Type 2 is an ongoing audit by an external assessor to check you’re meeting these commitments, reviewed and renewed every 12 months.  

Like ISO 27001, SOC 2 gives you some wiggle room on how to meet its criteria, whereas PCI DSS, HIPAA and most other security frameworks have very explicit requirements. You can find full details of the required criteria in this pdf document on the AICPA website or in our dedicated SOC 2 guide.  

Who needs SOC 2 compliance?

While SOC 2 isn’t a legal requirement, it’s the most sought-after security framework for growing SaaS providers. It’s quicker and cheaper to achieve than most of the other standards in this list, while still demonstrating a concrete commitment to cyber security.  

How do you comply with SOC 2?

SOC 2 compliance requires you to put in place controls or safeguards on system monitoring, data alert breaches, audit procedures and digital forensics. The subsequent SOC 2 report is the auditor’s opinion on how these controls fit the requirements of five ‘trust principles’: security, confidentiality, processing integrity, availability and privacy. You don’t have to cover every category if they don’t apply to your business operations, but one control you need for your SOC 2 report is vulnerability management using a scanner like Intruder – that’s exactly what we did, using our own tool alongside Drata’s compliance platform for our own report. Find out more in our handy guide to SOC 2 compliance and see how vulnerability management can get you there faster.  

Find your weaknesses,
before the hackers do

Try Intruder for free

ISO 27001

What is ISO 27001 compliance?

The International Organization for Standardization, or ISO, produces a set of voluntary standards for a variety of industries – ISO 27001 is the standard for best practice in an ISMS (information security management system) to manage the security of financial information, intellectual property, personnel information, and other third-party information.

Unlike some standards, ISO 27001 is not a legal requirement by default, but many large enterprises or government agencies will only work with you if you are ISO certified.  

It’s recognized as one of the most rigorous compliance frameworks but it’s notoriously difficult, expensive and time consuming to complete, even with a dedicated team or external consultants.

Who needs it?

Like SOC 2, ISO 27001 is a good way to demonstrate publicly that your business is committed and diligent when it comes to information security, and that you’ve taken steps to keep the data you share with them secure. If you work in a highly regulated industry like finance, handle sensitive private data such as medical records, or if customers want an internationally recognized standard, then ISO 27001 may be worth investing in.  

How do you comply with ISO 27001?

The ISO itself does not hand out certifications. Instead, third-party auditors validate that you’ve implemented all of the relevant best practices in accordance with the ISO standard.  

There isn’t a universal ISO 27001 compliance checklist that guarantees certification either. It’s up to each organization to decide what’s in scope and implement the framework, and auditors will use their discretion to evaluate each case.

Remember that ISO 27001 is largely about risk management. Risks are not static and evolve as new cyber threats emerge, so you should build automated vulnerability management with a tool like Intruder into your security controls to evaluate and analyze new risks as they emerge – you can find out more in our ISO 27001 and vulnerability management guide. Automated compliance platforms such as Drata can also help speed up the whole process too.


What is PCI DSS compliance?

The PCI DSS (Data Security Standard) was developed by the PCI Security Standards Council and the major card brands (American Express, Mastercard and Visa) to regulate anyone that stores, processes, and/or transmits cardholder data.  

Many payment card-using businesses, especially retailers and restaurants, don’t know about PCI. After a hack, they may wish they did. When Target revealed that criminals got their hands on the credit card details of 40 million customers, it was using malware installed on their US point-of-sale (POS) network. It wasn’t necessarily the work of a cybercriminal mastermind either; Forbes found they could hack into unsecured POS systems with equipment costing just $25. And while PCI is not technically a legal requirement, credit card companies and banks will expect it. Fail to comply, and they may stop you taking card payments or charge you more for doing so.

Who needs it?

In theory, anyone that processes card payment transactions, but there are different rules depending on the number and type of payments you take. If you use a third-party card payment provider like Stripe or Sage, they can manage the process and provide validation for you.

How to comply with PCI DSS

Unlike ISO 27001 and SOC 2, PCI DSS requires a strict vulnerability management program, but accreditation is complex. Third-party payment providers will usually populate the PCI form for you automatically, providing validation at the click of a button. For smaller businesses, this can save hundreds of hours of work; for larger ones, it can save thousands. If you’re looking to implement cyber security best practices to help with PCI DSS, we can help.  


What is HIPAA compliance?

HIPAA (the Health Insurance Portability and Accountability Act) regulates the transfer and storage of patient data in the US healthcare industry, where compliance is a legal requirement. And it makes sense too, because healthcare is a prime target for identity theft. Unlike credit card details, which at least change when cards expire, personal health information never changes and can be used for tax fraud, to take out false credit cards or loans, and open fraudulent bank accounts – which is why health records can go for 40 times as much on the black market as credit card numbers. HIPAA is designed to protect this sensitive information.  

Who needs it?

HIPAA compliance is mandatory for any business that handles patient information in the US, or anyone doing business in the US with companies that are also HIPAA compliant.  

How to comply with HIPAA

Although a part of life for anyone working in healthcare in the US, HIPAA can be difficult to navigate. The rules cover two categories: privacy and security, which requires a thorough assessment of the potential risks and vulnerabilities to the “confidentiality, integrity, and availability of electronic patient information that you create, receive, maintain, or transmit”. It also requires a risk management plan with security measures sufficient to reduce risk to a reasonable and appropriate level. Although HIPAA doesn’t specify the methodology, vulnerability scans or penetration tests with an advanced tool like Intruder should be integral components of any risk analysis and management process.

Cyber Essentials

What is Cyber Essentials compliance?

Cyber Essentials is a UK government-backed scheme designed to check businesses are adequately protected against common cyberattacks. Similar to SOC 2, think of it as good cyber hygiene – like washing your hands or brushing your teeth. Designed for the smaller business without dedicated security expertise, it should be just the starting point of a more robust security program but it is widely recognized and demonstrates that you are trustworthy and take security seriously. What’s more, if you’re looking to win public sector contracts, Cyber Essentials may be necessary for any bid.

Who needs Cyber Essentials compliance?

Any business bidding for a UK government or public sector contract which involves sensitive and personal information or providing certain technical products and services.

How to comply with Cyber Essentials

The basic certificate is a self-assessment of five basic security controls: firewalls, secure configuration, user access control, malware protection and patch management. The self-assessments are available through a secure hosted platform. Cyber Essentials Plus is a more advanced, comprehensive, hands-on technical certification that includes a series of vulnerability tests that can easily be provided by an automated tool like Intruder. The internal test is an authenticated internal scan and a test of the security and anti-malware configuration of each device. The external scan checks patch levels and system configurations of your public-facing infrastructure.

Compliance doesn’t have to mean complexity

Compliance can seem like a labor-intensive and expensive exercise, but it can pale in comparison to the cost of fixing a breach, paying settlements to customers, losing your reputation, or paying fines. You can also miss out on potential business if you don’t have the certifications customers expect.

But cybersecurity compliance doesn’t need to be difficult with today’s automated tools. If you use Intruder’s vulnerability management that already integrates with automated compliance platforms like Drata then auditing, reporting and documentation for compliance becomes a whole lot quicker and easier. Whether you’re just starting your compliance journey or looking to improve your security, we can help you get there faster. Get started today with a free trial.

Release Date
Level of Ideal
Before CVE details are published
Limited public information is available about the vulnerability.

Red teamers, security researchers, detection engineers, threat actors have to actively research type of vulnerability, location in vulnerable software and build an associated exploit.

Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
Day of CVE publish
Vulnerability information is publicly accessible.

Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt themselves, speeding up potential exploit creation.

Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
First week since CVE publish
Vulnerability information has been publicly available for up to 1 week.

The likelihood that exploitation in the wild is going to be happening is steadily increasing.

Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
Between 1 week and 1 month since CVE publish
Vulnerability information has been publicly available for up to 1 month, and some very clever people have had time to craft an exploit.

We’re starting to lose some of the benefit of rapid, automated vulnerability detection.

Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
After 1 month since CVE publish
Information has been publicly available for more than 31 days.

Any detection released a month after the details are publicly available is decreasing in value for me.

Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.

With this information in mind, I wanted to check what is the delay for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:

These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.

We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.

In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs. Then since 2010 Tenable have remote released checks for 147 critical CVEs and OpenVAS 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.

Figure 10: Absolute numbers of critical CVEs with a remote check release date from the date a CVE is published

While raw numbers are good, Tenable have a larger number of checks available so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check of a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.

Figure 11: Percentage chance of delay for critical vulnerabilities

So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.

I thought I’d go another step further and try and see if I could identify any trend in each organisations release delay, are they getting better year-on-year or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to only checks released 180 days prior to a CVE being published and 31 days after a CVE being published. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details and anything after a 1-month delay is less important for us.

What can we take away from Figure 12?

Figure 12: Release delay year-on-year (lower is better)

With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities Tenable could win this category. However, the delay time from 2019 and 2020 going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.

The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.

Written by

James Harrison

Recommended articles

Ready to get started with your 14-day trial?

try for free