Compliance Frameworks
Understand what each compliance framework requires and browse the policy templates you need to achieve certification or pass an audit. PoliWriter generates documentation for all major frameworks.
SOC 2 Type II
SOC 2 Type II is the gold standard for demonstrating security controls to enterprise customers. It is an attestation report rather than a certification: an independent CPA firm tests whether your controls operated effectively over an observation period, typically 3 to 12 months. Controls are evaluated against the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy); Security is mandatory, and the other four are assessed only if you put them in scope.
Applies to: SaaS companies, cloud service providers, and any organization handling customer data
GDPR
The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law. It governs how organizations collect, process, store, and transfer the personal data of individuals in the EU and EEA, regardless of where the organization itself is established. Non-compliance can result in administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
Applies to: any organization processing personal data of EU/EEA residents, wherever it is based
HIPAA
HIPAA establishes national standards for protecting sensitive patient health information. It requires administrative, physical, and technical safeguards for Protected Health Information (PHI). The Security Rule, Privacy Rule, and Breach Notification Rule form its three key components.
Applies to: healthcare providers, health plans, healthcare clearinghouses, and their business associates
ISO 27001
ISO/IEC 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information through risk assessment, security controls, and continuous improvement. Certification is recognized globally.
Applies to: organizations of any size seeking internationally recognized security certification
PCI DSS v4.0
PCI DSS v4.0 is the global security standard for organizations that store, process, or transmit payment cardholder data. It mandates 12 high-level requirements covering network security, cardholder data protection, vulnerability management, access control, monitoring and testing, and security policy. The v4.0.1 revision (June 2024) supersedes v4.0 with clarifications rather than new requirements, and the future-dated requirements that were best practice under v4.0 became mandatory on 31 March 2025.
Applies to: merchants, payment processors, and any organization handling payment card data
CCPA/CPRA
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California consumers rights over their personal information. Businesses must honor requests to know, delete, and correct personal information, and to opt out of its sale or sharing.
Applies to: businesses that collect personal information from California residents and meet the statute's revenue, data-volume, or data-sale thresholds
NIST CSF 2.0
The NIST Cybersecurity Framework 2.0 provides voluntary guidance for managing cybersecurity risk. It organizes practices into six functions: Govern, Identify, Protect, Detect, Respond, and Recover — giving organizations a flexible, risk-based approach to cybersecurity.
Applies to: organizations of any size or sector seeking a flexible cybersecurity risk management framework
SOC 2 Type I
SOC 2 Type I is a point-in-time assessment of whether your controls are suitably designed and implemented as of a specific date; it does not test whether they operated effectively over time. It is the usual starting point for organizations obtaining their first SOC 2 report before progressing to the more rigorous Type II audit.
Applies to: startups and growing companies seeking their first SOC 2 report
ISO 42001
ISO/IEC 42001 is the first international standard for Artificial Intelligence Management Systems (AIMS). It provides a framework for responsible AI development, deployment, and governance — covering risk management, transparency, human oversight, and continuous monitoring.
Applies to: organizations developing, deploying, or using AI systems that need to demonstrate responsible AI practices
NIS 2 Directive
The NIS 2 Directive (Directive (EU) 2022/2555) is EU-wide cybersecurity legislation that requires essential and important entities to implement risk management measures, including supply chain security, and to report significant incidents on a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Member states had to transpose it into national law by 17 October 2024, and management bodies can be held liable for their organization's non-compliance.
Applies to: essential and important entities operating in the EU across energy, transport, health, digital infrastructure, and other listed sectors
NIST SP 800-53
NIST SP 800-53 (Revision 5) provides a comprehensive catalog of security and privacy controls for federal information systems and organizations. Widely adopted by private sector organizations, it covers 20 control families from Access Control (AC) to System and Information Integrity (SI); the companion SP 800-53B defines the low, moderate, and high baselines from which controls are selected and tailored.
Applies to: federal agencies, government contractors, and private organizations seeking a comprehensive set of security controls
Framework Comparison
Understand which frameworks apply to your organization
| Feature | SOC 2 Type II | GDPR | HIPAA | ISO 27001 | PCI DSS v4.0 | CCPA/CPRA | NIST CSF 2.0 | SOC 2 Type I | ISO 42001 | NIS 2 Directive | NIST SP 800-53 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Focus Area | Security Controls | Data Privacy | Healthcare Data | Security Management | Payment Card Data | Consumer Privacy | Cyber Risk Management | Security Control Design | AI Governance | Critical-Sector Cybersecurity | Security and Privacy Control Catalog |
| Geographic Scope | US / Global | EU / EEA | United States | International | Global | California (US) | US / Global | US / Global | International | EU | US Federal / Global |
| Required Policies | 20 | 3 | 3 | 3 | 12 | 8 | 10 | | | | |
| Certification Type | Attestation Report | Self-Assessment | Self-Assessment | Certification | QSA Assessment (ROC) or SAQ | Self-Assessment | Self-Assessment | Attestation Report | Certification | Regulatory Supervision | Assessment (no certification) |
| Typical Timeline | 3-12 months | 1-6 months | 3-12 months | 6-18 months | | | | | | | |
Ready to get compliant?
PoliWriter generates audit-ready documentation for all eleven frameworks above. Answer questions about your infrastructure and get customized policies in hours.