Compliance, in plain English
A customer just asked whether you're “SOC 2 compliant” or “ISO 27001 certified,” and your stomach dropped. Breathe. You're not behind, and you don't have to turn into a security expert. Here's the whole thing, explained once, in plain words — no jargon, no scare tactics.
First — why is anyone even asking you for this?
Compliance is really just proof that you look after data carefully, in a form someone else already trusts. You're almost never doing it for its own sake — something pulls it in:
- A customer won't buy without it. Larger companies have to vet the vendors they rely on, so their security team asks for proof before they sign.
- An investor asks during due diligence. It quietly signals you run a tidy, trustworthy ship.
- A law applies to your data. Handle health records, card payments, or EU personal data, and some rules simply aren't optional.
So the honest first question isn't “which one should I get?” — it's “who's asking, and what exactly did they ask for?” Start there, not from the list.
What's a “framework”?
A framework is just a security checklist that someone trusts. You don't invent the rules — a customer, investor, or regulator points at one, and your job is to meet it and show your work. Here are the ones you'll actually hear about:
| Framework | When it's for you |
|---|---|
| CIS (AWS baseline) | Nobody asks for this one by name — it's the universal good-hygiene baseline for any AWS account. Start here. It's free, practical, and makes every later audit easier. |
| SOC 2 | What US business customers usually ask SaaS vendors for. It's a report, not a certificate (more on that just below). |
| ISO 27001 | The international equivalent — more common in Europe, the UK, and with large or global enterprises. This one is a formal certificate. |
| PCI-DSS | Required if you store or process credit-card payments yourself. |
| HIPAA | Required if you handle US health or medical data. |
| GDPR | EU personal-data law — applies automatically if you have EU/EEA users. It's mostly legal and process, not a badge you display. |
A quick gut-check: it's about where your customers are, not where you are. A European company selling into the US still gets asked for SOC 2; a US company selling into Europe gets asked for ISO 27001. Plenty of teams end up doing both eventually — but only when a real deal calls for it. For most people: CIS now, then SOC 2 or ISO 27001 once a customer names it.
Every audit has two halves
This is the bit that trips everyone up, so let's say it plainly. Any of these frameworks is really two different kinds of requirement:
- The technical half — your actual AWS settings: is data encrypted, is access locked down, is logging on, is anything exposed to the public internet? A tool can check all of this for you automatically. (This is the part CloudProof scans, scores, and gives you the exact fixes for.)
- The human half — your policies and habits: Do you have a plan for when something goes wrong? Do you review who has access at least once a year? Do you train new hires? A scan can't see these — only you can answer them.
An auditor wants to see both. The good news: the technical half is the bigger, slower slog, and it's exactly the part that can be automated.
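To make the two halves concrete, here is an added toy example (not CloudProof's scanner or scoring logic): a handful of CIS-style hygiene checks run over a constructed account snapshot, the yes/no attestation answers for the human half, and one score that folds both together. The snapshot fields, question names and check list are all made up for the illustration.

```python
from dataclasses import dataclass

# Constructed snapshot of one AWS account, shaped like the output of a
# read-only inventory. Not real data; the field names are this example's own.
SNAPSHOT = {
    "cloudtrail": {"enabled": True, "multi_region": False},
    "root_account": {"mfa_enabled": False, "access_keys": 0},
    "s3_buckets": [
        {"name": "app-assets", "public": True, "encrypted": True},
        {"name": "backups", "public": False, "encrypted": False},
    ],
    "security_groups": [
        {"id": "sg-web", "open_to_world": [443]},
        {"id": "sg-db", "open_to_world": [22, 5432]},
    ],
}
# The human half: yes/no questions a scan cannot see, plus constructed answers.
QUESTIONS = ["incident_response_plan", "annual_access_review", "new_hire_training"]
ATTESTATION = {"incident_response_plan": True, "annual_access_review": False,
               "new_hire_training": True}

@dataclass
class Result:
    check: str      # the plain-English question from the list above
    resource: str
    passed: bool
    fix: str = ""   # remediation, relevant only when the check fails

def technical_checks(snap):
    """Automated half: evaluate each hygiene check over the snapshot, pass or fail."""
    ct, root, r = snap["cloudtrail"], snap["root_account"], []
    r.append(Result("Logging on", "CloudTrail", ct["enabled"], "Enable CloudTrail"))
    r.append(Result("Logging on", "CloudTrail", ct["multi_region"], "Make the trail multi-region"))
    r.append(Result("Access locked down", "root", root["mfa_enabled"], "Enable MFA on the root user"))
    r.append(Result("Access locked down", "root", root["access_keys"] == 0, "Delete root access keys"))
    for b in snap["s3_buckets"]:
        r.append(Result("Exposed to internet", b["name"], not b["public"], "Turn on Block Public Access"))
        r.append(Result("Data encrypted", b["name"], b["encrypted"], "Enable default bucket encryption"))
    for sg in snap["security_groups"]:
        risky = [p for p in sg["open_to_world"] if p not in (80, 443)]  # web ports are expected
        r.append(Result("Exposed to internet", sg["id"], not risky, f"Close {risky} to 0.0.0.0/0"))
    return r

def score(snap, attestation):
    """One percentage for both halves: each check and each question is one point; unanswered = no."""
    tech = technical_checks(snap)
    points = sum(x.passed for x in tech) + sum(bool(attestation.get(q)) for q in QUESTIONS)
    return round(100 * points / (len(tech) + len(QUESTIONS)), 1)
```

Run `technical_checks(SNAPSHOT)` to list the five failing items with their fixes; `score(SNAPSHOT, ATTESTATION)` gives 53.8, and leaving every question unanswered drops it to 38.5, which is the point of folding attestation into the number.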
“Attestation,” “report,” “certificate” — what's the difference?
These words get used interchangeably, which is half the confusion. Here's the difference, simply:
Attestation = you formally saying “yes, we do this.” Inside CloudProof, the human-half questions above are your self-attestation — a short set of yes/no answers about your policies. It's how you fill in the part a scan can't see.
An attestation report (e.g. SOC 2) = a licensed CPA firm reviews you and writes a formal opinion on whether your controls genuinely work, usually over a 3–12 month window. You hand the customer that report — often 30–80 pages. There's no “SOC 2 certified” badge; their security team reads the report.
A certification (e.g. ISO 27001) = an accredited body audits you and issues an actual certificate, valid for about three years. This one you can show off as a badge.
So when someone says “send me your SOC 2,” they mean the report a CPA produced. When they ask “are you ISO certified?”, they mean the certificate. Both come at the end — after you've done the work and an outsider has checked it.
So how does a real audit actually go?
- Pick the framework a customer asked for (or just start with CIS while you wait for one to come up).
- Fix the technical stuff. Scan your AWS, see what's failing, and work down the list — each issue should come with a plain explanation and an exact fix.
- Sort out the human half. Write the few policies you're missing and answer the yes/no attestation questions honestly.
- Gather the evidence. Reports, config exports, screenshots — proof that what you say is actually true.
- Bring in the outside reviewer. A CPA firm for SOC 2; an accredited certification body for ISO. They examine everything and issue the report or the certificate.
Rough expectations for a first SOC 2: a few months of prep, and somewhere from a few thousand up to low-five-figures for the auditor. ISO 27001 is similar, sometimes a bit heavier. The prep — fixing technical issues and assembling evidence — is the slow part, and it's exactly the part good tooling shrinks.
Where CloudProof fits — and where it doesn't
We'll be straight with you about this:
- We do the technical half automatically — scan your AWS read-only, score you against every framework at once, and hand you the exact fixes (copy-paste commands and all).
- We hold your self-attestation — the yes/no answers for the human half — and fold them into your score.
- We hand you an organized, signed evidence package that your auditor (or your customer's security team) can verify as genuine and untampered.
What we don't do: we don't issue the SOC 2 report or the ISO certificate — only a CPA firm or a certification body can do that. What we do is get you to their door prepared, so that final step is faster, cheaper, and far less stressful. Think of us as the prep, not the stamp.
A free scan takes about five minutes, needs only read-only access, and there's no sales call.