Compliance mix quiz

Ready to discover the power of taking a multi-framework approach to compliance?

As a B2B SaaS or technology company in a regulated industry, you understand the growing demands and pressure to prove your security and compliance posture. Data breaches continue to rise year after year, with breaches in regulated industries costing anywhere from $4M to $10M. But with so many frameworks serving so many different purposes, it can be challenging to know which ones you need and where to start. Relax—we got you covered.

Do you offer your services/products internationally?

Do you process protected health information?

Are you a covered entity or a business associate?

Do you currently or plan to work with health plans or hospital systems?

Do you store or process credit card information?

Do you plan on working with health plans or hospital systems in the future?


Get a full recommendation for your business

Your initial results:

Congratulations! You’re one step closer to your organization’s best and most efficient path to complete compliance and ensuring the safety and security of your customers’ data.

Learn more about your recommended frameworks and how to build a custom roadmap to go from zero to compliant with a single audit a year, saving your organization time, resources, and money along the way.

Frameworks of interest for companies that handle personal and/or financial data

SOC 2: The baseline one

SOC 2 (Service Organization Control Type 2) is a compliance framework developed by the AICPA (American Institute of Certified Public Accountants) and is considered table stakes for US companies that store user data.

SOC 2 is one of three types of SOC reports (alongside SOC 1 and SOC 3) and involves an audit that examines service providers to determine whether they are securely managing third-party data. For example, if you’re dealing with protected health information (PHI), incorporating SOC 2 into your compliance program is key to building trust with investors and buyers.

Fast Fact: Achieving SOC 2 Type 2 gets you 90% of the way to achieving HITRUST e1. That’s why a lot of Thoropass customers choose to do both at the same time.

HIPAA: The legal one

HIPAA, or the Health Insurance Portability and Accountability Act, was developed to protect Protected Health Information (PHI) in any form, whether on paper or stored in digital locations such as Electronic Health Records (EHR).

HIPAA applies to two types of organizations:

Covered Entity (CE): Covered entities are health plans, healthcare clearinghouses, or healthcare providers who transmit any health information in electronic form in connection with a transaction. 

Business Associate (BA): A Business Associate is a service provider to a CE. A BA is an organization that receives, maintains, creates, or transmits protected health information (PHI) on behalf of a covered entity.

Complying with the laws set forth by HIPAA is not an option but a legal requirement for CEs and BAs to conduct business. Failing to comply can result in significant reputational and financial damage.

Fast Fact: While HIPAA may be legally required to launch products or services that handle PHI, the HITRUST r2 assessment may cover all HIPAA requirements (and then some) for certain organizations, specifically if you’re working with insurance carriers or hospital systems.

HITRUST e1: The gateway one

The HITRUST CSF is a globally utilized and recognized framework with dozens of authoritative sources covering multiple industries.

The HITRUST e1 (essentials one-year certification) is one of three HITRUST assessments. It’s the newest and most accessible certification with the fewest controls. It’s also significantly cheaper than the other HITRUST certifications. The e1 serves as a great foundation for achieving future HITRUST certifications. 

Fast Fact: For smaller companies and startups just setting off on their compliance journey, the e1 is a great stepping stone to HITRUST compliance as it’s faster and less expensive than the other two. The e1 includes just 44 HITRUST CSF requirements for year one and year two.

HITRUST i1 and r2: The gold standard ones

The HITRUST i1 (implementation one-year certification) and r2 (risk-based two-year certification) assessments offer considerably higher levels of protection and assurance than the e1, but they take much longer to achieve. If you’ve already achieved your e1 certification, you’ll have a substantial head start toward achieving your i1. 

The i1, originally developed as the gateway to r2, tends to be the most commonly recommended version. The r2 is by far the most comprehensive of the three. The r2 is the original version of the certification and the most intensive (and expensive).

Fast Fact: The HITRUST CSF is considered a gold standard as it’s regulated by a private body and unifies many authoritative sources, pre-existing security regulations, and frameworks—such as NIST, HIPAA, ISO 27001, FedRAMP, PCI DSS, GDPR, and more.  

PCI DSS: The payments one

Payment Card Industry Data Security Standards (PCI DSS) apply to any entity that processes, stores, or transmits credit card information. The payment card brands mandate the standards and enforce compliance. Merchants and service providers of all sizes are responsible for maintaining compliance with PCI DSS.

Fast Fact: When it comes to PCI DSS, one set of requirements or standards does not fit all. Your journey to PCI DSS compliance will change depending on the entity type, the number of transactions, and your organization’s customer requirements.

ISO 27001: The international one

Plan on expanding your business across borders? ISO 27001 is an international standard for implementing an effective Information Security Management System (ISMS) that generally applies to companies wishing to pursue international deals.

ISO 27001 is an excellent certification for organizations who wish to prove an extra level of credibility with customers, partners, and regulators.

Fast Fact: ISO 27001 is most often sought after by companies in the EU because it has a privacy component that closely aligns with GDPR (General Data Protection Regulation). However, there is a growing interest in ISO for US-based companies that wish to expand globally.

Meet Jay Trinckes

Jay is Thoropass’s Director of Compliance. He has two decades of experience in cybersecurity and privacy. He advises organizations on security and privacy issues and specializes in privacy, healthcare, medical devices, government, banking and credit unions, and regulatory requirements, including HIPAA, HITRUST, ISO 27001, ISO 27701, SOC 1, SOC 2, GDPR, CCPA, FERPA, and PIPEDA.

He has a wide range of experience in information security consulting, privacy, auditing, computer networks, vulnerability and penetration testing, compliance, and risk assessments, and he has published multiple books on related topics.

Find your multiframework mix

So many frameworks, so little time! No need to fret; Thoropass’s Compliance Mix Quiz will help you zero in on the exact framework mix you’ll need to keep your customers’ data safe and secure and prevent data breaches that can cost thousands and ruin reputations.