Which compliance framework do you actually need?
Three quick questions. Get a tailored starting point across ISO 27001, SOC 2, DPDP, GDPR, HIPAA and more.
1. Who are your customers? (choose any)
2. What kind of data do you handle? (choose any)
3. What's prompting this?
Answer the three questions and your likely path appears here.
Framework selector — common questions
Do I need ISO 27001 or SOC 2?
They overlap heavily. SOC 2 is the common ask from US enterprise buyers; ISO 27001 is the internationally recognised certification and the stronger signal when you sell across regions. Many companies end up with both, and a single security program can cover most of the shared ground.
Is this selector a substitute for advice?
No. It points you to a likely starting framework based on three inputs. Your real scope depends on your contracts, data flows, and where you operate — which is the conversation to have before you commit time and budget.
We handle health data and sell to US enterprises. What then?
You would likely need both HIPAA, for the health data and usually through a Business Associate Agreement, and SOC 2, for the enterprise security review. The two can be run together as one program.
When does India’s DPDP Act apply to us?
Once you process the personal data of people in India. Full compliance is due 13 May 2027, and the work — data mapping, consent, grievance handling — usually takes longer than teams expect.
Want a human to confirm your scope?
A 30-minute call to map your frameworks to your contracts, data, and timeline.
Free Assessment: no obligation, no sales pitch
Custom Roadmap: tailored to your organization
Expert Guidance: 500+ successful audits