8 Compliance Frameworks Every Cloud Team Should Know
From SOC 2 to GDPR to DPDP Act — a practical guide to the compliance frameworks that matter for cloud-native teams, what they require, and how to automate scoring.
EchelonGraph Team
Compliance Engineering
Why Compliance Matters
Compliance isn't just checkbox security. For growing companies, compliance frameworks provide:
But managing compliance manually is painful. EchelonGraph automates compliance scoring, evidence collection, and report generation across 8 frameworks simultaneously.
The 8 Frameworks
1. SOC 2 Type II (64 controls)
Who needs it: Any SaaS company selling to enterprise customers.
What it covers: Security, availability, processing integrity, confidentiality, and privacy.
EchelonGraph automation: We map 17 SOC 2 trust service criteria to infrastructure checks — encryption at rest, access controls, logging, change management.

2. GDPR (42 controls)
Who needs it: Any company processing EU resident data.
What it covers: Data protection, consent, right to erasure, breach notification, DPIAs.
EchelonGraph automation: Data flow mapping, encryption verification, access logging, retention policy enforcement.

3. ISO 27001:2022 (93 controls)
Who needs it: Companies seeking international security certification.
What it covers: 14 control domains covering information security management.
EchelonGraph automation: Annex A control mapping to infrastructure state — asset inventory, access control, cryptography, network security.

4. NIST CSF 2.0 (21 functions)
Who needs it: US federal contractors and companies following US security standards.
What it covers: Identify, Protect, Detect, Respond, Recover + Govern.
EchelonGraph automation: Runtime evidence collection from eBPF telemetry and cloud configuration.

5. PCI DSS 4.0 (78 requirements)
Who needs it: Any company handling payment card data.
What it covers: Network security, encryption, access control, monitoring, testing.
EchelonGraph automation: Network segmentation checks, encryption verification, firewall rule analysis.

6. HIPAA (44 controls)
Who needs it: Healthcare companies and business associates handling ePHI.
What it covers: Administrative, physical, and technical safeguards.
EchelonGraph automation: ePHI data flow tracking, access audit logging, encryption verification.

7. DPDP Act — India (10 obligations)
Who needs it: Companies processing Indian citizens' personal data.
What it covers: Data processing obligations, consent, data principal rights.
EchelonGraph automation: Data processing inventory, consent tracking, erasure verification.

8. ISMS-P — Korea (16 controls)
Who needs it: Companies operating in South Korea under KISA certification.
What it covers: Combined ISMS + privacy controls.
EchelonGraph automation: Combined infrastructure + privacy checks covering both ISMS and personal data protection.

Continuous Compliance
Traditional compliance is annual: hire an auditor, collect evidence for 3 months, get certified, forget about it for 11 months.
EchelonGraph runs compliance checks every 5 minutes. When a score drops — a new S3 bucket is created without encryption, or a security group is opened to 0.0.0.0/0 — you get an alert immediately, not 11 months later.
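To make the continuous-compliance loop concrete, here is an added example (not EchelonGraph's code) of the two checks named above run against a constructed cloud inventory at two consecutive intervals. The inventory shape, control IDs, the allow-list of publicly reachable ports and the resource-level scoring rule are all assumptions made for illustration; a real scanner would pull the same facts from the cloud provider's API.

```python
"""Minimal continuous-compliance scorer over a cloud resource inventory.

Added example, not EchelonGraph's code. The inventory format, control IDs,
public-port allow-list and scoring rule are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed inventory snapshot: the account as seen at one check interval.
BASELINE = {
    "s3_buckets": [
        {"name": "logs-prod", "encryption": "aws:kms"},
        {"name": "assets-prod", "encryption": "AES256"},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
}

# Constructed snapshot five minutes later: an unencrypted bucket appeared and
# the database security group was opened to the world.
DRIFTED = {
    "s3_buckets": BASELINE["s3_buckets"] + [{"name": "scratch", "encryption": None}],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    ],
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumed allow-list: only web front-end ports may be world-reachable.
PUBLIC_OK_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    control: str   # control identifier (assumed naming)
    resource: str  # bucket name or security group id
    detail: str


def check_bucket_encryption(inv) -> List[Finding]:
    """Control S3-ENC: every bucket must have default server-side encryption."""
    return [
        Finding("S3-ENC", b["name"], "no default encryption configured")
        for b in inv["s3_buckets"]
        if not b.get("encryption")
    ]


def check_sg_world_open(inv) -> List[Finding]:
    """Control SG-OPEN: no non-web port may accept traffic from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] in PUBLIC_CIDRS and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(
                    Finding("SG-OPEN", sg["id"], f"port {rule['port']} open to {rule['cidr']}")
                )
    return findings


CONTROLS: Dict[str, Callable] = {
    "S3-ENC": check_bucket_encryption,
    "SG-OPEN": check_sg_world_open,
}


def score(inv) -> Tuple[float, List[Finding]]:
    """Score = percentage of evaluated resources with no finding (assumed rule)."""
    findings = [f for check in CONTROLS.values() for f in check(inv)]
    total = len(inv["s3_buckets"]) + len(inv["security_groups"])
    if total == 0:
        return 100.0, findings  # nothing to evaluate; avoid division by zero
    failing = {f.resource for f in findings}  # a resource failing twice counts once
    return round(100 * (total - len(failing)) / total, 1), findings


def evaluate_interval(previous, current) -> dict:
    """One scheduler tick: rescore the account and alert only when the score drops."""
    prev_score, _ = score(previous)
    cur_score, findings = score(current)
    return {
        "previous": prev_score,
        "current": cur_score,
        "alert": cur_score < prev_score,
        "findings": findings,
    }


if __name__ == "__main__":
    result = evaluate_interval(BASELINE, DRIFTED)
    print(f"score {result['previous']} -> {result['current']} alert={result['alert']}")
    for f in result["findings"]:
        print(f"  [{f.control}] {f.resource}: {f.detail}")
```

Alerting on a drop rather than on any non-perfect score is what keeps a 5-minute cadence tolerable: a finding that is already known and accepted does not page anyone again, while a new unencrypted bucket or a newly world-open port changes the score and fires immediately.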
Getting Started
Connect your cloud accounts and see your compliance scores instantly. No auditor required for the initial assessment.