© 2026 CheatGrid™. All rights reserved.

Security Compliance and Governance Cheat Sheet

Updated 2026-04-30

Security compliance and governance provide the structured framework through which organizations manage information security risks while meeting regulatory obligations. Compliance frameworks define specific security controls and practices organizations must implement, while governance establishes the oversight, accountability, and decision-making processes that ensure these controls operate effectively. Together, they create a comprehensive approach to protecting sensitive data and managing cyber risk in an increasingly regulated environment. The key distinction is that compliance answers "what controls must exist," while governance answers "who owns them and how do we prove they work."

What This Cheat Sheet Covers

This topic spans 17 focused tables and 114 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Major Compliance Frameworks
Table 2: ISO 27001 Control Domains
Table 3: SOC 2 Trust Service Criteria
Table 4: PCI DSS Requirements
Table 5: GDPR Data Protection Principles
Table 6: NIST 800-53 Control Families
Table 7: Risk Assessment Methodologies
Table 8: Audit Preparation and Evidence Collection
Table 9: Control Mapping and Integration
Table 10: Compliance Monitoring and Reporting
Table 11: Governance Structures and Roles
Table 12: Policy Framework and Documentation
Table 13: Risk Treatment and Management
Table 14: Specific Compliance Activities
Table 15: Audit Types and Assessments
Table 16: Findings and Remediation
Table 17: Governance and Compliance Tools

Table 1: Major Compliance Frameworks

These are the headline standards and regulations most organizations have to answer to, ranging from voluntary certifications like ISO 27001 and SOC 2 to legally mandated regimes like HIPAA, GDPR, and FISMA. Knowing which applies to you starts with your industry, your data, and your customers: a payment processor lives under PCI DSS, a defense contractor under CMMC, an EU-facing business under GDPR.

Framework / Example / Description

ISO 27001
  Example: 93 controls across 4 themes; requires ISMS certification
  • International standard for information security management systems
  • Includes organizational, people, physical, and technological controls, with a mandatory external audit for certification

SOC 2
  Example: Type I covers control design at a point in time; Type II covers operating effectiveness over 12 months
  • Service organization control report based on five trust service criteria (security, availability, processing integrity, confidentiality, privacy)
  • Issued by CPA firms under SSAE 18

PCI DSS 4.0
  Example: 12 requirements for cardholder data; network segmentation + encryption
  • Payment Card Industry Data Security Standard protecting cardholder data
  • Requires an annual assessment by a QSA for Level 1 merchants processing over 6 million transactions

HIPAA
  Example: Privacy Rule + Security Rule + Breach Notification; administrative, physical, and technical safeguards
  • Health Insurance Portability and Accountability Act protecting electronic protected health information (ePHI)
  • Enforced by the HHS Office for Civil Rights, with significant penalties for violations

GDPR
  Example: 7 data protection principles; 72-hour breach notification
  • General Data Protection Regulation governing personal data processing in the EU/EEA
  • Grants data subjects rights including access, erasure, and portability, with fines up to 4% of global revenue

NIST 800-53 Rev 5
  Example: 20 control families, 1,189+ controls; AC (Access Control), AU (Audit), IA (Identification)
  • Comprehensive security and privacy control catalog for federal systems
  • Forms the foundation for FedRAMP and FISMA compliance, with tailorable baseline sets (low, moderate, high)
