SOC 2 Type 2 is an attestation report in which an independent CPA firm tests whether your security controls operated effectively across a defined observation window — commonly three to twelve months.

$15K–$400K · 6–15 months

SOC 2 Type 1 attests that your controls are suitably designed at a single point in time.

$10K–$150K · 4–10 weeks

ISO 27001 is the international standard for an Information Security Management System (ISMS).

$15K–$120K · 3–12 months

HIPAA is a US law governing how protected health information (PHI) is handled.

$10K–$60K · varies

PCI DSS is the security standard for organizations that store, process, or transmit payment-card data.

$15K–$200K · 3–9 months

The General Data Protection Regulation is the EU's data-protection law.

Varies · ongoing

FedRAMP is the US government's standardized program for authorizing cloud services.

$250K+ · 12–24 months

HITRUST CSF is a certifiable security framework that harmonizes HIPAA, NIST, ISO, and others.

$40K–$200K · 6–18 months

CMMC is the US Department of Defense's certification program for contractors that handle controlled unclassified information (CUI).

$25K–$200K+ · 6–18 months

The NIST Cybersecurity Framework is a voluntary, outcome-based framework for managing cyber risk.

No cert · ongoing