How To Add A Compliance Framework To Your Business

March 29, 2021


Regardless of what type of business you have, you need cybersecurity to keep your devices, customer data, and accounts secure. But knowing where to start your business's cybersecurity journey can be a daunting task. Maybe you're a ten-person startup or a thousand-person mega company. Regardless of the size of your business, it is important to start somewhere when it comes to securing it from cyber threats. Here are some practical tips that can help you get started.


  • First and foremost, you need buy-in and support from leadership before you add any compliance framework to your business. If you are trying to convince leadership of the need for one, highlight the benefits and also highlight the repercussions (including financial ones, such as fines, breach costs, and lost customers) that may occur without a framework to keep your business safe. Without this support from the top down, you will continually encounter roadblocks and pushback from teams and individuals. If leadership is on board, you will have backing when you encounter implementation challenges.
  • Determine what type of data you have and who your customers are. Are you a small flower shop in the United States that only sells flowers to people in your local town and doesn't have an e-commerce site? If so, you don't need to go all out and try to attain GDPR compliance. Conversely, if you are a large e-commerce business that sells internationally and handles the personal data of people in the EU, starting on the road to GDPR compliance is not a bad idea. Or, if you're a business in California or serve California residents, exploring CCPA would also be prudent.
  • Take inventory of your internal resources. Do you have a dedicated IT team or person who handles all of your internal technology, or are you the IT resource for everything? Depending on what resources you have, you can divide the work into smaller chunks for manageability. For example, if you're a ten-person SaaS startup that processes credit card data and holds customer PII (Personally Identifiable Information), starting with something like ISO 27001 or PCI DSS (which the card brands require of any business that stores, processes, or transmits cardholder data) and dividing the framework's requirements into smaller tasks can help you get started on tackling this security project.
  • Communicate and be transparent with the company about what is required of employees and their respective teams. For example, if you will be implementing an ISMS (Information Security Management System) as part of your ISO 27001 efforts, explain the upcoming changes and policies and how they will impact employees and their workflows. Being transparent about the impact on employees will go a long way toward ensuring there are fewer bumps in the road, such as departments or teams feeling blindsided by policy or workflow changes.


A compliance framework gives your business a structured, repeatable way to stay secure. Additionally, you can build from one framework toward others along the way, as many controls overlap between frameworks, so work done for one is rarely wasted on the next.

Want more information or have questions about ways that you can properly secure your business from cyber threats? Click here to learn more!

