Last verified 2026-05-13

Compliance frameworks, plainly.

10 frameworks buyers ask about most. Each page answers the same four questions in the same order: what it is, certification or attestation, who actually needs it, and a defensible cost and timeline range with the source.

The four-question template is intentional. Vendors mix the answers up to make a sale. We keep them separate so the comparison stays clean across all 10.

How to read this hub

The single most common error in compliance purchasing is treating all frameworks as equivalent credentials. They are not. Some produce a certificate with an expiry date. Some produce an auditor opinion with no certificate at all. Some are laws. One is a voluntary scoring benchmark. One is a federal authorization granted by a government official. Mixing these up produces budget errors, contract failures, and genuinely bad procurement decisions. This hub uses the cert-vs-attestation-vs-regulation question as the organizing principle because it is the one question that cuts across all 10 and gives buyers a consistent way to evaluate what they are actually being asked to produce. The card groupings below follow that lens; the analytical sections that follow them go deeper on geography, cost bands, and sequencing.

US security attestation (2)

ISO certification (1)

US healthcare (2)

US federal & defense (2)

EU regulation (1)

Payments (1)

Voluntary frameworks (1)

Cert, attest, or regulation: the question that organizes this page

Every framework covered here falls into one of six categories, and the category determines what a buyer can actually ask a vendor to produce.

Certification (a physical certificate from an accredited body)
ISO 27001, HITRUST, and CMMC (Level 2 and above) each produce a certificate issued by an accredited certification body or authorized assessor organization. ISO 27001 certificates have a three-year validity with annual surveillance audits. HITRUST certificates are issued by the HITRUST Alliance, not by the external assessor firm. CMMC Level 2 certificates are issued after a C3PAO-led assessment.
Attestation (a CPA firm's opinion, no certificate)
SOC 2 Type 1 and SOC 2 Type 2 produce an auditor's report, not a certificate. A licensed CPA firm issues an opinion under AICPA standards. There is no SOC 2 certification body, no certificate document, and no public registry to look up. When a vendor says "we passed our SOC 2," they mean a CPA firm issued a report in their favor. That report is typically shared under NDA, not posted publicly.
Authorization (granted by a US federal Authorizing Official)
FedRAMP produces an Authorization to Operate (ATO). A federal agency Authorizing Official grants the ATO after a Third-Party Assessment Organization (3PAO) assessment. The FedRAMP PMO then lists the service on the Marketplace. There is no FedRAMP certificate.
Regulation (a law, no certificate, no auditor opinion)
HIPAA and GDPR are laws. HIPAA is enforced by HHS Office for Civil Rights. GDPR is enforced by national Data Protection Authorities across the EU. Neither produces a certificate. When someone says "we're HIPAA certified," that phrase has no defined legal meaning. What they usually mean is HITRUST, which is the closest certifiable proxy for HIPAA compliance. Procurement teams that ask for a "HIPAA certificate" are asking for something that does not exist.
Contractual standard (validated by a QSA-issued AOC or ROC)
PCI DSS is a contractual compliance requirement maintained by the PCI Security Standards Council, founded by Visa, Mastercard, Amex, Discover, and JCB. Validation produces an Attestation of Compliance (AOC) or, for Level 1 merchants, a Report on Compliance (ROC) from a Qualified Security Assessor. PCI SSC issues no certificates.
Voluntary benchmark (no issuing body, no certificate)
NIST CSF is a voluntary framework published by the National Institute of Standards and Technology. NIST issues nothing. Third-party assessors can produce a maturity score report, but NIST CSF itself has no certification, no certificate, and no public registry. Organizations use it as a governance baseline and, increasingly, as a cyber insurance underwriting input.

Geography decides the floor before industry does

The framework a vendor needs is determined primarily by where their buyers sit, not by what vertical they are in. Industry adds requirements on top. Geography sets the floor.

This matters because vendors often approach compliance as a product decision ("what should we build toward?") when it is actually a sales decision ("what do our next contracts require?"). The table below maps buyer location to the minimum expected credential. A vendor serving buyers across multiple geographies will typically layer these, starting with the one that opens the most revenue.

US B2B SaaS buyers
SOC 2 Type 2 is the de facto floor. Enterprise procurement teams at Series B and beyond expect it. SOC 2 Type 1 is accepted as a short-term interim credential while the observation period for Type 2 runs. See the SOC 2 audit cost guide for sourced ranges on both types.
European enterprise buyers
ISO 27001 is the expected credential. European procurement teams recognize the ISO/IEC mark globally; many do not accept SOC 2 as a substitute without a supplemental mapping document. Use the SOC 2 vs ISO 27001 selector to decide which to pursue first if serving both markets.
EU resident data (regardless of incorporation)
GDPR applies to any organization that processes personal data of EU or EEA residents, regardless of where the organization is incorporated. A US startup with one EU customer is in scope. GDPR is a legal obligation, not an optional credential, and there is no certificate to show for it.
US federal civilian agencies
FedRAMP authorization is mandatory. No FedRAMP ATO means no federal contract. Roughly 80% of authorizations are at the Moderate impact baseline, covering systems that handle CUI, PII, or agency financial data. The timeline is 12–36 months minimum.
US DoD contractors
CMMC Level 2 (C3PAO assessment) is required for contracts involving Controlled Unclassified Information. Phase 2 contract requirements take effect November 2026. CMMC and FedRAMP are distinct; holding one does not satisfy the other.
US healthcare buyers
HIPAA compliance is a legal floor for any vendor signing a Business Associate Agreement. HITRUST r2 or i1 is increasingly expected as the certifiable proof layer on top of HIPAA, particularly when onboarding with health systems or large payers.
Payment card flows (worldwide)
PCI DSS is contractually required by card brands for any entity that stores, processes, or transmits cardholder data. The validation path (SAQ vs. ROC) depends on annual transaction volume. Level 1 merchants (6M+ transactions/year) require an annual QSA-led assessment.
Board governance / cyber insurance
NIST CSF is increasingly used as the shared language between security teams and boards, and as an underwriting input for cyber insurance carriers. It does not open a contract on its own, but it signals maturity in contexts where a formal certification is not required.

The cost axis spans from $1K to $3M+

Compliance costs across these 10 frameworks span roughly two orders of magnitude. The ranges below group the frameworks into three bands based on total first-year spend, using sourced figures from each framework's explainer page. All figures are total program cost, not just auditor fees.

One number that matters more than most vendors advertise: the auditor invoice is typically the smallest line item in a compliance program. For SOC 2 Type 2, the total first-year cost often splits roughly 30% audit fees, 40% readiness tooling, and 30% internal engineering time. That 30/40/30 split, documented in our SOC 2 Type 2 data, holds approximately across ISO 27001 and HITRUST as well. Budget for the program, not just the audit fee.

Light band ($1K–$30K total)
  • PCI DSS SAQ (Levels 2–4): $1K–$40K over 3–6 months. The SAQ path is a self-assessment questionnaire with optional third-party support; no QSA required.
  • SOC 2 Type 1: $7.5K–$30K auditor fees over 3–6 months. Point-in-time design evaluation, no observation period.
  • HIPAA third-party risk assessment: $4K–$60K over 2–8 weeks. Not a certification; a risk analysis report demonstrating ongoing legal compliance.
  • NIST CSF maturity assessment: $12K–$80K over 5–10 weeks. The report is a scored maturity benchmark, not a certification.
  • HITRUST e1: $20K–$70K all-in over 3–4 months. The entry-level HITRUST assessment with 44 controls.
Mid band ($30K–$220K total)
  • SOC 2 Type 2: $12K–$100K auditor fees; total first-year program typically $50K–$220K. The 3–12 month observation period is the main driver of timeline cost.
  • ISO 27001: $10K–$80K certification body fees; all-in first year $50K–$220K for mid-market organizations. Three-year certificate with annual surveillance audits.
  • HITRUST i1: $60K–$200K all-in over 6–12 months. 182 controls; one-year certification cycle.
  • GDPR compliance program: Initial program build typically €30K–€500K+ (roughly $33K–$550K+) over 6–18 months. Ongoing costs settle near 35–40% of year-one spend.
Heavy band ($200K–$3M+)
  • FedRAMP Low: $250K–$500K over approximately 12 months. Excludes ongoing continuous monitoring of $50K–$400K+/year.
  • FedRAMP Moderate: $1M–$2M+ over 12–18 months. Covers roughly 323 NIST SP 800-53 Rev 5 controls.
  • FedRAMP High: $2M–$3M+ over 18–36 months. Approximately 410 controls; required for systems handling the most sensitive federal data.
  • CMMC Level 2 (C3PAO): $100K–$500K total over 6–18 months. The C3PAO assessment fee itself runs $35K–$75K; the remainder is remediation, tooling, and documentation.
  • PCI DSS Level 1 ROC: $30K–$200K for the QSA-led assessment alone over 6–12 months. Required for merchants processing 6M+ card transactions per year.
  • HITRUST r2: $150K–$300K+ all-in over 9–24 months. Two-year certification; large or high-risk-profile organizations can exceed $300K.

Full sourced breakdowns for SOC 2 are in the SOC 2 audit cost guide. Each framework's explainer page cites its own source for the cost range shown on its card above.

The next contract decides the next framework

A common question from early-stage SaaS founders is: "Which framework should we start with?" The correct answer is almost always the same: whichever one is written into the next contract you need to close.

Compliance programs are not built in the abstract toward a future that may or may not materialize. They are built to open specific revenue. SOC 2 Type 2 is the credential US enterprise procurement asks for. ISO 27001 is what European enterprise procurement expects. HIPAA plus HITRUST is the combination most health systems require. FedRAMP is mandatory for federal agency contracts. CMMC Level 2 is mandatory for DoD contracts involving CUI. PCI DSS is forced by card processing volume. GDPR is forced by EU resident data, regardless of what else you are pursuing.

Sequencing follows revenue, not abstract maturity. For a US-based B2B SaaS company, the standard progression looks like this: SOC 2 Type 1 (fast proof-of-concept for first enterprise deals) followed by SOC 2 Type 2 (required for procurement at most large enterprises), then ISO 27001 (when European deals start closing), then HITRUST (when health systems enter the pipeline). FedRAMP and CMMC are pursued only when federal or DoD contracts are specifically on the table, because the cost and timeline are too high to pursue speculatively.

The sequencing has a second implication: do not optimize for control overlap before validating that both frameworks are needed. SOC 2 and ISO 27001 share significant control coverage, and a well-run SOC 2 program positions an organization to pursue ISO 27001 more efficiently. But running both simultaneously in year one, before either is complete, splits attention and typically delays both. Build one clean, then extend. See the SOC 2 vs ISO 27001 selector for a structured way to decide which comes first given your specific buyer mix.

For buyers evaluating vendors rather than vendors pursuing compliance: the framework a vendor presents tells you who their customers are. SOC 2 Type 2 means US enterprise customers. ISO 27001 means European or multinational customers. HITRUST means healthcare. FedRAMP means federal agencies. A vendor with SOC 2 and no ISO 27001 is telling you their buyer base is US-centric. That context matters when evaluating whether their security program is calibrated to your risk environment. The buyer-question guides library covers specific vendor evaluation scenarios in more detail.

One last note on sequencing and cost: the frameworks in the heavy band above are not options for early-stage companies. FedRAMP Moderate at $1M–$2M+ and CMMC Level 2 at $100K–$500K total are viable only when there is confirmed federal or DoD revenue on the other side. Pursuing them speculatively burns capital that would produce faster returns in SOC 2 Type 2 or ISO 27001. The directory includes auditors experienced in federal-track programs for when that moment does arrive. Find them in the SOC 2 auditor directory, filtered by specialization.

How these explainers were built

Each of the 10 framework explainers linked above uses the same four-question structure. What it is. Certification or attestation or something else. Who actually needs it. What it costs and how long it takes, with the source named and linked. The cost ranges are sourced to published price pages, issuing-body documents, or third-party surveys, and dated when last checked. We do not round to round numbers or produce point estimates; every figure is a range that reflects real variability by organization size, scope, and starting posture. The evidence-weighting model behind the sourced ranges is in our four-tier source weighting methodology; the underlying math for the SOC 2 figures is on our SOC 2 sources page. For broader reading on how these frameworks interact in practice, the insights library covers the SOC 2 vs. ISO 27001, SOC 2 vs. HIPAA, SOC 2 vs. FedRAMP, and related comparison long-reads.