
Standard vs Framework vs Laws vs Regulations


Overview

These terms are used interchangeably in the compliance world and often create confusion. This article explains the differences between standards, frameworks, laws, regulations, and contractual obligations.

Standard vs. Framework

Standards provide specific guidelines or requirements for implementing a generally accepted process as the best method. When applied as prescribed, standards help ensure the quality and efficiency of the process at hand. Examples of standards include, but are not limited to:

  • International Organization for Standardization (ISO) Standards
  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Health Insurance Portability and Accountability Act of 1996

On the other hand, frameworks are general and principle-based, allowing flexibility in how the process is designed and implemented. Examples of frameworks include, but are not limited to:

  • National Institute of Standards and Technology (NIST)
  • Health Information Trust Alliance (HITRUST)
  • Control Objectives for Information and Related Technologies (COBIT)

Where standards are rigid, frameworks are general: they serve as a practice ground and allow for experimentation.

Regulations vs. Statutory Laws

Laws are rules made by the government of a country, state, or city. They are enacted by a legislative body and signed by a ranking official (President/Governor), and everyone must comply with them. Examples of statutory laws include, but are not limited to:

  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Fair and Accurate Credit Transactions Act (FACTA) – including the “Red Flags” rule
  • Family Education Rights and Privacy Act (FERPA)
  • Federal Information Security Management Act (FISMA)
  • Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
  • UK – Data Protection Act (DPA)

Regulations are detailed instructions on how laws are enforced or carried out. Examples of regulations include, but are not limited to:

  • European Union General Data Protection Regulation (EU GDPR)
  • Defense Federal Acquisition Regulation Supplement (DFARS)
  • Federal Acquisition Regulation (FAR)
  • Federal Risk and Authorization Management Program (FedRAMP)

Contractual Obligations

This is a term we don't hear often, but it is the one we ought to use when referring to SOC 1/SOC 2/SOC 3 and PCI.

Contractual obligations arise from legal contracts between private parties. They can take the form of a privacy addendum, a vendor contract with unique requirements, or broader industry association obligations. Some examples of contractual obligations include:

  • Service Organization Control (SOC)
  • Generally Accepted Privacy Principles (GAPP)
  • Center for Internet Security (CIS) Critical Security Controls (CSC)
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)

Summary

To recap:

  • Standards are guidelines on how to implement a set of requirements – e.g., International Organization for Standardization ISO/IEC 27701:2019
  • Frameworks are best practices and differ from more rigid standards
  • Statutory laws are current laws passed by a state or federal government – e.g., California Consumer Privacy Act (CCPA)
  • Regulations are rules issued by a regulating body appointed by a state or federal government; they are detailed instructions on how the laws are to be enforced or carried out – e.g., European Union General Data Protection Regulation (EU GDPR)
  • Contractual obligations are those required by a legal contract between private parties – e.g., Service Organization Control (SOC)
