Compliance means meeting requirements established by laws, regulations, industry standards, and contractual obligations. Healthcare organizations comply with HIPAA, payment processors with PCI DSS, and public companies with SOX. Non-compliance can result in fines, legal liability, loss of business, and reputational damage.
A compliance program identifies applicable requirements, maps them to controls, implements necessary measures, monitors ongoing adherence, and documents evidence for auditors and regulators. Compliance is necessary but not sufficient for security—meeting minimum requirements doesn’t guarantee protection against sophisticated threats.
CISSP Relevance
Domain 1 (Security and Risk Management) covers legal, regulatory, and compliance requirements. Know major regulations (HIPAA, GDPR, SOX, GLBA, PCI DSS), how they apply to different industries, and the relationship between compliance and security. Understand that security professionals must work with legal counsel on compliance matters.
The regulatory landscape is summarized at CISA Critical Infrastructure.
Related terms: Governance, Security Audit