Standard vs Framework vs Laws vs Regulations


Overview

Standard vs Framework vs Laws vs Regulations explains the differences between these four terms in detail.

These terms are used interchangeably in the compliance world and often create confusion. In this article, you will learn about the differences between standards, frameworks, laws, regulations, and contractual obligations.

Standard vs. Framework

Standards provide specific guidelines or requirements for implementing a generally accepted process as the best method. When used as prescribed, standards can help ensure the quality and efficiency of the process at hand. Examples of standards include, but are not limited to:

  1. International Organization for Standardization (ISO) Standards
  2. Payment Card Industry Data Security Standard (PCI DSS)
  3. The Health Insurance Portability and Accountability Act of 1996

On the other hand, frameworks are general and based on principles that allow for flexibility in designing and implementing the process. Framework examples include, but are not limited to:

  1. The National Institute of Standards and Technology (NIST)
  2. Health Information Trust Alliance (HITRUST)
  3. Control Objectives for Information and Related Technologies (COBIT)

Where standards are rigid, frameworks are general: they serve as a starting point for practice and allow for experimentation.

Regulations vs. Statutory Laws

Laws are rules made by the government of a country, state, or city. They are enacted by a legislative body and signed by a ranking official (the president or governor). Everyone must follow them to remain legal. Statutory law examples include, but are not limited to:

  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  2. Children’s Online Privacy Protection Act (COPPA)
  3. Fair and Accurate Credit Transactions Act (FACTA)—including the “Red Flags” rule
  4. Family Education Rights and Privacy Act (FERPA)
  5. Federal Information Security Management Act (FISMA)
  6. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
  7. UK: The Data Protection Act (DPA)

Regulations are detailed instructions on how the laws are enforced or carried out. Examples of regulations include, but are not limited to:

  1. European Union General Data Protection Regulation (EU GDPR)
  2. Defense Federal Acquisition Regulation Supplement (DFARS)
  3. Federal Acquisition Regulation (FAR)
  4. Federal Risk and Authorization Management Program (FedRAMP)

Contractual Obligations

This is a term that we don’t hear often, but it is the one we ought to use when referring to SOC 1, SOC 2, and PCI.

Contractual obligations arise from legal contracts between private parties. They can take the form of a privacy addendum, a vendor contract with unique requirements, or broader industry association obligations. Some examples of contractual obligations include:

  1. Service Organization Control (SOC)
  2. Generally Accepted Privacy Principles (GAPP)
  3. Center for Internet Security (CIS) and Critical Security Controls (CSC)
  4. Cloud Security Alliance (CSA) and Cloud Controls Matrix (CCM)

Summary

To recap:

  • Standards are guidelines on how to implement a set of requirements (e.g., ISO/IEC 27701:2019 from the International Organization for Standardization).
  • Frameworks are best practices and are more flexible than the more rigid standards.
  • Statutory laws are laws passed by a state or federal government (e.g., the California Consumer Privacy Act (CCPA)).
  • Regulations are rules issued by a regulating body appointed by a state or federal government; they are detailed instructions on how the laws are to be enforced or carried out (e.g., the European Union General Data Protection Regulation (EU GDPR)).
  • Contractual obligations are obligations required by a legal contract between private parties (e.g., Service Organization Control (SOC)).
