Skip to content
sudodudes_
[root@sudodudes ~]# Certifications

What you actually get, and what it takes to keep it.

Not every framework here is a certificate you hang on a wall - some are ongoing regulatory obligations. We say which is which up front, because that changes how you should scope and budget for it.

root@sudodudes:~$ frameworks --list --verbose
Framework What it is Typical timeline Issued by Renewal
ISO 27001 ISMS certification 3-4 months to Stage 1, longer for a first-time ISMS Accredited certification body Annual surveillance audit, full recertification every 3 years
ISO 27017 Cloud security controls (27001 extension) Add-on scope to an existing or parallel 27001 engagement Same certification body as 27001 Same cycle as the underlying 27001 certificate
ISO 27018 PII protection in public cloud (27001 extension) Add-on scope to an existing or parallel 27001 engagement Same certification body as 27001 Same cycle as the underlying 27001 certificate
SOC 2 Type I Point-in-time control design attestation 4-6 weeks readiness, then a single audit date Licensed CPA firm One report; most buyers expect Type II to follow within a year
SOC 2 Type II Control operating-effectiveness attestation 3, 6, or 12-month observation window, plus reporting Licensed CPA firm New report each observation period, typically annual
PCI-DSS v4.0 Payment card data security standard Scope-dependent - CDE reduction usually shortens it the most QSA (Report on Compliance) or self-assessment (SAQ) Annual RoC/SAQ, quarterly ASV scans
GDPR EU data protection regulation - not a certificate Ongoing program, not a one-time engagement Self-attested, enforced by national Data Protection Authorities Continuous - DPIAs and RoPA reviewed as processing changes
HIPAA US healthcare data protection rule - not a certificate Ongoing program Self-attested, enforced by HHS OCR Continuous - annual risk analysis expected
DPDPA India's Digital Personal Data Protection Act - not a certificate Ongoing program Self-attested, enforced by the Data Protection Board of India Continuous

# exit 0 - full scope and pricing discussed on a call, not published as a rate card

How we run a certification engagement.

Scope, implement, pentest before the auditor does, then certify - the same four-phase model regardless of which framework you're after.

See the full approach
  • One team, every framework

    The same engineers who scope your ISMS also run the pentest and sit on the audit call. No handoff to a separate vendor mid-engagement.

  • Evidence as code

    Control evidence is generated from your actual Terraform, CI, and IdP state where possible - not hand-typed into a spreadsheet the week before the audit.

Talk to us

Ask us which framework you actually need first.

Most companies over-scope their first certification. A 30-minute call usually saves months of unnecessary work.