If you're in the business of storing data, processing payments or working with government contracts, you already know the compliance acronyms that get thrown around: NIST, SOC 2, ISO 27001, CMMC, etc.
But before you chase a new cybersecurity certification, you need a strategy. That’s why we’re going back to the basics of cybersecurity compliance.
“Compliance work sometimes seems like pushing paper and checking boxes, but that’s not what it’s about at all,” said Inversion6 CISO Jack Nichelson. “It’s about building a strong cybersecurity foundation that ensures trust and supports long-term business growth.”
Before diving into the certifications themselves, it’s important to start with a solid foundation. Frameworks like NIST (National Institute of Standards and Technology) serve as roadmaps to help U.S. organizations assess their current security posture, identify gaps and prioritize improvements.
There are many different frameworks with different levels of focus and thoroughness. At Inversion6, we typically align our implementation recommendations with NIST 800-53, a specific variant of the NIST framework.
“NIST 800-53 is one of the most comprehensive frameworks. That means any compliance improvements you make using this framework will also meet or exceed many other standards,” said Nichelson. “That’s why we use it. It’s a powerful starting point.”
Learn more about NIST Frameworks:
https://inversion6.com/insights/blog/nist-cybersecurity-framework-2-0-what-you-need-to-know
You can use cybersecurity frameworks like NIST to achieve many types of cybersecurity compliance certifications. Few businesses will need all of them, but most businesses will need at least one of them at some point.
Some certifications are designed for companies that handle sensitive government data. Others cater to SaaS providers hosting third-party information; still others are internationally recognized, helping businesses operate across borders.
“At the end of the day, it’s a combination of your industry, geography and customer base that will dictate which compliance path makes the most sense,” said Nichelson.
Below are some common certifications Inversion6 helps clients achieve:
SOC 2: The Smart Play for SaaS and Growing Startups
Developed and governed by the American Institute of CPAs, SOC 2 certification has evolved into an essential trust-builder for SaaS companies, fast-growing startups or any business that routinely handles third-party data.
“If you’re selling to large enterprises, chances are you’re going to be asked for your SOC 2 report at some point before signing a contract,” said Nichelson.
Achieving SOC 2 certification requires a formal audit. These reports typically cover a 12-month period, and controls must be re-evaluated regularly to maintain validity. With this in mind, ongoing reviews and annual audits are the norm.
As SOC 2 practitioners, Inversion6 CISOs have guided many companies through this ongoing process, from initial preparation to meeting the audit requirements year after year.
“Some of my closest long-term client relationships are with my SOC 2 clients,” Nichelson added. “Once they get on that path, they need to stay compliant and do their SOC 2 audit every year, so we’ve spent a lot of time together.”
Learn more about SOC 2 Compliance:
https://inversion6.com/insights/blog/why-soc2-should-be-a-priority
International Organization for Standardization (ISO) certifications, particularly ISO 27002, have become a recognized baseline for businesses operating internationally or in highly regulated sectors.
“If you do a lot of business outside the U.S., this is often the way to go,” said Nichelson.
For U.S.-based organizations with ambitions to expand their global footprint, ISO certification is often the most credible and recognized way to demonstrate security maturity to partners, regulators and customers alike.
“This certification carries a lot of weight in international markets,” Nichelson added. “That’s why we have certified ISO assessors in-house. We’ve helped plenty of Midwest companies get ISO certified to drive more global growth.”
Learn more about ISO Certification:
https://inversion6.com/insights/blog/iso-27001-and-soc-2-which-is-right-for-you
Cybersecurity Maturity Model Certification (CMMC) has its roots in the NIST 800-171 framework. But it evolved into a full-fledged certification when mandatory third-party assessments were introduced into the mix.
CMMC was designed for the Department of Defense after it came to the realization that asking contractors to audit their own cybersecurity preparedness wasn’t getting the job done.
“I tell people the reason CMMC exists is because China’s next-gen fighter plane looks exactly like ours,” said Nichelson. “The government realized self-attesting just doesn’t work. So, now you need an independent audit. That’s CMMC in a nutshell.”
First proposed in 2020, the rules have evolved considerably since their final approval in October 2025.
“For the longest time, people didn’t believe this was really going to happen,” Nichelson said in a previous interview. “There were delays, revisions and even talk that the whole thing might get scrapped. But it’s all happening. In fact, contractors are now getting direct letters from the DoD telling them they either need to be CMMC compliant—or they’re out.”
This flurry of activity has led to an influx of new compliance work for CMMC registered practitioners like Nichelson and fellow Inversion6 CISO Craig Burland.
“Anyone you use to help you prepare has to be totally independent from the third-party auditors who make the final decision,” said Nichelson. “That’s creating a lot of demand for folks like Craig and myself right now. But it’s really the auditing timeline that’s going to be the issue.”
“These auditors are going to start getting bottlenecked and it’s going to get tight for folks who wait too long,” he added. “That’s why I’m telling everyone I know who needs CMMC certification to get started right now. I don’t want to see them waiting in the audit line losing contracts next year.”
Learn more about CMMC Compliance:
https://inversion6.com/insights/blog/cmmc-2-0-compliance
While we talk often about compliance from a U.S. perspective, global businesses also need to account for overseas requirements.
In the UK, Cyber Essentials is a government-backed certification focused on basic cyber hygiene—think firewalls, patching and malware protection. Cyber Essentials is often seen as a de facto prerequisite for doing business with UK public-sector entities. In fact, the UK government is so confident that Cyber Essentials certification will protect businesses that it offers cyber liability insurance to those who achieve it.
Then there’s NIS2, the European Union’s updated directive aimed at critical infrastructure and digital service providers. NIS2 compliance sets requirements for risk management, incident reporting, compliance enforcement and supply chain security, to name a few.
For those providing essential or digital services in the EU, NIS2 compliance is mandatory to maintain access to European markets, making it worthy of attention for any business with global growth plans.
Learn more about Cyber Essentials and NIS2 Compliance:
https://inversion6.com/insights/blog/a-guide-to-cyber-essentials-and-nis2-compliance-for-global-organizations
What sets Inversion6 apart is not just technical knowledge; it’s a strategic mindset.
“We don’t push cybersecurity certifications as disposable products,” said Nichelson. “We guide clients through the bigger picture: how specific compliance certifications align with their actual risk management strategy, not to mention their long-term growth goals.”
Whether you are preparing for a formal audit, benchmarking against a framework or expanding into international markets, Inversion6 meets you where you are.
The goal isn’t just to pass the test; it’s to build sustainable, scalable cybersecurity practices that build trust and grow with your business.