Certifications and compliance

If your organisation or company has a website, or is connected to the web in any way, there are certain security requirements you have to fulfil. Some requirements are required by law and some are just good recommendations. This article breaks down the most common certifications and compliance requirements.

Requirements by law

By that we mean requirements set by a government or council; if the laws are violated, the organisation risks a fine.

The following requirements are required by law:

1) GDPR compliance:

The GDPR (Guide to the General Data Protection Regulation) is a law created to make data protection and data privacy stronger. It has certain requirements for how personal data is gathered, handled and stored. Read about the specific requirements here. The law was made in the EU council in 2016 and comprises every EU organisation, company and citizen. This means that even if you are a company in the US and work with data from EU citizens, you would still have to be GDPR compliant. The fine for violating the law is 2-4 % of the firm’s annual revenue.

2) HIPAA compliance:

The HIPAA (Health Insurance Portability and Accountability Act) is a law made to improve data protection and data privacy, especially for medical privacy data. It has certain requirements for the handling of medical data. It comprises the US health privacy data holders and US citizens. The law was enacted in the American Congress in 1996. The fines for violating the HIPAA range from $100 to $50,000. Read more here.

3) PCI / PA-DSS

The PCI-DSS (Payment Card Industry / Payment Application Data Security Standard) is a security standard for organisations that handle payment cards, physically or digitally. The major goals of the standard are to:

a) Protect Cardholder Data

b) Implement strong Access Control Measures

c) Monitor and test networks

Read more here.

The standard was made in 2004 by the PCI SSC (Payment Card Industry Security Standards Council), a council formed by the payment card giants (Visa, Mastercard, American Express etc.) to ensure the security of payment card data. The fines for violating the standard are $5,000 – $100,000 per month until the merchant achieves compliance.


Apart from the laws, there are also security certifications. An organisation can get a certification if it completes the specific requirements. The idea of having a certification is that other companies and potential partners can see the firm’s level of security.

The following list gives examples of such certifications.

1) ISO 27001

The ISO (International Organization for Standardization) 27001 is an international standard for IT security. It has certain requirements for data protection and general security. It tests the confidentiality, integrity and availability of the website / web entrance. The certificate was made by the UK Government, Department for Trade and Industry, in 1995.

2) UK MCSS

The UK MCSS (Minimum Cyber Security Standard) is a certificate given if the company complies with mandatory cyber resilience requirements. It is a certificate that every UK government department must achieve in order to meet its obligations under the SPF (Security Policy Framework). It applies not only to government departments but also to organisations that handle UK personal health data.

Why get a certificate?

When you have a security certificate, potential partners and customers can see that your company lives up to a standard of security. It makes the company more trustworthy and gives better security, and the result is often more public attention and a rise in market value.

Help with getting certificates or compliance

Are you worried about whether your company complies with the IT security laws? Or are you interested in getting a certificate and eliminating weaknesses on your website?
Codesealer’s Red Assessment is a test where we dig in and find which weaknesses your company needs to improve to be compliant with every law. Further, we find the vulnerabilities, can repair them, and set up a defence designed for your organisation.
