Compliance vs. Common-Sense Monitoring
Frameworks and good operational hygiene overlap more than people think. The failure mode is treating them as separate programmes.
Somewhere between "we just launched" and "we sell to enterprises" is the moment a small business gets asked about compliance.
A prospect wants to see your SOC 2 report. An investor asks about your security controls. A larger customer's procurement process sends a vendor security questionnaire. Suddenly, compliance has moved from "something other companies deal with" to "something we need to have an answer about."
The instinct at that point is to treat compliance as a new programme. Hire a consultant, buy a compliance platform, build a separate set of processes that exist to satisfy the framework. This is usually wrong. Compliance done well looks a lot like common-sense operational hygiene, and the small businesses that navigate it smoothly are the ones that already had the hygiene.
The overlap is larger than people think
Pick any serious compliance framework — SOC 2, ISO 27001, HIPAA, PCI — and look at the controls. Strip out the jargon. What you're left with is, to a surprising degree, things any competent small business should be doing anyway.
The AICPA's SOC 2 Trust Services Criteria[1] — the five categories audited in a SOC 2 report — are Security, Availability, Processing Integrity, Confidentiality, and Privacy. The NIST Cybersecurity Framework 2.0[2] is organised around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Different vocabularies, enormous overlap. Both frameworks ultimately ask whether you can answer:
- Know where your customer data lives
- Control who has access to it
- Review access periodically and revoke stale accounts
- Log changes to production systems
- Have backups, and verify they work
- Monitor for failures and respond to them
- Document incidents and what you learned
- Have a plan for how you'd handle a breach
If you've been running sensible monitoring and ops hygiene, you already have 60-80% of the control surface covered. The remaining 20-40% is paperwork — writing down the thing you already do, in the format the framework expects.
The businesses that find compliance painful are usually the ones where the baseline hygiene was missing. The framework isn't adding work; it's exposing the absence of work that should have been done anyway.
Where compliance and hygiene diverge
That said, they aren't identical. Compliance has requirements that pure operational hygiene wouldn't necessarily produce:
Evidence and audit trails. Hygiene cares that you do the thing. Compliance also cares that you can prove you did the thing, to an external party, after the fact. This is usually a documentation and logging burden.
Formal policies. Having a password policy isn't the same as having a written, dated, version-controlled password policy that employees have acknowledged. The written artifact is a real requirement in most frameworks.
Specific review cadences. Frameworks specify frequencies — quarterly access reviews, annual risk assessments, etc. Hygiene tends to be more opportunistic. The cadence is new.
Risk assessment. Formal documentation of what could go wrong, what you're doing about it, and what residual risk you're accepting. Most SMBs don't do this explicitly; compliance requires it.
Vendor security reviews. Compliance requires structured third-party risk assessments. You're already thinking about vendor risk in operational terms; compliance wants that thinking captured in a document.
None of these are conceptually hard. They're paperwork on top of practice. The practice still has to exist.
The trap: compliance without hygiene
The anti-pattern is clear and widespread: a small business hears "SOC 2" and buys a compliance platform. The platform helps them generate policies, collect evidence, and prepare for audit. They pass the audit. They tell prospects they're SOC 2 compliant.
And their actual security posture is unchanged, because the controls are theatre. The password policy is written down and not enforced. The access reviews are quarterly checkbox exercises. Monitoring evidence is collected but not acted on. Incidents are documented but not prevented.
This passes audit. It doesn't protect the business. And sophisticated buyers can tell — they ask questions that go beyond "do you have this control" to "walk me through how this control works in practice." If the answer is vague, the theatre is exposed.
The right order is hygiene first, compliance second. Build the practice. Then the framework is just documenting what you already do.
The trap: hygiene without compliance
The reverse failure is less common but worth naming. Some teams have excellent operational hygiene and refuse to do the paperwork required by compliance frameworks. "We do all this stuff, we just don't have a piece of paper saying we do."
Fine in principle. Expensive in practice. If your business eventually needs SOC 2 or ISO 27001 for sales reasons, you'll have to produce the paperwork anyway, and you'll have to produce it retroactively — which is harder than producing it as you go.
A small amount of ongoing documentation is cheaper than a sprint to generate a year's worth of evidence the week before an audit.
What SMBs should actually do
A pragmatic ramp:
Get the hygiene right
Monitoring, alerts, backups, access control, vendor inventory, documented incidents. These are load-bearing. Without them, compliance is theatre.
Keep lightweight evidence
As you do operational work, capture it. Monitoring dashboards with history. Alert logs. Incident write-ups. Access review results. You don't need a compliance platform — a shared folder works.
Write down the obvious policies
Password policy, access management policy, incident response plan, data handling. One page each, dated, reviewed annually. This takes an afternoon, not a quarter.
Wait until compliance has a real trigger
An enterprise prospect asks. A regulated customer needs it. You're fundraising and due diligence requires it. Don't pursue compliance without a trigger — you'll waste money.
When triggered, formalise
At that point, bring in a platform or consultant to map your existing practices to the framework. Because you have real practices, this is documentation work, not control-building work.
This sequence is what separates businesses that pass compliance cheaply from businesses that pay consultants six figures to invent controls from scratch.
The connection to monitoring specifically
Compliance frameworks all require monitoring, logging, and incident response. They differ in details, but the substance is the same. If you're already running good monitoring and can articulate the real cost of downtime, you're well-positioned for the monitoring-related controls.
What trips SMBs up isn't the monitoring itself; it's the gap between what they monitor and what they can evidence. "Yes, we monitor uptime" isn't enough. "Here are the historical uptime reports, here are the incidents in the period, here's how we responded, here's the mean time to resolve" is what frameworks want.
The fix isn't more monitoring. It's keeping the history and the logs. Most monitoring tools do this by default — Site Watcher, for instance, retains a year of uptime, SSL, domain, DNS, and vendor status history that an auditor can inspect directly — you just have to actually look at them and occasionally export a report.
The auditor test
A useful mental check: if an auditor walked into your company today and asked "walk me through how you detect and respond to a security incident," could you do it? Not read a policy — actually walk through it.
If the answer is yes, you're in reasonable shape for any framework, and certification is a documentation exercise. If the answer is no, you need hygiene work regardless of whether compliance is on the horizon.
The pillar on boring IT for SMBs has a section on this, and it's worth reading alongside this piece: the shortest path from where most SMBs are to "audit-ready" runs through practice, not through paperwork. Get the practice right, and the rest is administrative.
The takeaway
Compliance is most expensive when it's being retrofitted to a business that didn't have operational hygiene. It's cheapest when it's formalising hygiene that already existed.
The small businesses that navigate compliance well aren't the ones that started compliance early. They're the ones that did the boring operational work early and then formalised it when a specific customer or market required it. The hygiene serves them whether or not they ever pursue certification.
If you're going to invest in one or the other first, invest in hygiene. Compliance without hygiene is theatre. Hygiene without compliance still protects the business.
References
- AICPA, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with revised Points of Focus — 2022). aicpa-cima.com. ↩
- NIST, The NIST Cybersecurity Framework (CSF) 2.0 (CSWP 29), February 2024. nist.gov/cyberframework. ↩