About This Site

Who We Are and How We Work

Full transparency about our editorial process, what we cover, how we fund the site, and why you can trust what you read here.

Who We Are

An Independent Resource, Not a Software Company

Security Compliance Guide is an independent publication focused on helping startups and small businesses navigate cybersecurity compliance frameworks without being sold to. We are not a compliance automation platform, a consulting firm, or an audit firm. We have nothing to sell you except useful information.

The compliance information landscape is dominated by vendors. Search for "SOC 2 checklist" and you will find ten results from companies whose software costs $20,000 per year. Their advice is engineered to make their product look necessary. We write without that incentive.

This site is run by a small editorial team. We use AI to draft initial summaries of publicly available compliance documentation, then review every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. Where we are uncertain, we say so. Where the official documentation is ambiguous, we link directly to it so you can verify.

Founder & Publisher

Who’s Behind the Site

Martin Ebongue

Founder & Publisher

I’m Martin Ebongue. I built and run Security Compliance Guide. I’m not a licensed auditor, attorney, or compliance consultant, and this site is not legal or regulatory advice. What I am is the operator who put together the editorial process you see in our Editorial Standards: the source-tier hierarchy, the AI-drafting workflow, the primary-source verification step, and the “no fake authors” rule.

The site exists because I started looking into these frameworks for my own businesses (I’ve spent 20+ years in marketing automation, with engagements at Fortune 500 companies including Coca-Cola, PepsiCo, and eBay) and could not find one place that explained them honestly, sourced everything to the regulators, and refused to push a vendor. So I built it.

I assemble the team and the workflow. The actual reading of the AICPA / NIST / HHS / ISO / PCI SSC / SEC / FTC documentation, the cross-checking, the human review pass before publication — that’s the editorial team’s work, following the standards on the Editorial Standards page. The byline on every article reads “Security Compliance Guide Editorial Team” for that reason: it’s an honest description of who wrote it.

You can verify I’m a real person at my LinkedIn profile. If something on this site is wrong, you can contact me directly and I’ll fix it.

AI Disclosure

How We Use AI in Our Workflow

We believe in being direct about this because Google, our readers, and our advertisers all deserve to know.

  • AI is used for drafting. We use large language models to produce a first draft from our research notes, primary-source documents, and outline. This speeds up production and keeps our cost low enough that we can stay free for readers.
  • Every claim is human-reviewed. Before publication, the editorial team checks each factual claim against a primary source (AICPA, HHS, NIST, ISO, PCI SSC, official vendor documentation, or dated news reports). Unsourceable claims are removed.
  • We do not invent statistics or quotes. If a number appears in our articles, it links to its source. If a quote appears, it is real and attributed.
  • We do not pretend to be auditors. Our articles are educational summaries of public information. They are not legal, tax, audit, or compliance advice. For binding decisions, hire a licensed auditor or attorney.
  • We update for accuracy, not freshness. We change article dates only when content materially changes, not to game search rankings.

For our full sourcing rules, see our Editorial Standards.

What We Cover

Five Frameworks, Covered Thoroughly

We focus on the five compliance frameworks most relevant to startups and SMBs selling to enterprise customers or operating in regulated industries:

  • SOC 2 - The audit standard for SaaS companies. We cover Type 1 vs Type 2, trust services criteria, audit firm selection, preparation timelines, and real cost data.
  • HIPAA - Required for companies handling protected health information. We cover the Privacy Rule, Security Rule, Business Associate Agreements, and what a realistic compliance program looks like.
  • ISO 27001 - The international information security standard. We cover the certification process, gap assessments, Annex A controls, and whether your company actually needs it yet.
  • NIST CSF - The U.S. government cybersecurity framework. We break down the five functions (Identify, Protect, Detect, Respond, Recover) with practical implementation guidance.
  • PCI DSS - Required for any company processing credit card payments. We cover the 12 requirements, merchant levels, SAQs, and QSA assessments.

We also publish unbiased reviews of penetration testing firms, compliance automation tools, and audit firms, because the companies selling those services will never give you a straight answer about their competitors.

How We Make Money

Transparent Revenue Model

We are honest about this because it matters. Here is exactly how this site generates revenue:

Primary Revenue
Display Advertising
Google AdSense contextual ads. We have no control over which specific ads appear. Ad revenue does not influence editorial content.
Secondary Revenue
Affiliate Links
When we link to tools or services, some links may include affiliate tracking. We disclose this clearly on any article where it applies.
We Do Not Do This
Sponsored Content
We do not publish sponsored posts, paid reviews, or vendor-written content disguised as editorial material.
We Do Not Do This
Lead Generation
We do not sell leads or refer readers to specific vendors in exchange for payment. We make nothing from you contacting any company we mention.

Affiliate commissions do not affect rankings, scores, or recommendations. If a free tool is better than a paid one, we say so. If a tool we could earn commission from is mediocre, we say that too.

Editorial Independence

How We Protect Our Independence

Several things we do not do, regardless of financial incentives:

  • Accept payment for favorable coverage of any tool, service, or vendor
  • Allow advertisers to review or approve content before publication
  • Remove negative reviews or criticism in exchange for advertising spend
  • Recommend tools we have not independently evaluated
  • Publish vendor guest posts without clear disclosure and independent editorial review

If you believe we have made a factual error or that our coverage of a specific product or service is unfair, contact us and we will investigate. We correct errors publicly and promptly.

Advertisers and affiliate partners are chosen based on relevance to our audience. An advertiser buying space on this site does not earn any influence over what we write. If a company we have criticized chooses to advertise here, their ads will run alongside that criticism.

Editorial Policy

Our Standards for Every Article

Every piece of content on this site is held to these standards before publication:

  • Factual accuracy. Claims are supported by primary sources, official framework documentation, or verifiable pricing data. We do not repeat vendor marketing claims as facts.
  • Disclosed conflicts. Any article where a writer has a financial relationship with a mentioned company will disclose this clearly at the top of that article.
  • Dated content. Every article carries a publication date and last-updated date. Compliance requirements change frequently and we update articles when they do.
  • Clear scope. We write for companies in the startup-to-SMB range. We do not claim our guidance applies equally to Fortune 500 enterprises or highly regulated sectors like banking and pharmaceuticals.
  • Not legal advice. We are not lawyers and our content is not legal advice. We clearly label when readers should consult qualified legal or compliance counsel.

We welcome corrections, challenges to our analysis, and tips from people with firsthand experience in compliance programs. Use the contact page to reach us.

Methodology

How We Research and Write

Our research process for each guide follows a consistent approach designed to produce content that is accurate, practical, and vendor-neutral.

Primary Sources First

We start with official framework documentation: AICPA for SOC 2, HHS for HIPAA, ISO for 27001, NIST for the CSF, and PCI SSC for PCI DSS. Where official documentation is ambiguous or out of date, we note this explicitly.

Real Pricing Data

Cost figures come from publicly available pricing, direct quotes obtained for research purposes, and data shared by practitioners in our network. We update pricing at least annually. We do not publish "contact us for pricing" without providing at least an order-of-magnitude range based on market research.

Tool Evaluations

For tool comparison articles, we use free trials, sandbox environments, or request evaluation access directly from vendors. We do not publish comparisons based solely on marketing materials or feature lists provided by vendors.

Editorial Review

Before publication, every article goes through an editorial pass focused on three things: (1) each factual claim has a verifiable primary source, (2) cost figures and statistics are sourced and dated, (3) framework language matches the latest official wording from the standards body. Where we cannot verify a claim, we either remove it or label it as estimated.

Content Maintenance

We conduct a quarterly audit of all published guides to check for outdated information. Framework standards change, pricing changes, and tool recommendations change. Articles older than 12 months are flagged for review and either updated or retired.

If you have firsthand data, case study experience, or corrections to contribute, we welcome them. We credit contributors who improve our content.