Effective date: May 2026. We update this page whenever our process materially changes.

Cybersecurity compliance is a YMYL topic. Bad information in this space costs companies real money: failed audits, missed enterprise deals, regulatory fines, and breach liability. We take that seriously. These are the rules we hold ourselves to. If we fall short, we want to hear about it.

Our Source Hierarchy

Every factual claim in an article must be traceable to a source. We use a tiered hierarchy and prefer the highest available tier:

  • Tier 1 (always preferred): Primary standards bodies and government regulators. AICPA (SOC 2), HHS / OCR (HIPAA), NIST (CSF, 800-53, 800-171, 800-207), ISO (27001, 27002), PCI SSC (PCI DSS), CMMC PMO, FedRAMP PMO, FTC, EDPB. For breaches and enforcement actions: SEC filings, DOJ press releases, state attorney general announcements.
  • Tier 2 (when Tier 1 does not cover): Dated vendor pricing pages, vendor security trust portals, public SOC 2 reports and Type 2 attestations, BAA templates linked by vendors, and the latest published versions of widely cited industry reports (e.g. Verizon DBIR, IBM Cost of a Data Breach, Mandiant M-Trends). We cite the report, the year, and the page.
  • Tier 3 (used sparingly, always labeled): Practitioner discussions on Reddit (r/sysadmin, r/cybersecurity), Hacker News threads, and G2/Gartner Peer Insights reviews. We link to the thread or review and treat it as anecdote, not evidence.
  • Not allowed: Other content sites repeating the same claim, AI-generated statistics, "studies show" without a citation, and unsourced cost ranges presented as fact.

AI Use and Human Review

We are direct about this because Google, our readers, and our advertisers all deserve a clear answer.

What AI does: Generates a first-draft summary from research notes, outlines a structure, and surfaces relevant primary-source documents we have indexed.

What humans do: Verify every factual claim against the source hierarchy above. Remove or clearly label anything that cannot be sourced. Rewrite passages that read like generic AI prose. Decide what to publish.

What we never do: Invent statistics, fabricate quotes, attribute opinions to imaginary experts, or use AI-generated headshots of fake authors. Articles are bylined to the Security Compliance Guide Editorial Team, not to fictional individuals.
Claims We Treat as High-Risk

Certain claim types get extra scrutiny because errors here are most likely to harm readers:

  • Cost ranges. Every pricing figure must reference either a public vendor page, a quoted RFP, a survey we link to, or an explicit estimation methodology. "Industry sources" is not a citation.
  • Required-by-law claims. If we say a control is required, we link to the specific section of the regulation or framework that requires it.
  • Vendor capability claims. If we say a tool does X, the claim is either taken from a dated vendor page or noted as "as advertised by the vendor."
  • Audit timelines. If we cite "typically 3 to 6 months," we explain what determines where in that range a company will land.
  • Breach case studies. Drawn only from public regulatory filings, court records, or formally published incident reports.

Conflict of Interest and Disclosure

We make money from display advertising (Google AdSense) and from affiliate links to compliance tools. The following rules keep that revenue from influencing what we write:

  • Advertisers and affiliates never see articles before publication.
  • We do not accept payment for favorable coverage, rankings, or removal of criticism.
  • If an article includes affiliate links to a product, the article carries a visible disclosure at the top.
  • If we could earn commission from a product we are recommending against, we say so in the article.
  • If a vendor we have written critically about chooses to advertise here, their ads run alongside that criticism.

Updates, Corrections, and Retractions

Every article shows a publication date and a last-reviewed date. The two are tracked separately so you know what has actually changed.

  • Minor corrections (typos, fixed links, wording clarity) are made silently.
  • Factual corrections (a number, a date, a framework reference) update the "last reviewed" date and are recorded in a correction line at the bottom of the article.
  • Material changes (a recommendation reversed, a tool comparison rescored, a regulatory change) are flagged at the top of the article with the date of the change and a one-line summary of what changed.
  • Retractions: If we determine an article was substantively wrong, we leave it published with a clear retraction notice at the top so prior readers can find the correction.

We do not silently re-date articles to make them appear fresh in search results. Date changes follow actual content changes.
Voice and Style Rules

  • We avoid hype words ("revolutionary", "game-changing", "robust", "leverage", "navigate the complexities").
  • We avoid the "in today's ever-evolving landscape" intro pattern.
  • We do not invent reader personas ("imagine you are a CISO at...").
  • We name things specifically. "An auditor at a Big Four firm" beats "industry experts." A linked Reddit thread beats "many practitioners report."
  • We allow opinion when it is labeled as such. A flat "this tool is overpriced for sub-50-person companies" is more useful to a reader than a hedge.

How to Report an Issue

If you spot a factual error, a missing source, an outdated cost figure, or a passage that reads like vendor marketing, tell us. We investigate every report.

Use the contact page. Include the article URL, the specific passage, and what you believe is wrong. If we agree, we update the article and credit you (with your permission) in the correction line.

For complaints about our advertising, affiliate disclosure, or editorial independence, the same channel works. We take these seriously because the entire point of this site is to be useful without being for sale.