Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.
Phase 1 — Compliance Discovery
Framework Selection Matrix
| Framework | Who Needs It | Trigger | Timeline | Cost Range |
|---|---|---|---|---|
| SOC 2 Type I | Any B2B SaaS | Enterprise prospect asks | 3-6 months | $20K-$80K |
| SOC 2 Type II | Established SaaS | After Type I, or direct | 6-12 months | $30K-$100K |
| ISO 27001 | Global/EU-facing SaaS | EU enterprise deals | 6-12 months | $40K-$120K |
| GDPR | Anyone with EU users | Day 1 if EU data | 1-3 months | $5K-$30K |
| HIPAA | Health data handlers | Before first PHI | 3-6 months | $20K-$60K |
| PCI DSS | Payment processors | Before card data | 3-9 months | $15K-$50K |
| SOX | Public companies | IPO prep | 12-18 months | $100K-$500K |
Readiness Assessment Brief
company_profile:
name: ""
industry: ""
employee_count: 0
annual_revenue: ""
data_types_handled:
- PII (names, emails, addresses)
- Financial (payment cards, bank accounts)
- Health (PHI, medical records)
- Children (COPPA scope)
- Biometric
- Government/classified
customer_segments:
- SMB
- Mid-market
- Enterprise
- Government
geographic_scope:
- US only
- US + EU
- Global
current_state:
existing_frameworks: []
security_team_size: 0
has_written_policies: false
has_asset_inventory: false
has_risk_assessment: false
has_incident_response: false
has_vendor_management: false
previous_audits: []
known_gaps: []
drivers:
- Customer requirement
- Board/investor mandate
- Regulatory obligation
- Competitive advantage
- Insurance requirement
target_frameworks: []
target_date: ""
budget_range: ""
Priority Decision Rules
- Customer asking for SOC 2? → Start there (most requested in B2B SaaS)
- EU customers? → GDPR is non-negotiable, do it alongside SOC 2
- Health data? → HIPAA first, then layer SOC 2
- Payment data? → PCI DSS is legally required, do immediately
- Multiple frameworks? → Map common controls (40-60% overlap between SOC 2 and ISO 27001)
Phase 2 — SOC 2 Deep Dive
Trust Service Criteria (TSC)
SOC 2 is built on 5 categories. Security is mandatory. Others are optional but often expected.
CC1 — Control Environment (Foundation)
- Board/management oversight of security
- Organizational structure with clear security roles
- Code of conduct / acceptable use policy
- HR processes (background checks, onboarding, offboarding)
- Performance evaluations include security responsibilities
CC2 — Communication & Information
- Security policies documented and accessible to all employees
- External communication channels for security (status page, security@)
- Whistleblower / anonymous reporting mechanism
- Security awareness training program (annual + onboarding)
- System description document maintained
CC3 — Risk Assessment
- Annual risk assessment process documented
- Risk register maintained with likelihood × impact scoring
- Risk treatment plans for high/critical risks
- Risk appetite statement approved by management
- Changes in business/technology trigger risk re-assessment
CC4 — Monitoring Activities
- Continuous monitoring of controls (not just annual)
- Internal audit or self-assessment program
- Deficiency tracking and remediation
- Management review of monitoring results
- Penetration testing (annual minimum)
CC5 — Control Activities
- Logical access controls (RBAC, least privilege)
- Physical access controls (offices, data centers)
- Change management process
- System development lifecycle (SDLC)
- Data backup and recovery procedures
CC6 — Logical & Physical Access
- User provisioning and deprovisioning process
- MFA enforced on all critical systems
- Password policy (12+ chars, complexity, rotation)
- Access reviews (quarterly minimum)
- Physical access logs for sensitive areas
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Firewall rules reviewed quarterly
- VPN or zero-trust network access
CC7 — System Operations
- Monitoring and alerting (uptime, errors, security events)
- Incident detection and response procedures
- Vulnerability management (scan weekly, patch critical <72h)
- Anti-malware / endpoint protection
- Capacity planning and performance monitoring
CC8 — Change Management
- Formal change request and approval process
- Separation of duties (dev ≠ prod deploy)
- Testing before production deployment
- Rollback procedures documented
- Emergency change process with post-hoc approval
CC9 — Risk Mitigation (Vendors)
- Vendor risk assessment before onboarding
- Vendor inventory with criticality ratings
- Annual vendor reviews
- BAAs / DPAs with sub-processors
- Vendor offboarding process
Additional Criteria
Availability (A1):
- SLAs defined and monitored
- Disaster recovery plan tested annually
- Business continuity plan documented
- RTO/RPO defined for critical systems
- Redundancy for critical infrastructure
Confidentiality (C1):
- Data classification scheme (Public, Internal, Confidential, Restricted)
- Handling procedures per classification level
- Confidentiality agreements (NDA) with employees and vendors
- Data retention and disposal policies
- DLP controls for sensitive data
Processing Integrity (PI1):
- Input validation controls
- Processing completeness and accuracy checks
- Output reconciliation procedures
- Error handling and correction processes
Privacy (P1):
- Privacy notice published
- Consent mechanisms for data collection
- Data subject rights procedures (access, deletion, portability)
- Privacy impact assessments for new features
- Data breach notification procedures
SOC 2 Project Plan (16-Week Sprint)
| Week | Phase | Key Activities |
|---|---|---|
| 1-2 | Scoping | Define system boundaries, select TSC, choose auditor |
| 3-4 | Gap Assessment | Audit current state against TSC, document gaps |
| 5-6 | Policy Writing | Draft all required policies (see policy list below) |
| 7-8 | Control Implementation | Deploy technical controls, configure tools |
| 9-10 | Process Implementation | Establish operational processes, train team |
| 11-12 | Evidence Collection | Gather evidence for all controls, test internally |
| 13-14 | Readiness Assessment | Mock audit, remediate findings |
| 15-16 | Type I Audit | Auditor fieldwork, management response, report |
Required Policy Documents
- Information Security Policy — Master policy, scope, objectives
- Access Control Policy — Authentication, authorization, reviews
- Change Management Policy — SDLC, deployment, emergency changes
- Incident Response Policy — Detection, response, notification
- Risk Management Policy — Assessment methodology, treatment, appetite
- Data Classification Policy — Levels, handling, retention, disposal
- Acceptable Use Policy — Employee responsibilities, prohibited actions
- Vendor Management Policy — Assessment, monitoring, offboarding
- Business Continuity / DR Policy — Plans, testing, RTO/RPO
- HR Security Policy — Background checks, onboarding, offboarding, training
- Encryption Policy — Standards, key management, certificate handling
- Physical Security Policy — Office access, visitor management, clean desk
- Logging & Monitoring Policy — What to log, retention, alerting
- Password & Authentication Policy — Standards, MFA requirements
- Backup & Recovery Policy — Schedule, testing, retention
Policy Template
# [Policy Name]
**Version:** 1.0
**Owner:** [Name, Title]
**Approved by:** [Name, Title]
**Effective date:** [Date]
**Next review:** [Date + 1 year]
**Classification:** Internal
## 1. Purpose
[Why this policy exists — 2-3 sentences]
## 2. Scope
[Who and what this policy applies to]
## 3. Policy Statements
[Numbered, actionable requirements — not aspirational]
### 3.1 [Topic]
- SHALL [requirement]
- SHALL NOT [prohibition]
- SHOULD [recommendation]
## 4. Roles & Responsibilities
| Role | Responsibility |
|------|---------------|
| [Role] | [What they must do] |
## 5. Exceptions
[Process for requesting exceptions — who approves, how long, documentation]
## 6. Enforcement
[Consequences of non-compliance]
## 7. Definitions
[Technical terms used in the policy]
## 8. Related Documents
[Links to related policies, standards, procedures]
## 9. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Author] | Initial release |
Phase 3 — ISO 27001 Framework
ISMS Implementation Roadmap
Clause 4 — Context of the Organization
- Define ISMS scope and boundaries
- Identify interested parties and their requirements
- Determine internal and external issues
- Document scope statement
Clause 5 — Leadership
- Management commitment statement
- Information security policy (signed by CEO/CTO)
- Assign ISMS roles and responsibilities
- Allocate resources (budget, people, tools)
Clause 6 — Planning
- Risk assessment methodology (ISO 27005 or custom)
- Risk assessment execution
- Risk treatment plan
- Statement of Applicability (SoA) — map all 93 Annex A controls
- Information security objectives (measurable, time-bound)
Clause 7 — Support
- Determine required competencies
- Security awareness program
- Internal and external communication plan
- Document control process
Clause 8 — Operation
- Execute risk treatment plan
- Implement controls from SoA
- Manage operational changes
- Conduct risk assessments on changes
Clause 9 — Performance Evaluation
- Monitoring and measurement program
- Internal audit schedule and execution
- Management review (at least annually)
- Corrective action tracking
Clause 10 — Improvement
- Nonconformity and corrective action process
- Continual improvement program
- Lessons learned integration
ISO 27001:2022 Annex A Control Categories
| Category | Controls | Key Areas |
|---|---|---|
| A.5 Organizational | 37 | Policies, roles, threat intel, asset mgmt, access, supplier |
| A.6 People | 8 | Screening, T&C, awareness, disciplinary, termination |
| A.7 Physical | 14 | Perimeters, entry, offices, monitoring, utilities, cabling |
| A.8 Technological | 34 | Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC |
SOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort)
| SOC 2 TSC | ISO 27001 Annex A | Overlap |
|---|---|---|
| CC1 Control Environment | A.5.1-5.6 (Org controls) | ~80% |
| CC2 Communication | A.5.1, A.6.3 (Awareness) | ~70% |
| CC3 Risk Assessment | Clause 6.1, A.5.7 (Threat intel) | ~90% |
| CC5 Control Activities | A.8 (Technological) | ~75% |
| CC6 Access | A.5.15-5.18, A.8.1-8.5 | ~85% |
| CC7 Operations | A.8.7-8.16 (Monitoring) | ~80% |
| CC8 Change Mgmt | A.8.25-8.33 (SDLC) | ~70% |
| CC9 Vendors | A.5.19-5.23 (Supplier) | ~85% |
Strategy: Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system).
Phase 4 — GDPR Compliance Program
12 Core Requirements
-
Lawful Basis for Processing — Document legal basis for each data processing activity
- Consent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest
- Data processing register (Article 30)
- Legitimate Interest Assessments (LIAs) where applicable
-
Data Subject Rights — Respond within 30 days
- Right of access (SAR) process
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability (machine-readable export)
- Right to restrict processing
- Right to object
- Automated decision-making opt-out
-
Privacy by Design & Default — Build privacy into products
- Privacy Impact Assessment (PIA/DPIA) template
- Data minimization review for each feature
- Default privacy settings (opt-in, not opt-out)
-
Data Protection Officer (DPO) — Required if:
- Public authority, OR
- Large-scale systematic monitoring, OR
- Large-scale processing of special category data
-
Consent Management
- Granular consent mechanisms (not bundled)
- Easy withdrawal (as easy as giving consent)
- Consent records with timestamp, version, scope
- Cookie consent banner (ePrivacy)
-
Data Processing Agreements (DPAs)
- DPA template for sub-processors
- Article 28 requirements checklist
- Sub-processor notification process
- Sub-processor register
-
International Transfers
- Transfer mechanism (SCCs, adequacy decision, BCRs)
- Transfer Impact Assessment
- Supplementary measures where needed
-
Breach Notification
- 72-hour notification to supervisory authority
- "Undue delay" notification to affected individuals
- Breach register with risk assessment
- Breach response team and escalation path
-
Records of Processing Activities (ROPA)
processing_activity:
name: ""
purpose: ""
lawful_basis: ""
data_categories: []
data_subjects: []
recipients: []
retention_period: ""
transfers_outside_eea: false
transfer_mechanism: ""
technical_measures: []
organizational_measures: []
dpia_required: false
last_reviewed: ""
-
Privacy Notice — Must include:
- Identity of controller
- DPO contact (if applicable)
- Purposes and lawful basis
- Categories of data
- Recipients / transfers
- Retention periods
- Data subject rights
- Right to complain to supervisory authority
- Whether providing data is statutory/contractual requirement
-
Data Retention Schedule
| Data Type | Retention Period | Legal Basis | Disposal Method |
|---|---|---|---|
| Customer PII | Duration + 3 years | Contract + legitimate interest | Automated deletion |
| Employee records | Duration + 7 years | Legal obligation | Secure shred |
| Financial records | 7 years | Legal obligation | Secure shred |
| Server logs | 90 days | Legitimate interest | Automated rotation |
| Marketing consent | Until withdrawn | Consent | Database purge |
| Support tickets | 2 years after resolution | Legitimate interest | Automated deletion |
- Training & Awareness
- Mandatory GDPR training for all employees (annual)
- Role-specific training (developers, support, marketing, HR)
- Training records with completion tracking
Phase 5 — HIPAA Compliance (Health Data)
HIPAA Security Rule — 3 Safeguard Categories
Administrative Safeguards
- Security Management Process (risk analysis, risk management)
- Assigned Security Responsibility (HIPAA Security Officer)
- Workforce Security (authorization, clearance, termination)
- Information Access Management (access authorization, establishment, modification)
- Security Awareness Training (reminders, malware, login monitoring, password mgmt)
- Security Incident Procedures (response, reporting)
- Contingency Plan (backup, DR, emergency mode, testing)
- Evaluation (periodic technical/non-technical)
- BAAs with all business associates
Physical Safeguards
- Facility Access Controls (contingency ops, facility security plan, access control, maintenance records)
- Workstation Use (policies, restrictions)
- Workstation Security (physical safeguards)
- Device and Media Controls (disposal, re-use, accountability, data backup)
Technical Safeguards
- Access Control (unique user ID, emergency access, automatic logoff, encryption)
- Audit Controls (hardware, software, procedural mechanisms)
- Integrity Controls (authentication of ePHI, transmission security)
- Person or Entity Authentication (verify identity)
- Transmission Security (integrity controls, encryption)
HIPAA Breach Rule
- ≤500 individuals: Annual batch notification to HHS (within 60 days of year end)
- >500 individuals: Notify HHS within 60 days + media notification
- All breaches: Notify affected individuals without unreasonable delay (≤60 days)
- Penalties: $100-$50,000 per violation, up to $1.5M per year per category
Phase 6 — PCI DSS 4.0 (Payment Data)
12 Requirements Summary
| # | Requirement | Key Controls |
|---|---|---|
| 1 | Install/maintain network security controls | Firewalls, network segmentation |
| 2 | Apply secure configurations | No vendor defaults, CIS benchmarks |
| 3 | Protect stored account data | Encryption, masking, key mgmt |
| 4 | Encrypt transmission over open networks | TLS 1.2+, no SSL/early TLS |
| 5 | Protect from malicious software | Anti-malware, regular updates |
| 6 | Develop secure systems | SDLC, vuln mgmt, WAF |
| 7 | Restrict access by business need | RBAC, least privilege |
| 8 | Identify users and authenticate | MFA, password standards |
| 9 | Restrict physical access | Badges, cameras, visitor logs |
| 10 | Log and monitor all access | Centralized logging, review |
| 11 | Test security regularly | Vuln scans, pen tests, IDS |
| 12 | Support security with policies | Policies, training, incident response |
Scope Reduction Strategy
- Use tokenization — Replace card data with tokens (Stripe, Braintree handle PCI for you)
- Use hosted payment pages — Never touch raw card data (SAQ A instead of SAQ D)
- Network segmentation — Isolate cardholder data environment
- Cloud provider compliance — Leverage AWS/GCP/Azure PCI certifications
SAQ Decision:
- Fully outsourced (Stripe Checkout) → SAQ A (22 controls, simplest)
- API-based (Stripe Elements) → SAQ A-EP (~140 controls)
- You store/process card data → SAQ D (300+ controls, avoid this)
Phase 7 — Compliance Tooling Stack
Essential Tools by Category
| Category | Budget Option | Mid-Range | Enterprise |
|---|---|---|---|
| GRC Platform | Notion/Sheets | Vanta, Drata | ServiceNow, OneTrust |
| Policy Mgmt | Google Docs + versioning | Vanta policies | Hyperproof |
| Vulnerability Scanning | OWASP ZAP, Trivy | Qualys, Tenable | Rapid7 |
| SIEM/Logging | ELK Stack, Wazuh | Datadog, Sumo Logic | Splunk |
| Endpoint Protection | CrowdStrike Falcon Go | SentinelOne | CrowdStrike Enterprise |
| Identity/Access | Google Workspace + Okta | JumpCloud | Azure AD P2 |
| Training | KnowBe4 Free | KnowBe4 | Proofpoint |
| Pen Testing | HackerOne Community | Cobalt | Bishop Fox |
| Backup | Native cloud backups | Veeam | Commvault |
Automation-First Compliance
What to automate (saves 70%+ of audit prep):
- Evidence collection (screenshots of configs → API pulls)
- Access reviews (quarterly manual → continuous monitoring)
- Vulnerability scanning (manual → scheduled + auto-ticket)
- Policy acknowledgment (email → onboarding workflow)
- Vendor assessments (spreadsheets → intake forms with scoring)
- Training tracking (manual → LMS with auto-reminders)
Compliance-as-Code Patterns
# Infrastructure compliance
- Terraform with Sentinel policies (enforce encryption, tagging)
- OPA/Rego for Kubernetes admission control
- AWS Config Rules / Azure Policy for cloud compliance
- GitHub branch protection rules as change management evidence
# Application compliance
- Automated dependency scanning in CI (Snyk, Dependabot)
- SAST in PR pipeline (Semgrep, CodeQL)
- Container scanning (Trivy, Grype)
- License compliance (FOSSA, Licensee)
Phase 8 — Audit Preparation
90-Day Audit Prep Checklist
Days 90-60: Foundation
- Confirm audit scope with auditor
- Complete system description document
- Verify all policies are current (reviewed within 12 months)
- Confirm all employees completed security training
- Run vulnerability scan and remediate critical/high findings
- Schedule penetration test (results needed before audit)
Days 60-30: Evidence Gathering
- Collect evidence for each control (organized by TSC/clause)
- Access review documentation (screenshots of reviews, action items)
- Change management evidence (sample of tickets showing approval flow)
- Incident response test evidence (tabletop exercise minutes)
- DR test evidence (recovery test results, RTO achieved)
- Vendor review evidence (assessment records, DPAs)
- Risk assessment and treatment plan (current year)
- Board/management meeting minutes discussing security
Days 30-0: Final Prep
- Internal mock audit — walk through every control
- Remediate any mock audit findings
- Brief team on auditor interviews (what to expect, who answers what)
- Prepare management assertion letter
- Set up auditor access (read-only to evidence repository)
- Confirm all monitoring/alerting is functioning
- Verify offboarding was completed for all departed employees
Evidence Organization
/compliance-evidence/
/SOC2-2026/
/CC1-control-environment/
org-chart.pdf
code-of-conduct-signed.pdf
background-check-process.pdf
/CC2-communication/
security-training-completion.csv
security-policy-acknowledgments.pdf
/CC3-risk-assessment/
risk-assessment-2026.xlsx
risk-treatment-plan.pdf
/CC6-access/
access-review-Q1.pdf
access-review-Q2.pdf
mfa-enforcement-screenshot.png
offboarding-checklist-samples/
/CC7-operations/
vulnerability-scan-reports/
pentest-report-2026.pdf
incident-log-2026.csv
/CC8-change-management/
sample-change-tickets/
deployment-pipeline-config.png
/CC9-vendors/
vendor-inventory.xlsx
vendor-assessments/
dpas-and-baas/
Auditor Interview Prep
Common questions and who should answer:
| Question | Best Respondent | Key Points |
|---|---|---|
| "Walk me through your risk assessment process" | CISO/Security Lead | Methodology, frequency, treatment |
| "How do you manage access to production?" | Engineering Lead | RBAC, approval flow, reviews |
| "Describe your change management process" | Engineering Lead | PR review, testing, deployment |
| "How do you handle security incidents?" | Security Lead | Detection, response, communication |
| "How do you evaluate vendors?" | Security/Procurement | Assessment, monitoring, contracts |
| "Describe your backup and recovery process" | Infrastructure Lead | Schedule, testing, RTO/RPO |
| "How do you track and remediate vulnerabilities?" | Security Lead | Scanning, SLAs, patching |
| "Walk me through employee onboarding/offboarding" | HR + IT | Checklist, timing, verification |
Phase 9 — Continuous Compliance
Monthly Compliance Dashboard
compliance_dashboard:
month: ""
control_health:
total_controls: 0
controls_passing: 0
controls_failing: 0
controls_not_tested: 0
health_percentage: 0
action_items:
open: 0
overdue: 0
closed_this_month: 0
key_metrics:
mean_time_to_patch_critical: ""
access_reviews_completed: "X/X"
security_training_completion: ""
incidents_this_month: 0
vendor_reviews_due: 0
policies_due_for_review: 0
risk_register:
high_risks: 0
risks_without_treatment: 0
new_risks_identified: 0
upcoming:
next_pen_test: ""
next_dr_test: ""
next_audit: ""
next_access_review: ""
Compliance Calendar
| Frequency | Activity |
|---|---|
| Weekly | Review security alerts, patch critical vulln |
| Monthly | Control testing sample, metrics dashboard, policy exception review |
| Quarterly | Access reviews, vendor risk check, risk register update, tabletop exercise |
| Semi-annual | Vulnerability scan (external), BCP/DR test, security training refresh |
| Annual | Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review |
Compliance Debt Tracker
compliance_debt:
- id: "CD-001"
framework: "SOC 2"
control: "CC6.1"
finding: "MFA not enforced on staging environment"
severity: "High"
identified: "2026-01-15"
owner: ""
target_remediation: "2026-02-15"
status: "In Progress"
compensating_control: "VPN + IP allowlisting"
When Controls Fail
Severity-based response:
| Severity | Response Time | Actions |
|---|---|---|
| Critical | 24 hours | Immediate remediation, notify management, consider if breach occurred |
| High | 7 days | Remediation plan, compensating control if needed, risk acceptance by CISO |
| Medium | 30 days | Add to sprint, track in compliance debt |
| Low | 90 days | Batch with next review cycle |
Phase 10 — Multi-Framework Management
Common Control Framework (CCF)
Build controls ONCE, map to MULTIPLE frameworks:
control:
id: "CCF-AC-001"
title: "Multi-Factor Authentication"
description: "MFA required for all access to production systems and sensitive data"
owner: "Security Team"
framework_mapping:
soc2: ["CC6.1", "CC6.6"]
iso27001: ["A.8.5"]
gdpr: ["Article 32"]
hipaa: ["§164.312(d)"]
pci_dss: ["Req 8.4"]
evidence:
- type: "Configuration screenshot"
source: "Okta MFA policy"
frequency: "Quarterly"
- type: "Access review"
source: "Okta user report"
frequency: "Quarterly"
test_procedure: "Verify MFA policy is enforced, test with non-MFA login attempt"
last_tested: ""
result: ""
next_test: ""
Framework Expansion Strategy
Year 1: SOC 2 Type I → establishes baseline Year 1-2: SOC 2 Type II → proves sustained operation Year 2: + GDPR → covers EU expansion Year 2-3: + ISO 27001 → international credibility As needed: + HIPAA / PCI DSS → industry-specific
Audit Fatigue Prevention
- Single evidence repository — collect once, map to all frameworks
- Continuous monitoring — evidence auto-collected, not scrambled at audit time
- Control owner accountability — each control has ONE owner, not "security team"
- Compliance sprints — 2-week sprints dedicated to compliance work, not crammed before audit
- Auditor relationship — same firm for multiple frameworks if possible (they know your environment)
Phase 11 — Scoring & Quality
Compliance Readiness Score (0-100)
| Dimension | Weight | Score 0-10 |
|---|---|---|
| Policy Coverage — All required policies exist, reviewed, approved | 15% | |
| Technical Controls — Security tools deployed and configured | 20% | |
| Process Maturity — Operational processes followed consistently | 20% | |
| Evidence Quality — Complete, organized, recent evidence | 15% | |
| Training & Awareness — All employees trained, records maintained | 10% | |
| Vendor Management — All critical vendors assessed and contracted | 10% | |
| Risk Management — Current assessment, treatment plans, monitoring | 10% |
Scoring guide:
- 0-2: Not started / major gaps
- 3-4: In progress / significant gaps
- 5-6: Partially implemented / some gaps
- 7-8: Implemented / minor improvements needed
- 9-10: Mature / audit-ready
Interpretation:
- < 40: Not ready — significant work needed (3-6 months)
- 40-60: Getting there — focus on gaps (1-3 months)
- 60-80: Nearly ready — polish and evidence gathering (2-6 weeks)
- 80+: Audit-ready — schedule the audit
Edge Cases & Special Situations
Startup with Zero Compliance
- Start with security basics (MFA, encryption, access control, backups) before any framework
- Use a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours)
- Don't wait for perfect — "documented and improving" beats "undocumented and perfect"
- Budget $20-40K for first SOC 2 Type I (auditor + tools + time)
Multi-Cloud / Hybrid Infrastructure
- Map shared responsibility model for each provider
- Ensure consistent controls across environments
- Consider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager)
- Network segmentation especially important
Acquired Company Integration
- Conduct compliance gap assessment within 30 days of close
- Identify highest-risk gaps (access control, data handling)
- 90-day integration plan to bring to baseline
- Don't assume their compliance posture matches claims
International (Multi-Jurisdiction)
- Map all jurisdictions where you operate or store data
- GDPR applies if you have EU users — not just EU office
- Data residency requirements (Russia, China, India, Brazil)
- Consider local DPA registrations
Regulated Industries (FinTech, HealthTech)
- Layer industry regulations ON TOP of SOC 2/ISO
- FinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN)
- HealthTech: SOC 2 + HIPAA + potentially FDA (SaMD)
- EdTech: SOC 2 + FERPA + COPPA (if under 13)
Natural Language Commands
| Command | What It Does |
|---|---|
| "Assess our compliance readiness" | Run readiness assessment, score, identify gaps |
| "Create SOC 2 project plan" | Generate 16-week implementation timeline |
| "Write [policy name] policy" | Generate policy from template with your context |
| "Map controls across frameworks" | Build common control framework mapping |
| "Prepare for audit" | Generate 90-day audit prep checklist with evidence needs |
| "Review our GDPR compliance" | Check all 12 GDPR requirements against current state |
| "Score our compliance posture" | Run 7-dimension scoring rubric |
| "Generate evidence checklist" | List all evidence needed for specific framework |
| "Build vendor assessment" | Create vendor risk assessment for a specific vendor |
| "Plan framework expansion" | Recommend next framework based on business needs |
| "Track compliance debt" | Review and prioritize open compliance items |
| "Run monthly compliance review" | Update dashboard, check deadlines, identify actions |