SkillHub

afrexai-compliance-engine

v1.0.0

指导初创及扩张期企业完成SOC 2、ISO 27001、GDPR、HIPAA、PCI DSS合规,无需外部顾问即可实现审计就绪。

Sourced from ClawHub, Authored by 1kalin

Installation

Please help me install the skill `afrexai-compliance-engine` from SkillHub official store. npx skills add 1kalin/afrexai-compliance-engine

Compliance & Audit Readiness Engine

Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.

Phase 1 — Compliance Discovery

Framework Selection Matrix

Framework Who Needs It Trigger Timeline Cost Range
SOC 2 Type I Any B2B SaaS Enterprise prospect asks 3-6 months $20K-$80K
SOC 2 Type II Established SaaS After Type I, or direct 6-12 months $30K-$100K
ISO 27001 Global/EU-facing SaaS EU enterprise deals 6-12 months $40K-$120K
GDPR Anyone with EU users Day 1 if EU data 1-3 months $5K-$30K
HIPAA Health data handlers Before first PHI 3-6 months $20K-$60K
PCI DSS Payment processors Before card data 3-9 months $15K-$50K
SOX Public companies IPO prep 12-18 months $100K-$500K

Readiness Assessment Brief

company_profile:
  name: ""
  industry: ""
  employee_count: 0
  annual_revenue: ""
  data_types_handled:
    - PII (names, emails, addresses)
    - Financial (payment cards, bank accounts)
    - Health (PHI, medical records)
    - Children (COPPA scope)
    - Biometric
    - Government/classified
  customer_segments:
    - SMB
    - Mid-market
    - Enterprise
    - Government
  geographic_scope:
    - US only
    - US + EU
    - Global
  current_state:
    existing_frameworks: []
    security_team_size: 0
    has_written_policies: false
    has_asset_inventory: false
    has_risk_assessment: false
    has_incident_response: false
    has_vendor_management: false
    previous_audits: []
    known_gaps: []
  drivers:
    - Customer requirement
    - Board/investor mandate
    - Regulatory obligation
    - Competitive advantage
    - Insurance requirement
  target_frameworks: []
  target_date: ""
  budget_range: ""

Priority Decision Rules

  1. Customer asking for SOC 2? → Start there (most requested in B2B SaaS)
  2. EU customers? → GDPR is non-negotiable, do it alongside SOC 2
  3. Health data? → HIPAA first, then layer SOC 2
  4. Payment data? → PCI DSS is legally required, do immediately
  5. Multiple frameworks? → Map common controls (40-60% overlap between SOC 2 and ISO 27001)

Phase 2 — SOC 2 Deep Dive

Trust Service Criteria (TSC)

SOC 2 is built on 5 categories. Security is mandatory. Others are optional but often expected.

CC1 — Control Environment (Foundation)

  • [ ] Board/management oversight of security
  • [ ] Organizational structure with clear security roles
  • [ ] Code of conduct / acceptable use policy
  • [ ] HR processes (background checks, onboarding, offboarding)
  • [ ] Performance evaluations include security responsibilities

CC2 — Communication & Information

  • [ ] Security policies documented and accessible to all employees
  • [ ] External communication channels for security (status page, security@)
  • [ ] Whistleblower / anonymous reporting mechanism
  • [ ] Security awareness training program (annual + onboarding)
  • [ ] System description document maintained

CC3 — Risk Assessment

  • [ ] Annual risk assessment process documented
  • [ ] Risk register maintained with likelihood × impact scoring
  • [ ] Risk treatment plans for high/critical risks
  • [ ] Risk appetite statement approved by management
  • [ ] Changes in business/technology trigger risk re-assessment

CC4 — Monitoring Activities

  • [ ] Continuous monitoring of controls (not just annual)
  • [ ] Internal audit or self-assessment program
  • [ ] Deficiency tracking and remediation
  • [ ] Management review of monitoring results
  • [ ] Penetration testing (annual minimum)

CC5 — Control Activities

  • [ ] Logical access controls (RBAC, least privilege)
  • [ ] Physical access controls (offices, data centers)
  • [ ] Change management process
  • [ ] System development lifecycle (SDLC)
  • [ ] Data backup and recovery procedures

CC6 — Logical & Physical Access

  • [ ] User provisioning and deprovisioning process
  • [ ] MFA enforced on all critical systems
  • [ ] Password policy (12+ chars, complexity, rotation)
  • [ ] Access reviews (quarterly minimum)
  • [ ] Physical access logs for sensitive areas
  • [ ] Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • [ ] Firewall rules reviewed quarterly
  • [ ] VPN or zero-trust network access

CC7 — System Operations

  • [ ] Monitoring and alerting (uptime, errors, security events)
  • [ ] Incident detection and response procedures
  • [ ] Vulnerability management (scan weekly, patch critical <72h)
  • [ ] Anti-malware / endpoint protection
  • [ ] Capacity planning and performance monitoring

CC8 — Change Management

  • [ ] Formal change request and approval process
  • [ ] Separation of duties (dev ≠ prod deploy)
  • [ ] Testing before production deployment
  • [ ] Rollback procedures documented
  • [ ] Emergency change process with post-hoc approval

CC9 — Risk Mitigation (Vendors)

  • [ ] Vendor risk assessment before onboarding
  • [ ] Vendor inventory with criticality ratings
  • [ ] Annual vendor reviews
  • [ ] BAAs / DPAs with sub-processors
  • [ ] Vendor offboarding process

Additional Criteria

Availability (A1): - [ ] SLAs defined and monitored - [ ] Disaster recovery plan tested annually - [ ] Business continuity plan documented - [ ] RTO/RPO defined for critical systems - [ ] Redundancy for critical infrastructure

Confidentiality (C1): - [ ] Data classification scheme (Public, Internal, Confidential, Restricted) - [ ] Handling procedures per classification level - [ ] Confidentiality agreements (NDA) with employees and vendors - [ ] Data retention and disposal policies - [ ] DLP controls for sensitive data

Processing Integrity (PI1): - [ ] Input validation controls - [ ] Processing completeness and accuracy checks - [ ] Output reconciliation procedures - [ ] Error handling and correction processes

Privacy (P1): - [ ] Privacy notice published - [ ] Consent mechanisms for data collection - [ ] Data subject rights procedures (access, deletion, portability) - [ ] Privacy impact assessments for new features - [ ] Data breach notification procedures

SOC 2 Project Plan (16-Week Sprint)

Week Phase Key Activities
1-2 Scoping Define system boundaries, select TSC, choose auditor
3-4 Gap Assessment Audit current state against TSC, document gaps
5-6 Policy Writing Draft all required policies (see policy list below)
7-8 Control Implementation Deploy technical controls, configure tools
9-10 Process Implementation Establish operational processes, train team
11-12 Evidence Collection Gather evidence for all controls, test internally
13-14 Readiness Assessment Mock audit, remediate findings
15-16 Type I Audit Auditor fieldwork, management response, report

Required Policy Documents

  1. Information Security Policy — Master policy, scope, objectives
  2. Access Control Policy — Authentication, authorization, reviews
  3. Change Management Policy — SDLC, deployment, emergency changes
  4. Incident Response Policy — Detection, response, notification
  5. Risk Management Policy — Assessment methodology, treatment, appetite
  6. Data Classification Policy — Levels, handling, retention, disposal
  7. Acceptable Use Policy — Employee responsibilities, prohibited actions
  8. Vendor Management Policy — Assessment, monitoring, offboarding
  9. Business Continuity / DR Policy — Plans, testing, RTO/RPO
  10. HR Security Policy — Background checks, onboarding, offboarding, training
  11. Encryption Policy — Standards, key management, certificate handling
  12. Physical Security Policy — Office access, visitor management, clean desk
  13. Logging & Monitoring Policy — What to log, retention, alerting
  14. Password & Authentication Policy — Standards, MFA requirements
  15. Backup & Recovery Policy — Schedule, testing, retention

Policy Template

# [Policy Name]

**Version:** 1.0
**Owner:** [Name, Title]
**Approved by:** [Name, Title]
**Effective date:** [Date]
**Next review:** [Date + 1 year]
**Classification:** Internal

## 1. Purpose
[Why this policy exists — 2-3 sentences]

## 2. Scope
[Who and what this policy applies to]

## 3. Policy Statements
[Numbered, actionable requirements — not aspirational]

### 3.1 [Topic]
- SHALL [requirement]
- SHALL NOT [prohibition]
- SHOULD [recommendation]

## 4. Roles & Responsibilities
| Role | Responsibility |
|------|---------------|
| [Role] | [What they must do] |

## 5. Exceptions
[Process for requesting exceptions — who approves, how long, documentation]

## 6. Enforcement
[Consequences of non-compliance]

## 7. Definitions
[Technical terms used in the policy]

## 8. Related Documents
[Links to related policies, standards, procedures]

## 9. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Author] | Initial release |

Phase 3 — ISO 27001 Framework

ISMS Implementation Roadmap

Clause 4 — Context of the Organization

  • [ ] Define ISMS scope and boundaries
  • [ ] Identify interested parties and their requirements
  • [ ] Determine internal and external issues
  • [ ] Document scope statement

Clause 5 — Leadership

  • [ ] Management commitment statement
  • [ ] Information security policy (signed by CEO/CTO)
  • [ ] Assign ISMS roles and responsibilities
  • [ ] Allocate resources (budget, people, tools)

Clause 6 — Planning

  • [ ] Risk assessment methodology (ISO 27005 or custom)
  • [ ] Risk assessment execution
  • [ ] Risk treatment plan
  • [ ] Statement of Applicability (SoA) — map all 93 Annex A controls
  • [ ] Information security objectives (measurable, time-bound)

Clause 7 — Support

  • [ ] Determine required competencies
  • [ ] Security awareness program
  • [ ] Internal and external communication plan
  • [ ] Document control process

Clause 8 — Operation

  • [ ] Execute risk treatment plan
  • [ ] Implement controls from SoA
  • [ ] Manage operational changes
  • [ ] Conduct risk assessments on changes

Clause 9 — Performance Evaluation

  • [ ] Monitoring and measurement program
  • [ ] Internal audit schedule and execution
  • [ ] Management review (at least annually)
  • [ ] Corrective action tracking

Clause 10 — Improvement

  • [ ] Nonconformity and corrective action process
  • [ ] Continual improvement program
  • [ ] Lessons learned integration

ISO 27001:2022 Annex A Control Categories

Category Controls Key Areas
A.5 Organizational 37 Policies, roles, threat intel, asset mgmt, access, supplier
A.6 People 8 Screening, T&C, awareness, disciplinary, termination
A.7 Physical 14 Perimeters, entry, offices, monitoring, utilities, cabling
A.8 Technological 34 Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC

SOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort)

SOC 2 TSC ISO 27001 Annex A Overlap
CC1 Control Environment A.5.1-5.6 (Org controls) ~80%
CC2 Communication A.5.1, A.6.3 (Awareness) ~70%
CC3 Risk Assessment Clause 6.1, A.5.7 (Threat intel) ~90%
CC5 Control Activities A.8 (Technological) ~75%
CC6 Access A.5.15-5.18, A.8.1-8.5 ~85%
CC7 Operations A.8.7-8.16 (Monitoring) ~80%
CC8 Change Mgmt A.8.25-8.33 (SDLC) ~70%
CC9 Vendors A.5.19-5.23 (Supplier) ~85%

Strategy: Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system).

Phase 4 — GDPR Compliance Program

12 Core Requirements

  1. Lawful Basis for Processing — Document legal basis for each data processing activity
  2. Consent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest
  3. [ ] Data processing register (Article 30)

  4. [ ] Legitimate Interest Assessments (LIAs) where applicable

  5. Data Subject Rights — Respond within 30 days

  6. [ ] Right of access (SAR) process
  7. [ ] Right to rectification
  8. [ ] Right to erasure ("right to be forgotten")
  9. [ ] Right to data portability (machine-readable export)
  10. [ ] Right to restrict processing
  11. [ ] Right to object

  12. [ ] Automated decision-making opt-out

  13. Privacy by Design & Default — Build privacy into products

  14. [ ] Privacy Impact Assessment (PIA/DPIA) template
  15. [ ] Data minimization review for each feature

  16. [ ] Default privacy settings (opt-in, not opt-out)

  17. Data Protection Officer (DPO) — Required if:

  18. Public authority, OR
  19. Large-scale systematic monitoring, OR

  20. Large-scale processing of special category data

  21. Consent Management

  22. [ ] Granular consent mechanisms (not bundled)
  23. [ ] Easy withdrawal (as easy as giving consent)
  24. [ ] Consent records with timestamp, version, scope

  25. [ ] Cookie consent banner (ePrivacy)

  26. Data Processing Agreements (DPAs)

  27. [ ] DPA template for sub-processors
  28. [ ] Article 28 requirements checklist
  29. [ ] Sub-processor notification process

  30. [ ] Sub-processor register

  31. International Transfers

  32. [ ] Transfer mechanism (SCCs, adequacy decision, BCRs)
  33. [ ] Transfer Impact Assessment

  34. [ ] Supplementary measures where needed

  35. Breach Notification

  36. [ ] 72-hour notification to supervisory authority
  37. [ ] "Undue delay" notification to affected individuals
  38. [ ] Breach register with risk assessment

  39. [ ] Breach response team and escalation path

  40. Records of Processing Activities (ROPA)

processing_activity:
  name: ""
  purpose: ""
  lawful_basis: ""
  data_categories: []
  data_subjects: []
  recipients: []
  retention_period: ""
  transfers_outside_eea: false
  transfer_mechanism: ""
  technical_measures: []
  organizational_measures: []
  dpia_required: false
  last_reviewed: ""

  1. Privacy Notice — Must include:

    • Identity of controller
    • DPO contact (if applicable)
    • Purposes and lawful basis
    • Categories of data
    • Recipients / transfers
    • Retention periods
    • Data subject rights
    • Right to complain to supervisory authority
    • Whether providing data is statutory/contractual requirement

  2. Data Retention Schedule

Data Type Retention Period Legal Basis Disposal Method
Customer PII Duration + 3 years Contract + legitimate interest Automated deletion
Employee records Duration + 7 years Legal obligation Secure shred
Financial records 7 years Legal obligation Secure shred
Server logs 90 days Legitimate interest Automated rotation
Marketing consent Until withdrawn Consent Database purge
Support tickets 2 years after resolution Legitimate interest Automated deletion
  1. Training & Awareness
    • [ ] Mandatory GDPR training for all employees (annual)
    • [ ] Role-specific training (developers, support, marketing, HR)
    • [ ] Training records with completion tracking

Phase 5 — HIPAA Compliance (Health Data)

HIPAA Security Rule — 3 Safeguard Categories

Administrative Safeguards

  • [ ] Security Management Process (risk analysis, risk management)
  • [ ] Assigned Security Responsibility (HIPAA Security Officer)
  • [ ] Workforce Security (authorization, clearance, termination)
  • [ ] Information Access Management (access authorization, establishment, modification)
  • [ ] Security Awareness Training (reminders, malware, login monitoring, password mgmt)
  • [ ] Security Incident Procedures (response, reporting)
  • [ ] Contingency Plan (backup, DR, emergency mode, testing)
  • [ ] Evaluation (periodic technical/non-technical)
  • [ ] BAAs with all business associates

Physical Safeguards

  • [ ] Facility Access Controls (contingency ops, facility security plan, access control, maintenance records)
  • [ ] Workstation Use (policies, restrictions)
  • [ ] Workstation Security (physical safeguards)
  • [ ] Device and Media Controls (disposal, re-use, accountability, data backup)

Technical Safeguards

  • [ ] Access Control (unique user ID, emergency access, automatic logoff, encryption)
  • [ ] Audit Controls (hardware, software, procedural mechanisms)
  • [ ] Integrity Controls (authentication of ePHI, transmission security)
  • [ ] Person or Entity Authentication (verify identity)
  • [ ] Transmission Security (integrity controls, encryption)

HIPAA Breach Rule

  • ≤500 individuals: Annual batch notification to HHS (within 60 days of year end)
  • >500 individuals: Notify HHS within 60 days + media notification
  • All breaches: Notify affected individuals without unreasonable delay (≤60 days)
  • Penalties: $100-$50,000 per violation, up to $1.5M per year per category

Phase 6 — PCI DSS 4.0 (Payment Data)

12 Requirements Summary

# Requirement Key Controls
1 Install/maintain network security controls Firewalls, network segmentation
2 Apply secure configurations No vendor defaults, CIS benchmarks
3 Protect stored account data Encryption, masking, key mgmt
4 Encrypt transmission over open networks TLS 1.2+, no SSL/early TLS
5 Protect from malicious software Anti-malware, regular updates
6 Develop secure systems SDLC, vuln mgmt, WAF
7 Restrict access by business need RBAC, least privilege
8 Identify users and authenticate MFA, password standards
9 Restrict physical access Badges, cameras, visitor logs
10 Log and monitor all access Centralized logging, review
11 Test security regularly Vuln scans, pen tests, IDS
12 Support security with policies Policies, training, incident response

Scope Reduction Strategy

  • Use tokenization — Replace card data with tokens (Stripe, Braintree handle PCI for you)
  • Use hosted payment pages — Never touch raw card data (SAQ A instead of SAQ D)
  • Network segmentation — Isolate cardholder data environment
  • Cloud provider compliance — Leverage AWS/GCP/Azure PCI certifications

SAQ Decision: - Fully outsourced (Stripe Checkout) → SAQ A (22 controls, simplest) - API-based (Stripe Elements) → SAQ A-EP (~140 controls) - You store/process card data → SAQ D (300+ controls, avoid this)

Phase 7 — Compliance Tooling Stack

Essential Tools by Category

Category Budget Option Mid-Range Enterprise
GRC Platform Notion/Sheets Vanta, Drata ServiceNow, OneTrust
Policy Mgmt Google Docs + versioning Vanta policies Hyperproof
Vulnerability Scanning OWASP ZAP, Trivy Qualys, Tenable Rapid7
SIEM/Logging ELK Stack, Wazuh Datadog, Sumo Logic Splunk
Endpoint Protection CrowdStrike Falcon Go SentinelOne CrowdStrike Enterprise
Identity/Access Google Workspace + Okta JumpCloud Azure AD P2
Training KnowBe4 Free KnowBe4 Proofpoint
Pen Testing HackerOne Community Cobalt Bishop Fox
Backup Native cloud backups Veeam Commvault

Automation-First Compliance

What to automate (saves 70%+ of audit prep): - Evidence collection (screenshots of configs → API pulls) - Access reviews (quarterly manual → continuous monitoring) - Vulnerability scanning (manual → scheduled + auto-ticket) - Policy acknowledgment (email → onboarding workflow) - Vendor assessments (spreadsheets → intake forms with scoring) - Training tracking (manual → LMS with auto-reminders)

Compliance-as-Code Patterns

# Infrastructure compliance
- Terraform with Sentinel policies (enforce encryption, tagging)
- OPA/Rego for Kubernetes admission control
- AWS Config Rules / Azure Policy for cloud compliance
- GitHub branch protection rules as change management evidence

# Application compliance
- Automated dependency scanning in CI (Snyk, Dependabot)
- SAST in PR pipeline (Semgrep, CodeQL)
- Container scanning (Trivy, Grype)
- License compliance (FOSSA, Licensee)

Phase 8 — Audit Preparation

90-Day Audit Prep Checklist

Days 90-60: Foundation - [ ] Confirm audit scope with auditor - [ ] Complete system description document - [ ] Verify all policies are current (reviewed within 12 months) - [ ] Confirm all employees completed security training - [ ] Run vulnerability scan and remediate critical/high findings - [ ] Schedule penetration test (results needed before audit)

Days 60-30: Evidence Gathering - [ ] Collect evidence for each control (organized by TSC/clause) - [ ] Access review documentation (screenshots of reviews, action items) - [ ] Change management evidence (sample of tickets showing approval flow) - [ ] Incident response test evidence (tabletop exercise minutes) - [ ] DR test evidence (recovery test results, RTO achieved) - [ ] Vendor review evidence (assessment records, DPAs) - [ ] Risk assessment and treatment plan (current year) - [ ] Board/management meeting minutes discussing security

Days 30-0: Final Prep - [ ] Internal mock audit — walk through every control - [ ] Remediate any mock audit findings - [ ] Brief team on auditor interviews (what to expect, who answers what) - [ ] Prepare management assertion letter - [ ] Set up auditor access (read-only to evidence repository) - [ ] Confirm all monitoring/alerting is functioning - [ ] Verify offboarding was completed for all departed employees

Evidence Organization

/compliance-evidence/
  /SOC2-2026/
    /CC1-control-environment/
      org-chart.pdf
      code-of-conduct-signed.pdf
      background-check-process.pdf
    /CC2-communication/
      security-training-completion.csv
      security-policy-acknowledgments.pdf
    /CC3-risk-assessment/
      risk-assessment-2026.xlsx
      risk-treatment-plan.pdf
    /CC6-access/
      access-review-Q1.pdf
      access-review-Q2.pdf
      mfa-enforcement-screenshot.png
      offboarding-checklist-samples/
    /CC7-operations/
      vulnerability-scan-reports/
      pentest-report-2026.pdf
      incident-log-2026.csv
    /CC8-change-management/
      sample-change-tickets/
      deployment-pipeline-config.png
    /CC9-vendors/
      vendor-inventory.xlsx
      vendor-assessments/
      dpas-and-baas/

Auditor Interview Prep

Common questions and who should answer:

Question Best Respondent Key Points
"Walk me through your risk assessment process" CISO/Security Lead Methodology, frequency, treatment
"How do you manage access to production?" Engineering Lead RBAC, approval flow, reviews
"Describe your change management process" Engineering Lead PR review, testing, deployment
"How do you handle security incidents?" Security Lead Detection, response, communication
"How do you evaluate vendors?" Security/Procurement Assessment, monitoring, contracts
"Describe your backup and recovery process" Infrastructure Lead Schedule, testing, RTO/RPO
"How do you track and remediate vulnerabilities?" Security Lead Scanning, SLAs, patching
"Walk me through employee onboarding/offboarding" HR + IT Checklist, timing, verification

Phase 9 — Continuous Compliance

Monthly Compliance Dashboard

compliance_dashboard:
  month: ""

  control_health:
    total_controls: 0
    controls_passing: 0
    controls_failing: 0
    controls_not_tested: 0
    health_percentage: 0

  action_items:
    open: 0
    overdue: 0
    closed_this_month: 0

  key_metrics:
    mean_time_to_patch_critical: ""
    access_reviews_completed: "X/X"
    security_training_completion: ""
    incidents_this_month: 0
    vendor_reviews_due: 0
    policies_due_for_review: 0

  risk_register:
    high_risks: 0
    risks_without_treatment: 0
    new_risks_identified: 0

  upcoming:
    next_pen_test: ""
    next_dr_test: ""
    next_audit: ""
    next_access_review: ""

Compliance Calendar

Frequency Activity
Weekly Review security alerts, patch critical vulln
Monthly Control testing sample, metrics dashboard, policy exception review
Quarterly Access reviews, vendor risk check, risk register update, tabletop exercise
Semi-annual Vulnerability scan (external), BCP/DR test, security training refresh
Annual Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review

Compliance Debt Tracker

compliance_debt:
  - id: "CD-001"
    framework: "SOC 2"
    control: "CC6.1"
    finding: "MFA not enforced on staging environment"
    severity: "High"
    identified: "2026-01-15"
    owner: ""
    target_remediation: "2026-02-15"
    status: "In Progress"
    compensating_control: "VPN + IP allowlisting"

When Controls Fail

Severity-based response:

Severity Response Time Actions
Critical 24 hours Immediate remediation, notify management, consider if breach occurred
High 7 days Remediation plan, compensating control if needed, risk acceptance by CISO
Medium 30 days Add to sprint, track in compliance debt
Low 90 days Batch with next review cycle

Phase 10 — Multi-Framework Management

Common Control Framework (CCF)

Build controls ONCE, map to MULTIPLE frameworks:

control:
  id: "CCF-AC-001"
  title: "Multi-Factor Authentication"
  description: "MFA required for all access to production systems and sensitive data"
  owner: "Security Team"

  framework_mapping:
    soc2: ["CC6.1", "CC6.6"]
    iso27001: ["A.8.5"]
    gdpr: ["Article 32"]
    hipaa: ["§164.312(d)"]
    pci_dss: ["Req 8.4"]

  evidence:
    - type: "Configuration screenshot"
      source: "Okta MFA policy"
      frequency: "Quarterly"
    - type: "Access review"
      source: "Okta user report"
      frequency: "Quarterly"

  test_procedure: "Verify MFA policy is enforced, test with non-MFA login attempt"
  last_tested: ""
  result: ""
  next_test: ""

Framework Expansion Strategy

Year 1: SOC 2 Type I → establishes baseline Year 1-2: SOC 2 Type II → proves sustained operation Year 2: + GDPR → covers EU expansion Year 2-3: + ISO 27001 → international credibility As needed: + HIPAA / PCI DSS → industry-specific

Audit Fatigue Prevention

  • Single evidence repository — collect once, map to all frameworks
  • Continuous monitoring — evidence auto-collected, not scrambled at audit time
  • Control owner accountability — each control has ONE owner, not "security team"
  • Compliance sprints — 2-week sprints dedicated to compliance work, not crammed before audit
  • Auditor relationship — same firm for multiple frameworks if possible (they know your environment)

Phase 11 — Scoring & Quality

Compliance Readiness Score (0-100)

Dimension Weight Score 0-10
Policy Coverage — All required policies exist, reviewed, approved 15%
Technical Controls — Security tools deployed and configured 20%
Process Maturity — Operational processes followed consistently 20%
Evidence Quality — Complete, organized, recent evidence 15%
Training & Awareness — All employees trained, records maintained 10%
Vendor Management — All critical vendors assessed and contracted 10%
Risk Management — Current assessment, treatment plans, monitoring 10%

Scoring guide: - 0-2: Not started / major gaps - 3-4: In progress / significant gaps - 5-6: Partially implemented / some gaps - 7-8: Implemented / minor improvements needed - 9-10: Mature / audit-ready

Interpretation: - < 40: Not ready — significant work needed (3-6 months) - 40-60: Getting there — focus on gaps (1-3 months) - 60-80: Nearly ready — polish and evidence gathering (2-6 weeks) - 80+: Audit-ready — schedule the audit

Edge Cases & Special Situations

Startup with Zero Compliance

  • Start with security basics (MFA, encryption, access control, backups) before any framework
  • Use a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours)
  • Don't wait for perfect — "documented and improving" beats "undocumented and perfect"
  • Budget $20-40K for first SOC 2 Type I (auditor + tools + time)

Multi-Cloud / Hybrid Infrastructure

  • Map shared responsibility model for each provider
  • Ensure consistent controls across environments
  • Consider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager)
  • Network segmentation especially important

Acquired Company Integration

  • Conduct compliance gap assessment within 30 days of close
  • Identify highest-risk gaps (access control, data handling)
  • 90-day integration plan to bring to baseline
  • Don't assume their compliance posture matches claims

International (Multi-Jurisdiction)

  • Map all jurisdictions where you operate or store data
  • GDPR applies if you have EU users — not just EU office
  • Data residency requirements (Russia, China, India, Brazil)
  • Consider local DPA registrations

Regulated Industries (FinTech, HealthTech)

  • Layer industry regulations ON TOP of SOC 2/ISO
  • FinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN)
  • HealthTech: SOC 2 + HIPAA + potentially FDA (SaMD)
  • EdTech: SOC 2 + FERPA + COPPA (if under 13)

Natural Language Commands

Command What It Does
"Assess our compliance readiness" Run readiness assessment, score, identify gaps
"Create SOC 2 project plan" Generate 16-week implementation timeline
"Write [policy name] policy" Generate policy from template with your context
"Map controls across frameworks" Build common control framework mapping
"Prepare for audit" Generate 90-day audit prep checklist with evidence needs
"Review our GDPR compliance" Check all 12 GDPR requirements against current state
"Score our compliance posture" Run 7-dimension scoring rubric
"Generate evidence checklist" List all evidence needed for specific framework
"Build vendor assessment" Create vendor risk assessment for a specific vendor
"Plan framework expansion" Recommend next framework based on business needs
"Track compliance debt" Review and prioritize open compliance items
"Run monthly compliance review" Update dashboard, check deadlines, identify actions