--- name: afrexai-compliance-engine description: "Compliance & Audit Readiness Engine" --- # Compliance & Audit Readiness Engine Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed. --- ## Phase 1 — Compliance Discovery ### Framework Selection Matrix | Framework | Who Needs It | Trigger | Timeline | Cost Range | |-----------|-------------|---------|----------|------------| | **SOC 2 Type I** | Any B2B SaaS | Enterprise prospect asks | 3-6 months | $20K-$80K | | **SOC 2 Type II** | Established SaaS | After Type I, or direct | 6-12 months | $30K-$100K | | **ISO 27001** | Global/EU-facing SaaS | EU enterprise deals | 6-12 months | $40K-$120K | | **GDPR** | Anyone with EU users | Day 1 if EU data | 1-3 months | $5K-$30K | | **HIPAA** | Health data handlers | Before first PHI | 3-6 months | $20K-$60K | | **PCI DSS** | Payment processors | Before card data | 3-9 months | $15K-$50K | | **SOX** | Public companies | IPO prep | 12-18 months | $100K-$500K | ### Readiness Assessment Brief ```yaml company_profile: name: "" industry: "" employee_count: 0 annual_revenue: "" data_types_handled: - PII (names, emails, addresses) - Financial (payment cards, bank accounts) - Health (PHI, medical records) - Children (COPPA scope) - Biometric - Government/classified customer_segments: - SMB - Mid-market - Enterprise - Government geographic_scope: - US only - US + EU - Global current_state: existing_frameworks: [] security_team_size: 0 has_written_policies: false has_asset_inventory: false has_risk_assessment: false has_incident_response: false has_vendor_management: false previous_audits: [] known_gaps: [] drivers: - Customer requirement - Board/investor mandate - Regulatory obligation - Competitive advantage - Insurance requirement target_frameworks: [] target_date: "" budget_range: "" ``` ### Priority Decision Rules 1. **Customer asking for SOC 2?** → Start there (most requested in B2B SaaS) 2. **EU customers?** → GDPR is non-negotiable, do it alongside SOC 2 3. **Health data?** → HIPAA first, then layer SOC 2 4. **Payment data?** → PCI DSS is legally required, do immediately 5. **Multiple frameworks?** → Map common controls (40-60% overlap between SOC 2 and ISO 27001) --- ## Phase 2 — SOC 2 Deep Dive ### Trust Service Criteria (TSC) SOC 2 is built on 5 categories. **Security** is mandatory. Others are optional but often expected. #### CC1 — Control Environment (Foundation) - [ ] Board/management oversight of security - [ ] Organizational structure with clear security roles - [ ] Code of conduct / acceptable use policy - [ ] HR processes (background checks, onboarding, offboarding) - [ ] Performance evaluations include security responsibilities #### CC2 — Communication & Information - [ ] Security policies documented and accessible to all employees - [ ] External communication channels for security (status page, security@) - [ ] Whistleblower / anonymous reporting mechanism - [ ] Security awareness training program (annual + onboarding) - [ ] System description document maintained #### CC3 — Risk Assessment - [ ] Annual risk assessment process documented - [ ] Risk register maintained with likelihood × impact scoring - [ ] Risk treatment plans for high/critical risks - [ ] Risk appetite statement approved by management - [ ] Changes in business/technology trigger risk re-assessment #### CC4 — Monitoring Activities - [ ] Continuous monitoring of controls (not just annual) - [ ] Internal audit or self-assessment program - [ ] Deficiency tracking and remediation - [ ] Management review of monitoring results - [ ] Penetration testing (annual minimum) #### CC5 — Control Activities - [ ] Logical access controls (RBAC, least privilege) - [ ] Physical access controls (offices, data centers) - [ ] Change management process - [ ] System development lifecycle (SDLC) - [ ] Data backup and recovery procedures #### CC6 — Logical & Physical Access - [ ] User provisioning and deprovisioning process - [ ] MFA enforced on all critical systems - [ ] Password policy (12+ chars, complexity, rotation) - [ ] Access reviews (quarterly minimum) - [ ] Physical access logs for sensitive areas - [ ] Encryption at rest (AES-256) and in transit (TLS 1.2+) - [ ] Firewall rules reviewed quarterly - [ ] VPN or zero-trust network access #### CC7 — System Operations - [ ] Monitoring and alerting (uptime, errors, security events) - [ ] Incident detection and response procedures - [ ] Vulnerability management (scan weekly, patch critical <72h) - [ ] Anti-malware / endpoint protection - [ ] Capacity planning and performance monitoring #### CC8 — Change Management - [ ] Formal change request and approval process - [ ] Separation of duties (dev ≠ prod deploy) - [ ] Testing before production deployment - [ ] Rollback procedures documented - [ ] Emergency change process with post-hoc approval #### CC9 — Risk Mitigation (Vendors) - [ ] Vendor risk assessment before onboarding - [ ] Vendor inventory with criticality ratings - [ ] Annual vendor reviews - [ ] BAAs / DPAs with sub-processors - [ ] Vendor offboarding process ### Additional Criteria **Availability (A1):** - [ ] SLAs defined and monitored - [ ] Disaster recovery plan tested annually - [ ] Business continuity plan documented - [ ] RTO/RPO defined for critical systems - [ ] Redundancy for critical infrastructure **Confidentiality (C1):** - [ ] Data classification scheme (Public, Internal, Confidential, Restricted) - [ ] Handling procedures per classification level - [ ] Confidentiality agreements (NDA) with employees and vendors - [ ] Data retention and disposal policies - [ ] DLP controls for sensitive data **Processing Integrity (PI1):** - [ ] Input validation controls - [ ] Processing completeness and accuracy checks - [ ] Output reconciliation procedures - [ ] Error handling and correction processes **Privacy (P1):** - [ ] Privacy notice published - [ ] Consent mechanisms for data collection - [ ] Data subject rights procedures (access, deletion, portability) - [ ] Privacy impact assessments for new features - [ ] Data breach notification procedures ### SOC 2 Project Plan (16-Week Sprint) | Week | Phase | Key Activities | |------|-------|---------------| | 1-2 | **Scoping** | Define system boundaries, select TSC, choose auditor | | 3-4 | **Gap Assessment** | Audit current state against TSC, document gaps | | 5-6 | **Policy Writing** | Draft all required policies (see policy list below) | | 7-8 | **Control Implementation** | Deploy technical controls, configure tools | | 9-10 | **Process Implementation** | Establish operational processes, train team | | 11-12 | **Evidence Collection** | Gather evidence for all controls, test internally | | 13-14 | **Readiness Assessment** | Mock audit, remediate findings | | 15-16 | **Type I Audit** | Auditor fieldwork, management response, report | ### Required Policy Documents 1. **Information Security Policy** — Master policy, scope, objectives 2. **Access Control Policy** — Authentication, authorization, reviews 3. **Change Management Policy** — SDLC, deployment, emergency changes 4. **Incident Response Policy** — Detection, response, notification 5. **Risk Management Policy** — Assessment methodology, treatment, appetite 6. **Data Classification Policy** — Levels, handling, retention, disposal 7. **Acceptable Use Policy** — Employee responsibilities, prohibited actions 8. **Vendor Management Policy** — Assessment, monitoring, offboarding 9. **Business Continuity / DR Policy** — Plans, testing, RTO/RPO 10. **HR Security Policy** — Background checks, onboarding, offboarding, training 11. **Encryption Policy** — Standards, key management, certificate handling 12. **Physical Security Policy** — Office access, visitor management, clean desk 13. **Logging & Monitoring Policy** — What to log, retention, alerting 14. **Password & Authentication Policy** — Standards, MFA requirements 15. **Backup & Recovery Policy** — Schedule, testing, retention ### Policy Template ```markdown # [Policy Name] **Version:** 1.0 **Owner:** [Name, Title] **Approved by:** [Name, Title] **Effective date:** [Date] **Next review:** [Date + 1 year] **Classification:** Internal ## 1. Purpose [Why this policy exists — 2-3 sentences] ## 2. Scope [Who and what this policy applies to] ## 3. Policy Statements [Numbered, actionable requirements — not aspirational] ### 3.1 [Topic] - SHALL [requirement] - SHALL NOT [prohibition] - SHOULD [recommendation] ## 4. Roles & Responsibilities | Role | Responsibility | |------|---------------| | [Role] | [What they must do] | ## 5. Exceptions [Process for requesting exceptions — who approves, how long, documentation] ## 6. Enforcement [Consequences of non-compliance] ## 7. Definitions [Technical terms used in the policy] ## 8. Related Documents [Links to related policies, standards, procedures] ## 9. Revision History | Version | Date | Author | Changes | |---------|------|--------|---------| | 1.0 | [Date] | [Author] | Initial release | ``` --- ## Phase 3 — ISO 27001 Framework ### ISMS Implementation Roadmap #### Clause 4 — Context of the Organization - [ ] Define ISMS scope and boundaries - [ ] Identify interested parties and their requirements - [ ] Determine internal and external issues - [ ] Document scope statement #### Clause 5 — Leadership - [ ] Management commitment statement - [ ] Information security policy (signed by CEO/CTO) - [ ] Assign ISMS roles and responsibilities - [ ] Allocate resources (budget, people, tools) #### Clause 6 — Planning - [ ] Risk assessment methodology (ISO 27005 or custom) - [ ] Risk assessment execution - [ ] Risk treatment plan - [ ] Statement of Applicability (SoA) — map all 93 Annex A controls - [ ] Information security objectives (measurable, time-bound) #### Clause 7 — Support - [ ] Determine required competencies - [ ] Security awareness program - [ ] Internal and external communication plan - [ ] Document control process #### Clause 8 — Operation - [ ] Execute risk treatment plan - [ ] Implement controls from SoA - [ ] Manage operational changes - [ ] Conduct risk assessments on changes #### Clause 9 — Performance Evaluation - [ ] Monitoring and measurement program - [ ] Internal audit schedule and execution - [ ] Management review (at least annually) - [ ] Corrective action tracking #### Clause 10 — Improvement - [ ] Nonconformity and corrective action process - [ ] Continual improvement program - [ ] Lessons learned integration ### ISO 27001:2022 Annex A Control Categories | Category | Controls | Key Areas | |----------|----------|-----------| | A.5 Organizational | 37 | Policies, roles, threat intel, asset mgmt, access, supplier | | A.6 People | 8 | Screening, T&C, awareness, disciplinary, termination | | A.7 Physical | 14 | Perimeters, entry, offices, monitoring, utilities, cabling | | A.8 Technological | 34 | Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC | ### SOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort) | SOC 2 TSC | ISO 27001 Annex A | Overlap | |-----------|------------------|---------| | CC1 Control Environment | A.5.1-5.6 (Org controls) | ~80% | | CC2 Communication | A.5.1, A.6.3 (Awareness) | ~70% | | CC3 Risk Assessment | Clause 6.1, A.5.7 (Threat intel) | ~90% | | CC5 Control Activities | A.8 (Technological) | ~75% | | CC6 Access | A.5.15-5.18, A.8.1-8.5 | ~85% | | CC7 Operations | A.8.7-8.16 (Monitoring) | ~80% | | CC8 Change Mgmt | A.8.25-8.33 (SDLC) | ~70% | | CC9 Vendors | A.5.19-5.23 (Supplier) | ~85% | **Strategy:** Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system). --- ## Phase 4 — GDPR Compliance Program ### 12 Core Requirements 1. **Lawful Basis for Processing** — Document legal basis for each data processing activity - Consent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest - [ ] Data processing register (Article 30) - [ ] Legitimate Interest Assessments (LIAs) where applicable 2. **Data Subject Rights** — Respond within 30 days - [ ] Right of access (SAR) process - [ ] Right to rectification - [ ] Right to erasure ("right to be forgotten") - [ ] Right to data portability (machine-readable export) - [ ] Right to restrict processing - [ ] Right to object - [ ] Automated decision-making opt-out 3. **Privacy by Design & Default** — Build privacy into products - [ ] Privacy Impact Assessment (PIA/DPIA) template - [ ] Data minimization review for each feature - [ ] Default privacy settings (opt-in, not opt-out) 4. **Data Protection Officer (DPO)** — Required if: - Public authority, OR - Large-scale systematic monitoring, OR - Large-scale processing of special category data 5. **Consent Management** - [ ] Granular consent mechanisms (not bundled) - [ ] Easy withdrawal (as easy as giving consent) - [ ] Consent records with timestamp, version, scope - [ ] Cookie consent banner (ePrivacy) 6. **Data Processing Agreements (DPAs)** - [ ] DPA template for sub-processors - [ ] Article 28 requirements checklist - [ ] Sub-processor notification process - [ ] Sub-processor register 7. **International Transfers** - [ ] Transfer mechanism (SCCs, adequacy decision, BCRs) - [ ] Transfer Impact Assessment - [ ] Supplementary measures where needed 8. **Breach Notification** - [ ] 72-hour notification to supervisory authority - [ ] "Undue delay" notification to affected individuals - [ ] Breach register with risk assessment - [ ] Breach response team and escalation path 9. **Records of Processing Activities (ROPA)** ```yaml processing_activity: name: "" purpose: "" lawful_basis: "" data_categories: [] data_subjects: [] recipients: [] retention_period: "" transfers_outside_eea: false transfer_mechanism: "" technical_measures: [] organizational_measures: [] dpia_required: false last_reviewed: "" ``` 10. **Privacy Notice** — Must include: - Identity of controller - DPO contact (if applicable) - Purposes and lawful basis - Categories of data - Recipients / transfers - Retention periods - Data subject rights - Right to complain to supervisory authority - Whether providing data is statutory/contractual requirement 11. **Data Retention Schedule** | Data Type | Retention Period | Legal Basis | Disposal Method | |-----------|-----------------|-------------|-----------------| | Customer PII | Duration + 3 years | Contract + legitimate interest | Automated deletion | | Employee records | Duration + 7 years | Legal obligation | Secure shred | | Financial records | 7 years | Legal obligation | Secure shred | | Server logs | 90 days | Legitimate interest | Automated rotation | | Marketing consent | Until withdrawn | Consent | Database purge | | Support tickets | 2 years after resolution | Legitimate interest | Automated deletion | 12. **Training & Awareness** - [ ] Mandatory GDPR training for all employees (annual) - [ ] Role-specific training (developers, support, marketing, HR) - [ ] Training records with completion tracking --- ## Phase 5 — HIPAA Compliance (Health Data) ### HIPAA Security Rule — 3 Safeguard Categories #### Administrative Safeguards - [ ] Security Management Process (risk analysis, risk management) - [ ] Assigned Security Responsibility (HIPAA Security Officer) - [ ] Workforce Security (authorization, clearance, termination) - [ ] Information Access Management (access authorization, establishment, modification) - [ ] Security Awareness Training (reminders, malware, login monitoring, password mgmt) - [ ] Security Incident Procedures (response, reporting) - [ ] Contingency Plan (backup, DR, emergency mode, testing) - [ ] Evaluation (periodic technical/non-technical) - [ ] BAAs with all business associates #### Physical Safeguards - [ ] Facility Access Controls (contingency ops, facility security plan, access control, maintenance records) - [ ] Workstation Use (policies, restrictions) - [ ] Workstation Security (physical safeguards) - [ ] Device and Media Controls (disposal, re-use, accountability, data backup) #### Technical Safeguards - [ ] Access Control (unique user ID, emergency access, automatic logoff, encryption) - [ ] Audit Controls (hardware, software, procedural mechanisms) - [ ] Integrity Controls (authentication of ePHI, transmission security) - [ ] Person or Entity Authentication (verify identity) - [ ] Transmission Security (integrity controls, encryption) ### HIPAA Breach Rule - **≤500 individuals:** Annual batch notification to HHS (within 60 days of year end) - **>500 individuals:** Notify HHS within 60 days + media notification - **All breaches:** Notify affected individuals without unreasonable delay (≤60 days) - **Penalties:** $100-$50,000 per violation, up to $1.5M per year per category --- ## Phase 6 — PCI DSS 4.0 (Payment Data) ### 12 Requirements Summary | # | Requirement | Key Controls | |---|------------|-------------| | 1 | Install/maintain network security controls | Firewalls, network segmentation | | 2 | Apply secure configurations | No vendor defaults, CIS benchmarks | | 3 | Protect stored account data | Encryption, masking, key mgmt | | 4 | Encrypt transmission over open networks | TLS 1.2+, no SSL/early TLS | | 5 | Protect from malicious software | Anti-malware, regular updates | | 6 | Develop secure systems | SDLC, vuln mgmt, WAF | | 7 | Restrict access by business need | RBAC, least privilege | | 8 | Identify users and authenticate | MFA, password standards | | 9 | Restrict physical access | Badges, cameras, visitor logs | | 10 | Log and monitor all access | Centralized logging, review | | 11 | Test security regularly | Vuln scans, pen tests, IDS | | 12 | Support security with policies | Policies, training, incident response | ### Scope Reduction Strategy - **Use tokenization** — Replace card data with tokens (Stripe, Braintree handle PCI for you) - **Use hosted payment pages** — Never touch raw card data (SAQ A instead of SAQ D) - **Network segmentation** — Isolate cardholder data environment - **Cloud provider compliance** — Leverage AWS/GCP/Azure PCI certifications **SAQ Decision:** - Fully outsourced (Stripe Checkout) → **SAQ A** (22 controls, simplest) - API-based (Stripe Elements) → **SAQ A-EP** (~140 controls) - You store/process card data → **SAQ D** (300+ controls, avoid this) --- ## Phase 7 — Compliance Tooling Stack ### Essential Tools by Category | Category | Budget Option | Mid-Range | Enterprise | |----------|-------------|-----------|-----------| | GRC Platform | Notion/Sheets | Vanta, Drata | ServiceNow, OneTrust | | Policy Mgmt | Google Docs + versioning | Vanta policies | Hyperproof | | Vulnerability Scanning | OWASP ZAP, Trivy | Qualys, Tenable | Rapid7 | | SIEM/Logging | ELK Stack, Wazuh | Datadog, Sumo Logic | Splunk | | Endpoint Protection | CrowdStrike Falcon Go | SentinelOne | CrowdStrike Enterprise | | Identity/Access | Google Workspace + Okta | JumpCloud | Azure AD P2 | | Training | KnowBe4 Free | KnowBe4 | Proofpoint | | Pen Testing | HackerOne Community | Cobalt | Bishop Fox | | Backup | Native cloud backups | Veeam | Commvault | ### Automation-First Compliance **What to automate (saves 70%+ of audit prep):** - Evidence collection (screenshots of configs → API pulls) - Access reviews (quarterly manual → continuous monitoring) - Vulnerability scanning (manual → scheduled + auto-ticket) - Policy acknowledgment (email → onboarding workflow) - Vendor assessments (spreadsheets → intake forms with scoring) - Training tracking (manual → LMS with auto-reminders) ### Compliance-as-Code Patterns ``` # Infrastructure compliance - Terraform with Sentinel policies (enforce encryption, tagging) - OPA/Rego for Kubernetes admission control - AWS Config Rules / Azure Policy for cloud compliance - GitHub branch protection rules as change management evidence # Application compliance - Automated dependency scanning in CI (Snyk, Dependabot) - SAST in PR pipeline (Semgrep, CodeQL) - Container scanning (Trivy, Grype) - License compliance (FOSSA, Licensee) ``` --- ## Phase 8 — Audit Preparation ### 90-Day Audit Prep Checklist **Days 90-60: Foundation** - [ ] Confirm audit scope with auditor - [ ] Complete system description document - [ ] Verify all policies are current (reviewed within 12 months) - [ ] Confirm all employees completed security training - [ ] Run vulnerability scan and remediate critical/high findings - [ ] Schedule penetration test (results needed before audit) **Days 60-30: Evidence Gathering** - [ ] Collect evidence for each control (organized by TSC/clause) - [ ] Access review documentation (screenshots of reviews, action items) - [ ] Change management evidence (sample of tickets showing approval flow) - [ ] Incident response test evidence (tabletop exercise minutes) - [ ] DR test evidence (recovery test results, RTO achieved) - [ ] Vendor review evidence (assessment records, DPAs) - [ ] Risk assessment and treatment plan (current year) - [ ] Board/management meeting minutes discussing security **Days 30-0: Final Prep** - [ ] Internal mock audit — walk through every control - [ ] Remediate any mock audit findings - [ ] Brief team on auditor interviews (what to expect, who answers what) - [ ] Prepare management assertion letter - [ ] Set up auditor access (read-only to evidence repository) - [ ] Confirm all monitoring/alerting is functioning - [ ] Verify offboarding was completed for all departed employees ### Evidence Organization ``` /compliance-evidence/ /SOC2-2026/ /CC1-control-environment/ org-chart.pdf code-of-conduct-signed.pdf background-check-process.pdf /CC2-communication/ security-training-completion.csv security-policy-acknowledgments.pdf /CC3-risk-assessment/ risk-assessment-2026.xlsx risk-treatment-plan.pdf /CC6-access/ access-review-Q1.pdf access-review-Q2.pdf mfa-enforcement-screenshot.png offboarding-checklist-samples/ /CC7-operations/ vulnerability-scan-reports/ pentest-report-2026.pdf incident-log-2026.csv /CC8-change-management/ sample-change-tickets/ deployment-pipeline-config.png /CC9-vendors/ vendor-inventory.xlsx vendor-assessments/ dpas-and-baas/ ``` ### Auditor Interview Prep **Common questions and who should answer:** | Question | Best Respondent | Key Points | |----------|----------------|-----------| | "Walk me through your risk assessment process" | CISO/Security Lead | Methodology, frequency, treatment | | "How do you manage access to production?" | Engineering Lead | RBAC, approval flow, reviews | | "Describe your change management process" | Engineering Lead | PR review, testing, deployment | | "How do you handle security incidents?" | Security Lead | Detection, response, communication | | "How do you evaluate vendors?" | Security/Procurement | Assessment, monitoring, contracts | | "Describe your backup and recovery process" | Infrastructure Lead | Schedule, testing, RTO/RPO | | "How do you track and remediate vulnerabilities?" | Security Lead | Scanning, SLAs, patching | | "Walk me through employee onboarding/offboarding" | HR + IT | Checklist, timing, verification | --- ## Phase 9 — Continuous Compliance ### Monthly Compliance Dashboard ```yaml compliance_dashboard: month: "" control_health: total_controls: 0 controls_passing: 0 controls_failing: 0 controls_not_tested: 0 health_percentage: 0 action_items: open: 0 overdue: 0 closed_this_month: 0 key_metrics: mean_time_to_patch_critical: "" access_reviews_completed: "X/X" security_training_completion: "" incidents_this_month: 0 vendor_reviews_due: 0 policies_due_for_review: 0 risk_register: high_risks: 0 risks_without_treatment: 0 new_risks_identified: 0 upcoming: next_pen_test: "" next_dr_test: "" next_audit: "" next_access_review: "" ``` ### Compliance Calendar | Frequency | Activity | |-----------|----------| | **Weekly** | Review security alerts, patch critical vulln | | **Monthly** | Control testing sample, metrics dashboard, policy exception review | | **Quarterly** | Access reviews, vendor risk check, risk register update, tabletop exercise | | **Semi-annual** | Vulnerability scan (external), BCP/DR test, security training refresh | | **Annual** | Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review | ### Compliance Debt Tracker ```yaml compliance_debt: - id: "CD-001" framework: "SOC 2" control: "CC6.1" finding: "MFA not enforced on staging environment" severity: "High" identified: "2026-01-15" owner: "" target_remediation: "2026-02-15" status: "In Progress" compensating_control: "VPN + IP allowlisting" ``` ### When Controls Fail **Severity-based response:** | Severity | Response Time | Actions | |----------|-------------|---------| | **Critical** | 24 hours | Immediate remediation, notify management, consider if breach occurred | | **High** | 7 days | Remediation plan, compensating control if needed, risk acceptance by CISO | | **Medium** | 30 days | Add to sprint, track in compliance debt | | **Low** | 90 days | Batch with next review cycle | --- ## Phase 10 — Multi-Framework Management ### Common Control Framework (CCF) Build controls ONCE, map to MULTIPLE frameworks: ```yaml control: id: "CCF-AC-001" title: "Multi-Factor Authentication" description: "MFA required for all access to production systems and sensitive data" owner: "Security Team" framework_mapping: soc2: ["CC6.1", "CC6.6"] iso27001: ["A.8.5"] gdpr: ["Article 32"] hipaa: ["§164.312(d)"] pci_dss: ["Req 8.4"] evidence: - type: "Configuration screenshot" source: "Okta MFA policy" frequency: "Quarterly" - type: "Access review" source: "Okta user report" frequency: "Quarterly" test_procedure: "Verify MFA policy is enforced, test with non-MFA login attempt" last_tested: "" result: "" next_test: "" ``` ### Framework Expansion Strategy **Year 1:** SOC 2 Type I → establishes baseline **Year 1-2:** SOC 2 Type II → proves sustained operation **Year 2:** + GDPR → covers EU expansion **Year 2-3:** + ISO 27001 → international credibility **As needed:** + HIPAA / PCI DSS → industry-specific ### Audit Fatigue Prevention - **Single evidence repository** — collect once, map to all frameworks - **Continuous monitoring** — evidence auto-collected, not scrambled at audit time - **Control owner accountability** — each control has ONE owner, not "security team" - **Compliance sprints** — 2-week sprints dedicated to compliance work, not crammed before audit - **Auditor relationship** — same firm for multiple frameworks if possible (they know your environment) --- ## Phase 11 — Scoring & Quality ### Compliance Readiness Score (0-100) | Dimension | Weight | Score 0-10 | |-----------|--------|-----------| | **Policy Coverage** — All required policies exist, reviewed, approved | 15% | | | **Technical Controls** — Security tools deployed and configured | 20% | | | **Process Maturity** — Operational processes followed consistently | 20% | | | **Evidence Quality** — Complete, organized, recent evidence | 15% | | | **Training & Awareness** — All employees trained, records maintained | 10% | | | **Vendor Management** — All critical vendors assessed and contracted | 10% | | | **Risk Management** — Current assessment, treatment plans, monitoring | 10% | | **Scoring guide:** - 0-2: Not started / major gaps - 3-4: In progress / significant gaps - 5-6: Partially implemented / some gaps - 7-8: Implemented / minor improvements needed - 9-10: Mature / audit-ready **Interpretation:** - **< 40:** Not ready — significant work needed (3-6 months) - **40-60:** Getting there — focus on gaps (1-3 months) - **60-80:** Nearly ready — polish and evidence gathering (2-6 weeks) - **80+:** Audit-ready — schedule the audit --- ## Edge Cases & Special Situations ### Startup with Zero Compliance - Start with **security basics** (MFA, encryption, access control, backups) before any framework - Use a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours) - Don't wait for perfect — "documented and improving" beats "undocumented and perfect" - Budget $20-40K for first SOC 2 Type I (auditor + tools + time) ### Multi-Cloud / Hybrid Infrastructure - Map shared responsibility model for each provider - Ensure consistent controls across environments - Consider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager) - Network segmentation especially important ### Acquired Company Integration - Conduct compliance gap assessment within 30 days of close - Identify highest-risk gaps (access control, data handling) - 90-day integration plan to bring to baseline - Don't assume their compliance posture matches claims ### International (Multi-Jurisdiction) - Map all jurisdictions where you operate or store data - GDPR applies if you have EU *users* — not just EU office - Data residency requirements (Russia, China, India, Brazil) - Consider local DPA registrations ### Regulated Industries (FinTech, HealthTech) - Layer industry regulations ON TOP of SOC 2/ISO - FinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN) - HealthTech: SOC 2 + HIPAA + potentially FDA (SaMD) - EdTech: SOC 2 + FERPA + COPPA (if under 13) --- ## Natural Language Commands | Command | What It Does | |---------|-------------| | "Assess our compliance readiness" | Run readiness assessment, score, identify gaps | | "Create SOC 2 project plan" | Generate 16-week implementation timeline | | "Write [policy name] policy" | Generate policy from template with your context | | "Map controls across frameworks" | Build common control framework mapping | | "Prepare for audit" | Generate 90-day audit prep checklist with evidence needs | | "Review our GDPR compliance" | Check all 12 GDPR requirements against current state | | "Score our compliance posture" | Run 7-dimension scoring rubric | | "Generate evidence checklist" | List all evidence needed for specific framework | | "Build vendor assessment" | Create vendor risk assessment for a specific vendor | | "Plan framework expansion" | Recommend next framework based on business needs | | "Track compliance debt" | Review and prioritize open compliance items | | "Run monthly compliance review" | Update dashboard, check deadlines, identify actions |