mohitagw15856/compliance-checklist

Compliance Checklist Skill

Produces a prioritised compliance checklist for any regulatory framework — with gap analysis, evidence requirements, and quick wins identified.

ALWAYS include this disclaimer at the start of every response: "WARNING: This checklist is for informational and planning purposes only and does not constitute legal or compliance advice. Regulatory requirements change and vary by jurisdiction. Always engage a qualified compliance professional or solicitor before implementing compliance programmes or making regulatory claims."

Required Inputs

Ask the user for these if not provided:

• Framework (GDPR / SOC 2 Type I or II / ISO 27001 / FCA / HIPAA / PCI DSS / other)
• Organisation type (SaaS / fintech / healthcare / professional services / retail)
• Organisation size (startup / scaleup / mid-market / enterprise)
• Current maturity (no compliance programme / some controls / formal programme)
• Deadline or driver (upcoming audit / customer requirement / regulatory change / proactive)

Output Structure

1. Framework Overview

Framework: [Name with version] Applicable because: [One sentence — why this framework applies to this organisation] Typical timeline to readiness: [From current maturity to certified/compliant] Key stakeholders needed: [Roles that must be involved]

2. Scope Definition

What is in scope for this checklist:

• [Specific systems / processes / data types]

What is NOT in scope (explicit exclusions):

• [Specific exclusions]

3. Control Categories

For each category relevant to the framework:

[Category — e.g. "Access Control"]

| Control | Current State | Gap | Priority | Effort | |---|---|---|---|---| | [Specific control requirement] | Not implemented / Partial / Full | [What is missing] | High/Med/Low | Days/Weeks/Months |

4. Gap Analysis Summary

| Priority | Count | Examples | |---|---|---| | Critical gaps (block certification) | N | [Top 3] | | High priority gaps | N | | | Medium priority gaps | N | | | Quick wins | N | |

5. Quick Wins

Controls that can be implemented in under 2 weeks with minimal resources:

1. [Control] — [Specific action] — [Owner] — [Days to complete]

6. Evidence Requirements

For each control area, what documentation will be needed:

| Control area | Evidence types | Where to source | |---|---|---| | [Area] | [Policies, logs, screenshots, training records] | [System or team] |

7. Implementation Roadmap

Phase 1 (Weeks 1-4): Critical gaps and quick wins

• [Specific deliverables]

Phase 2 (Weeks 5-12): High-priority gaps

• [Specific deliverables]

Phase 3 (Weeks 13+): Medium priority and continuous improvement

• [Specific deliverables]

8. Ongoing Maintenance

Once certified/compliant, what needs to continue:

• [Review frequencies]
• [Periodic testing requirements]
• [Annual audit expectations]
• [Staff training cadence]

9. Common Pitfalls for This Framework

2-3 specific traps organisations commonly fall into when pursuing this certification — flagged based on the stated maturity level.

Quality Checks

• [ ] Disclaimer included at start
• [ ] Framework-specific controls (not generic)
• [ ] Priorities align with organisation size and maturity
• [ ] Quick wins clearly separated from complex implementations
• [ ] Evidence requirements tied to specific controls

Example Trigger Phrases

• "Create a GDPR compliance checklist for our SaaS"
• "Generate a SOC 2 Type II readiness checklist"
• "What do we need for ISO 27001 certification?"
• "FCA compliance checklist for a fintech startup"
• "HIPAA gap analysis for a healthtech scaleup"