openclaw/1kalin/afrexai-compliance-engine

Compliance & Audit Readiness Engine

Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS — from zero to audit-ready. No consultants needed.

---

Phase 1 — Compliance Discovery

Framework Selection Matrix

| Framework | Who Needs It | Trigger | Timeline | Cost Range | |-----------|-------------|---------|----------|------------| | SOC 2 Type I | Any B2B SaaS | Enterprise prospect asks | 3-6 months | $20K-$80K | | SOC 2 Type II | Established SaaS | After Type I, or direct | 6-12 months | $30K-$100K | | ISO 27001 | Global/EU-facing SaaS | EU enterprise deals | 6-12 months | $40K-$120K | | GDPR | Anyone with EU users | Day 1 if EU data | 1-3 months | $5K-$30K | | HIPAA | Health data handlers | Before first PHI | 3-6 months | $20K-$60K | | PCI DSS | Payment processors | Before card data | 3-9 months | $15K-$50K | | SOX | Public companies | IPO prep | 12-18 months | $100K-$500K |

Readiness Assessment Brief

company_profile:
  name: ""
  industry: ""
  employee_count: 0
  annual_revenue: ""
  data_types_handled:
    - PII (names, emails, addresses)
    - Financial (payment cards, bank accounts)
    - Health (PHI, medical records)
    - Children (COPPA scope)
    - Biometric
    - Government/classified
  customer_segments:
    - SMB
    - Mid-market
    - Enterprise
    - Government
  geographic_scope:
    - US only
    - US + EU
    - Global
  current_state:
    existing_frameworks: []
    security_team_size: 0
    has_written_policies: false
    has_asset_inventory: false
    has_risk_assessment: false
    has_incident_response: false
    has_vendor_management: false
    previous_audits: []
    known_gaps: []
  drivers:
    - Customer requirement
    - Board/investor mandate
    - Regulatory obligation
    - Competitive advantage
    - Insurance requirement
  target_frameworks: []
  target_date: ""
  budget_range: ""

Priority Decision Rules

1. Customer asking for SOC 2? → Start there (most requested in B2B SaaS)
2. EU customers? → GDPR is non-negotiable, do it alongside SOC 2
3. Health data? → HIPAA first, then layer SOC 2
4. Payment data? → PCI DSS is legally required, do immediately
5. Multiple frameworks? → Map common controls (40-60% overlap between SOC 2 and ISO 27001)

---

Phase 2 — SOC 2 Deep Dive

Trust Service Criteria (TSC)

SOC 2 is built on 5 categories. Security is mandatory. Others are optional but often expected.

CC1 — Control Environment (Foundation)

• [ ] Board/management oversight of security
• [ ] Organizational structure with clear security roles
• [ ] Code of conduct / acceptable use policy
• [ ] HR processes (background checks, onboarding, offboarding)
• [ ] Performance evaluations include security responsibilities

CC2 — Communication & Information

• [ ] Security policies documented and accessible to all employees
• [ ] External communication channels for security (status page, security@)
• [ ] Whistleblower / anonymous reporting mechanism
• [ ] Security awareness training program (annual + onboarding)
• [ ] System description document maintained

CC3 — Risk Assessment

• [ ] Annual risk assessment process documented
• [ ] Risk register maintained with likelihood × impact scoring
• [ ] Risk treatment plans for high/critical risks
• [ ] Risk appetite statement approved by management
• [ ] Changes in business/technology trigger risk re-assessment

CC4 — Monitoring Activities

• [ ] Continuous monitoring of controls (not just annual)
• [ ] Internal audit or self-assessment program
• [ ] Deficiency tracking and remediation
• [ ] Management review of monitoring results
• [ ] Penetration testing (annual minimum)

CC5 — Control Activities

• [ ] Logical access controls (RBAC, least privilege)
• [ ] Physical access controls (offices, data centers)
• [ ] Change management process
• [ ] System development lifecycle (SDLC)
• [ ] Data backup and recovery procedures

CC6 — Logical & Physical Access

• [ ] User provisioning and deprovisioning process
• [ ] MFA enforced on all critical systems
• [ ] Password policy (12+ chars, complexity, rotation)
• [ ] Access reviews (quarterly minimum)
• [ ] Physical access logs for sensitive areas
• [ ] Encryption at rest (AES-256) and in transit (TLS 1.2+)
• [ ] Firewall rules reviewed quarterly
• [ ] VPN or zero-trust network access

CC7 — System Operations

• [ ] Monitoring and alerting (uptime, errors, security events)
• [ ] Incident detection and response procedures
• [ ] Vulnerability management (scan weekly, patch critical <72h)
• [ ] Anti-malware / endpoint protection
• [ ] Capacity planning and performance monitoring

CC8 — Change Management

• [ ] Formal change request and approval process
• [ ] Separation of duties (dev ≠ prod deploy)
• [ ] Testing before production deployment
• [ ] Rollback procedures documented
• [ ] Emergency change process with post-hoc approval

CC9 — Risk Mitigation (Vendors)

• [ ] Vendor risk assessment before onboarding
• [ ] Vendor inventory with criticality ratings
• [ ] Annual vendor reviews
• [ ] BAAs / DPAs with sub-processors
• [ ] Vendor offboarding process

Additional Criteria

Availability (A1):

• [ ] SLAs defined and monitored
• [ ] Disaster recovery plan tested annually
• [ ] Business continuity plan documented
• [ ] RTO/RPO defined for critical systems
• [ ] Redundancy for critical infrastructure

Confidentiality (C1):

• [ ] Data classification scheme (Public, Internal, Confidential, Restricted)
• [ ] Handling procedures per classification level
• [ ] Confidentiality agreements (NDA) with employees and vendors
• [ ] Data retention and disposal policies
• [ ] DLP controls for sensitive data

Processing Integrity (PI1):

• [ ] Input validation controls
• [ ] Processing completeness and accuracy checks
• [ ] Output reconciliation procedures
• [ ] Error handling and correction processes

Privacy (P1):

• [ ] Privacy notice published
• [ ] Consent mechanisms for data collection
• [ ] Data subject rights procedures (access, deletion, portability)
• [ ] Privacy impact assessments for new features
• [ ] Data breach notification procedures

SOC 2 Project Plan (16-Week Sprint)

| Week | Phase | Key Activities | |------|-------|---------------| | 1-2 | Scoping | Define system boundaries, select TSC, choose auditor | | 3-4 | Gap Assessment | Audit current state against TSC, document gaps | | 5-6 | Policy Writing | Draft all required policies (see policy list below) | | 7-8 | Control Implementation | Deploy technical controls, configure tools | | 9-10 | Process Implementation | Establish operational processes, train team | | 11-12 | Evidence Collection | Gather evidence for all controls, test internally | | 13-14 | Readiness Assessment | Mock audit, remediate findings | | 15-16 | Type I Audit | Auditor fieldwork, management response, report |

Required Policy Documents

1. Information Security Policy — Master policy, scope, objectives
2. Access Control Policy — Authentication, authorization, reviews
3. Change Management Policy — SDLC, deployment, emergency changes
4. Incident Response Policy — Detection, response, notification
5. Risk Management Policy — Assessment methodology, treatment, appetite
6. Data Classification Policy — Levels, handling, retention, disposal
7. Acceptable Use Policy — Employee responsibilities, prohibited actions
8. Vendor Management Policy — Assessment, monitoring, offboarding
9. Business Continuity / DR Policy — Plans, testing, RTO/RPO
10. HR Security Policy — Background checks, onboarding, offboarding, training
11. Encryption Policy — Standards, key management, certificate handling
12. Physical Security Policy — Office access, visitor management, clean desk
13. Logging & Monitoring Policy — What to log, retention, alerting
14. Password & Authentication Policy — Standards, MFA requirements
15. Backup & Recovery Policy — Schedule, testing, retention

Policy Template

# [Policy Name]

**Version:** 1.0
**Owner:** [Name, Title]
**Approved by:** [Name, Title]
**Effective date:** [Date]
**Next review:** [Date + 1 year]
**Classification:** Internal

## 1. Purpose
[Why this policy exists — 2-3 sentences]

## 2. Scope
[Who and what this policy applies to]

## 3. Policy Statements
[Numbered, actionable requirements — not aspirational]

### 3.1 [Topic]
- SHALL [requirement]
- SHALL NOT [prohibition]
- SHOULD [recommendation]

## 4. Roles & Responsibilities
| Role | Responsibility |
|------|---------------|
| [Role] | [What they must do] |

## 5. Exceptions
[Process for requesting exceptions — who approves, how long, documentation]

## 6. Enforcement
[Consequences of non-compliance]

## 7. Definitions
[Technical terms used in the policy]

## 8. Related Documents
[Links to related policies, standards, procedures]

## 9. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Author] | Initial release |

---

Phase 3 — ISO 27001 Framework

ISMS Implementation Roadmap

Clause 4 — Context of the Organization

• [ ] Define ISMS scope and boundaries
• [ ] Identify interested parties and their requirements
• [ ] Determine internal and external issues
• [ ] Document scope statement

Clause 5 — Leadership

• [ ] Management commitment statement
• [ ] Information security policy (signed by CEO/CTO)
• [ ] Assign ISMS roles and responsibilities
• [ ] Allocate resources (budget, people, tools)

Clause 6 — Planning

• [ ] Risk assessment methodology (ISO 27005 or custom)
• [ ] Risk assessment execution
• [ ] Risk treatment plan
• [ ] Statement of Applicability (SoA) — map all 93 Annex A controls
• [ ] Information security objectives (measurable, time-bound)

Clause 7 — Support

• [ ] Determine required competencies
• [ ] Security awareness program
• [ ] Internal and external communication plan
• [ ] Document control process

Clause 8 — Operation

• [ ] Execute risk treatment plan
• [ ] Implement controls from SoA
• [ ] Manage operational changes
• [ ] Conduct risk assessments on changes

Clause 9 — Performance Evaluation

• [ ] Monitoring and measurement program
• [ ] Internal audit schedule and execution
• [ ] Management review (at least annually)
• [ ] Corrective action tracking

Clause 10 — Improvement

• [ ] Nonconformity and corrective action process
• [ ] Continual improvement program
• [ ] Lessons learned integration

ISO 27001:2022 Annex A Control Categories

| Category | Controls | Key Areas | |----------|----------|-----------| | A.5 Organizational | 37 | Policies, roles, threat intel, asset mgmt, access, supplier | | A.6 People | 8 | Screening, T&C, awareness, disciplinary, termination | | A.7 Physical | 14 | Perimeters, entry, offices, monitoring, utilities, cabling | | A.8 Technological | 34 | Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC |

SOC 2 ↔ ISO 27001 Control Mapping (Save 40-60% effort)

| SOC 2 TSC | ISO 27001 Annex A | Overlap | |-----------|------------------|---------| | CC1 Control Environment | A.5.1-5.6 (Org controls) | ~80% | | CC2 Communication | A.5.1, A.6.3 (Awareness) | ~70% | | CC3 Risk Assessment | Clause 6.1, A.5.7 (Threat intel) | ~90% | | CC5 Control Activities | A.8 (Technological) | ~75% | | CC6 Access | A.5.15-5.18, A.8.1-8.5 | ~85% | | CC7 Operations | A.8.7-8.16 (Monitoring) | ~80% | | CC8 Change Mgmt | A.8.25-8.33 (SDLC) | ~70% | | CC9 Vendors | A.5.19-5.23 (Supplier) | ~85% |

Strategy: Build for one framework, extend to the other. SOC 2 first (faster) → ISO 27001 (adds clauses 4-10 management system).

---

Phase 4 — GDPR Compliance Program

12 Core Requirements

1. Lawful Basis for Processing — Document legal basis for each data processing activity

   • Consent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest
   • [ ] Data processing register (Article 30)
   • [ ] Legitimate Interest Assessments (LIAs) where applicable

2. Data Subject Rights — Respond within 30 days

   • [ ] Right of access (SAR) process
   • [ ] Right to rectification
   • [ ] Right to erasure ("right to be forgotten")
   • [ ] Right to data portability (machine-readable export)
   • [ ] Right to restrict processing
   • [ ] Right to object
   • [ ] Automated decision-making opt-out

3. Privacy by Design & Default — Build privacy into products

   • [ ] Privacy Impact Assessment (PIA/DPIA) template
   • [ ] Data minimization review for each feature
   • [ ] Default privacy settings (opt-in, not opt-out)

4. Data Protection Officer (DPO) — Required if:

   • Public authority, OR
   • Large-scale systematic monitoring, OR
   • Large-scale processing of special category data

5. Consent Management

   • [ ] Granular consent mechanisms (not bundled)
   • [ ] Easy withdrawal (as easy as giving consent)
   • [ ] Consent records with timestamp, version, scope
   • [ ] Cookie consent banner (ePrivacy)

6. Data Processing Agreements (DPAs)

   • [ ] DPA template for sub-processors
   • [ ] Article 28 requirements checklist
   • [ ] Sub-processor notification process
   • [ ] Sub-processor register

7. International Transfers

   • [ ] Transfer mechanism (SCCs, adequacy decision, BCRs)
   • [ ] Transfer Impact Assessment
   • [ ] Supplementary measures where needed

8. Breach Notification

   • [ ] 72-hour notification to supervisory authority
   • [ ] "Undue delay" notification to affected individuals
   • [ ] Breach register with risk assessment
   • [ ] Breach response team and escalation path

9. Records of Processing Activities (ROPA)

processing_activity:
  name: ""
  purpose: ""
  lawful_basis: ""
  data_categories: []
  data_subjects: []
  recipients: []
  retention_period: ""
  transfers_outside_eea: false
  transfer_mechanism: ""
  technical_measures: []
  organizational_measures: []
  dpia_required: false
  last_reviewed: ""

10. Privacy Notice — Must include:

    • Identity of controller
    • DPO contact (if applicable)
    • Purposes and lawful basis
    • Categories of data
    • Recipients / transfers
    • Retention periods
    • Data subject rights
    • Right to complain to supervisory authority
    • Whether providing data is statutory/contractual requirement

11. Data Retention Schedule

| Data Type | Retention Period | Legal Basis | Disposal Method | |-----------|-----------------|-------------|-----------------| | Customer PII | Duration + 3 years | Contract + legitimate interest | Automated deletion | | Employee records | Duration + 7 years | Legal obligation | Secure shred | | Financial records | 7 years | Legal obligation | Secure shred | | Server logs | 90 days | Legitimate interest | Automated rotation | | Marketing consent | Until withdrawn | Consent | Database purge | | Support tickets | 2 years after resolution | Legitimate interest | Automated deletion |

12. Training & Awareness
    • [ ] Mandatory GDPR training for all employees (annual)
    • [ ] Role-specific training (developers, support, marketing, HR)
    • [ ] Training records with completion tracking

---

Phase 5 — HIPAA Compliance (Health Data)

HIPAA Security Rule — 3 Safeguard Categories

Administrative Safeguards

• [ ] Security Management Process (risk analysis, risk management)
• [ ] Assigned Security Responsibility (HIPAA Security Officer)
• [ ] Workforce Security (authorization, clearance, termination)
• [ ] Information Access Management (access authorization, establishment, modification)
• [ ] Security Awareness Training (reminders, malware, login monitoring, password mgmt)
• [ ] Security Incident Procedures (response, reporting)
• [ ] Contingency Plan (backup, DR, emergency mode, testing)
• [ ] Evaluation (periodic technical/non-technical)
• [ ] BAAs with all business associates

Physical Safeguards

• [ ] Facility Access Controls (contingency ops, facility security plan, access control, maintenance records)
• [ ] Workstation Use (policies, restrictions)
• [ ] Workstation Security (physical safeguards)
• [ ] Device and Media Controls (disposal, re-use, accountability, data backup)

Technical Safeguards

• [ ] Access Control (unique user ID, emergency access, automatic logoff, encryption)
• [ ] Audit Controls (hardware, software, procedural mechanisms)
• [ ] Integrity Controls (authentication of ePHI, transmission security)
• [ ] Person or Entity Authentication (verify identity)
• [ ] Transmission Security (integrity controls, encryption)

HIPAA Breach Rule

• ≤500 individuals: Annual batch notification to HHS (within 60 days of year end)
• >500 individuals: Notify HHS within 60 days + media notification
• All breaches: Notify affected individuals without unreasonable delay (≤60 days)
• Penalties: $100-$50,000 per violation, up to $1.5M per year per category

---

Phase 6 — PCI DSS 4.0 (Payment Data)

12 Requirements Summary

| # | Requirement | Key Controls | |---|------------|-------------| | 1 | Install/maintain network security controls | Firewalls, network segmentation | | 2 | Apply secure configurations | No vendor defaults, CIS benchmarks | | 3 | Protect stored account data | Encryption, masking, key mgmt | | 4 | Encrypt transmission over open networks | TLS 1.2+, no SSL/early TLS | | 5 | Protect from malicious software | Anti-malware, regular updates | | 6 | Develop secure systems | SDLC, vuln mgmt, WAF | | 7 | Restrict access by business need | RBAC, least privilege | | 8 | Identify users and authenticate | MFA, password standards | | 9 | Restrict physical access | Badges, cameras, visitor logs | | 10 | Log and monitor all access | Centralized logging, review | | 11 | Test security regularly | Vuln scans, pen tests, IDS | | 12 | Support security with policies | Policies, training, incident response |

Scope Reduction Strategy

• Use tokenization — Replace card data with tokens (Stripe, Braintree handle PCI for you)
• Use hosted payment pages — Never touch raw card data (SAQ A instead of SAQ D)
• Network segmentation — Isolate cardholder data environment
• Cloud provider compliance — Leverage AWS/GCP/Azure PCI certifications

SAQ Decision:

• Fully outsourced (Stripe Checkout) → SAQ A (22 controls, simplest)
• API-based (Stripe Elements) → SAQ A-EP (~140 controls)
• You store/process card data → SAQ D (300+ controls, avoid this)

---

Phase 7 — Compliance Tooling Stack

Essential Tools by Category

| Category | Budget Option | Mid-Range | Enterprise | |----------|-------------|-----------|-----------| | GRC Platform | Notion/Sheets | Vanta, Drata | ServiceNow, OneTrust | | Policy Mgmt | Google Docs + versioning | Vanta policies | Hyperproof | | Vulnerability Scanning | OWASP ZAP, Trivy | Qualys, Tenable | Rapid7 | | SIEM/Logging | ELK Stack, Wazuh | Datadog, Sumo Logic | Splunk | | Endpoint Protection | CrowdStrike Falcon Go | SentinelOne | CrowdStrike Enterprise | | Identity/Access | Google Workspace + Okta | JumpCloud | Azure AD P2 | | Training | KnowBe4 Free | KnowBe4 | Proofpoint | | Pen Testing | HackerOne Community | Cobalt | Bishop Fox | | Backup | Native cloud backups | Veeam | Commvault |

Automation-First Compliance

What to automate (saves 70%+ of audit prep):

• Evidence collection (screenshots of configs → API pulls)
• Access reviews (quarterly manual → continuous monitoring)
• Vulnerability scanning (manual → scheduled + auto-ticket)
• Policy acknowledgment (email → onboarding workflow)
• Vendor assessments (spreadsheets → intake forms with scoring)
• Training tracking (manual → LMS with auto-reminders)

Compliance-as-Code Patterns

# Infrastructure compliance
- Terraform with Sentinel policies (enforce encryption, tagging)
- OPA/Rego for Kubernetes admission control
- AWS Config Rules / Azure Policy for cloud compliance
- GitHub branch protection rules as change management evidence

# Application compliance
- Automated dependency scanning in CI (Snyk, Dependabot)
- SAST in PR pipeline (Semgrep, CodeQL)
- Container scanning (Trivy, Grype)
- License compliance (FOSSA, Licensee)

---

Phase 8 — Audit Preparation

90-Day Audit Prep Checklist

Days 90-60: Foundation

• [ ] Confirm audit scope with auditor
• [ ] Complete system description document
• [ ] Verify all policies are current (reviewed within 12 months)
• [ ] Confirm all employees completed security training
• [ ] Run vulnerability scan and remediate critical/high findings
• [ ] Schedule penetration test (results needed before audit)

Days 60-30: Evidence Gathering

• [ ] Collect evidence for each control (organized by TSC/clause)
• [ ] Access review documentation (screenshots of reviews, action items)
• [ ] Change management evidence (sample of tickets showing approval flow)
• [ ] Incident response test evidence (tabletop exercise minutes)
• [ ] DR test evidence (recovery test results, RTO achieved)
• [ ] Vendor review evidence (assessment records, DPAs)
• [ ] Risk assessment and treatment plan (current year)
• [ ] Board/management meeting minutes discussing security

Days 30-0: Final Prep

• [ ] Internal mock audit — walk through every control
• [ ] Remediate any mock audit findings
• [ ] Brief team on auditor interviews (what to expect, who answers what)
• [ ] Prepare management assertion letter
• [ ] Set up auditor access (read-only to evidence repository)
• [ ] Confirm all monitoring/alerting is functioning
• [ ] Verify offboarding was completed for all departed employees

Evidence Organization

/compliance-evidence/
  /SOC2-2026/
    /CC1-control-environment/
      org-chart.pdf
      code-of-conduct-signed.pdf
      background-check-process.pdf
    /CC2-communication/
      security-training-completion.csv
      security-policy-acknowledgments.pdf
    /CC3-risk-assessment/
      risk-assessment-2026.xlsx
      risk-treatment-plan.pdf
    /CC6-access/
      access-review-Q1.pdf
      access-review-Q2.pdf
      mfa-enforcement-screenshot.png
      offboarding-checklist-samples/
    /CC7-operations/
      vulnerability-scan-reports/
      pentest-report-2026.pdf
      incident-log-2026.csv
    /CC8-change-management/
      sample-change-tickets/
      deployment-pipeline-config.png
    /CC9-vendors/
      vendor-inventory.xlsx
      vendor-assessments/
      dpas-and-baas/

Auditor Interview Prep

Common questions and who should answer:

| Question | Best Respondent | Key Points | |----------|----------------|-----------| | "Walk me through your risk assessment process" | CISO/Security Lead | Methodology, frequency, treatment | | "How do you manage access to production?" | Engineering Lead | RBAC, approval flow, reviews | | "Describe your change management process" | Engineering Lead | PR review, testing, deployment | | "How do you handle security incidents?" | Security Lead | Detection, response, communication | | "How do you evaluate vendors?" | Security/Procurement | Assessment, monitoring, contracts | | "Describe your backup and recovery process" | Infrastructure Lead | Schedule, testing, RTO/RPO | | "How do you track and remediate vulnerabilities?" | Security Lead | Scanning, SLAs, patching | | "Walk me through employee onboarding/offboarding" | HR + IT | Checklist, timing, verification |

---

Phase 9 — Continuous Compliance

Monthly Compliance Dashboard

compliance_dashboard:
  month: ""
  
  control_health:
    total_controls: 0
    controls_passing: 0
    controls_failing: 0
    controls_not_tested: 0
    health_percentage: 0
    
  action_items:
    open: 0
    overdue: 0
    closed_this_month: 0
    
  key_metrics:
    mean_time_to_patch_critical: ""
    access_reviews_completed: "X/X"
    security_training_completion: ""
    incidents_this_month: 0
    vendor_reviews_due: 0
    policies_due_for_review: 0
    
  risk_register:
    high_risks: 0
    risks_without_treatment: 0
    new_risks_identified: 0
    
  upcoming:
    next_pen_test: ""
    next_dr_test: ""
    next_audit: ""
    next_access_review: ""

Compliance Calendar

| Frequency | Activity | |-----------|----------| | Weekly | Review security alerts, patch critical vulln | | Monthly | Control testing sample, metrics dashboard, policy exception review | | Quarterly | Access reviews, vendor risk check, risk register update, tabletop exercise | | Semi-annual | Vulnerability scan (external), BCP/DR test, security training refresh | | Annual | Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review |

Compliance Debt Tracker

compliance_debt:
  - id: "CD-001"
    framework: "SOC 2"
    control: "CC6.1"
    finding: "MFA not enforced on staging environment"
    severity: "High"
    identified: "2026-01-15"
    owner: ""
    target_remediation: "2026-02-15"
    status: "In Progress"
    compensating_control: "VPN + IP allowlisting"

When Controls Fail

Severity-based response:

| Severity | Response Time | Actions | |----------|-------------|---------| | Critical | 24 hours | Immediate remediation, notify management, consider if breach occurred | | High | 7 days | Remediation plan, compensating control if needed, risk acceptance by CISO | | Medium | 30 days | Add to sprint, track in compliance debt | | Low | 90 days | Batch with next review cycle |

---

Phase 10 — Multi-Framework Management

Common Control Framework (CCF)

Build controls ONCE, map to MULTIPLE frameworks:

control:
  id: "CCF-AC-001"
  title: "Multi-Factor Authentication"
  description: "MFA required for all access to production systems and sensitive data"
  owner: "Security Team"
  
  framework_mapping:
    soc2: ["CC6.1", "CC6.6"]
    iso27001: ["A.8.5"]
    gdpr: ["Article 32"]
    hipaa: ["§164.312(d)"]
    pci_dss: ["Req 8.4"]
    
  evidence:
    - type: "Configuration screenshot"
      source: "Okta MFA policy"
      frequency: "Quarterly"
    - type: "Access review"
      source: "Okta user report"
      frequency: "Quarterly"
      
  test_procedure: "Verify MFA policy is enforced, test with non-MFA login attempt"
  last_tested: ""
  result: ""
  next_test: ""

Framework Expansion Strategy

Year 1: SOC 2 Type I → establishes baseline Year 1-2: SOC 2 Type II → proves sustained operation Year 2: + GDPR → covers EU expansion Year 2-3: + ISO 27001 → international credibility As needed: + HIPAA / PCI DSS → industry-specific

Audit Fatigue Prevention

• Single evidence repository — collect once, map to all frameworks
• Continuous monitoring — evidence auto-collected, not scrambled at audit time
• Control owner accountability — each control has ONE owner, not "security team"
• Compliance sprints — 2-week sprints dedicated to compliance work, not crammed before audit
• Auditor relationship — same firm for multiple frameworks if possible (they know your environment)

---

Phase 11 — Scoring & Quality

Compliance Readiness Score (0-100)

| Dimension | Weight | Score 0-10 | |-----------|--------|-----------| | Policy Coverage — All required policies exist, reviewed, approved | 15% | | | Technical Controls — Security tools deployed and configured | 20% | | | Process Maturity — Operational processes followed consistently | 20% | | | Evidence Quality — Complete, organized, recent evidence | 15% | | | Training & Awareness — All employees trained, records maintained | 10% | | | Vendor Management — All critical vendors assessed and contracted | 10% | | | Risk Management — Current assessment, treatment plans, monitoring | 10% | |

Scoring guide:

• 0-2: Not started / major gaps
• 3-4: In progress / significant gaps
• 5-6: Partially implemented / some gaps
• 7-8: Implemented / minor improvements needed
• 9-10: Mature / audit-ready

Interpretation:

• < 40: Not ready — significant work needed (3-6 months)
• 40-60: Getting there — focus on gaps (1-3 months)
• 60-80: Nearly ready — polish and evidence gathering (2-6 weeks)
• 80+: Audit-ready — schedule the audit

---

Edge Cases & Special Situations

Startup with Zero Compliance

• Start with security basics (MFA, encryption, access control, backups) before any framework
• Use a GRC platform from Day 1 (Vanta/Drata cost $10-15K/yr but save 100+ hours)
• Don't wait for perfect — "documented and improving" beats "undocumented and perfect"
• Budget $20-40K for first SOC 2 Type I (auditor + tools + time)

Multi-Cloud / Hybrid Infrastructure

• Map shared responsibility model for each provider
• Ensure consistent controls across environments
• Consider cloud-specific compliance tools (AWS Audit Manager, Azure Compliance Manager)
• Network segmentation especially important

Acquired Company Integration

• Conduct compliance gap assessment within 30 days of close
• Identify highest-risk gaps (access control, data handling)
• 90-day integration plan to bring to baseline
• Don't assume their compliance posture matches claims

International (Multi-Jurisdiction)

• Map all jurisdictions where you operate or store data
• GDPR applies if you have EU users — not just EU office
• Data residency requirements (Russia, China, India, Brazil)
• Consider local DPA registrations

Regulated Industries (FinTech, HealthTech)

• Layer industry regulations ON TOP of SOC 2/ISO
• FinTech: SOC 2 + PCI DSS + potentially banking regs (state MTLs, FinCEN)
• HealthTech: SOC 2 + HIPAA + potentially FDA (SaMD)
• EdTech: SOC 2 + FERPA + COPPA (if under 13)

---

Natural Language Commands

| Command | What It Does | |---------|-------------| | "Assess our compliance readiness" | Run readiness assessment, score, identify gaps | | "Create SOC 2 project plan" | Generate 16-week implementation timeline | | "Write [policy name] policy" | Generate policy from template with your context | | "Map controls across frameworks" | Build common control framework mapping | | "Prepare for audit" | Generate 90-day audit prep checklist with evidence needs | | "Review our GDPR compliance" | Check all 12 GDPR requirements against current state | | "Score our compliance posture" | Run 7-dimension scoring rubric | | "Generate evidence checklist" | List all evidence needed for specific framework | | "Build vendor assessment" | Create vendor risk assessment for a specific vendor | | "Plan framework expansion" | Recommend next framework based on business needs | | "Track compliance debt" | Review and prioritize open compliance items | | "Run monthly compliance review" | Update dashboard, check deadlines, identify actions |