Compliance & Audit Readiness Engine
by @1kalin
Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS compliance to achieve audit readiness without external consultants.
clawhub install afrexai-compliance-engineπ About This Skill
Compliance & Audit Readiness Engine
Your AI compliance officer. Guides startups and scale-ups through SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS β from zero to audit-ready. No consultants needed.
Phase 1 β Compliance Discovery
Framework Selection Matrix
| Framework | Who Needs It | Trigger | Timeline | Cost Range | |-----------|-------------|---------|----------|------------| | SOC 2 Type I | Any B2B SaaS | Enterprise prospect asks | 3-6 months | $20K-$80K | | SOC 2 Type II | Established SaaS | After Type I, or direct | 6-12 months | $30K-$100K | | ISO 27001 | Global/EU-facing SaaS | EU enterprise deals | 6-12 months | $40K-$120K | | GDPR | Anyone with EU users | Day 1 if EU data | 1-3 months | $5K-$30K | | HIPAA | Health data handlers | Before first PHI | 3-6 months | $20K-$60K | | PCI DSS | Payment processors | Before card data | 3-9 months | $15K-$50K | | SOX | Public companies | IPO prep | 12-18 months | $100K-$500K |
Readiness Assessment Brief
company_profile:
name: ""
industry: ""
employee_count: 0
annual_revenue: ""
data_types_handled:
- PII (names, emails, addresses)
- Financial (payment cards, bank accounts)
- Health (PHI, medical records)
- Children (COPPA scope)
- Biometric
- Government/classified
customer_segments:
- SMB
- Mid-market
- Enterprise
- Government
geographic_scope:
- US only
- US + EU
- Global
current_state:
existing_frameworks: []
security_team_size: 0
has_written_policies: false
has_asset_inventory: false
has_risk_assessment: false
has_incident_response: false
has_vendor_management: false
previous_audits: []
known_gaps: []
drivers:
- Customer requirement
- Board/investor mandate
- Regulatory obligation
- Competitive advantage
- Insurance requirement
target_frameworks: []
target_date: ""
budget_range: ""
Priority Decision Rules
1. Customer asking for SOC 2? β Start there (most requested in B2B SaaS) 2. EU customers? β GDPR is non-negotiable, do it alongside SOC 2 3. Health data? β HIPAA first, then layer SOC 2 4. Payment data? β PCI DSS is legally required, do immediately 5. Multiple frameworks? β Map common controls (40-60% overlap between SOC 2 and ISO 27001)
Phase 2 β SOC 2 Deep Dive
Trust Service Criteria (TSC)
SOC 2 is built on 5 categories. Security is mandatory. Others are optional but often expected.
#### CC1 β Control Environment (Foundation)
#### CC2 β Communication & Information
#### CC3 β Risk Assessment
#### CC4 β Monitoring Activities
#### CC5 β Control Activities
#### CC6 β Logical & Physical Access
#### CC7 β System Operations
#### CC8 β Change Management
#### CC9 β Risk Mitigation (Vendors)
Additional Criteria
Availability (A1):
Confidentiality (C1):
Processing Integrity (PI1):
Privacy (P1):
SOC 2 Project Plan (16-Week Sprint)
| Week | Phase | Key Activities | |------|-------|---------------| | 1-2 | Scoping | Define system boundaries, select TSC, choose auditor | | 3-4 | Gap Assessment | Audit current state against TSC, document gaps | | 5-6 | Policy Writing | Draft all required policies (see policy list below) | | 7-8 | Control Implementation | Deploy technical controls, configure tools | | 9-10 | Process Implementation | Establish operational processes, train team | | 11-12 | Evidence Collection | Gather evidence for all controls, test internally | | 13-14 | Readiness Assessment | Mock audit, remediate findings | | 15-16 | Type I Audit | Auditor fieldwork, management response, report |
Required Policy Documents
1. Information Security Policy β Master policy, scope, objectives 2. Access Control Policy β Authentication, authorization, reviews 3. Change Management Policy β SDLC, deployment, emergency changes 4. Incident Response Policy β Detection, response, notification 5. Risk Management Policy β Assessment methodology, treatment, appetite 6. Data Classification Policy β Levels, handling, retention, disposal 7. Acceptable Use Policy β Employee responsibilities, prohibited actions 8. Vendor Management Policy β Assessment, monitoring, offboarding 9. Business Continuity / DR Policy β Plans, testing, RTO/RPO 10. HR Security Policy β Background checks, onboarding, offboarding, training 11. Encryption Policy β Standards, key management, certificate handling 12. Physical Security Policy β Office access, visitor management, clean desk 13. Logging & Monitoring Policy β What to log, retention, alerting 14. Password & Authentication Policy β Standards, MFA requirements 15. Backup & Recovery Policy β Schedule, testing, retention
Policy Template
# [Policy Name]Version: 1.0
Owner: [Name, Title]
Approved by: [Name, Title]
Effective date: [Date]
Next review: [Date + 1 year]
Classification: Internal
1. Purpose
[Why this policy exists β 2-3 sentences]2. Scope
[Who and what this policy applies to]3. Policy Statements
[Numbered, actionable requirements β not aspirational]3.1 [Topic]
SHALL [requirement]
SHALL NOT [prohibition]
SHOULD [recommendation] 4. Roles & Responsibilities
| Role | Responsibility |
|------|---------------|
| [Role] | [What they must do] |5. Exceptions
[Process for requesting exceptions β who approves, how long, documentation]6. Enforcement
[Consequences of non-compliance]7. Definitions
[Technical terms used in the policy]8. Related Documents
[Links to related policies, standards, procedures]9. Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Author] | Initial release |
Phase 3 β ISO 27001 Framework
ISMS Implementation Roadmap
#### Clause 4 β Context of the Organization
#### Clause 5 β Leadership
#### Clause 6 β Planning
#### Clause 7 β Support
#### Clause 8 β Operation
#### Clause 9 β Performance Evaluation
#### Clause 10 β Improvement
ISO 27001:2022 Annex A Control Categories
| Category | Controls | Key Areas | |----------|----------|-----------| | A.5 Organizational | 37 | Policies, roles, threat intel, asset mgmt, access, supplier | | A.6 People | 8 | Screening, T&C, awareness, disciplinary, termination | | A.7 Physical | 14 | Perimeters, entry, offices, monitoring, utilities, cabling | | A.8 Technological | 34 | Endpoints, access rights, auth, malware, vuln mgmt, logging, crypto, SDLC |
SOC 2 β ISO 27001 Control Mapping (Save 40-60% effort)
| SOC 2 TSC | ISO 27001 Annex A | Overlap | |-----------|------------------|---------| | CC1 Control Environment | A.5.1-5.6 (Org controls) | ~80% | | CC2 Communication | A.5.1, A.6.3 (Awareness) | ~70% | | CC3 Risk Assessment | Clause 6.1, A.5.7 (Threat intel) | ~90% | | CC5 Control Activities | A.8 (Technological) | ~75% | | CC6 Access | A.5.15-5.18, A.8.1-8.5 | ~85% | | CC7 Operations | A.8.7-8.16 (Monitoring) | ~80% | | CC8 Change Mgmt | A.8.25-8.33 (SDLC) | ~70% | | CC9 Vendors | A.5.19-5.23 (Supplier) | ~85% |
Strategy: Build for one framework, extend to the other. SOC 2 first (faster) β ISO 27001 (adds clauses 4-10 management system).
Phase 4 β GDPR Compliance Program
12 Core Requirements
1. Lawful Basis for Processing β Document legal basis for each data processing activity - Consent | Contract | Legal obligation | Vital interest | Public task | Legitimate interest - [ ] Data processing register (Article 30) - [ ] Legitimate Interest Assessments (LIAs) where applicable
2. Data Subject Rights β Respond within 30 days - [ ] Right of access (SAR) process - [ ] Right to rectification - [ ] Right to erasure ("right to be forgotten") - [ ] Right to data portability (machine-readable export) - [ ] Right to restrict processing - [ ] Right to object - [ ] Automated decision-making opt-out
3. Privacy by Design & Default β Build privacy into products - [ ] Privacy Impact Assessment (PIA/DPIA) template - [ ] Data minimization review for each feature - [ ] Default privacy settings (opt-in, not opt-out)
4. Data Protection Officer (DPO) β Required if: - Public authority, OR - Large-scale systematic monitoring, OR - Large-scale processing of special category data
5. Consent Management - [ ] Granular consent mechanisms (not bundled) - [ ] Easy withdrawal (as easy as giving consent) - [ ] Consent records with timestamp, version, scope - [ ] Cookie consent banner (ePrivacy)
6. Data Processing Agreements (DPAs) - [ ] DPA template for sub-processors - [ ] Article 28 requirements checklist - [ ] Sub-processor notification process - [ ] Sub-processor register
7. International Transfers - [ ] Transfer mechanism (SCCs, adequacy decision, BCRs) - [ ] Transfer Impact Assessment - [ ] Supplementary measures where needed
8. Breach Notification - [ ] 72-hour notification to supervisory authority - [ ] "Undue delay" notification to affected individuals - [ ] Breach register with risk assessment - [ ] Breach response team and escalation path
9. Records of Processing Activities (ROPA)
processing_activity:
name: ""
purpose: ""
lawful_basis: ""
data_categories: []
data_subjects: []
recipients: []
retention_period: ""
transfers_outside_eea: false
transfer_mechanism: ""
technical_measures: []
organizational_measures: []
dpia_required: false
last_reviewed: ""
10. Privacy Notice β Must include: - Identity of controller - DPO contact (if applicable) - Purposes and lawful basis - Categories of data - Recipients / transfers - Retention periods - Data subject rights - Right to complain to supervisory authority - Whether providing data is statutory/contractual requirement
11. Data Retention Schedule
| Data Type | Retention Period | Legal Basis | Disposal Method | |-----------|-----------------|-------------|-----------------| | Customer PII | Duration + 3 years | Contract + legitimate interest | Automated deletion | | Employee records | Duration + 7 years | Legal obligation | Secure shred | | Financial records | 7 years | Legal obligation | Secure shred | | Server logs | 90 days | Legitimate interest | Automated rotation | | Marketing consent | Until withdrawn | Consent | Database purge | | Support tickets | 2 years after resolution | Legitimate interest | Automated deletion |
12. Training & Awareness - [ ] Mandatory GDPR training for all employees (annual) - [ ] Role-specific training (developers, support, marketing, HR) - [ ] Training records with completion tracking
Phase 5 β HIPAA Compliance (Health Data)
HIPAA Security Rule β 3 Safeguard Categories
#### Administrative Safeguards
#### Physical Safeguards
#### Technical Safeguards
HIPAA Breach Rule
Phase 6 β PCI DSS 4.0 (Payment Data)
12 Requirements Summary
| # | Requirement | Key Controls | |---|------------|-------------| | 1 | Install/maintain network security controls | Firewalls, network segmentation | | 2 | Apply secure configurations | No vendor defaults, CIS benchmarks | | 3 | Protect stored account data | Encryption, masking, key mgmt | | 4 | Encrypt transmission over open networks | TLS 1.2+, no SSL/early TLS | | 5 | Protect from malicious software | Anti-malware, regular updates | | 6 | Develop secure systems | SDLC, vuln mgmt, WAF | | 7 | Restrict access by business need | RBAC, least privilege | | 8 | Identify users and authenticate | MFA, password standards | | 9 | Restrict physical access | Badges, cameras, visitor logs | | 10 | Log and monitor all access | Centralized logging, review | | 11 | Test security regularly | Vuln scans, pen tests, IDS | | 12 | Support security with policies | Policies, training, incident response |
Scope Reduction Strategy
SAQ Decision:
Phase 7 β Compliance Tooling Stack
Essential Tools by Category
| Category | Budget Option | Mid-Range | Enterprise | |----------|-------------|-----------|-----------| | GRC Platform | Notion/Sheets | Vanta, Drata | ServiceNow, OneTrust | | Policy Mgmt | Google Docs + versioning | Vanta policies | Hyperproof | | Vulnerability Scanning | OWASP ZAP, Trivy | Qualys, Tenable | Rapid7 | | SIEM/Logging | ELK Stack, Wazuh | Datadog, Sumo Logic | Splunk | | Endpoint Protection | CrowdStrike Falcon Go | SentinelOne | CrowdStrike Enterprise | | Identity/Access | Google Workspace + Okta | JumpCloud | Azure AD P2 | | Training | KnowBe4 Free | KnowBe4 | Proofpoint | | Pen Testing | HackerOne Community | Cobalt | Bishop Fox | | Backup | Native cloud backups | Veeam | Commvault |
Automation-First Compliance
What to automate (saves 70%+ of audit prep):
Compliance-as-Code Patterns
# Infrastructure compliance
Terraform with Sentinel policies (enforce encryption, tagging)
OPA/Rego for Kubernetes admission control
AWS Config Rules / Azure Policy for cloud compliance
GitHub branch protection rules as change management evidence Application compliance
Automated dependency scanning in CI (Snyk, Dependabot)
SAST in PR pipeline (Semgrep, CodeQL)
Container scanning (Trivy, Grype)
License compliance (FOSSA, Licensee)
Phase 8 β Audit Preparation
90-Day Audit Prep Checklist
Days 90-60: Foundation
Days 60-30: Evidence Gathering
Days 30-0: Final Prep
Evidence Organization
/compliance-evidence/
/SOC2-2026/
/CC1-control-environment/
org-chart.pdf
code-of-conduct-signed.pdf
background-check-process.pdf
/CC2-communication/
security-training-completion.csv
security-policy-acknowledgments.pdf
/CC3-risk-assessment/
risk-assessment-2026.xlsx
risk-treatment-plan.pdf
/CC6-access/
access-review-Q1.pdf
access-review-Q2.pdf
mfa-enforcement-screenshot.png
offboarding-checklist-samples/
/CC7-operations/
vulnerability-scan-reports/
pentest-report-2026.pdf
incident-log-2026.csv
/CC8-change-management/
sample-change-tickets/
deployment-pipeline-config.png
/CC9-vendors/
vendor-inventory.xlsx
vendor-assessments/
dpas-and-baas/
Auditor Interview Prep
Common questions and who should answer:
| Question | Best Respondent | Key Points | |----------|----------------|-----------| | "Walk me through your risk assessment process" | CISO/Security Lead | Methodology, frequency, treatment | | "How do you manage access to production?" | Engineering Lead | RBAC, approval flow, reviews | | "Describe your change management process" | Engineering Lead | PR review, testing, deployment | | "How do you handle security incidents?" | Security Lead | Detection, response, communication | | "How do you evaluate vendors?" | Security/Procurement | Assessment, monitoring, contracts | | "Describe your backup and recovery process" | Infrastructure Lead | Schedule, testing, RTO/RPO | | "How do you track and remediate vulnerabilities?" | Security Lead | Scanning, SLAs, patching | | "Walk me through employee onboarding/offboarding" | HR + IT | Checklist, timing, verification |
Phase 9 β Continuous Compliance
Monthly Compliance Dashboard
compliance_dashboard:
month: ""
control_health:
total_controls: 0
controls_passing: 0
controls_failing: 0
controls_not_tested: 0
health_percentage: 0
action_items:
open: 0
overdue: 0
closed_this_month: 0
key_metrics:
mean_time_to_patch_critical: ""
access_reviews_completed: "X/X"
security_training_completion: ""
incidents_this_month: 0
vendor_reviews_due: 0
policies_due_for_review: 0
risk_register:
high_risks: 0
risks_without_treatment: 0
new_risks_identified: 0
upcoming:
next_pen_test: ""
next_dr_test: ""
next_audit: ""
next_access_review: ""
Compliance Calendar
| Frequency | Activity | |-----------|----------| | Weekly | Review security alerts, patch critical vulln | | Monthly | Control testing sample, metrics dashboard, policy exception review | | Quarterly | Access reviews, vendor risk check, risk register update, tabletop exercise | | Semi-annual | Vulnerability scan (external), BCP/DR test, security training refresh | | Annual | Full risk assessment, penetration test, policy review cycle, SOC 2/ISO audit, security awareness training, management review |
Compliance Debt Tracker
compliance_debt:
- id: "CD-001"
framework: "SOC 2"
control: "CC6.1"
finding: "MFA not enforced on staging environment"
severity: "High"
identified: "2026-01-15"
owner: ""
target_remediation: "2026-02-15"
status: "In Progress"
compensating_control: "VPN + IP allowlisting"
When Controls Fail
Severity-based response:
| Severity | Response Time | Actions | |----------|-------------|---------| | Critical | 24 hours | Immediate remediation, notify management, consider if breach occurred | | High | 7 days | Remediation plan, compensating control if needed, risk acceptance by CISO | | Medium | 30 days | Add to sprint, track in compliance debt | | Low | 90 days | Batch with next review cycle |
Phase 10 β Multi-Framework Management
Common Control Framework (CCF)
Build controls ONCE, map to MULTIPLE frameworks:
control:
id: "CCF-AC-001"
title: "Multi-Factor Authentication"
description: "MFA required for all access to production systems and sensitive data"
owner: "Security Team"
framework_mapping:
soc2: ["CC6.1", "CC6.6"]
iso27001: ["A.8.5"]
gdpr: ["Article 32"]
hipaa: ["Β§164.312(d)"]
pci_dss: ["Req 8.4"]
evidence:
- type: "Configuration screenshot"
source: "Okta MFA policy"
frequency: "Quarterly"
- type: "Access review"
source: "Okta user report"
frequency: "Quarterly"
test_procedure: "Verify MFA policy is enforced, test with non-MFA login attempt"
last_tested: ""
result: ""
next_test: ""
Framework Expansion Strategy
Year 1: SOC 2 Type I β establishes baseline Year 1-2: SOC 2 Type II β proves sustained operation Year 2: + GDPR β covers EU expansion Year 2-3: + ISO 27001 β international credibility As needed: + HIPAA / PCI DSS β industry-specific
Audit Fatigue Prevention
Phase 11 β Scoring & Quality
Compliance Readiness Score (0-100)
| Dimension | Weight | Score 0-10 | |-----------|--------|-----------| | Policy Coverage β All required policies exist, reviewed, approved | 15% | | | Technical Controls β Security tools deployed and configured | 20% | | | Process Maturity β Operational processes followed consistently | 20% | | | Evidence Quality β Complete, organized, recent evidence | 15% | | | Training & Awareness β All employees trained, records maintained | 10% | | | Vendor Management β All critical vendors assessed and contracted | 10% | | | Risk Management β Current assessment, treatment plans, monitoring | 10% | |
Scoring guide:
Interpretation:
Edge Cases & Special Situations
Startup with Zero Compliance
Multi-Cloud / Hybrid Infrastructure
Acquired Company Integration
International (Multi-Jurisdiction)
Regulated Industries (FinTech, HealthTech)
Natural Language Commands
| Command | What It Does | |---------|-------------| | "Assess our compliance readiness" | Run readiness assessment, score, identify gaps | | "Create SOC 2 project plan" | Generate 16-week implementation timeline | | "Write [policy name] policy" | Generate policy from template with your context | | "Map controls across frameworks" | Build common control framework mapping | | "Prepare for audit" | Generate 90-day audit prep checklist with evidence needs | | "Review our GDPR compliance" | Check all 12 GDPR requirements against current state | | "Score our compliance posture" | Run 7-dimension scoring rubric | | "Generate evidence checklist" | List all evidence needed for specific framework | | "Build vendor assessment" | Create vendor risk assessment for a specific vendor | | "Plan framework expansion" | Recommend next framework based on business needs | | "Track compliance debt" | Review and prioritize open compliance items | | "Run monthly compliance review" | Update dashboard, check deadlines, identify actions |