Use this when a client needs to understand their compliance posture against SOC 2, ISO 27001, GDPR, HIPAA, or other frameworks -- whether preparing for an audit, assessing current gaps, or building a compliance program from scratch.
Related skills: Use
/threat-modelto validate that controls address identified threats. Use/decision-briefwhen compliance investments need stakeholder approval. Use/vendor-security-assessmentfor vendor compliance evaluation. Use/security-reviewfor feature-level compliance implications.
Process
Step 1: Gather inputs
Collect from the user:
- Target framework(s) -- SOC 2 Type I/II, ISO 27001, GDPR, HIPAA, PCI-DSS, NIST CSF, FedRAMP, or combinations
- Current security controls -- policies, procedures, technical controls already in place
- Previous audit findings -- past reports, open remediation items, auditor observations
- Target audit date -- when is the audit or assessment?
- Team responsible -- who owns compliance day-to-day?
- Budget constraints -- are there limits on tooling, staffing, or consulting spend?
- Scope boundaries -- which systems, data types, and business processes are in scope?
Step 2: Select framework domains
Break the target framework into auditable domains. Examples:
SOC 2 Trust Service Criteria:
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
- Plus: Availability, Processing Integrity, Confidentiality, Privacy (if in scope)
ISO 27001 Annex A (2022):
- A.5: Organizational Controls
- A.6: People Controls
- A.7: Physical Controls
- A.8: Technological Controls
For each domain, list the specific control requirements that apply given the organization's scope.
Step 3: Map existing controls
For each domain requirement, document the current state:
| Req ID | Requirement Description | Current Control | Control Type | Maturity (1-5) | Evidence Available | Gap Status |
|---|---|---|---|---|---|---|
| {{req_id}} | {{requirement}} | {{current_control_or_none}} | Preventive / Detective / Corrective | {{1-5}} | {{yes/partial/no}} | Fully Met / Partially Met / Not Met |
Maturity scale:
- Ad hoc -- done inconsistently, no documentation
- Repeatable -- done consistently but not documented
- Defined -- documented policy and procedure exists
- Managed -- documented, measured, and reviewed periodically
- Optimized -- continuously improved based on metrics
The critical distinction: "we do this informally" vs. "we have documented evidence." Auditors care about evidence. An undocumented control is, for audit purposes, a gap.
Step 4: Gap analysis
For each gap (Partially Met or Not Met), produce a remediation plan:
| Req ID | Gap Description | Remediation Action | Effort (S/M/L) | Suggested Control | Evidence Needed | Owner |
|---|---|---|---|---|---|---|
| {{req_id}} | {{what_is_missing}} | {{specific_action}} | {{effort}} | {{control_description}} | {{what_auditor_wants}} | {{team_or_person}} |
Distinguish between:
- Documentation gaps -- the control exists but isn't written down (often quick wins)
- Process gaps -- the procedure doesn't exist and needs to be built
- Technical gaps -- tooling or infrastructure changes required
- Evidence gaps -- the control runs but doesn't produce audit-ready evidence
Step 5: Generate compliance readiness scorecard
Produce a summary view:
## Readiness Scorecard -- {{framework}} -- {{date}}
| Domain | Total Requirements | Fully Met | Partially Met | Not Met | Coverage % |
|---|---|---|---|---|---|
| {{domain}} | {{total}} | {{met}} | {{partial}} | {{not_met}} | {{percentage}} |
**Overall readiness:** {{percentage}}%
**Critical gaps blocking certification/attestation:** {{count}}
**Estimated remediation timeline:** {{weeks/months}}
Flag any single gap that would block certification on its own (e.g., no encryption at rest for a SOC 2 confidentiality criterion).
Step 6: Produce audit preparation checklist
Working backward from the target audit date:
## Audit Preparation Timeline
### {{audit_date - 12 weeks}}: Evidence gathering begins
- [ ] Assign evidence owners per domain
- [ ] Create shared evidence repository with access controls
- [ ] Begin collecting {{specific_evidence_types}}
### {{audit_date - 8 weeks}}: Gap remediation deadline
- [ ] All critical gaps remediated
- [ ] Documentation reviewed and updated
- [ ] Control testing completed internally
### {{audit_date - 4 weeks}}: Dry run
- [ ] Internal audit simulation
- [ ] Interview preparation for key personnel
- [ ] Evidence package reviewed for completeness
### {{audit_date - 1 week}}: Final preparation
- [ ] Evidence repository finalized
- [ ] Logistics confirmed (auditor access, rooms, schedules)
- [ ] Point of contact assigned for auditor questions
Step 7: HIPAA-specific playbook (if applicable)
When HIPAA is a target framework, add these proven patterns:
BAA execution strategy:
- Inventory all vendors and subprocessors that touch PHI
- Classify by access level: stores PHI, processes PHI, transmits PHI, or incidental access
- Execute BAAs before any PHI flows -- not after. A retroactive BAA is a documented violation.
- Template BAAs are acceptable for low-risk vendors; negotiate custom terms for primary infrastructure providers
PHI data handling rules:
- URL parameter protection: Never pass PHI in URL parameters (query strings appear in server logs, browser history, and referrer headers). Use POST bodies or encrypted tokens.
- "Track B" token pattern: Generate opaque session tokens that map to PHI server-side. The token travels through the application; the PHI stays in the encrypted store.
- Data at rest: AES-256 encryption minimum. Key management via AWS KMS, Azure Key Vault, or equivalent -- never application-managed keys.
- Data in transit: TLS 1.2+ for all connections. No exceptions for internal services.
- Minimum necessary: Every access request should answer "why does this role need this specific data field?"
Vendor compliance audit checklist:
- BAA executed and on file
- SOC 2 Type II report reviewed (current year)
- Data residency confirmed (where is PHI stored geographically?)
- Breach notification process documented (72-hour requirement)
- Subprocessor list obtained and reviewed
- Data deletion/return process confirmed for contract termination
- Encryption at rest and in transit confirmed
- Access logging enabled and reviewable
HIPAA-specific gap priorities:
- Missing BAAs (immediate -- every day without one is a violation)
- Unencrypted PHI at rest (critical -- blocks any audit)
- Missing access logs (high -- auditors check these first)
- No breach response plan (high -- required by Breach Notification Rule)
- Incomplete workforce training (medium -- required annually)
Step 7b: AI-specific controls (if applicable)
When the organization uses AI tools that process sensitive data, add these controls:
AI data handling:
| Control | Requirement | Evidence |
|---|---|---|
| Training data governance | No customer/patient data used for model training without explicit consent and legal review | Data processing agreement with AI vendor; training data opt-out confirmed |
| Input sanitization | PII/PHI stripped or tokenized before sending to external AI models | Technical architecture doc showing data flow; sanitization logic reviewed |
| Output review | AI-generated content reviewed by qualified human before use in regulated context | Review log with timestamps, reviewer identity, and disposition |
| Model transparency | AI decision factors documented for any output affecting patients, customers, or compliance | Model card or decision documentation available |
| Vendor AI policies | AI vendor's data retention, training, and sharing policies reviewed and acceptable | Vendor policy review on file; DPA/BAA covers AI processing |
AI risk classification for compliance:
- Tier 1 (low risk): AI used for internal productivity with non-sensitive data (e.g., summarizing meeting notes)
- Tier 2 (medium risk): AI processing confidential data or producing outputs used in business decisions
- Tier 3 (high risk): AI processing regulated data (PHI, PII, financial) or producing outputs that affect regulated decisions
- Prohibited: AI making autonomous decisions in regulated domains without human review
Related skills: See
/ai-governance-frameworkfor comprehensive AI governance policy design.
Step 8: Review
Ask the user:
- Is the target audit date realistic given the gaps identified?
- Who owns remediation for each domain? Are those people aware and resourced?
- Are there budget constraints that affect control choices (e.g., open-source vs. commercial SIEM)?
- Any framework-specific concerns from legal counsel?
- Are there overlapping frameworks where a single control can satisfy multiple requirements?
- (If HIPAA) Have all vendor BAAs been executed? Is the PHI data flow documented?
- (If AI) Are AI tools inventoried and classified by risk tier?
Output location
Deliver as a markdown document. Suggested filename: compliance-map-{{framework}}-{{org-name}}-{{date}}.md. The readiness scorecard section should be extractable for executive reporting.
Example Output
Input
- Target framework(s): SOC 2 Type II + HIPAA
- Company: Meridian Health Analytics — a 55-person SaaS company providing revenue cycle analytics to hospital systems; processes de-identified and identified patient data on behalf of covered entities
- Current controls: SSO via Okta, MFA enforced for all employees, AWS infrastructure with S3 encryption at rest, basic incident response runbook (Google Doc, last updated 18 months ago), annual security awareness training (completion rate ~60%), no formal vendor management process, no BAAs executed with subprocessors (Datadog, Snowflake, OpenAI API)
- Target audit date: March 31, 2025 (SOC 2 Type II observation window begins January 1)
- Previous audit findings: First audit — no prior SOC 2 report; one prior HIPAA risk analysis conducted in 2021, never remediated
- Team responsible: Head of Engineering (de facto compliance owner), no dedicated security staff
- Budget: $80K available for tooling and one part-time compliance consultant
Output (abbreviated)
Compliance Map: SOC 2 Type II + HIPAA
Organization: Meridian Health Analytics
Prepared: 2024-11-14
Target Audit Date: March 31, 2025 (SOC 2 Type II); HIPAA ongoing
File: compliance-map-soc2-hipaa-meridian-2024-11-14.md
Readiness Scorecard
SOC 2 Type II
| Domain | Total Req | Fully Met | Partially Met | Not Met | Coverage % |
|---|---|---|---|---|---|
| CC1: Control Environment | 8 | 3 | 3 | 2 | 38% |
| CC3: Risk Assessment | 5 | 0 | 2 | 3 | 20% |
| CC6: Logical & Physical Access | 10 | 5 | 3 | 2 | 50% |
| CC7: System Operations | 7 | 2 | 3 | 2 | 29% |
| CC8: Change Management | 6 | 2 | 2 | 2 | 33% |
| CC9: Risk Mitigation / Vendor Mgmt | 5 | 0 | 1 | 4 | 10% |
| Confidentiality (in scope) | 6 | 2 | 2 | 2 | 33% |
| Total | 47 | 14 | 16 | 17 | 30% |
Overall SOC 2 readiness: 30% Critical gaps blocking attestation: 6 Estimated remediation timeline: 10–12 weeks to audit-ready
HIPAA
| Domain | Total Req | Fully Met | Partially Met | Not Met | Coverage % |
|---|---|---|---|---|---|
| Administrative Safeguards | 9 | 2 | 3 | 4 | 22% |
| Physical Safeguards | 4 | 3 | 1 | 0 | 75% |
| Technical Safeguards | 6 | 3 | 2 | 1 | 50% |
| Breach Notification Rule | 3 | 0 | 1 | 2 | 0% |
| BAA / Business Associate Mgmt | 4 | 0 | 0 | 4 | 0% |
| Total | 26 | 8 | 7 | 11 | 31% |
Overall HIPAA readiness: 31% Immediate violations (active risk today): 2 — missing BAAs with Datadog, Snowflake, and OpenAI; no current HIPAA risk analysis
Control Mapping (Selected Requirements)
| Req ID | Requirement | Current Control | Type | Maturity | Evidence Available | Gap Status |
|---|---|---|---|---|---|---|
| CC6.1 | Logical access provisioning with least privilege | Okta SSO + MFA; no formal access review process | Preventive | 2 | Partial | Partially Met |
| CC6.3 | Periodic access reviews | None — access never formally reviewed | Detective | 1 | No | Not Met |
| CC7.2 | System monitoring and alerting | Datadog in use; no documented alert thresholds or runbook | Detective | 2 | Partial | Partially Met |
| CC8.1 | Change management with approval gates | GitHub PRs required; no documented policy linking to SOC 2 | Preventive | 2 | Partial | Partially Met |
| CC9.2 | Vendor risk assessments | No process; no vendor inventory | Preventive | 1 | No | Not Met |
| HIPAA §164.308(b) | BAA with all business associates touching PHI | No BAAs executed with Datadog, Snowflake, or OpenAI | Preventive | 1 | No | Not Met |
| HIPAA §164.308(a)(1) | Current risk analysis | 2021 analysis, not remediated, scope outdated | Detective | 1 | Partial | Partially Met |
| HIPAA §164.312(a)(2)(i) | Unique user identification for PHI access | Okta enforces unique IDs; no PHI-specific access logging | Preventive | 3 | Partial | Partially Met |
| HIPAA §164.404 | Breach notification policy and tested process | No breach notification plan exists | Corrective | 1 | No | Not Met |
| CC3.2 | Formal risk assessment process | No documented risk assessment cadence | Detective | 1 | No | Not Met |
Gap Analysis — Priority Remediation Items
| Req ID | Gap Description | Remediation Action | Effort | Suggested Control | Evidence Needed | Owner |
|---|---|---|---|---|---|---|
| HIPAA §164.308(b) | No BAAs with Datadog, Snowflake, OpenAI | Execute BAAs immediately; Snowflake and Datadog have standard BAAs; negotiate OpenAI DPA or prohibit PHI from API calls | S | Signed BAA on file per vendor | Executed agreements, dated | Head of Eng + Legal |
| HIPAA §164.308(a)(1) | Risk analysis is 3 years stale, findings unaddressed | Commission updated risk analysis covering current AWS architecture; document remediation plan | M | Annual risk analysis with tracked findings | Risk analysis document, remediation log | Compliance Consultant |
| CC6.3 | No user access reviews | Implement quarterly access reviews in Okta; document results | S | Access review log with approvals | Completed review records, quarterly | Head of Eng |
| CC9.2 | No vendor inventory or risk ratings | Build vendor register; rate by data access level; collect SOC 2 reports from critical vendors | M | Vendor management policy + register | Vendor list, SOC 2 reports on file, risk ratings | Compliance Consultant |
| CC3.2 | No formal risk register | Stand up risk register; assign owners; review quarterly | M | Risk register in GRC tool or structured doc | Risk register with dates and ownership | Head of Eng |
| HIPAA §164.404 | No breach response plan | Draft breach notification policy; define 72-hour notification workflow; tabletop exercise | M | Breach response policy | Policy doc, tabletop exercise record | Head of Eng + Legal |
| CC7.2 | Datadog alerts undocumented | Document alert thresholds, escalation paths, and on-call runbook | S | Documented monitoring runbook | Runbook with revision history | Engineering |
| CC1.2 | Security policies not formalized | Draft InfoSec policy suite (AUP, access control, incident response, data classification) | L | Policy library | Signed policies with review dates | Compliance Consultant |
| OpenAI / AI data | PHI potentially sent to OpenAI API without controls | Audit all API calls; implement input sanitization layer stripping PHI tokens before API submission; document architecture | M | Technical sanitization layer + AI data handling policy | Architecture diagram, sanitization code review, vendor DPA | Head of Eng |
HIPAA — Immediate Actions (This Week)
**⚠️ Every day without a BAA for a vendor processing PHI is an ongoing violation.