compliance

by Harery

Enterprise 8-Phase Software Development Lifecycle Framework with Quality Gates, Multi-Agent Orchestration, and AI-Assisted Development using Claude Code. Perfect for regulated industries (HIPAA, SOC 2, PCI DSS, SOX, GDPR).

1🍴 0📅 Jan 22, 2026

SKILL.md


---
name: "compliance"
description: "Shared compliance and audit framework across all phases. Regulatory requirements, compliance matrix, audit readiness, documentation requirements, and gap analysis. Warm, story-driven Expert Mentor style for 2026."
type: "shared"
used_by: ["all_phases"]
---

Compliance Framework


What You'll Learn

By the time you finish this guide, you'll understand:

  • Which regulations apply to you (and which don't)
  • How to build compliance into every phase (not scramble at the end)
  • What auditors actually look for (spoiler: it's not scary)
  • How to stay audit-ready (always prepared, never panicked)
  • How compliance builds trust (and revenue)

Time Investment: 50 minutes to read, months to implement (but we break it down)
Difficulty Level: Medium (we explain regulations in plain English)
Emotional Difficulty: Low (we replace anxiety with clarity)




Which Compliance Applies to You?

| If you... | Then you need... | Difficulty | Cost |
|---|---|---|---|
| Handle healthcare data (US) | HIPAA | High | $10,000-$50,000 setup + $5,000-$20,000/year |
| Store/process credit cards | PCI DSS | High | $15,000-$75,000 setup + $5,000-$25,000/year |
| Are a public company (US) | SOX | Very High | $50,000-$200,000 setup + $25,000-$100,000/year |
| Have EU customers | GDPR | High | $10,000-$50,000 setup + $5,000-$20,000/year |
| Sell to B2B enterprise | SOC 2 | High | $20,000-$100,000 setup + $10,000-$50,000/year |
| Work with DoD | CMMC / NIST 800-171 | Very High | $50,000-$250,000 setup + $25,000-$100,000/year |
| Don't do any of the above | None (but follow best practices) | Low | Time investment only |

Emotional Reality Check: 😰

"Compliance sounds expensive!"

Here's the truth: Compliance IS expensive. But non-compliance is MORE expensive:

  • HIPAA fines: $100-$50,000 per violation (max $1.5 million per year)
  • PCI DSS fines: $5,000-$100,000 per month (from payment brands)
  • GDPR fines: Up to €20 million or 4% of global revenue (whichever is higher)
  • SOX fines: Up to $5 million + 20 years in prison for willful violations
  • Lost revenue: Customers won't buy from non-compliant vendors

Compliance is expensive, but it's cheaper than non-compliance.


📜 Common Regulatory Frameworks Explained Simply

HIPAA (Health Insurance Portability and Accountability Act)

Applies to: Healthcare providers, health plans, healthcare clearinghouses + business associates (anyone handling healthcare data)

What it protects: PHI (Protected Health Information) - any health data that can be linked to a person

Key Requirements:

Privacy Rule:

  • PHI must be protected from unauthorized access
  • Patients have rights to access their data
  • Patients can request corrections to their data
  • Patients can request an accounting of disclosures
  • Only minimum necessary PHI should be accessed
  • PHI should not be used for marketing without permission

Security Rule:

  • Administrative Safeguards: Policies and procedures (risk assessment, training, incident response)
  • Physical Safeguards: Physical access controls (facility access, device security)
  • Technical Safeguards: Technical controls (access controls, audit controls, integrity controls, transmission security)

Breach Notification:

  • Report breaches affecting 500+ individuals within 60 days
  • Report breaches affecting <500 individuals within 60 days of end of calendar year
  • Notify affected individuals
  • Notify media (for breaches affecting 500+ in one state)
  • Notify HHS OCR (Department of Health and Human Services)

Minimum Necessary:

  • Only access minimum necessary PHI to do the job
  • Implement role-based access controls
  • Implement data minimization practices

Audits: HHS OCR can audit (though rare—usually triggered by breach)

Fines: $100-$50,000 per violation (max $1.5 million per year)

Timeline: 6-12 months to achieve compliance (for most organizations)


SOC 2 (Service Organization Control 2)

Applies to: Technology service providers storing customer data (especially SaaS companies)

What it protects: Customer data based on Trust Services Criteria

Key Requirements:

Trust Services Criteria (you choose which apply):

Security (required): System is protected against unauthorized access

  • Access controls (authentication, authorization)
  • Network security (firewalls, encryption)
  • Physical security (data center access)
  • Change management (controlled changes to systems)
  • Incident response (process for handling incidents)

Availability (optional): System is available for operation and use

  • Uptime monitoring and reporting
  • Disaster recovery and business continuity
  • Performance monitoring
  • Maintenance procedures

Processing Integrity (optional): System processing is complete, valid, accurate, timely

  • Input validation
  • Processing accuracy
  • Data completeness
  • Timeliness of processing

Confidentiality (optional): Information is protected from unauthorized disclosure

  • Data encryption (at rest and in transit)
  • Access controls
  • Network security
  • Data classification

Privacy (optional): Personal information is collected, used, retained, disclosed, and disposed of properly

  • Notice and consent
  • Data subject rights
  • Data retention and disposal
  • Data transfer protections

Control Implementation:

  • Documented policies and procedures
  • Control activities (specific controls for each criteria)
  • Evidence collection (audit trail for all controls)
  • Regular testing and monitoring

Evidence Collection:

  • Every control must have evidence
  • Evidence must be retained for 7 years (typical)
  • Evidence must be verifiable (auditor can confirm it's accurate)

Annual Audit:

  • SOC 2 Type I: Snapshot in time (less valuable, faster, cheaper)
  • SOC 2 Type II: 6-12 months of data (more valuable, slower, more expensive)

Audits: Annual SOC 2 Type II audit (6-12 months of data collection)

Fines: No government fines (unlike HIPAA), but customers may require it

Timeline: 6-18 months to achieve compliance (Type II)


PCI DSS (Payment Card Industry Data Security Standard)

Applies to: Any organization handling payment card data (credit/debit cards)

What it protects: Payment card data (PAN - Primary Account Number)

Key Requirements:

1. Install and maintain a firewall configuration to protect cardholder data

  • Firewall rules reviewed every 6 months
  • Firewall rules deny all, allow only necessary traffic

2. Do not use vendor-supplied defaults for system passwords and other security parameters

  • Change all default passwords
  • Remove all default accounts
  • Disable unnecessary features

3. Protect stored cardholder data

  • Never store full card data (only store last 4 digits)
  • Encrypt cardholder data (at rest and in transit)
  • Securely delete cardholder data when no longer needed
  • Securely store encryption keys

4. Encrypt transmission of cardholder data across open, public networks

  • Use strong cryptography (TLS 1.2 or higher)
  • Never use weak encryption protocols (SSL, TLS 1.0, TLS 1.1)

5. Use and regularly update anti-virus software or programs

  • Anti-virus on all systems commonly affected by malware
  • Regularly update anti-virus definitions
  • Regularly scan for malware

6. Develop and maintain secure systems and applications

  • Patch all systems within 1 month of security patch release
  • Follow secure coding guidelines
  • Train developers on secure coding

7. Restrict access to cardholder data by business need to know

  • Only grant access to those who need it
  • Role-based access controls
  • Access reviews every 6 months

8. Identify and authenticate access to system components

  • Unique ID for each user (no shared accounts)
  • Multi-factor authentication for remote access
  • Lock accounts after 6 failed login attempts

9. Restrict physical access to cardholder data

  • Physical access controls (badges, biometrics)
  • Visitor logs
  • Video monitoring for data centers

10. Track and monitor all access to network resources and cardholder data

  • Audit logs for all access
  • Audit logs include: who, what, when, where, why
  • Audit logs retained for 1 year (3 months immediately available)
  • Review audit logs daily

11. Regularly test security systems and processes

  • Quarterly vulnerability scans by ASV (Approved Scanning Vendor)
  • Annual penetration test
  • Intrusion detection/prevention systems

12. Maintain a policy that addresses information security for all personnel

  • Written security policy
  • Security awareness training for all personnel
  • Incident response plan
  • Annual risk assessment

Audits: Annual PCI DSS audit + quarterly vulnerability scans

Fines: $5,000-$100,000 per month (from payment brands)

Timeline: 6-12 months to achieve compliance


SOX (Sarbanes-Oxley Act)

Applies to: Public companies, companies planning IPO

What it protects: Financial reporting accuracy

Key Requirements:

Section 404: Internal Control Over Financial Reporting

  • Document all internal controls over financial reporting
  • Test all internal controls (ensure they're effective)
  • External auditor attestation (auditor confirms controls are effective)
  • Management assessment (management must assess control effectiveness)

Section 302: Executive Certification of Financial Reports

  • CEOs and CFOs must certify financial reports
  • Certification includes:
    • They are responsible for internal controls
    • They have designed internal controls
    • They have evaluated internal controls (within 90 days)
    • They have disclosed all significant control deficiencies
    • They have disclosed all fraud to auditors

Segregation of Duties:

  • Separate roles for financial processes
  • No single person can initiate, approve, and record financial transactions
  • Prevents fraud (requires collusion to commit fraud)

Audit Trail:

  • Complete audit trail for all financial transactions
  • Audit trail includes: who, what, when, where, why
  • Audit trail cannot be altered (immutable)
  • Audit trail retained for 7 years

Audits: Quarterly reviews + annual audit by external auditor

Fines: Up to $5 million + 20 years in prison for willful violations

Timeline: 12-24 months to achieve compliance


GDPR (General Data Protection Regulation)

Applies to: Any organization processing EU residents' data (regardless of where organization is located)

What it protects: Personal data (any data that can identify a person)

Key Requirements:

Lawful Basis for Processing: You must have a lawful basis for data processing:

  • Consent: User gave clear, specific, informed consent
  • Contract: Data needed for contract performance
  • Legal Obligation: Data needed to comply with law
  • Vital Interests: Data needed to protect someone's life
  • Public Task: Data needed for public interest task
  • Legitimate Interests: Data needed for legitimate business interests (must balance with individual rights)

Data Subject Rights:

  • Right to Access: User can request copy of their data
  • Right to Rectification: User can correct inaccurate data
  • Right to Erasure ("Right to be Forgotten"): User can request deletion
  • Right to Portability: User can request data in portable format
  • Right to Object: User can object to processing
  • Right to Restrict Processing: User can limit how data is used

Data Protection by Design and Default:

  • Build privacy into systems from the start
  • Privacy by design: Consider privacy throughout development
  • Privacy by default: Most privacy-friendly settings by default
  • Data minimization: Only collect data you need
  • Purpose limitation: Only use data for stated purpose

Breach Notification:

  • Report breaches to authorities within 72 hours
  • Report breaches to affected individuals if high risk
  • Include: what happened, what data, what's being done, what to do

Data Protection Officer (DPO):

  • Required unless small-scale processing
  • DPO responsibilities: oversee compliance, advise on GDPR, cooperate with authorities

Records of Processing Activities:

  • Document all data processing activities
  • Include: purposes, data categories, recipients, retention periods, security measures

Audits: Data Protection Authorities can audit (national authorities in each EU country)

Fines: Up to €20 million or 4% of global annual revenue (whichever is higher)

Timeline: 6-12 months to achieve compliance


DoD/ITAR (Department of Defense / International Traffic in Arms Regulations)

Applies to: Defense contractors, organizations handling controlled technical data

What it protects: Defense articles and services (ITAR), CUI (Controlled Unclassified Information)

Key Requirements:

CMMC (Cybersecurity Maturity Model Certification):

  • Level 1: Basic cyber hygiene (17 practices)
  • Level 2: Intermediate cyber hygiene (72 practices)
  • Level 3: Good cyber hygiene (130 practices)
  • Level 4: Proactive cyber hygiene (156 practices)
  • Level 5: Advanced/progressive cyber hygiene (171 practices)

NIST 800-171: Protecting CUI:

  • 130 security requirements across 18 domains
  • Key domains: access control, incident response, security awareness, maintenance, protection of CUI

ITAR:

  • Control of defense articles and services
  • Registration with DDTC (Directorate of Defense Trade Controls)
  • Licensing for exports and temporary imports
  • Technical data agreements

DFARS (Defense Federal Acquisition Regulation Supplement):

  • Contract requirements for cybersecurity
  • NIST 800-171 compliance requirement
  • CMMC certification requirement (for some contracts)

Audits: CMMC assessment by C3PAO (CMMC Third-Party Assessment Organization), DoD audits

Fines: Contract termination, fines, potential criminal penalties

Timeline: 12-36 months to achieve compliance


🔄 Compliance by Phase: When to Do What

Phase 1: Vision & Strategy - "What Regulations Apply?"

Compliance Activities:

  • Identify applicable regulations (what applies to your business)
  • Conduct compliance gap analysis (where are you vs. where you need to be)
  • Define compliance requirements (what do you need to do)
  • Estimate compliance costs (budget for compliance)

Common Mistake to Avoid: 🚫

"We'll figure out compliance later."

Why it's a problem: Compliance requirements affect architecture, data storage, vendor selection, and more. Discovering compliance requirements late can require complete rework.

Deliverables:

  • Applicable regulations identified (what applies to you)
  • Compliance gap analysis (where are you vs. where you need to be)
  • Compliance requirements documented (what you need to do)
  • Compliance budget estimate (how much will it cost)

Owner: Compliance Officer

⏱️ Time Investment: 2-4 weeks


Phase 2: Requirements & Scope - "What Does Compliance Require?"

Compliance Activities:

  • Map regulatory requirements to technical requirements (compliance → technical)
  • Define compliance requirements specification (what compliance requires)
  • Define audit requirements (what evidence do you need to collect)
  • Define documentation requirements (what do you need to document)
  • Define data retention requirements (how long to keep data)
  • Create compliance matrix (track compliance status)

Deliverables:

  • Compliance requirements specification (what compliance requires)
  • Regulatory compliance matrix (track status)
  • Audit requirements (what evidence you need)
  • Documentation requirements list (what you need to document)
  • Data retention policies (how long to keep data)
  • Compliance gap analysis (updated)

Owner: Compliance Officer + Audit Manager

⏱️ Time Investment: 3-6 weeks


Phase 3: Architecture & Design - "Designing Compliance In"

Compliance Activities:

  • Design compliance controls into architecture (build compliance in)
  • Design audit trail capabilities (can you prove compliance?)
  • Design data protection controls (encryption, access controls, etc.)
  • Design access controls (segregation of duties, least privilege)
  • Validate compliance requirements in design (does design meet requirements?)

Emotional Reality Check: 😰

"Compliance constraints are limiting our architecture!"

Here's the truth: Compliance constraints DO limit your options. But they also prevent expensive rework. It's better to design for compliance from the start than to retrofit later.

Deliverables:

  • Compliance controls in architecture (built into design)
  • Audit trail design (how you'll track compliance)
  • Data protection controls design (encryption, access controls)
  • Access control design (RBAC, segregation of duties)
  • Compliance validation report (design meets requirements)

Owner: Compliance Officer + Security Architect

⏱️ Time Investment: 4-8 weeks


Phase 4: Development Planning - "Planning for Compliance"

Compliance Activities:

  • Plan compliance testing (how will you verify compliance?)
  • Plan audit readiness activities (how will you stay audit-ready?)
  • Plan documentation generation (what documentation do you need?)
  • Plan compliance training (what training does the team need?)
  • Define compliance metrics (how will you measure compliance?)

Deliverables:

  • Compliance testing plan (how to verify compliance)
  • Audit readiness plan (how to stay audit-ready)
  • Documentation plan (what documentation you need)
  • Training plan (what training team needs)
  • Compliance metrics (how to measure compliance)

Owner: Compliance Officer

⏱️ Time Investment: 2-4 weeks


Phase 5: Development Execution - "Implementing Compliance"

Compliance Activities:

  • Implement compliance controls (build them into code)
  • Generate audit trail logs (track all compliance-relevant events)
  • Implement access controls (RBAC, segregation of duties)
  • Implement data protection (encryption, masking, etc.)
  • Document compliance features (what did you build and why?)

Deliverables:

  • Implemented compliance controls (in code)
  • Audit trail logging (collecting evidence)
  • Access control implementation (RBAC, segregation of duties)
  • Data protection implementation (encryption, masking)
  • Compliance documentation (what you built and why)

Owner: Developers + Tech Lead + Security Architect

⏱️ Time Investment: Ongoing (throughout development)


Phase 6: Quality & Security Validation - "Validating Compliance"

Compliance Activities:

  • Test compliance controls (do they work?)
  • Validate audit trail completeness (is evidence complete?)
  • Validate access controls (do they enforce requirements?)
  • Validate data protection (is data protected?)
  • Conduct compliance gap analysis (are there gaps?)
  • Prepare for external audit (are you ready?)

Deliverables:

  • Compliance control testing results (do controls work?)
  • Audit trail verification (is evidence complete?)
  • Access control validation (do access controls work?)
  • Data protection validation (is data protected?)
  • Compliance gap analysis (are there gaps?)
  • Audit readiness report (are you audit-ready?)

Owner: Compliance Officer + QA Lead

⏱️ Time Investment: 4-8 weeks


Phase 7: Deployment & Release - "Compliance in Production"

Compliance Activities:

  • Validate compliance in production (does production comply?)
  • Configure compliance monitoring (track compliance in production)
  • Validate audit trail in production (is audit trail working?)
  • Conduct pre-production compliance check (ready to deploy?)
  • Define compliance rollback triggers (what causes rollback?)

Deliverables:

  • Production compliance validation (production complies)
  • Compliance monitoring configuration (monitoring compliance)
  • Audit trail validation (audit trail working)
  • Pre-production compliance check (ready to deploy?)

Owner: Compliance Officer + SRE

⏱️ Time Investment: 1-2 weeks


Phase 8: Operations & Maintenance - "Maintaining Compliance"

Compliance Activities:

  • Maintain compliance documentation (keep it up to date)
  • Monitor compliance controls (ensure they're working)
  • Conduct internal compliance audits (self-assessment)
  • Prepare for and coordinate external audits (external auditor)
  • Manage compliance exceptions (document exceptions)
  • Update compliance documentation (keep it current)

Deliverables:

  • Compliance documentation (maintained and current)
  • Internal audit reports (self-assessment results)
  • External audit coordination (external auditor results)
  • Compliance status reports (current compliance status)
  • Remediation plans (fixing gaps)
  • Compliance metrics (tracking over time)

Owner: Compliance Officer + Audit Manager

⏱️ Time Investment: Ongoing (10-20% of operational time)


Compliance Matrix: Your Tracking System

Compliance Matrix Template

Use this matrix to map requirements to controls:

| Regulation | Requirement | Control | Status | Evidence Location | Last Verified | Notes |
|---|---|---|---|---|---|---|
| HIPAA | Access Control | RBAC, MFA | Implemented | docs/access-control.md | 2026-01-15 | All staff have MFA enabled |
| SOC 2 | Change Management | Change approvals | In Progress | docs/change-log.md | 2026-01-10 | Need to formalize approval process |
| PCI DSS | Encryption | TLS 1.3, AES-256 | Planned | docs/encryption.md | Not yet | Will implement in Phase 5 |
| SOX | Audit Trail | Logging all changes | Implemented | logs/audit-trail.log | 2026-01-15 | Logs retained for 7 years |
| GDPR | Data Subject Rights | Data export, deletion | Implemented | docs/dsr-process.md | 2026-01-12 | Automated export/deletion available |

Status Values:

  • Planned: Control is planned but not yet implemented
  • In Progress: Control is being implemented
  • Implemented: Control is implemented but not yet tested
  • Validated: Control is implemented and tested
  • Exception: Control has an approved exception (documented)

Audit Readiness Checklist: Always Prepared

Pre-Audit Preparation

Daily:

  • ☐ Collect evidence (automated collection where possible)
  • ☐ Monitor compliance controls (ensure they're working)
  • ☐ Document exceptions (if any)

Weekly:

  • ☐ Review compliance metrics (track trends)
  • ☐ Update compliance documentation (keep current)
  • ☐ Follow up on remediation items (fix gaps)

Monthly:

  • ☐ Internal compliance review (self-assessment)
  • ☐ Compliance status report (update stakeholders)
  • ☐ Training compliance (ensure team is trained)

Quarterly:

  • ☐ Internal compliance audit (formal self-assessment)
  • ☐ Compliance gap analysis (identify gaps)
  • ☐ Remediation planning (fix gaps)

Annually:

  • ☐ External audit preparation (get ready for auditor)
  • ☐ Compliance review (full review of all controls)
  • ☐ Update compliance documentation (ensure everything is current)

During Audit

Preparation:

  • ☐ Compliance documentation complete and up-to-date
  • ☐ Audit trail complete and verifiable
  • ☐ All compliance controls implemented and tested
  • ☐ Evidence collection procedures defined
  • ☐ Audit response team assigned
  • ☐ Audit workspace prepared (physical or virtual)

During Audit:

  • ☐ Provide evidence requested by auditors
  • ☐ Facilitate auditor interviews (schedule, prepare interviewees)
  • ☐ Document audit findings (track what auditor finds)
  • ☐ Track audit progress (know where auditor is in process)

Communication:

  • ☐ Single point of contact for auditor (consistency)
  • ☐ Regular updates to stakeholders (keep leadership informed)
  • ☐ Clear documentation of findings (no surprises)

Post-Audit

Immediate (within 1 week):

  • ☐ Address audit findings (fix issues)
  • ☐ Implement remediation plans (address gaps)
  • ☐ Follow up on auditor recommendations (take action)

Short-term (within 1 month):

  • ☐ Verify remediation (ensure fixes worked)
  • ☐ Update compliance documentation (reflect changes)
  • ☐ Communicate lessons learned (share with team)

Long-term (within 3 months):

  • ☐ Process improvements (prevent recurrence)
  • ☐ Update compliance training (train on lessons learned)
  • ☐ Monitor for similar issues (ensure they don't recur)

Documentation Requirements

Common Documentation by Regulation

| Regulation | Documentation Required | Retention | Difficulty |
|---|---|---|---|
| HIPAA | Policies, procedures, risk assessments, BAAs | 6 years | High |
| SOC 2 | Policies, procedures, evidence, reports | 7 years | High |
| PCI DSS | Policies, procedures, evidence, scan reports | Varies | High |
| SOX | Control documentation, evidence, reports | 7 years | Very High |
| GDPR | Records of consent, processing activities, DSR responses | Varies | High |
| DoD/ITAR | CMMC documentation, ITAR documentation | Varies | Very High |

Evidence Collection

Automated Evidence:

  • What: Collect evidence through automation (logs, metrics, reports)
  • Examples: Audit logs, access logs, change logs, scan reports
  • Benefits: Consistent, reliable, cost-effective
  • Tools: SIEM, log aggregation, automated reports

Manual Evidence:

  • What: Collect evidence manually (policies, procedures, meeting notes)
  • Examples: Policies, procedures, risk assessments, training records
  • Benefits: Necessary for certain types of evidence
  • Challenges: Labor-intensive, inconsistent

Evidence Storage:

  • Location: Secure, access-controlled storage
  • Access: Role-based access (need-to-know)
  • Retention: Per regulatory requirements (varies by regulation)
  • Backup: Secure backup (evidence is critical)
  • Immutable: Cannot be altered (audit trail integrity)

Compliance Tools

Tool Recommendations by Category

| Category | Tools | Cost | Best For |
|---|---|---|---|
| Compliance Management | Vanta, Drata, Secureframe, Aiera | $2,000-$10,000/month | Streamlining compliance, continuous monitoring |
| Audit Management | AuditBoard, Galvanize (HighBond) | $5,000-$20,000/month | Managing audits, evidence collection |
| Documentation | Confluence, Notion, SharePoint | $5-$20/user/month | Policy and procedure documentation |
| Policy Management | LogicGate, OneTrust, Convercent | $5,000-$15,000/month | Policy lifecycle management |
| Risk Management | RSA Archer, ServiceNow, Resolver GRC | $10,000-$30,000/month | Integrated risk management |
| Evidence Collection | Automated scripts, manual collection | Variable | Automating evidence collection |

Getting Started: Minimal Compliance Toolstack

For Small Teams (1-50 employees, budget-conscious):

| Tool | Cost | What It's For |
|---|---|---|
| Confluence | $5/user/month | Documentation (policies, procedures) |
| Jira | Free (up to 10 users) | Issue tracking (remediation items) |
| Google Workspace | $6/user/month | Document storage (evidence retention) |
| Automated Scripts | Free (development time) | Evidence collection (custom scripts) |

Total Monthly Cost: ~$500-$1,000

For Mid-Size Teams (50-500 employees, growing compliance needs):

| Tool | Monthly Cost | What It's For |
|---|---|---|
| Vanta/Drata | $2,000-$5,000 | Compliance automation, continuous monitoring |
| AuditBoard | $5,000-$10,000 | Audit management, evidence collection |
| Confluence | $1,000-$2,000 | Documentation |
| ServiceNow | $10,000-$20,000 | Integrated risk management |

Total Monthly Cost: ~$20,000-$40,000


📈 Compliance Metrics

Track these metrics for compliance:

| Metric | Target | Purpose |
|---|---|---|
| Control Implementation | 100% | All controls implemented |
| Evidence Availability | 100% | All evidence available for audit |
| Audit Findings | Zero findings | No audit findings (ideal) |
| Compliance Training | 100% completed | All staff trained on compliance |
| Policy Acknowledgment | 100% signed | All policies acknowledged |
| Exception Handling | <5 exceptions | Minimal exceptions (ideal) |
| Remediation Time | <30 days | Fix audit findings quickly |
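The compliance matrix template above and the Control Implementation, Evidence Availability and Exception Handling metrics in this table can be computed from the matrix itself. The following is an added example, not part of the original skill or its templates: it parses a pipe-separated matrix in the template's column layout (the sample rows are the template's own, constructed here as text), rejects any status outside the page's status vocabulary, and flags controls whose "Last Verified" date is older than a review window. The 90-day window, and the rule that evidence counts as available only when a verification date is recorded, are assumptions made for the example.

```python
"""Compliance matrix checker (added example, not the skill's own code)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Status vocabulary exactly as listed under "Status Values".
VALID_STATUSES = {"Planned", "In Progress", "Implemented", "Validated", "Exception"}
# Statuses that count toward the "Control Implementation" metric
# (assumption: an approved Exception is tracked separately, not as implemented).
IMPLEMENTED_STATUSES = {"Implemented", "Validated"}

# Constructed sample: the five rows of the template, pipe-separated.
SAMPLE_MATRIX = """\
Regulation|Requirement|Control|Status|Evidence Location|Last Verified|Notes
HIPAA|Access Control|RBAC, MFA|Implemented|docs/access-control.md|2026-01-15|All staff have MFA enabled
SOC 2|Change Management|Change approvals|In Progress|docs/change-log.md|2026-01-10|Need to formalize approval process
PCI DSS|Encryption|TLS 1.3, AES-256|Planned|docs/encryption.md|Not yet|Will implement in Phase 5
SOX|Audit Trail|Logging all changes|Implemented|logs/audit-trail.log|2026-01-15|Logs retained for 7 years
GDPR|Data Subject Rights|Data export, deletion|Implemented|docs/dsr-process.md|2026-01-12|Automated export/deletion available
"""


@dataclass
class Row:
    regulation: str
    requirement: str
    control: str
    status: str
    evidence: str
    last_verified: date | None  # None when the cell is not an ISO date ("Not yet")
    notes: str

    @property
    def key(self) -> str:
        return f"{self.regulation}/{self.requirement}"


def parse_matrix(text: str) -> list[Row]:
    """Parse the matrix and enforce the status vocabulary."""
    rows: list[Row] = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="|"):
        status = rec["Status"].strip()
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r} for {rec['Regulation']!r}")
        try:
            verified = date.fromisoformat(rec["Last Verified"].strip())
        except ValueError:
            verified = None
        rows.append(Row(rec["Regulation"].strip(), rec["Requirement"].strip(),
                        rec["Control"].strip(), status, rec["Evidence Location"].strip(),
                        verified, rec["Notes"].strip()))
    return rows


def report(text: str, today_iso: str, review_window_days: int = 90) -> dict:
    """Compute the page's matrix-derived metrics as of `today_iso` (YYYY-MM-DD)."""
    rows = parse_matrix(text)
    today = date.fromisoformat(today_iso)
    total = len(rows)
    implemented = sum(r.status in IMPLEMENTED_STATUSES for r in rows)
    # Assumption: evidence is "available" only once someone has verified it.
    evidenced = sum(r.last_verified is not None for r in rows)
    stale = [r.key for r in rows
             if r.last_verified is not None
             and today - r.last_verified > timedelta(days=review_window_days)]
    return {
        "control_implementation_pct": round(100 * implemented / total, 1),
        "evidence_availability_pct": round(100 * evidenced / total, 1),
        "exception_count": sum(r.status == "Exception" for r in rows),
        "open_items": [r.key for r in rows if r.status not in IMPLEMENTED_STATUSES],
        "stale_controls": stale,
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_MATRIX, "2026-01-22").items():
        print(f"{k}: {v}")
```

Run it against the real matrix on a schedule (the checklist's weekly "Review compliance metrics" item) and treat a non-empty `stale_controls` list as a remediation item.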

Expected Outcomes

By following this compliance framework, you will:

  • Understand which regulations apply (and which don't)
  • Build compliance into every phase (not scramble at the end)
  • Stay audit-ready (always prepared, never panicked)
  • Pass audits (first time, every time)
  • Build customer trust (compliance = trust)
  • Avoid fines (compliance is cheaper than non-compliance)

Compliance is not a destination. It's a journey of continuous improvement. This framework gives you the map—you just need to walk the path.


💬 Final Thoughts

Compliance is an investment, not an expense.

Every dollar you spend on compliance:

  • Prevents $10-$100 in fines (non-compliance is expensive)
  • Enables revenue (customers won't buy from non-compliant vendors)
  • Protects reputation (compliance breaches are public and damaging)
  • Builds trust (compliance demonstrates commitment)

You don't need to fear compliance. You just need to understand it, plan for it, and implement it consistently.

Start early. Identify applicable regulations in Phase 1. Design for compliance in Phase 3. Implement throughout development.

Ask for help. Compliance professionals, auditors, and consultants want to help. Use them.

Remember: Compliance builds trust. Trust builds revenue. Compliance is a competitive advantage.


Resources and Further Learning

Free Resources

Tools:

  • Compliance Templates: [various sources] - Policy and procedure templates
  • Checklists: [various sources] - Compliance checklists

Communities:

  • Compliance and Audit LinkedIn Groups: Active communities
  • ISACA: Professional association for IT governance
  • Local compliance meetups: Networking and learning

Templates and Checklists

See ./templates/ for:

  • Compliance Matrix Template - Track your compliance status
  • Audit Readiness Checklist Template - Always be audit-ready
  • Compliance Gap Analysis Template - Identify and fix gaps
  • Remediation Plan Template - Fix audit findings

This shared skill is referenced by all phase skills.


Transformed by: OCTALUME EXPERT MENTOR
Transformation: Complete rewrite to Expert Mentor style (warm, story-driven, emotionally intelligent, progressive disclosure, plain language, 2026 trends)


Version 1.0.0 | OCTALUME Enterprise Lifecycle Framework

Score

Total Score: 75/100 (based on repository quality metrics)

  • SKILL.md: repository contains a SKILL.md file (+20)
  • LICENSE: a license is set (+10)
  • Description: description of 100 or more characters (+10)
  • Popularity: 100 or more GitHub stars (0/15)
  • Recent activity: updated within the last month (+10)
  • Forks: forked 10 or more times (0/5)
  • Issue management: fewer than 50 open issues (+5)
  • Language: a programming language is set (+5)
  • Tags: at least one tag is set (+5)
