Pillar · Security Compliance

Compliance Without the $50K Consultant

SOC 2, PCI DSS, HIPAA, and GDPR readiness resources built for practitioners. Checklists, evidence guides, and audit preparation tools you can use today.

5 Compliance Standards
6 Templates
2 Interactive Tools

What Is Security Compliance?

Security compliance is the evidence layer that proves your controls work. Governance decides what needs to happen. Risk management decides what matters most. Compliance proves you did what governance decided and risk management prioritized.

In practice, compliance means collecting evidence, passing audits, meeting regulatory requirements, and maintaining documentation that demonstrates your organization follows the rules it agreed to follow. Whether those rules come from SOC 2, PCI DSS, HIPAA, GDPR, or an internal policy framework, the work is the same: document, implement, measure, and prove.

Compliance programs fail when they become checkbox exercises disconnected from actual security operations. They succeed when they are built on top of a functioning security program and used as a feedback mechanism to validate that controls are working as intended.

Compliance is not security

Compliance proves you followed the rules. Security means the rules actually protect something. An organization can be fully compliant and still be breached if the controls it implemented were insufficient for the actual threat landscape. Compliance is necessary, but it is the floor, not the ceiling.

Who needs this

Compliance Officers, Security Managers, CISOs, IT Directors, Auditors, Legal

The Big Four Standards

Four compliance standards dominate security questionnaires, procurement requirements, and regulatory obligations. Each has a different scope, audience, and enforcement mechanism.
SOC 2
AICPA Trust Services Criteria

SOC 2 is the most commonly requested compliance report for SaaS and technology companies. Developed by the AICPA, it evaluates an organization's controls against five Trust Services Criteria. SOC 2 reports are issued by licensed CPA firms after an independent audit. Type I evaluates control design at a point in time. Type II evaluates control effectiveness over an observation period (typically 6 to 12 months).

What It Covers
5 Trust Services Criteria: Security (required), Availability, Processing Integrity, Confidentiality, Privacy
Who Must Comply
Any organization providing services to other businesses, especially SaaS, cloud, and managed service providers
Audit Type
Type I (point-in-time) or Type II (observation period, 6-12 months). Type II is the standard for enterprise procurement.
Audit Cycle
Annual. Reports are valid for 12 months. Most customers require a current Type II report.
Typical Cost
$20K-$100K+ for audit fees, depending on scope, auditor, and organizational complexity. Readiness assessments add $10K-$30K.
Timeline
3-12 months from readiness to issued report, depending on existing control maturity and gap remediation needs.
PCI DSS v4.0.1
Payment Card Industry Data Security Standard

PCI DSS applies to any organization that stores, processes, or transmits cardholder data. Version 4.0 introduced a customized approach alongside the traditional defined approach, giving organizations flexibility in how they meet each requirement. As of March 31, 2025, all organizations must comply with v4.0.1 requirements, including previously future-dated items. Version 3.2.1 is no longer acceptable.

What It Covers
12 requirements across 6 goals: Build/maintain secure networks, protect cardholder data, maintain a vulnerability management program, implement strong access control, monitor/test networks, maintain an information security policy
Who Must Comply
Any entity that stores, processes, or transmits cardholder data, including merchants, service providers, and payment processors
Merchant Levels
Level 1: 6M+ transactions/year (mandatory on-site QSA audit). Level 2: 1M-6M (QSA audit or SAQ, per acquirer). Level 3: 20K-1M transactions. Level 4: fewer than 20K transactions/year.
Assessment Type
SAQ (Self-Assessment Questionnaire) for smaller merchants. QSA (Qualified Security Assessor) audit for Level 1 and some Level 2 merchants.
Typical Cost
SAQ: $5K-$20K (internal effort + ASV scans). QSA assessment: $30K-$200K+ depending on scope and environment complexity.
Enforcement
Card brands (Visa, Mastercard) enforce through acquiring banks. Non-compliance can result in fines, increased transaction fees, or loss of card processing privileges.
HIPAA
Health Insurance Portability and Accountability Act

HIPAA establishes national standards for protecting the privacy and security of individually identifiable health information. The Security Rule specifies administrative, physical, and technical safeguards. The Privacy Rule governs how PHI can be used and disclosed. The Breach Notification Rule requires covered entities and their business associates to notify affected individuals, HHS, and (for large breaches) the media.

What It Covers
Three rules: Security Rule (administrative, physical, technical safeguards), Privacy Rule (use/disclosure of PHI), Breach Notification Rule (without unreasonable delay, no later than 60 days)
Who Must Comply
Covered entities (health plans, healthcare clearinghouses, healthcare providers) and their business associates who handle PHI
Key Requirements
Risk analysis, workforce security training, access controls, audit controls, transmission security, integrity controls, contingency planning, business associate agreements
Breach Notification
Without unreasonable delay and in no case later than 60 days after discovery. Breaches affecting 500+ individuals in a state require concurrent HHS and major media notification. All breaches must be reported to the HHS breach portal.
Penalties
Four penalty tiers: Tier 1 (unaware) $100-$50K, Tier 2 (reasonable cause) $1K-$50K, Tier 3 (willful neglect, corrected) $10K-$50K, Tier 4 (willful neglect, not corrected) $50K per violation. Annual maximum: $1.5M per violation category. HHS OCR enforces through corrective action plans and civil monetary penalties.
Audit
No mandatory audit cycle. HHS OCR conducts complaint-driven investigations and periodic random audits. Organizations must maintain their own compliance evidence.
GDPR
General Data Protection Regulation (EU)

The GDPR is the European Union's data protection regulation that applies to any organization processing personal data of EU residents, regardless of where the organization is located. It established the most stringent data protection requirements globally and introduced the concept of "privacy by design" as a legal requirement.

What It Covers
99 articles governing the processing of personal data. 7 core principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability
Who Must Comply
Any organization processing personal data of EU/EEA residents, regardless of the organization's location. Applies to both data controllers and data processors.
Key Requirements
Lawful basis for processing, Data Protection Impact Assessments (DPIAs), Data Protection Officer (DPO) appointment (in some cases), data subject rights (access, erasure, portability), records of processing activities
Breach Notification
72 hours to notify the supervisory authority after becoming aware of a personal data breach. Affected individuals must be notified "without undue delay" if the breach poses high risk.
Penalties
Up to 4% of global annual revenue or 20 million euros (whichever is higher) for the most serious violations. Lower-tier violations: up to 2% of revenue or 10 million euros.
Enforcement
National supervisory authorities (e.g., CNIL in France, BfDI in Germany; in the UK, the ICO enforces the post-Brexit UK GDPR) investigate complaints and conduct audits. No mandatory certification, but codes of conduct and certification mechanisms exist under Articles 40-42.

Evidence Collection Guide

Auditors don't take your word for it. They want evidence. These six categories cover what every audit (SOC 2, PCI, HIPAA, or ISO) will request. Each category lists what to collect, where teams commonly fall short, and what auditors treat as red flags.
Policies & Procedures
Written documentation that defines security requirements, standards, and operational procedures.
What to Collect
Information security policy, acceptable use policy, access control policy, data classification policy, incident response plan, change management procedures, vendor management policy, password/authentication policy. Each policy must show approval date, version number, review cycle, and executive sign-off.
Common Gaps
Policies that haven't been reviewed or updated in over a year. Missing version history. No evidence of employee acknowledgment or training. Procedures that don't match actual operational practices.
Auditor Red Flags
Generic templates with the vendor's name still in the header. Policies dated three years ago with "annual review" requirements. Procedures that describe tools or systems the organization no longer uses.
Access Control Evidence
Documentation proving that access to systems and data is restricted to authorized personnel.
What to Collect
User access listings for critical systems. Evidence of quarterly or semi-annual access reviews. Onboarding/offboarding checklists showing access provisioning and deprovisioning. MFA enrollment reports. Privileged access management logs. Role-based access control (RBAC) documentation.
Common Gaps
Terminated employees with active accounts. Shared service accounts without individual accountability. No documented access reviews. Overly broad admin privileges ("everyone is an admin" syndrome).
Auditor Red Flags
Active accounts for employees who left months ago. Access review artifacts that show no changes were made (suggesting the review was not meaningful). Lack of MFA on cloud platforms and VPN.
Change Management
Records showing that changes to systems are authorized, tested, and tracked.
What to Collect
Change request tickets with approval workflows. Evidence of testing before deployment. Emergency change procedures and post-implementation review records. Deployment logs showing who made changes, when, and to which systems. Separation of duties between development and production environments.
Common Gaps
Direct production changes without a change ticket. Developers deploying their own code to production. No rollback procedures documented. Emergency changes that never receive retroactive approval.
Auditor Red Flags
Production changes that don't match any approved change ticket. Same person approving and implementing changes. No evidence of testing or peer review before deployment.
Monitoring & Logging
Evidence that systems are monitored, logs are retained, and alerts are investigated.
What to Collect
SIEM dashboard screenshots or reports showing active monitoring. Log retention policy and evidence of implementation (log storage duration settings). Alert investigation records showing how security events are triaged. Network monitoring coverage maps. Uptime and availability reports (if Availability is in scope for SOC 2).
Common Gaps
Logs collected but never reviewed. No alerting rules configured. Insufficient log retention (PCI DSS requires 12 months, with 3 months immediately available). Critical systems not sending logs to the central platform.
Auditor Red Flags
Alert fatigue: thousands of alerts with no investigation records. Gaps in log collection from critical systems. No evidence of regular log review or monitoring procedures.
Incident Response Records
Documentation showing the organization can detect, respond to, and learn from security incidents.
What to Collect
Incident response plan (current, approved, and tested). Incident tickets from the audit period showing detection, classification, containment, and resolution. Tabletop exercise records with after-action reports. Lessons-learned documentation. Breach notification records if applicable.
Common Gaps
An IR plan that has never been tested. No documented incidents during the audit period (auditors will ask how you know, not just accept zero incidents). Missing post-incident reviews. No evidence of tabletop exercises.
Auditor Red Flags
Claiming zero incidents without evidence of monitoring that would detect them. An IR plan with no test records. Incident timelines with unexplained gaps between detection and response.
Risk Assessment Documentation
Evidence of a structured process for identifying, evaluating, and treating security risks.
What to Collect
Risk assessment methodology documentation. Risk register with identified risks, likelihood/impact scores, treatment decisions, and assigned owners. Evidence of periodic risk reviews (at least annually). Risk treatment plans for identified gaps. Vendor risk assessments for critical third parties.
Common Gaps
Risk registers that haven't been updated since the initial assessment. Risks without assigned owners or treatment deadlines. No vendor risk management process. Risk assessments that don't align with the organization's actual threat landscape.
Auditor Red Flags
A risk register with zero "high" risks in an organization that clearly has them. No evidence of risk review meetings. Treatment plans with no progress or overdue deadlines. HIPAA specifically requires a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)).
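The Access Control and Change Management categories above both come down to the same kind of work: reconciling two records that should agree (HR roster against identity-provider accounts; deployment log against approved change tickets) and writing down every mismatch. The following is an added example of that reconciliation, not code from the original page or any tool it describes. All records are constructed sample data, and the field names (`active`, `mfa`, `ticket`, `approver`, `implementer`) are assumptions about what an HR export, IdP export, and change system would provide.

```python
"""Evidence reconciliation for access control and change management.

Added example with constructed data. The finding names map to the
'Common Gaps' and 'Auditor Red Flags' listed above: terminated users with
active accounts, accounts with no HR owner, missing MFA, production
deployments without an approved ticket, and self-approved changes.
"""
from datetime import date, timedelta

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "alice": None,
    "bob": date(2025, 1, 15),
    "carol": date(2025, 3, 2),
    "dave": None,
}

# Constructed identity-provider export (field names are assumptions).
IDP_ACCOUNTS = [
    {"user": "alice", "active": True, "mfa": True},
    {"user": "bob", "active": True, "mfa": False},      # left in January, never disabled
    {"user": "carol", "active": False, "mfa": True},    # correctly deprovisioned
    {"user": "dave", "active": True, "mfa": False},     # employed, but no MFA
    {"user": "svc-backup", "active": True, "mfa": False},  # shared account, no HR owner
]

# Constructed approved change tickets: ticket id -> details.
CHANGE_TICKETS = {
    "CHG-101": {"system": "payments-api", "approver": "alice", "implementer": "dave"},
    "CHG-102": {"system": "web-frontend", "approver": "dave", "implementer": "dave"},
}

# Constructed production deployment log.
DEPLOY_LOG = [
    {"system": "payments-api", "by": "dave", "ticket": "CHG-101"},   # clean
    {"system": "web-frontend", "by": "dave", "ticket": "CHG-102"},   # approver == implementer
    {"system": "payments-api", "by": "bob", "ticket": None},         # direct change, no ticket
    {"system": "reporting-db", "by": "alice", "ticket": "CHG-999"},  # ticket does not exist
]

AS_OF = date(2025, 6, 1)  # review date for the constructed audit period


def find_access_gaps(hr_roster, idp_accounts, as_of, grace_days=1):
    """Return sorted (finding, user) tuples for active accounts that should not be."""
    findings = []
    for acct in idp_accounts:
        user = acct["user"]
        if not acct["active"]:
            continue  # disabled accounts are not a gap
        if user not in hr_roster:
            findings.append(("no_hr_owner", user))  # shared/service account without accountability
            continue
        terminated_on = hr_roster[user]
        if terminated_on is not None and as_of - terminated_on > timedelta(days=grace_days):
            findings.append(("terminated_still_active", user))
        if not acct["mfa"]:
            findings.append(("mfa_missing", user))
    return sorted(findings)


def find_change_gaps(tickets, deploy_log):
    """Return sorted (finding, system, actor) tuples for deployments lacking proper approval."""
    findings = []
    for entry in deploy_log:
        ticket_id = entry["ticket"]
        if ticket_id is None or ticket_id not in tickets:
            findings.append(("deploy_without_approved_ticket", entry["system"], entry["by"]))
            continue
        ticket = tickets[ticket_id]
        if ticket["system"] != entry["system"]:
            findings.append(("ticket_system_mismatch", entry["system"], entry["by"]))
        # Separation of duties: the approver must not be the implementer or the deployer.
        if ticket["approver"] in (ticket["implementer"], entry["by"]):
            findings.append(("self_approved_change", entry["system"], entry["by"]))
    return sorted(findings)


def access_control_findings():
    return find_access_gaps(HR_ROSTER, IDP_ACCOUNTS, AS_OF)


def change_management_findings():
    return find_change_gaps(CHANGE_TICKETS, DEPLOY_LOG)


if __name__ == "__main__":
    for finding in access_control_findings() + change_management_findings():
        print(*finding)
```

Run against real exports, the output is itself evidence: the list of findings, the date, and the remediation ticket for each one is exactly the "access review artifact that shows changes were made" an auditor looks for, and an empty list from a script with known test cases is more credible than a spreadsheet that says "reviewed, no changes".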

Compliance Readiness Assessment

Answer eight questions to get a baseline score. This is not a substitute for a formal audit, but it will help you identify the biggest gaps before you engage an assessor.
1. Do you have documented, approved information security policies that are reviewed at least annually?
2. Do you perform formal access reviews (at least quarterly) and promptly revoke access for terminated employees?
3. Are security-relevant logs collected from critical systems, retained per your policy, and actively monitored?
4. Do you have a documented incident response plan that has been tested (tabletop or live) within the past 12 months?
5. Have you completed a formal risk assessment within the past 12 months with a documented risk register?
6. Do you assess the security posture of critical third-party vendors before engagement and on an ongoing basis?
7. Do all employees complete security awareness training at least annually, with completion tracked and documented?
8. Do you have a documented change management process that requires approval, testing, and review before production deployments?

Compliance Template Toolkit

Practitioner-ready templates for audit preparation and compliance management. Each template is designed to be customized for your organization's specific standards and scope.
SOC 2 Readiness Checklist
Trust Services Criteria mapped to control activities. Track readiness across Security, Availability, Confidentiality, Processing Integrity, and Privacy.
Coming Soon
PCI DSS Requirements Summary
All 12 PCI DSS v4.0.1 requirements with sub-requirements, testing procedures, and SAQ mapping. Includes the customized approach option.
Coming Soon
HIPAA Security Checklist
Administrative, physical, and technical safeguards mapped to 45 CFR 164 requirements. Includes addressable vs. required specification tracking.
Coming Soon
Evidence Tracker Template
Centralized evidence log with control mapping, collection status, owner assignment, and auditor request tracking. Works for any standard.
Coming Soon
Compliance Gap Analysis Template
Structured gap assessment with current state, target state, gap description, remediation plan, priority, owner, and deadline fields.
Coming Soon
Audit Preparation Guide
Step-by-step audit readiness playbook covering pre-audit preparation, evidence organization, auditor communication, and post-audit remediation tracking.
Coming Soon
Mockup Note

Download buttons are non-functional in this mockup. In production, these will link to downloadable templates via the TJS content delivery system.

Compliance Articles

Practitioner-written guides that go beyond the summary. Each article provides specific, practical guidance for real compliance work.
SOC 2 Readiness Checklist: What You Need Before the Audit
A pre-audit checklist covering all five Trust Services Criteria. Walks through the evidence every SOC 2 auditor will request, common readiness gaps, and the timeline from kickoff to issued report.
PCI DSS v4.0 Compliance Guide for Non-QSAs
A plain-language walkthrough of all 12 PCI DSS requirements for practitioners who need to implement controls but aren't certified assessors. Covers the defined approach, the new customized approach, and what changed from v3.2.1.
HIPAA Security Requirements: What Actually Applies to You
The HIPAA Security Rule has 42 implementation specifications, but not all are "required." This guide explains the difference between required and addressable specifications, and how to document your decisions for each.
Evidence Collection Guide: What Auditors Actually Want
Auditors request evidence in predictable patterns. This guide maps the six evidence categories to specific control objectives across SOC 2, PCI DSS, HIPAA, and ISO 27001, with examples of what "good" evidence looks like.

Which Certs Map to Compliance?

Five certifications align directly with compliance, audit, and risk management competencies. Each validates a different aspect of the discipline.
ISACA
CISA: Certified Information Systems Auditor
The gold standard for IT audit and assurance. Covers audit processes, IT governance, information systems acquisition and development, and protection of information assets. Directly relevant to compliance audit work, evidence evaluation, and control testing.
Cost: ~$760 (member) · Focus: Audit & Assurance · Exam: 150 questions / 4 hrs

ISACA
CISM: Certified Information Security Manager
Validates security management and governance expertise. Covers information security governance, risk management, program development, and incident management. Relevant to compliance program leadership and regulatory strategy.
Cost: ~$760 (member) · Focus: Security Governance · Exam: 150 questions / 4 hrs

ISACA
CRISC: Certified in Risk and Information Systems Control
The only certification focused specifically on IT risk management. Covers risk identification, assessment, response, and monitoring. Directly maps to the risk assessment requirements embedded in SOC 2, HIPAA, and ISO 27001.
Cost: ~$760 (member) · Focus: Risk Management · Exam: 150 questions / 4 hrs

ISC2
CISSP Domain 1: Security and Risk Management
Domain 1 of the CISSP (16% weight) covers security governance, compliance, legal/regulatory requirements, risk management, and professional ethics. While CISSP spans all 8 domains, Domain 1 is the compliance and regulatory core.
Cost: ~$749 · Focus: Security + Risk Mgmt · Exam: 125-175 questions / 4 hrs

CSA
CCSK: Certificate of Cloud Security Knowledge
Validates cloud security knowledge with specific coverage of cloud compliance, legal issues, and audit processes. Relevant for organizations managing compliance in cloud environments (SOC 2, FedRAMP, ISO 27017/27018).
Cost: ~$395 · Focus: Cloud Compliance · Exam: 60 questions / 90 min

Continue Your Security Journey

Compliance doesn't exist in isolation. These pillars cover the governance structure compliance proves and the operational capabilities it measures.

Related Hubs

AICPA Trust Services Criteria
PCI DSS v4.0.1
HIPAA Security Rule (45 CFR 164)
GDPR (Regulation 2016/679)
NIST SP 800-53r5
CMMC Model Overview v2.13
ISO 27001:2022