compliance-assessment

Goal

A clear picture of where the org stands against the chosen framework: which controls are met, partial, or missing; the evidence for each; and a prioritized path to compliant + audit-ready.

Steps

1. Scope & framework — pick the framework(s) and define scope (systems, data, business units, the audit boundary). See reference.md for a per-framework map.
2. Map controls — enumerate the framework's controls/requirements; map each to the org's existing controls and the evidence that demonstrates it (policy, config, logs, tickets, attestations).
3. Assess each control — Met / Partial / Not met, with the evidence or the gap. Be honest; reuse outputs from the operational plugins as technical evidence (e.g. cloud-security, sast-sca, detection-engineering).
4. Identify gaps & risk — for each gap, the control intent, the exposure it leaves (link risk-assessment), and the effort to close.
5. Prioritize remediation — by risk and by audit deadline; assign owners and target dates.
6. Audit readiness — organize evidence, dry-run control testing, and a remediation tracker an auditor can follow.

Output

A compliance gap analysis: control · requirement · status · evidence · gap · owner · priority · target date, plus a remediation roadmap and an evidence index. Use security-reporting; visualize control coverage with security-diagramming.

Notes

Compliance ≠ security, but done well it raises the floor — map controls to real evidence, not aspirational policy. Many frameworks overlap heavily (ISO 27001, SOC 2, NIST); assess once and map to several to avoid duplicate work. Verify the current version of each framework. Track gaps with owners and dates — an audit is a deadline.