Compliance frameworks.
Readiness guides for the frameworks our customers actually face — SOC 2, HIPAA, ISO 27001, PCI DSS, NIST/CIS, GDPR. Each guide covers what auditors expect, where the framework maps to our 8-category methodology, and the gaps we see most often.
6 frameworks · CloudCheck 360° aligned · Audit-package ready
Frameworks
Six guides. Pick the framework you face.
Each guide explains what the framework requires, who needs to comply, how readiness is structured, where the framework maps to our 8-category CloudCheck 360° methodology, what an engagement looks like, and the gaps we see most often. Written for engineering leaders preparing for an audit, not for auditors.
- SOC 2
  AICPA SSAE 18 attestation. Trust Services Criteria. Type 1 vs Type 2 readiness. The framework most US SaaS startups face first.
  Read the SOC 2 readiness guide →
- HIPAA
  US Security Rule, Privacy Rule, Breach Notification. For digital health, healthtech, and any platform handling Protected Health Information (PHI) on behalf of US healthcare organizations.
  Read the HIPAA readiness guide →
- ISO 27001
  ISO/IEC 27001:2022 Information Security Management System. International standard recognized by enterprise buyers globally — particularly in Europe, the Middle East, and Asia.
  Read the ISO 27001 readiness guide →
- PCI DSS
  Payment Card Industry Data Security Standard v4.0. For platforms storing, processing, or transmitting cardholder data — and the SAQ levels that determine which controls apply.
  Read the PCI DSS readiness guide →
- NIST / CIS
  NIST 800-53r5, NIST CSF 2.0, CIS Controls v8.1, CIS Benchmarks. Foundation frameworks that underpin the others — particularly relevant for federal contractors and infrastructure with US government adjacency.
  Read the NIST / CIS guide →
- GDPR
  EU General Data Protection Regulation. For any platform processing personal data of EU residents — applies extraterritorially, regardless of where the platform is hosted.
  Read the GDPR readiness guide →
All six guides reference the same CloudCheck 360° 8-category methodology. Engagements typically combine a methodology pass with framework-specific readiness work — see /methodology for the audit framework.
Methodology
Compliance evidence comes from the methodology.
CloudCheck 360° findings map to NIST 800-53r5 control families and CIS Controls v8.1 implementation groups in every report. For a compliance engagement (SOC 2, HIPAA, ISO 27001, PCI DSS, GDPR), we add explicit framework cross-references — Trust Services Criteria, HIPAA Security Rule citations, ISO Annex A controls, PCI DSS requirements, GDPR articles — alongside each finding. Auditors drop the report directly into evidence packages.
| What we deliver | Format | Auditor accepts |
|---|---|---|
| Findings + framework cross-references | Signed PDF + per-framework appendix | Direct evidence |
| Risk analysis + gap assessment | Structured document | As required by framework |
| Remediation roadmap + retest | PDF + 60-day re-scan | Demonstrates closure |
Compliance work is layered on top of audit work. We don't run “compliance audits” separately — we run CloudCheck 360° engagements with explicit framework cross-references. Single methodology, framework-specific deliverables.
Read the CloudCheck 360° methodology →
Start with a free audit.
Submit your AWS account ID. We deliver severity counts, a category breakdown, and top issues — same scan engine as our paid tiers, no credit card required to start.