Compliance & Governance
Control mapping against SOC 2, HIPAA, ISO 27001, PCI DSS, NIST CSF / CIS, and GDPR. Audit-logging posture, policy review, vendor-risk program, and the documentation an auditor actually expects.
Audit category · 07 of 08
01 Scope
What this audit covers
The Compliance & Governance category is the cross-cutting layer — the controls, policies, and records that express the other seven categories in the language an auditor or regulator speaks. We run it two ways: as a general posture audit against a chosen framework, and as a deep readiness engagement for a specific one.
For framework-specific deep-dives — scope, timeline, engagement model, typical findings — jump straight to the dedicated guide:
- SOC 2: Type I & II. AICPA Trust Services Criteria.
- HIPAA: Security, Privacy, Breach Notification Rules.
- ISO 27001: ISMS. 2022 revision. Annex A.
- PCI DSS: v4.0.1. SAQ or full RoC.
- NIST CSF / CIS: CSF 2.0 + CIS Controls v8.
- GDPR: EU and UK. DPIA, DPA, SCCs.
02 Why it matters
Evidence is the deliverable
Security controls keep you safe. Compliance artifacts keep you sold. Every enterprise buyer, cyber-insurance underwriter, and regulated partner now runs a vendor-risk process that asks for the same handful of attestations, questionnaires, and policy documents.
The goal of a governance audit is not to create paperwork. It is to make sure that the paperwork reflects the real state of the environment — so that a buyer who reads your SOC 2 and then inspects your environment finds the same thing in both.
03 Method
How we assess it
Every governance audit has the same three layers regardless of the framework on top.
Layer A: Technical control mapping
Every control in the target framework mapped to the actual CloudCheck 360° finding that proves or disproves it. No hand-waving — each control links to specific evidence.
Layer B: Policy & procedure review
Every policy required by the framework reviewed for adequacy and for alignment with the technical reality. Policies that describe what the company actually does, not what the template assumed.
Layer C: Evidence package
Artifacts organized the way an auditor consumes them — by control family, with pointers to the source systems for continuous evidence (SIEM, ticketing, HR).
04 Deliverables
What you get
- Control gap assessment — every framework control marked ready, partial, or gap, with the specific evidence behind the call.
- Policy set — adequacy review, rewrite suggestions, drafts for any missing policies required by the chosen framework.
- Audit-logging posture review — what is logged, what is retained, what is tamper-evident, where gaps would hurt during an audit or an incident investigation.
- Vendor-risk program — subprocessor inventory, risk tier per vendor, review cadence, contract-clause recommendations.
- Evidence package — the artifacts an auditor expects, organized by control family.
- Remediation roadmap — sequenced to hit a specific audit date or certification window, not an abstract finish line.
05 Patterns
Common findings
Policies describe a company that does not exist.
Off-the-shelf templates adopted verbatim, full of procedures that the company never performs. An auditor reads the policy, asks for evidence, and finds the disconnect immediately.
Control ownership is tribal knowledge.
Nobody is assigned to quarterly access reviews, to change-approval records, to vendor re-assessment. Things happen ad hoc when someone remembers. Evidence is patchy.
Audit logging exists but nobody reviews it.
CloudTrail / Activity Log / Audit Log is enabled. Retention is set. Nobody has looked at the logs in six months. A breach investigation — or an auditor sample — is a bad time to discover the gaps.
Subprocessors inventoried once, never updated.
A spreadsheet from 2023 lists fifteen vendors; procurement has since added forty-two more. Every new SaaS connection is a subprocessor; every subprocessor is in scope for GDPR, HIPAA, and most SOC 2 reports.
Mapping to multiple frameworks treated as independent projects.
SOC 2 evidence, ISO 27001 evidence, and HIPAA evidence curated separately, often by different teams. Eighty percent of controls overlap. One evidence system with a multi-framework mapping layer saves quarters of work.
06 FAQ
Questions we get asked
Which framework should we start with?
If buyers ask for SOC 2, start with SOC 2. If you handle PHI, HIPAA is non-negotiable. If you sell internationally, ISO 27001 travels better. If nobody has asked for anything specific yet, NIST CSF is the neutral starting point — it converts cleanly into any of the others later.
Do you issue the attestation / certificate?
No. Readiness consultants and auditors of record are different firms by design (AICPA independence, ISO 27006 accreditation). We prepare you to pass; a qualified auditor or certification body issues the report.
Can we stack frameworks?
Yes. Most clients end up with SOC 2 + ISO 27001 + one regulatory framework (HIPAA, PCI, or GDPR). A unified control catalog with per-framework mappings saves roughly 40 percent of evidence work compared with running each framework independently.
Do we need a GRC platform?
Vanta, Drata, Secureframe, Sprinto, and similar platforms automate evidence collection and cut audit-prep time meaningfully. They do not replace human judgment on policy adequacy, scoping, or architectural gaps. If you already own one, we work on top of it. If you do not, we make a build-versus-buy recommendation.
What does an audit cost end-to-end?
Readiness engagement, the auditor / certification-body fee, and any platform subscriptions are separate line items. For SOC 2 Type II, expect the auditor to run $15K–$40K, the readiness effort $25K–$80K, and a GRC platform $8K–$30K / year depending on size.
Start with a free Cloud Health Check.
A scoped-down CloudCheck 360° of your current environment. Delivered in five business days, no commitment.