Compliance Checklist Generation

Compliance Checklist Generation

Create structured, actionable compliance checklists for major regulatory frameworks including SOC2, HIPAA, PCI-DSS, and GDPR. This skill maps controls to requirements, assesses readiness against each control, identifies gaps, and produces prioritized remediation plans. Output includes status tracking, evidence requirements, and effort estimates for each control item.

Workflow

1. Identify Applicable Frameworks — Determine which compliance frameworks apply based on the business type, data handled, customer requirements, and geographic reach. A healthcare SaaS needs HIPAA. A company processing credit cards needs PCI-DSS. Enterprise B2B SaaS customers almost universally request SOC2. Serving EU users triggers GDPR. Multiple frameworks often overlap — identify shared controls to reduce duplicate effort.

2. Map Controls to Requirements — Break each framework into its constituent control categories and individual requirements. For SOC2, map across the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). For HIPAA, cover Administrative, Physical, and Technical Safeguards. For PCI-DSS, address all 12 requirement families. For GDPR, map to Articles 5-49 covering principles, rights, and obligations.

3. Assess Current State — For each control, evaluate the current implementation status: Implemented (evidence exists), Partially Implemented (control exists but has gaps), Not Implemented (no control in place), or Not Applicable (with documented justification). Where possible, reference existing documentation, tool configurations, or process artifacts as evidence.

4. Generate Checklist with Status and Gaps — Produce a structured checklist organized by control category, with each item showing: the requirement description, current status, evidence needed, gap description (if any), and remediation effort estimate (hours/days). Include a summary dashboard showing overall readiness percentage per category.

5. Prioritize Remediation — Rank gaps by a combination of risk severity, audit impact, implementation effort, and shared coverage across frameworks. Quick wins (high impact, low effort) should be prioritized first. Group related remediation items that can be addressed together, such as implementing a single logging solution that satisfies SOC2, HIPAA, and PCI-DSS log requirements simultaneously.

Usage

Specify which framework(s) you need, your business type, current security posture, and any upcoming audit deadlines. The more context about existing controls, the more accurate the gap analysis.

Example prompt:

Generate a SOC2 Type II readiness checklist for our Series A startup. We're a B2B SaaS running on AWS. We use GitHub for code, Datadog for monitoring, and have about 20 employees. We need to be audit-ready in 6 months.

Examples

Example 1: SOC2 Type II Readiness for a Startup

Input: 20-person B2B SaaS startup on AWS. Uses GitHub, Datadog, Google Workspace, Slack. No formal security program yet. SOC2 audit in 6 months.

Output:

Readiness Summary: 34% ready (estimated)

Sample Controls (Access Control category):

Priority Remediation (Month 1): Risk assessment (required foundation for all other controls), MFA enforcement across all systems, formal access control policy document, incident response plan draft.

Example 2: GDPR Compliance for E-Commerce

Input: EU-based e-commerce site selling consumer electronics. Collects name, address, email, payment data, browsing behavior. Uses Google Analytics, Meta Pixel, Mailchimp for email marketing. Ships to all EU countries.

Output:

Readiness Summary: 42% ready (estimated)

Sample Controls (Data Subject Rights):

Best Practices

• Start with a single framework and expand — SOC2 Security criteria overlap significantly with HIPAA Technical Safeguards and PCI-DSS, so the first framework provides a foundation.
• Map controls across frameworks to identify shared requirements and avoid duplicating effort on controls that satisfy multiple standards simultaneously.
• Use compliance automation platforms (Vanta, Drata, Secureframe) to continuously collect evidence rather than scrambling before audits.
• Document "Not Applicable" justifications formally — auditors will question every N/A item and require documented rationale.
• Set calendar reminders for recurring controls (quarterly access reviews, annual risk assessments, penetration tests) to avoid lapses between audit periods.
• Treat the checklist as a living document — update status weekly during active remediation and review quarterly once compliant.

Edge Cases

• Startups with no existing security program — Begin with a risk assessment to establish baseline. Many controls can be implemented quickly using cloud-native features (AWS CloudTrail, GitHub branch protection, Google Workspace security settings). Prioritize foundational policies first: information security, acceptable use, incident response.
• Multi-framework audits — When pursuing SOC2 + HIPAA + PCI-DSS simultaneously, build a unified control framework that maps each internal control to every applicable requirement across standards. Auditors may accept shared evidence for overlapping controls.
• Companies using serverless or PaaS architectures — Many infrastructure controls shift to the cloud provider under the shared responsibility model. Document which controls are inherited (physical security, hypervisor patching) versus which remain the customer's responsibility (application security, access management).
• Rapid growth or frequent organizational changes — Controls that depend on employee count or role structure (access reviews, security training completion) need processes that scale. Automate onboarding/offboarding checklists and tie security training to HR onboarding flows.
• Inherited compliance from acquisitions — When acquiring a company, their compliance status doesn't transfer automatically. Conduct a compliance gap assessment of the acquired entity and build an integration timeline for bringing them under your compliance umbrella.