compliance-checklist-generation


Compliance Checklist Generation

Create structured, actionable compliance checklists for major regulatory frameworks including SOC2, HIPAA, PCI-DSS, and GDPR. This skill maps controls to requirements, assesses readiness against each control, identifies gaps, and produces prioritized remediation plans. Output includes status tracking, evidence requirements, and effort estimates for each control item.

Workflow

  1. Identify Applicable Frameworks — Determine which compliance frameworks apply based on the business type, data handled, customer requirements, and geographic reach. A healthcare SaaS needs HIPAA. A company processing credit cards needs PCI-DSS. Enterprise B2B SaaS customers almost universally request SOC2. Serving EU users triggers GDPR. Multiple frameworks often overlap — identify shared controls to reduce duplicate effort.

  2. Map Controls to Requirements — Break each framework into its constituent control categories and individual requirements. For SOC2, map across the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). For HIPAA, cover Administrative, Physical, and Technical Safeguards. For PCI-DSS, address all 12 requirement families. For GDPR, map to Articles 5-49 covering principles, rights, and obligations.

  3. Assess Current State — For each control, evaluate the current implementation status: Implemented (evidence exists), Partially Implemented (control exists but has gaps), Not Implemented (no control in place), or Not Applicable (with documented justification). Where possible, reference existing documentation, tool configurations, or process artifacts as evidence.

  4. Generate Checklist with Status and Gaps — Produce a structured checklist organized by control category, with each item showing: the requirement description, current status, evidence needed, gap description (if any), and remediation effort estimate (hours/days). Include a summary dashboard showing overall readiness percentage per category.

  5. Prioritize Remediation — Rank gaps by a combination of risk severity, audit impact, implementation effort, and shared coverage across frameworks. Quick wins (high impact, low effort) should be prioritized first. Group related remediation items that can be addressed together, such as implementing a single logging solution that satisfies SOC2, HIPAA, and PCI-DSS log requirements simultaneously.
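The checklist record described in step 4 and the ranking in step 5 can be worked through concretely. The following is an added example, not the skill's own code: it models each control item with the fields the workflow names (requirement, status, evidence needed, gap, effort estimate), computes the per-category readiness percentage for the summary dashboard (Not Applicable items are excluded from the denominator), and ranks open gaps by impact times shared-framework coverage divided by effort, so that high-impact, low-effort items and controls that satisfy several frameworks rise to the top. The control IDs, statuses, severities and effort figures are constructed sample data, and the scoring weights are an assumption chosen for illustration, not a published formula from any framework.

```python
"""Readiness dashboard and remediation ranking over a compliance checklist.

Added example (not the skill's own code). All control items below are
constructed sample data; the scoring formula is an illustrative assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

# Contribution of each status to the readiness percentage.
STATUS_WEIGHT = {"Implemented": 1.0, "Partially Implemented": 0.5, "Not Implemented": 0.0}
OPEN_STATUSES = ("Partially Implemented", "Not Implemented")


@dataclass
class ControlItem:
    control_id: str
    framework: str
    category: str
    requirement: str
    status: str            # Implemented | Partially Implemented | Not Implemented | Not Applicable
    evidence_needed: str
    gap: str = ""
    effort_hours: float = 0.0
    risk_severity: int = 1           # 1 (low) .. 5 (critical), assessor-assigned
    audit_impact: int = 1            # 1 (minor finding) .. 5 (audit blocker)
    shared_with: tuple = ()          # other frameworks the same control also satisfies


def readiness_by_category(items):
    """Percent readiness per (framework, category); N/A items are left out entirely."""
    totals = defaultdict(lambda: [0.0, 0])
    for it in items:
        if it.status == "Not Applicable":
            continue
        key = (it.framework, it.category)
        totals[key][0] += STATUS_WEIGHT[it.status]
        totals[key][1] += 1
    return {k: round(100 * done / n, 1) for k, (done, n) in totals.items()}


def remediation_score(item):
    """Higher means fix sooner: (risk + audit impact) * frameworks covered / effort in days."""
    impact = item.risk_severity + item.audit_impact
    coverage = 1 + len(item.shared_with)
    effort_days = max(item.effort_hours, 1) / 8   # floor at one hour to avoid division by zero
    return impact * coverage / effort_days


def prioritized_remediation(items):
    """Open gaps only (Partially or Not Implemented), best score first."""
    gaps = [it for it in items if it.status in OPEN_STATUSES]
    return sorted(gaps, key=remediation_score, reverse=True)


def quick_wins(items, min_impact=6, max_hours=16):
    """High impact, low effort subset of the prioritized list; thresholds are assumptions."""
    return [it for it in prioritized_remediation(items)
            if it.risk_severity + it.audit_impact >= min_impact and it.effort_hours <= max_hours]


# Constructed sample checklist spanning all four frameworks named in the skill.
SAMPLE_CHECKLIST = [
    ControlItem("SOC2-CC6.1", "SOC2", "Security", "Logical access controls restrict access to systems",
                "Implemented", "IAM policy export, access review records"),
    ControlItem("SOC2-CC6.6", "SOC2", "Security", "Threats from outside system boundaries are mitigated",
                "Implemented", "Firewall rules, WAF configuration"),
    ControlItem("SOC2-CC7.2", "SOC2", "Security", "Security events are monitored and logged centrally",
                "Not Implemented", "SIEM configuration, retention policy",
                gap="Logs stay on individual hosts; no central collection",
                effort_hours=40, risk_severity=4, audit_impact=5, shared_with=("HIPAA", "PCI-DSS")),
    ControlItem("SOC2-A1.2", "SOC2", "Availability", "Backups are performed and restoration is tested",
                "Partially Implemented", "Backup job logs, restore test report",
                gap="Backups run nightly but no restore test in the last 12 months",
                effort_hours=16, risk_severity=3, audit_impact=3),
    ControlItem("HIPAA-164.312(a)(2)(iv)", "HIPAA", "Technical Safeguards", "Encrypt ePHI at rest",
                "Partially Implemented", "Storage encryption settings, key management records",
                gap="Primary database encrypted; analytics replica is not",
                effort_hours=8, risk_severity=5, audit_impact=4),
    ControlItem("PCI-12.1", "PCI-DSS", "Requirement 12", "Maintain an information security policy",
                "Not Implemented", "Approved policy document, annual review sign-off",
                gap="No written policy", effort_hours=4, risk_severity=2, audit_impact=3,
                shared_with=("SOC2",)),
    ControlItem("GDPR-Art30", "GDPR", "Records of processing", "Maintain records of processing activities",
                "Not Applicable", "Justification memo", gap="Fewer than 250 employees exemption claimed"),
    ControlItem("GDPR-Art32", "GDPR", "Security of processing", "Appropriate technical measures in place",
                "Implemented", "Security architecture document"),
]


if __name__ == "__main__":
    for (framework, category), pct in sorted(readiness_by_category(SAMPLE_CHECKLIST).items()):
        print(f"{framework:8} {category:25} {pct:5.1f}% ready")
    print("\nRemediation order:")
    for it in prioritized_remediation(SAMPLE_CHECKLIST):
        print(f"  {remediation_score(it):5.1f}  {it.control_id:25} {it.effort_hours:>4.0f}h  {it.gap}")
```

Running the module prints the dashboard and the ranked list. Step 5's point about shared coverage is visible in the scoring: the central-logging control counts three frameworks, which keeps it above the availability gap despite its larger effort, while the short policy item lands first because its effort is tiny.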

Usage

Specify which framework(s) you need, your business type, current security posture, and any upcoming audit deadlines. The more context about existing controls, the more accurate the gap analysis.

Installs: 7 | GitHub Stars: 78 | First Seen: Mar 19, 2026