This section contains documentation and guides on security frameworks, governance, risk management, and compliance requirements. It focuses on aligning infrastructure and operations with industry standards and regulations.

Overview

Compliance is treated as infrastructure-as-code — policies, controls, and audit evidence are versioned, peer-reviewed, and subject to the same quality standards as infrastructure.

Standards & Frameworks

NIST 800-53, ISO 27001, Cyber Essentials+, CIS Benchmarks

Policies

Internal security policies, access controls, operational standards

Audits & Checklists

Self-assessment templates, readiness checklists, audit preparation

Regulatory

Sector-specific requirements: GDPR, CE+, HIPAA

Sections

Standards & Frameworks

Industry-recognized security and compliance frameworks:

NIST 800-53

Comprehensive catalog of security and privacy controls for federal information systems. Widely adopted as a baseline for security architecture.

Key Focus Areas:
  • Access Control (AC)
  • Audit and Accountability (AU)
  • Security Assessment and Authorization (CA)
  • Configuration Management (CM)
  • Incident Response (IR)
  • System and Communications Protection (SC)

ISO 27001

International standard for information security management systems (ISMS). Focuses on risk management and continuous improvement.

Core Components:
  • Asset management
  • Access control
  • Cryptography
  • Physical security
  • Operations security
  • Communications security

Cyber Essentials+

UK government-backed scheme providing baseline security controls against common cyber threats.

Five Control Areas:
  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

CIS Benchmarks

Consensus-based security configuration guides for operating systems, cloud platforms, and applications.

Policies

Internal security policies and operational standards:

1. Access Control Policy
   Defines authentication requirements, privilege management, and least-privilege principles.

2. Backup & Recovery Policy
   Retention schedules, backup verification, and disaster recovery procedures.

3. Incident Response Policy
   Detection, containment, eradication, and post-incident analysis procedures.

4. Change Management Policy
   Controlled changes to production systems with peer review and rollback procedures.

All policies should be reviewed annually and updated whenever the infrastructure or the threat landscape changes.

Audits & Checklists

Self-assessment tools and audit preparation resources:

Readiness Checklist

Pre-audit verification of controls and evidence collection

Control Mapping

Map technical implementations to framework requirements

Evidence Collection

Automated collection of logs, configs, and proof of controls

Gap Analysis

Identify missing or incomplete controls before formal audit

Regulatory

Sector-specific compliance requirements:

GDPR

Scope: EU/UK data protection and privacy law

Key Requirements:
  • Lawful basis for processing personal data
  • Data subject rights (access, erasure, portability)
  • Data breach notification (72-hour window)
  • Privacy by design and by default
  • Data Protection Impact Assessments (DPIA)

Cyber Essentials+ (CE+)

Scope: UK baseline security certification
Assessment: Technical verification of security controls via vulnerability scan and configuration review
Renewal: Annual re-certification required

HIPAA

Scope: Protected Health Information (PHI) security and privacy

Key Controls:
  • Access controls and audit logs
  • Encryption at rest and in transit
  • Business Associate Agreements (BAA)
  • Breach notification procedures

Getting Started

1. Choose Your Framework
   Start with the Standards & Frameworks section for baseline controls. NIST 800-53 and Cyber Essentials+ provide excellent starting points.

2. Establish Policies
   Define internal security policies based on your chosen framework. Document acceptance criteria and ownership.

3. Implement Controls
   Deploy technical and administrative controls. Use infrastructure-as-code where possible for auditability.

4. Continuous Assessment
   Use audit checklists and gap analysis tools to validate that controls remain effective as your environment evolves.

Treat compliance as a continuous process, not a one-time project. Automate evidence collection and control validation wherever possible.

Compliance Philosophy

Compliance is not security — but it provides a structured baseline and audit trail.

The goal is to:
  • Establish repeatable, verifiable controls
  • Maintain audit evidence for regulatory and insurance purposes
  • Create operational discipline around security practices
  • Enable risk-based decision making

Design Principles

  • Evidence-based: All controls must be measurable and auditable
  • Automation-first: Use code and automation for consistency
  • Least privilege: Default deny with explicit allow
  • Defense in depth: Multiple layers of controls
  • Continuous improvement: Regular review and refinement
