Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation.
View on GitHubskills/implementing-compliance/SKILL.md
February 1, 2026
Select agents to install to:
npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/implementing-compliance/SKILL.md -a claude-code --skill implementing-complianceInstallation paths:
.claude/skills/implementing-compliance/# Compliance Frameworks Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection. ## Purpose Modern compliance is a continuous engineering discipline requiring technical implementation of security controls. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. Focus on unified controls that satisfy multiple frameworks simultaneously to reduce implementation effort by 60-80%. ## When to Use Invoke when: - Building SaaS products requiring SOC 2 Type II for enterprise sales - Handling healthcare data (PHI) requiring HIPAA compliance - Processing payment cards requiring PCI-DSS validation - Serving EU residents and processing personal data under GDPR - Implementing security controls that satisfy multiple compliance frameworks - Automating compliance evidence collection and audit preparation - Enforcing compliance policies in CI/CD pipelines ## Framework Selection ### Tier 1: Trust & Security Certifications **SOC 2 Type II** - Audience: SaaS vendors, cloud service providers - When required: Enterprise B2B sales, handling customer data - Timeline: 6-12 month observation period - 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure **ISO 27001** - Audience: Global enterprises - When required: International business, government contracts - Timeline: 3-6 month certification, annual surveillance ### Tier 2: Industry-Specific Regulations **HIPAA (Healthcare)** - Audience: Healthcare providers, health tech handling PHI - When required: Processing Protected Health Information - 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments **PCI-DSS 4.0 (Payment Card Industry)** - Audience: Merchants, payment processors - When required: Processing, storing, transmitting cardholder data - Effective: April 1, 2025 (mandatory) - Key chang