Implement and maintain compliance with SOC 2, HIPAA, PCI-DSS, and GDPR using unified control mapping, policy-as-code enforcement, and automated evidence collection. Use when building systems requiring regulatory compliance, implementing security controls across multiple frameworks, or automating audit preparation.
Source: ancoleman/ai-design-components on GitHub
backend-ai-skills
February 1, 2026
Install with the `add-skill` CLI (the `-a claude-code` flag targets Claude Code):

```shell
npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/implementing-compliance/SKILL.md -a claude-code --skill implementing-compliance
```

Installation paths:
`.claude/skills/implementing-compliance/`

# Compliance Frameworks

Implement continuous compliance with major regulatory frameworks through unified control mapping, policy-as-code enforcement, and automated evidence collection.

## Purpose

Modern compliance is a continuous engineering discipline that requires technical implementation of security controls, not a periodic paperwork exercise. This skill provides patterns for SOC 2 Type II, HIPAA, PCI-DSS 4.0, and GDPR compliance using infrastructure-as-code, policy automation, and evidence collection. It focuses on unified controls that satisfy multiple frameworks simultaneously; the skill's own estimate is that this reduces implementation effort by 60-80%.

## When to Use

Invoke when:

- Building SaaS products requiring SOC 2 Type II for enterprise sales
- Handling healthcare data (PHI) requiring HIPAA compliance
- Processing payment cards requiring PCI-DSS validation
- Serving EU residents and processing personal data under GDPR
- Implementing security controls that satisfy multiple compliance frameworks
- Automating compliance evidence collection and audit preparation
- Enforcing compliance policies in CI/CD pipelines

## Framework Selection

### Tier 1: Trust & Security Certifications

**SOC 2 Type II**

- Audience: SaaS vendors, cloud service providers
- When required: Enterprise B2B sales, handling customer data
- Timeline: 6-12 month observation period
- 2025 updates: Monthly control testing, AI governance, 72-hour breach disclosure (expectations that auditors and enterprise customers increasingly apply; the AICPA Trust Services Criteria themselves do not prescribe a testing cadence or a disclosure deadline)

**ISO 27001**

- Audience: Global enterprises
- When required: International business, government contracts
- Timeline: 3-6 month certification; the certificate runs on a three-year cycle with annual surveillance audits

### Tier 2: Industry-Specific Regulations

**HIPAA (Healthcare)**

- Audience: Healthcare providers, health tech handling PHI
- When required: Processing Protected Health Information
- 2025 focus: Zero Trust Architecture, EDR/XDR, AI assessments

**PCI-DSS 4.0 (Payment Card Industry)**

- Audience: Merchants, payment processors
- When required: Processing, storing, transmitting cardholder data
- Effective: PCI DSS v4.0 has been mandatory since March 31, 2024 (v3.2.1 retired); its future-dated requirements became mandatory on March 31, 2025
- Key chang
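The Purpose section describes three techniques (unified control mapping, policy-as-code checks, automated evidence collection) without showing how they fit together. The following is an added example written for this page; it is not code from the ancoleman/ai-design-components skill. It defines unified controls that each carry citations into several frameworks, evaluates them as code over a constructed resource inventory, rolls results up per framework citation, and emits a hash-sealed evidence record suitable for a CI gate. The control names (`UC-ENC-01` and so on), the inventory, and the citation mappings are assumptions chosen for illustration; verify every citation against the framework text before using such a mapping for an audit.

```python
"""Unified control mapping + policy-as-code + evidence record (added example).

Not the skill's own code. Inventory, control ids and framework citations are
constructed for illustration; check citations against the framework text.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass
class Control:
    id: str                          # internal unified control id (hypothetical)
    title: str
    applies_to: str                  # resource type the predicate evaluates
    check: Callable[[dict], bool]    # policy-as-code predicate over one resource
    mappings: dict[str, list[str]]   # framework -> citations (illustrative)


# One technical check, several framework citations: this is the unified control.
CONTROLS = [
    Control("UC-ENC-01", "Data stores encrypt at rest with a managed key", "datastore",
            lambda r: r.get("encryption_at_rest") is True and bool(r.get("kms_key_id")),
            {"SOC2": ["CC6.1"], "HIPAA": ["164.312(a)(2)(iv)"],
             "PCI-DSS-4": ["3.5.1"], "GDPR": ["Art. 32(1)(a)"]}),
    Control("UC-IAM-02", "Human principals authenticate with MFA", "user",
            lambda r: r.get("mfa_enabled") is True,
            {"SOC2": ["CC6.1"], "HIPAA": ["164.312(d)"],
             "PCI-DSS-4": ["8.4.2"], "GDPR": ["Art. 32(1)(b)"]}),
    Control("UC-LOG-03", "Audit logging on, retained at least 365 days", "datastore",
            lambda r: r.get("audit_log_enabled") is True and r.get("log_retention_days", 0) >= 365,
            {"SOC2": ["CC7.2"], "HIPAA": ["164.312(b)"],
             "PCI-DSS-4": ["10.2.1", "10.5.1"], "GDPR": ["Art. 32(1)(b)"]}),
]

# Constructed sample inventory (what an IaC state or cloud API export would yield).
SAMPLE_INVENTORY = [
    {"id": "db-prod-1", "type": "datastore", "encryption_at_rest": True,
     "kms_key_id": "key-1", "audit_log_enabled": True, "log_retention_days": 400},
    {"id": "db-analytics", "type": "datastore", "encryption_at_rest": True,
     "kms_key_id": "", "audit_log_enabled": True, "log_retention_days": 400},
    {"id": "alice", "type": "user", "mfa_enabled": True},
    {"id": "bob", "type": "user", "mfa_enabled": False},
]


@dataclass
class Finding:
    control_id: str
    resource_id: str
    passed: bool


def evaluate(inventory: list[dict], controls: list[Control] = CONTROLS) -> list[Finding]:
    """Run every control predicate over every resource of its type."""
    return [Finding(c.id, r["id"], bool(c.check(r)))
            for c in controls for r in inventory if r["type"] == c.applies_to]


def failing_resources(findings: list[Finding]) -> list[tuple[str, str]]:
    return sorted((f.control_id, f.resource_id) for f in findings if not f.passed)


def framework_status(findings: list[Finding], controls: list[Control] = CONTROLS) -> dict[str, dict[str, str]]:
    """Per framework, citation -> 'pass'/'fail'. A citation fails if any unified
    control mapped to it has a failing finding or produced no evidence at all."""
    by_control: dict[str, list[bool]] = {}
    for f in findings:
        by_control.setdefault(f.control_id, []).append(f.passed)
    status: dict[str, dict[str, str]] = {}
    for c in controls:
        results = by_control.get(c.id, [])
        ok = bool(results) and all(results)          # no evidence == not satisfied
        for fw, cites in c.mappings.items():
            for cite in cites:
                prev = status.setdefault(fw, {}).get(cite, "pass")
                status[fw][cite] = "pass" if ok and prev == "pass" else "fail"
    return status


def _digest(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def evidence_record(findings: list[Finding], collected_at: datetime | None = None) -> dict:
    """Evidence artifact with a digest over its canonical JSON, so later edits are detectable."""
    when = collected_at or datetime.now(timezone.utc)
    body = {"collected_at": when.isoformat(), "findings": [asdict(f) for f in findings]}
    return {**body, "sha256": _digest(body)}


def verify_evidence(record: dict) -> bool:
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record.get("sha256")


def gate(inventory: list[dict] = SAMPLE_INVENTORY) -> int:
    """CI gate: non-zero when any unified control fails anywhere."""
    return 1 if any(not f.passed for f in evaluate(inventory)) else 0


if __name__ == "__main__":
    fs = evaluate(SAMPLE_INVENTORY)
    print(json.dumps(evidence_record(fs), indent=2))
    print(json.dumps(framework_status(fs), indent=2))
    raise SystemExit(gate())
```

Run as a script it prints the evidence record and the per-framework roll-up and exits 1, because `db-analytics` has no KMS key and `bob` has no MFA. Note how a shared citation behaves: SOC 2 CC6.1 is mapped from both the encryption and MFA controls, so it fails as long as either does, while CC7.2 (logging only) passes. Storing the evidence record with its digest in write-once storage gives the auditor a sample they can re-verify; the digest does not replace a signature, since anyone who can rewrite the record can recompute it.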