CloudWizz

SOC 2. HIPAA. PCI-DSS. ISO 27001. GDPR. We close the gap between where you are and where the auditor needs you to be.

A structured compliance readiness assessment covering the full control scope — technical, procedural, and organisational — against the framework your auditor, customer, or regulator is asking for. We produce the evidence packet, the gap list, and the closure roadmap. Your team executes; we stay available to verify.

AI-driven · Human-reviewed

How we deliver this: AI handles the routine analysis (audits, IaC drafts, runbook scaffolds, alert triage). A senior engineer reviews every change before it touches your production. Consultancy speed at consultancy quality.


When you need this

A certification deadline is moving the deal forward — or blocking it

An enterprise prospect is asking for SOC 2 Type II before countersigning. A healthcare partner needs a signed BAA backed by a HIPAA assessment. A payment integration requires PCI-DSS compliance evidence. The deadline is real; the audit programme is not.

You passed last year's questionnaire but nobody audited the controls

Self-assessed compliance and auditor-verified compliance are different things. Many teams have policies that no longer match what the system actually does — the IAM roles, the data-retention config, the incident-response procedure. We find the delta before the auditor does.

You don't know which framework applies or what it actually requires

SOC 2, ISO 27001, HIPAA, PCI-DSS, and GDPR overlap significantly but differ in what they explicitly require. Teams waste months preparing for the wrong scope. We scope correctly in the first session.

How it works

  1. Phase 01: Framework scoping and applicability

     One working session to determine which frameworks apply to your business model and data types, which controls are in scope, and what evidence format the auditor or certifying body will accept. We work from the actual framework requirements, not a generic checklist.

  2. Phase 02: Technical controls assessment

     Read-only review of cloud configuration, IAM policies, encryption posture, network segmentation, logging and monitoring, and backup/recovery, mapped directly to framework control IDs. Automated where possible; manual for the controls automation misses.

  3. Phase 03: Procedural and organisational controls review

     Policies, procedures, access reviews, training records, incident-response runbooks, vendor management, change management: the non-technical half of every compliance framework that technical teams underestimate. We review what exists, flag what is missing, and provide template language for the gaps.

  4. Phase 04: Gap report and remediation roadmap

     Every failing control is documented with the specific requirement, the current state, and a closure path, prioritised by certification risk rather than severity alone. We separate quick fixes (an hour each) from structural work (weeks) so you can plan the sprint realistically.

What you get

  • Framework applicability memo with scoping decisions documented
  • Control-by-control assessment mapped to framework IDs (e.g. SOC 2 CC6–CC9, HIPAA §164.312, PCI-DSS Req. 7–10)
  • Evidence packet for passing controls — formatted for auditor submission
  • Gap register with closure owners and effort estimates
  • Policy and procedure templates for the most common gaps
  • 30/60/90-day remediation roadmap prioritised by certification risk

What changes for you

Audit-ready output, not a gap list you have to interpret

Evidence is formatted to match what your auditor or certifying body expects — not a raw export that requires further translation. The passing-controls packet goes directly into your audit room.

No scope creep in the assessment itself

Compliance audits fail when scope is poorly defined. We agree scope in writing before any assessment work begins — which frameworks, which systems, which control families. Fixed-fee, no surprises.

Technical and procedural controls in one engagement

Most teams either review the technical controls (cloud config) or the policies — not both. Both are required. We do both in a single engagement rather than handing off the policy work to a separate firm.

Honest about what you need vs. what looks good on paper

We tell you which controls matter for your specific risk model and which are checkbox theatre. A startup with two engineers and no payment card data does not need the same PCI-DSS scope as a Level 1 merchant.

Usable templates, not boilerplate

Policy templates are adapted to your actual technology stack and operating model — not pulled from a generic library and reformatted. Your engineers can update them without a compliance consultant on the phone.

Faster path to certification

Clients who enter a formal audit after this engagement typically reduce audit cycles by 40–60% — fewer back-and-forth evidence requests because the gaps were closed before the auditor arrived.

What clients say

"CloudWizz rebuilt our delivery pipeline in eight weeks. Deploys went from a Friday-night ritual to a non-event we ship four times a day."

Director of Engineering

Fintech, Series C · 2025-11

"Moving 132TB of patient imaging data while keeping the platform live — I didn't think we could do it without a maintenance window. The team just figured it out. GKE has been rock solid since, and the CI/CD they set up is something our own engineers actually want to work with."

Joseph Sokol

CEO & Founder · iCardio.ai · 2025-12

Frequently asked questions

How is this different from the Security Audit?

Security Audit is a technical depth review — IAM, cloud config, network exposure, secrets, code security — scored against a framework baseline. Compliance Audit covers the full control scope a certifying body or regulator assesses, including procedural and organisational controls (policies, training, vendor management, access reviews) that a technical scan cannot touch. If you need SOC 2 Type II, HIPAA, or ISO 27001 certification, you need a Compliance Audit. If you need to harden your technical posture, you need a Security Audit. Many clients do both.

Which frameworks do you cover?

SOC 2 (Type I and Type II readiness), HIPAA (Security Rule §164.312 and Privacy Rule), PCI-DSS (v4.0 SAQ and ROC scopes), ISO/IEC 27001 (Annex A controls), and GDPR (Articles 5, 25 and 32: technical and organisational measures). We can also assess against NIST 800-53, HITRUST CSF, and CIS Controls if your industry or contracts require them.

Do you work with our existing auditor or certifying body?

Yes — we can work alongside your chosen QSA (PCI), CPA firm (SOC 2), or ISO certification body. We produce evidence in the format they request and can attend kick-off calls to align on scope. We do not replace the certifying body; we get you ready for them.

How long does a compliance audit take?

Three to five weeks for a focused single-framework readiness assessment (e.g. SOC 2 Type I readiness). Multi-framework assessments (e.g. HIPAA + SOC 2 simultaneously) run four to eight weeks. Elapsed time depends on how quickly your team can respond to evidence requests and access setup.

What happens after the gap report?

You choose. The assessment stands on its own — your team can execute the roadmap. If you want us to close specific gaps (write policies, fix technical controls, stand up logging infrastructure), we scope a follow-on remediation engagement. We can also stay available as an advisory resource through your formal audit.

What access do you need?

Read-only access to cloud accounts and relevant systems for the technical controls review. For procedural controls, we need existing policies, procedure documents, and interviews with the people who own them. No write access, no production changes.

Can you help with a GDPR Article 32 assessment specifically?

Yes — Article 32 requires appropriate technical and organisational measures relative to the risk. We assess encryption at rest and in transit, access controls, pseudonymisation, ongoing confidentiality/integrity/availability, and your ability to restore data after an incident. We produce the documented assessment Article 32 requires — not just a checklist, but a written risk analysis with the measures in place.

How do you handle compliance for AI and LLM workloads?

AI workloads introduce specific compliance questions — training data provenance, model artefact access controls, inference-time data isolation, prompt logging and retention. We assess these against relevant framework controls and emerging AI-specific guidance (EU AI Act, NIST AI RMF) where applicable.

Is this relevant if we're a startup with no compliance history?

Often more relevant. Starting a compliance programme correctly from the first assessment is significantly cheaper than retrofitting it after an audit failure or a breach. Many of our most effective engagements are with teams that have a certification deadline in six months and no programme yet.

How does the AI-driven, human-reviewed model apply here?

AI accelerates the broad coverage — automated control scanning across cloud resources, policy-document analysis, evidence-collection drafts, gap-register population. A senior compliance-experienced engineer reviews every control assessment for two things AI cannot reliably do well — judging whether a control is substantively met given the actual risk context, and writing the evidence narrative that an auditor will accept. AI never determines the final compliance status of a control or signs the assessment report.

Ready to start with Compliance Audit?

Book a 30-min call →