compliance-audit
Compliance Audit
Systematic regulatory compliance auditing with automated evidence collection, control mapping,
gap analysis, and remediation planning across major compliance frameworks.
When to Use This Skill
- Conducting compliance assessments for GDPR, HIPAA, PCI DSS, SOC 2, or ISO 27001
- Preparing for external audits or certifications
- Building or validating compliance control frameworks
- Automating evidence collection and audit trail maintenance
- Performing gap analysis against regulatory requirements
- Creating remediation plans for compliance deficiencies
- Evaluating third-party vendor compliance posture
Quick Reference
| Resource | Purpose | Load when |
|---|---|---|
| | Key requirements, control mappings, and certification paths for GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001 | Scoping which regulations apply |
| references/evidence-collection.md | Automated evidence gathering, artifact organization, retention policies, audit trail patterns | Setting up or running evidence collection |
| references/gap-analysis.md | Control mapping methodology, gap identification, risk scoring, remediation planning | Analyzing compliance gaps |
Workflow Overview
Phase 1: Scope → Identify applicable regulations, data types, and geographical scope
Phase 2: Assess → Map controls, review policies, analyze data flows, test implementations
Phase 3: Evidence → Collect and organize audit artifacts automatically
Phase 4: Gap Analyze → Identify control gaps, score risks, prioritize findings
Phase 5: Remediate → Create remediation plans, assign owners, set timelines
Phase 6: Report → Generate audit-ready documentation and compliance dashboards
Phase 7: Monitor → Establish continuous compliance monitoring and drift detection
Phase 1: Scope the Audit
Determine the regulatory landscape before testing anything.
Key questions:
- What data types does the system process (PII, PHI, cardholder data)?
- What jurisdictions apply (EU, US states, industry-specific)?
- What existing controls and certifications are in place?
- What is the audit history and any prior findings?
Applicability matrix:
| Framework | Applies when |
|---|---|
| GDPR | Processing personal data of EU residents |
| HIPAA | Handling protected health information (PHI) |
| PCI DSS | Storing, processing, or transmitting cardholder data |
| SOC 2 | Providing services where trust principles matter |
| ISO 27001 | Organization wants certified ISMS |
| CCPA/CPRA | Collecting California consumer personal information |
| NIST CSF | Federal systems or voluntary cybersecurity framework adoption |
Phase 2: Assess Current State
Control Inventory
Map existing controls against the applicable framework requirements:
- Enumerate all technical controls (encryption, access control, logging)
- Enumerate all administrative controls (policies, training, procedures)
- Enumerate all physical controls (facility access, media handling)
- Map each control to specific framework requirements
- Test control effectiveness through sampling and verification
Data Flow Analysis
- Map data ingress, processing, storage, and egress points
- Identify data classification for each flow
- Document lawful basis for processing (GDPR)
- Verify data minimization and purpose limitation
- Review cross-border transfer mechanisms
Policy Review
- Assess policy coverage against framework requirements
- Verify policy distribution and acknowledgment
- Check policy version control and update cadence
- Validate exception management processes
Phase 3: Evidence Collection
Load references/evidence-collection.md for detailed patterns.
Automation priorities:
- Configuration exports from cloud providers and infrastructure
- Access control lists and permission matrices
- Log retention and monitoring dashboards
- Vulnerability scan results and patch status
- Training completion records
- Incident response test results
Artifact organization:
evidence/
  {framework}/
    {control-id}/
      artifact-{date}.{ext}
      metadata.yaml   # source, collection method, timestamp
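The layout above can be produced and checked by a small collector. The following is an added example, not code from the original page or from the skill's reference files; it assumes one metadata.yaml per control directory describing the most recent artifact, the field names `source`, `collection_method`, `collected_at`, `artifact` and `sha256` (the hash is an addition so a reviewer can prove an artifact is unchanged since collection), and a constructed SOC 2-style control ID used only as a label.

```python
"""Added example: write audit artifacts into the evidence/{framework}/{control-id}/ layout.

Constructed for illustration; the metadata field names and the one-metadata.yaml-per-control
convention are assumptions, not part of the original page.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _yaml_dump(fields: dict) -> str:
    # Flat YAML writer for scalar values only (JSON scalars are valid YAML); avoids a PyYAML dependency.
    return "".join(f"{key}: {json.dumps(value)}\n" for key, value in fields.items())


def _yaml_load(text: str) -> dict:
    # Inverse of _yaml_dump: one "key: scalar" pair per line, comments and blank lines skipped.
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = json.loads(value.strip())
    return fields


def store_artifact(root: Path, framework: str, control_id: str, content: bytes, ext: str,
                   source: str, method: str, collected_at: datetime) -> Path:
    """Save one artifact as artifact-{date}.{ext} and record its provenance in metadata.yaml."""
    control_dir = root / framework / control_id
    control_dir.mkdir(parents=True, exist_ok=True)
    artifact = control_dir / f"artifact-{collected_at.strftime('%Y-%m-%d')}.{ext}"
    artifact.write_bytes(content)
    metadata = {
        "source": source,                    # system the evidence was exported from
        "collection_method": method,         # e.g. scheduled API export, screenshot, manual upload
        "collected_at": collected_at.isoformat(),
        "artifact": artifact.name,
        "sha256": hashlib.sha256(content).hexdigest(),  # integrity anchor for later review
    }
    (control_dir / "metadata.yaml").write_text(_yaml_dump(metadata))
    return artifact


def build_index(root: Path) -> dict:
    """Index every control directory as "framework/control-id" -> metadata plus artifact list."""
    index = {}
    for meta_path in sorted(root.glob("*/*/metadata.yaml")):
        control_dir = meta_path.parent
        entry = _yaml_load(meta_path.read_text())
        entry["artifacts"] = sorted(p.name for p in control_dir.iterdir() if p.name != "metadata.yaml")
        index[f"{control_dir.parent.name}/{control_dir.name}"] = entry
    return index


def verify_artifact(root: Path, framework: str, control_id: str) -> bool:
    """Recompute the artifact hash and compare with metadata.yaml; False means it was altered or lost."""
    control_dir = root / framework / control_id
    meta_path = control_dir / "metadata.yaml"
    if not meta_path.exists():
        return False
    metadata = _yaml_load(meta_path.read_text())
    artifact = control_dir / metadata["artifact"]
    return artifact.exists() and hashlib.sha256(artifact.read_bytes()).hexdigest() == metadata["sha256"]


def demo() -> dict:
    """Walk-through on a temporary directory with a constructed sample artifact (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        when = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
        path = store_artifact(root, "soc2", "CC6.1", b'{"mfa_required": true}', "json",
                              source="idp-config-export", method="scheduled-api-export", collected_at=when)
        index = build_index(root)
        intact_before = verify_artifact(root, "soc2", "CC6.1")
        path.write_bytes(b'{"mfa_required": false}')  # simulate the artifact being altered after collection
        intact_after = verify_artifact(root, "soc2", "CC6.1")
        return {
            "artifact": path.name,
            "controls": sorted(index),
            "artifacts": index["soc2/CC6.1"]["artifacts"],
            "intact_before": intact_before,
            "intact_after": intact_after,
        }


if __name__ == "__main__":
    print(demo())
```

The hash in metadata.yaml is what makes "evidence over assertion" checkable later: an auditor can re-run `verify_artifact` over the whole tree and any artifact edited after collection fails the check.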
Phase 4: Gap Analysis
Load references/gap-analysis.md for the full methodology.
For each framework requirement:
- Map to existing controls (full, partial, or none)
- Assess implementation effectiveness
- Score the gap by risk impact and likelihood
- Categorize as documentation, process, technology, or training gap
- Prioritize based on risk score and remediation effort
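The mapping, scoring and prioritization steps listed above can be expressed as one small scoring routine. This is an added example, not the methodology in references/gap-analysis.md; the exposure formula (coverage fraction times tested effectiveness), the 0-25 risk scale, the P0-P4 bands and the sample gaps are all assumptions constructed for the illustration.

```python
"""Added example: score and rank compliance gaps for remediation.

The scoring formula, the P0-P4 thresholds and the sample gaps are assumptions constructed
for this example; they are not the page's or any framework's official method.
"""
from dataclasses import dataclass

COVERAGE_FRACTION = {"full": 1.0, "partial": 0.5, "none": 0.0}
GAP_CATEGORIES = ("documentation", "process", "technology", "training")
# Assumed priority bands on a 0-25 scale (impact x likelihood x exposure).
PRIORITY_BANDS = ((20.0, "P0"), (15.0, "P1"), (10.0, "P2"), (5.0, "P3"), (0.0, "P4"))


@dataclass
class Gap:
    gap_id: str
    requirement: str      # framework clause or control the gap maps to
    coverage: str         # "full", "partial" or "none": how much of the requirement existing controls address
    effectiveness: float  # 0.0-1.0 observed effectiveness of the covering controls (from testing)
    impact: int           # 1-5 consequence if the requirement is not met
    likelihood: int       # 1-5 chance the weakness is realised or surfaced in an audit
    category: str         # documentation / process / technology / training
    effort_days: int      # estimated remediation effort

    def __post_init__(self):
        # Reject malformed input early so a bad spreadsheet row cannot silently skew the ranking.
        if self.coverage not in COVERAGE_FRACTION:
            raise ValueError(f"{self.gap_id}: unknown coverage {self.coverage!r}")
        if self.category not in GAP_CATEGORIES:
            raise ValueError(f"{self.gap_id}: unknown category {self.category!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.gap_id}: effectiveness must be within 0..1")
        for name in ("impact", "likelihood"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{self.gap_id}: {name} must be 1..5")


def exposure(gap: Gap) -> float:
    """Share of the requirement left unaddressed once coverage and tested effectiveness are combined."""
    return 1.0 - COVERAGE_FRACTION[gap.coverage] * gap.effectiveness


def risk_score(gap: Gap) -> float:
    """Impact x likelihood x exposure, rounded to two decimals (0 = fully met, 25 = worst case)."""
    return round(gap.impact * gap.likelihood * exposure(gap), 2)


def priority(score: float) -> str:
    """Map a risk score onto the assumed P0-P4 bands."""
    for floor, label in PRIORITY_BANDS:
        if score >= floor:
            return label
    return "P4"


def prioritize(gaps: list) -> list:
    """Rank gaps: highest risk first, cheaper fixes first among equal scores."""
    ranked = sorted(gaps, key=lambda g: (-risk_score(g), g.effort_days, g.gap_id))
    return [
        {"gap_id": g.gap_id, "requirement": g.requirement, "category": g.category,
         "score": risk_score(g), "priority": priority(risk_score(g)), "effort_days": g.effort_days}
        for g in ranked
    ]


SAMPLE_GAPS = [  # constructed illustrative gaps, not findings from a real assessment
    Gap("GAP-001", "PCI DSS: protection of stored cardholder data", "none", 0.0, 5, 4, "technology", 20),
    Gap("GAP-002", "GDPR: records of processing activities", "partial", 0.8, 5, 5, "documentation", 5),
    Gap("GAP-003", "ISO 27001: information security policy", "full", 1.0, 3, 3, "documentation", 0),
    Gap("GAP-004", "HIPAA: security awareness and training", "partial", 0.0, 3, 4, "training", 8),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_GAPS):
        print(row)
```

Note that a "partial" control whose tests show zero effectiveness (GAP-004) scores exactly like a missing control: coverage on paper earns nothing until sampling confirms the control works, which is the point of assessing implementation effectiveness before scoring.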
Phase 5: Remediation Planning
For each identified gap:
| Field | Content |
|---|---|
| Gap ID | Unique identifier |
| Framework Requirement | Specific clause or control |
| Current State | What exists today |
| Target State | What compliance requires |
| Remediation Action | Specific steps to close the gap |
| Owner | Responsible person/team |
| Priority | P0-P4 based on risk score |
| Timeline | Target completion date |
| Dependencies | Other gaps or actions this depends on |
Phase 6: Reporting
Generate audit-ready documentation:
- Executive summary: Compliance posture, key risks, readiness score
- Technical findings: Detailed control assessment results
- Risk matrix: Heat map of gaps by severity and likelihood
- Remediation roadmap: Prioritized timeline with owners
- Evidence package: Organized artifacts indexed to controls
- Compliance attestation: Framework-specific certification readiness
Phase 7: Continuous Monitoring
Establish ongoing compliance posture management:
- Configure automated scanning for drift detection
- Set alert thresholds for control degradation
- Schedule periodic re-assessment cadence
- Track remediation progress against timelines
- Maintain metric dashboards (control coverage, evidence freshness, audit readiness)
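One monitoring cycle covering drift detection, alert thresholds and the three dashboard metrics named above, as an added example rather than code from the page or the skill. The baseline and current configuration snapshots, the SOC 2-style control IDs (labels only), the evidence dates, the readiness weighting (0.4 coverage, 0.4 freshness, 0.2 drift-free) and the thresholds are all constructed assumptions.

```python
"""Added example: drift detection and posture metrics for continuous compliance monitoring.

Snapshots, control IDs, metric weights and thresholds below are constructed assumptions
for illustration; they are not taken from the page or from any framework.
"""
from datetime import date, timedelta


def detect_drift(baseline: dict, current: dict) -> list:
    """Compare the latest configuration export with the approved baseline, control by control.

    One finding per missing control or changed setting, so each can be alerted on and tracked.
    """
    findings = []
    for control, expected in baseline.items():
        actual = current.get(control)
        if actual is None:
            findings.append({"control": control, "kind": "missing", "setting": None,
                             "expected": expected, "actual": None})
            continue
        for setting, want in expected.items():
            got = actual.get(setting)
            if got != want:
                findings.append({"control": control, "kind": "changed", "setting": setting,
                                 "expected": want, "actual": got})
    return findings


def control_coverage(required: set, present: set) -> float:
    """Fraction of required controls that appear in the live configuration."""
    return len(required & present) / len(required) if required else 1.0


def evidence_freshness(last_collected: dict, today: date, max_age_days: int) -> float:
    """Fraction of controls whose newest artifact is no older than max_age_days."""
    if not last_collected:
        return 1.0
    fresh = sum(1 for d in last_collected.values() if (today - d) <= timedelta(days=max_age_days))
    return fresh / len(last_collected)


def readiness_score(coverage: float, freshness: float, drift_count: int, control_count: int) -> float:
    """Weighted 0-1 audit-readiness figure (the weights are an assumption for the dashboard)."""
    drift_free = 1.0 - min(drift_count, control_count) / control_count if control_count else 1.0
    return 0.4 * coverage + 0.4 * freshness + 0.2 * drift_free


def evaluate(baseline: dict, current: dict, last_collected: dict, today: date, thresholds: dict) -> dict:
    """Run one monitoring cycle and return the metrics plus the alerts that breach thresholds."""
    drift = detect_drift(baseline, current)
    coverage = control_coverage(set(baseline), set(current))
    freshness = evidence_freshness(last_collected, today, thresholds["max_evidence_age_days"])
    readiness = readiness_score(coverage, freshness, len(drift), len(baseline))
    alerts = []
    if drift:
        alerts.append(f"drift: {len(drift)} finding(s) against baseline")
    if coverage < thresholds["min_coverage"]:
        alerts.append(f"coverage {coverage:.2f} below {thresholds['min_coverage']}")
    if freshness < thresholds["min_freshness"]:
        alerts.append(f"freshness {freshness:.2f} below {thresholds['min_freshness']}")
    return {"drift": drift, "coverage": coverage, "freshness": freshness,
            "readiness": readiness, "alerts": alerts}


# Constructed sample snapshots; control IDs are labels only.
BASELINE = {
    "CC6.1": {"mfa_required": True, "session_timeout_min": 15},
    "CC6.6": {"tls_min_version": "1.2"},
    "CC7.2": {"log_retention_days": 365},
}
CURRENT = {
    "CC6.1": {"mfa_required": True, "session_timeout_min": 60},  # timeout relaxed since baseline: drift
    "CC6.6": {"tls_min_version": "1.2"},
    # CC7.2 absent from the export: control missing
}
LAST_COLLECTED = {
    "CC6.1": date(2024, 5, 10),
    "CC6.6": date(2024, 1, 30),  # older than the 90-day freshness window
    "CC7.2": date(2024, 5, 20),
}
THRESHOLDS = {"max_evidence_age_days": 90, "min_coverage": 0.9, "min_freshness": 0.9}


def demo() -> dict:
    """Evaluate the constructed snapshots as of a fixed date so the result is reproducible."""
    return evaluate(BASELINE, CURRENT, LAST_COLLECTED, date(2024, 5, 30), THRESHOLDS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the `CURRENT` dict would be populated from the same configuration exports collected in Phase 3, so drift detection and evidence collection run from one pipeline and the baseline itself is versioned as an artifact.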
Core Principles
- Evidence over assertion — every compliance claim must be backed by verifiable artifacts
- Automate first — manual evidence collection does not scale and introduces errors
- Risk-based prioritization — address the highest-risk gaps first
- Continuous posture — compliance is a state, not a one-time event
- Defense in depth — layer controls so single-point failures do not cause non-compliance
Anti-Patterns
- Treating compliance as a checkbox exercise without testing control effectiveness
- Collecting evidence manually when automation is available
- Ignoring gaps because "we've always done it this way"
- Waiting until audit season to gather evidence
- Conflating compliance with security (compliance is a subset)
- Skipping third-party/vendor compliance assessments