
Specialist Compliance Ally

Agent for security, compliance, regulatory, and framework work. Includes structured workflows, validation checks, and reusable patterns for security.

Agent · Cliptics · security · v1.0.0 · MIT

Guide organizations through compliance lifecycle management from framework selection and risk assessment to audit preparation and governance implementation.

When to Use This Agent

Choose this agent when you need to:

  • Develop security policies satisfying multiple overlapping requirements such as SOX, GDPR, and PCI-DSS simultaneously
  • Prepare for external audits by organizing evidence packages, drafting management assertions, and rehearsing walkthroughs
  • Build a GRC program from the ground up with risk registers, control libraries, and board-level reporting

Consider alternatives when:

  • You need automated technical scanning of cloud configurations rather than policy-level guidance
  • Your requirement is real-time intrusion detection rather than proactive compliance planning

Quick Start

Configuration

name: specialist-compliance-ally
type: agent
category: security

Example Invocation

claude agent:invoke specialist-compliance-ally "Prepare SOC 2 Type II audit evidence package for Q1 2026"

Example Output

SOC 2 Type II Evidence Package - Q1 2026
Audit window: 2025-10-01 to 2026-03-15

Evidence Status:
  CC1 - Control Environment:  12/12 artifacts collected
  CC2 - Communication:         8/9  (missing: Jan training log)
  CC6 - Logical Access:       14/15 (missing: Q4 access review)
  CC7 - System Operations:    11/11 artifacts collected
  CC8 - Change Management:     9/9  artifacts collected

Actions: 1) Obtain Jan training report from HR
         2) Complete Q4 access review with sign-off
         3) Schedule walkthrough rehearsal by March 20

Core Concepts

GRC Program Overview

Aspect                 Details
Risk management        Identification, assessment, and treatment of infosec risks using quantitative (ALE) or qualitative (likelihood-impact) methods
Control library        Centralized catalog of controls mapped to frameworks with ownership, testing frequency, and evidence requirements
Policy hierarchy       Board-approved policies down to standards, procedures, and guidelines with defined review cycles
Audit lifecycle        Planning, fieldwork, reporting, and remediation phases with timelines and management response protocols
Continuous compliance  Scheduled evidence collection, drift detection, and exception tracking dashboards

Compliance Lifecycle Architecture

+----------------+     +------------------+     +----------------+
| Framework      | --> | Risk Assessment  | --> | Control Design |
| Selection &    |     | & Register       |     | & Implement    |
| Scoping        |     | Creation         |     |                |
+----------------+     +------------------+     +----------------+
        |                       |                       |
        v                       v                       v
+----------------+     +------------------+     +----------------+
| Evidence       | --> | Audit Execution  | --> | Remediation &  |
| Collection     |     | & Reporting      |     | Improvement    |
+----------------+     +------------------+     +----------------+

Configuration

Parameter            Type    Default                Description
frameworks           list    ["soc2"]               In-scope frameworks: soc2, gdpr, hipaa, pci-dss, sox, iso27001
audit_window_start   date    -                      Start date of the audit observation period
audit_window_end     date    -                      End date of the audit observation period
evidence_repository  string  ./compliance/evidence  Root path for organized evidence artifacts
risk_methodology     enum    qualitative            Scoring approach: qualitative or quantitative (ALE)

Best Practices

  1. Start with a framework crosswalk - Map where SOC 2, GDPR, and HIPAA overlap before building controls. A single encryption control can satisfy three standards, cutting implementation effort dramatically.

  2. Assign evidence owners early - Each control needs a named individual responsible for producing and maintaining evidence, preventing last-minute scrambles that derail timelines.

  3. Rehearse control walkthroughs - Schedule mock sessions with process owners two weeks before external audit to surface documentation gaps while there is still time.

  4. Automate recurring evidence collection - Trigger quarterly access reviews, monthly scans, and annual approvals automatically with calendar reminders and checklists.

  5. Report risk in business terms - Translate findings into revenue loss, penalty exposure, or reputational damage for executive and board audiences.

Common Issues

  1. Evidence gaps during fieldwork - Missing artifacts delay audits. Maintain a rolling evidence tracker updated monthly so gaps surface before the audit window.

  2. Policy documents out of date - Policies referencing deprecated technologies undermine credibility. Enforce annual review with version control and approval signatures.

  3. Duplicate work across frameworks - Centralize evidence through a unified controls matrix that tags each artifact with all applicable framework references.
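Added example (not part of this template or its author's code) of the unified controls matrix and evidence-gap roll-up that sit behind the Example Output above, the control library in Core Concepts, best practices 1 and 2, and common issue 3. Control ids, owners, artifact names and dates are constructed placeholders; an artifact only counts when it is dated inside the audit window.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Control:
    control_id: str        # e.g. "CC6.2"
    category: str          # SOC 2 criteria group the status report rolls up to
    owner: str             # named evidence owner (best practice 2)
    frameworks: tuple      # crosswalk: every framework this one control satisfies
    required: tuple        # artifacts the auditor expects for the observation window
    collected: dict = field(default_factory=dict)  # artifact -> date it was produced

# Constructed sample library; control ids, owners and artifacts are illustrative only.
WINDOW = (date(2025, 10, 1), date(2026, 3, 15))
CONTROLS = [
    Control("CC2.2", "CC2 - Communication", "hr-lead", ("soc2", "iso27001"),
            ("Oct training log", "Nov training log", "Jan training log"),
            {"Oct training log": date(2025, 10, 31), "Nov training log": date(2025, 11, 30)}),
    Control("CC6.2", "CC6 - Logical Access", "iam-lead", ("soc2", "pci-dss", "hipaa"),
            ("Q4 access review", "Q1 access review"),
            {"Q4 access review": date(2025, 9, 20),   # dated before the window: does not count
             "Q1 access review": date(2026, 1, 10)}),
    Control("CC8.1", "CC8 - Change Management", "eng-lead", ("soc2", "iso27001"),
            ("change ticket sample",), {"change ticket sample": date(2026, 2, 1)}),
]

def evidence_status(controls, window):
    """Per category: collected/required counts plus missing artifacts (absent or outside the window)."""
    start, end = window
    report = {}
    for c in controls:
        entry = report.setdefault(c.category, {"collected": 0, "required": 0, "missing": []})
        for art in c.required:
            entry["required"] += 1
            when = c.collected.get(art)
            if when is not None and start <= when <= end:
                entry["collected"] += 1
            else:
                entry["missing"].append(f"{art} (owner: {c.owner})")
    return report

def crosswalk(controls):
    """Unified controls matrix: framework -> control ids, so one artifact serves every framework."""
    matrix = {}
    for c in controls:
        for fw in c.frameworks:
            matrix.setdefault(fw, []).append(c.control_id)
    return matrix
```

Running evidence_status monthly against the live library is the rolling tracker from common issue 1; the missing list names the owner to chase.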
