Part 10: Compliance & Risk, Operationalized
In one line: Knowing a framework exists is useless; this chapter is about operationalizing it — mapping controls to real engineering work, preparing for an audit, running a risk register, and managing third-party risk — so compliance becomes a byproduct of good security rather than a paperwork fire drill.
Compliance frameworks (SOC 2, ISO 27001, PCI-DSS, HIPAA, FedRAMP, GDPR) are lists of controls an organization must demonstrably follow. The gap most teams hit isn't knowing the frameworks — it's doing them: turning "encrypt data at rest" into specific configurations and evidence, surviving an auditor's questions, keeping a living risk register, and vetting vendors who touch your data. This chapter treats compliance as engineering and process, not a checkbox — and connects to the breach-notification obligations from the IR chapter.
What this chapter covers
- The major frameworks — SOC 2, ISO 27001, PCI-DSS, HIPAA, FedRAMP, GDPR — what each actually requires.
- Controls mapping — translating requirements into concrete engineering controls and evidence.
- Audit preparation — what auditors ask for and how to be ready (Type II, evidence collection).
- Risk register — tracking, scoring, and treating risks over time.
- Vendor & third-party risk — assessing the security of who you depend on.
The lessons in this chapter
- The Major Frameworks → — SOC 2, ISO 27001, PCI-DSS, HIPAA, FedRAMP, GDPR by purpose, and why compliance is a floor, not security.
- Controls Mapping → — requirement → concrete control → evidence, and mapping one control to many frameworks.
- Audit Preparation → — Type I vs. Type II, and continuous readiness over cramming.
- The Risk Register → — scoring, owning, treating, and keeping risk alive and accountable.
- Vendor & Third-Party Risk → — proportional assessment, least privilege, and you-can't-outsource-the-risk.
Finish with the Chapter 10 checkpoint → to certify the toolkit before Chapter 11.
→ Start here: The Major Frameworks.