# Compliance and Assurance

![Compliance and Assurance](/files/9g1IgyycH6AhMX64O7j5)

> **Section focus:** practical standards, assurance models, and compliance overlays for product, cloud, and DevSecOps teams.\
> **Best use:** start here when you need to translate a standard or regulatory requirement into engineering decisions, review scope, or evidence expectations.

### Start with these pages

| Page                                                                                                                                                                                                         | Why open it first                                                                                                               |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- |
| [Cloud Security Frameworks and Standards — Practical Map](/metrics-audit-risk-evidence-and-compliance/index-1/cloud-security-frameworks-and-standards-practical-map.md)                                      | Fast orientation across ISO, NIST, CSA CCM, CIS, PCI DSS, FedRAMP, HIPAA, and adjacent frameworks.                              |
| [CSA Cloud Controls Matrix (CCM) — Practical Guide](/metrics-audit-risk-evidence-and-compliance/index-1/csa-cloud-controls-matrix-ccm-practical-guide.md)                                                    | Direct working view of the 17 CCM domains, shared responsibility, engineering anchors, and evidence expectations.               |
| [Compliance-to-Engineering Evidence Pass](/metrics-audit-risk-evidence-and-compliance/index-1/compliance-to-engineering-evidence-pass.md)                                                                    | Maps standards and frameworks to concrete release artifacts, recurring evidence, owners, and reporting packs.                   |
| [🩹 Vulnerability Management / Remediation / Audit / Compliance Mapping](/metrics-audit-risk-evidence-and-compliance/index-1/vulnerability-management-remediation-audit-and-compliance-mapping.md)           | Connects findings inventory, prioritization, remediation, risk acceptance, evidence, and scanner usage into one lifecycle view. |
| [🧾 SOX 404-Style ITGC for Product Security, DevSecOps, Cloud, and Kubernetes](/metrics-audit-risk-evidence-and-compliance/index-1/sox404-style-itgc-for-product-security-devsecops-cloud-and-kubernetes.md) | Translates a SOX-style ITGC audit mindset into software-delivery, cloud, cluster, and evidence controls.                        |
| [🧾 SOC 2 Product Security Audit Template Pack](/metrics-audit-risk-evidence-and-compliance/index-1/soc2-product-security-audit-template-pack.md)                                                            | Template shelf for Product Security control narratives and evidence-friendly policy skeletons used in SOC 2 readiness work.     |
| [U.S. Cybersecurity Laws and Sector Compliance — Quick Map](/metrics-audit-risk-evidence-and-compliance/index-1/us-cybersecurity-laws-and-sector-compliance-quick-map.md)                                    | Short, pragmatic view of the U.S. laws and sector obligations that show up in real assurance conversations.                     |
| [Vendor Guides and Standards Map](/metrics-audit-risk-evidence-and-compliance/index-1/vendor-guides-and-standards-map.md)                                                                                    | Explains how to combine standards with vendor-native implementation docs instead of treating them as separate worlds.           |
| [🧭 DevSecOps Assessment Framework (DAF) and DSOMM — Practical Positioning](/metrics-audit-risk-evidence-and-compliance/index-3/devsecops-assessment-framework-daf-and-dsomm-practical-positioning.md)       | Helps program owners turn maturity models into assessment and roadmap tools.                                                    |

### Related sections

* [DevSecOps Lifecycle](/devsecops-cicd-and-supply-chain/index.md)
* [Threat Modeling](/application-security-and-secure-sdlc/index.md)
* [CI/CD and Software Supply Chain Security](/devsecops-cicd-and-supply-chain/index-1.md)
* [Security Maturity Models](/metrics-audit-risk-evidence-and-compliance/index-3.md)

***

![Compliance Framework Landscape](/files/pQBln7qLuZ5LSptW4kBN)

*Figure: use broad frameworks to shape policy and operating model, then link them to platform-specific controls, evidence, and review workflows.*

### What this section is trying to solve

Security teams regularly hit the same three failure modes:

1. they know a framework name but cannot explain when to use it;
2. they know the requirement but cannot translate it into deployable controls;
3. they collect evidence late, manually, and expensively.

This section exists to reduce those gaps.

### Reading model

Use the pages here in this order:

1. identify whether you are dealing with a **framework**, a **law/regulation**, or a **platform implementation guide**;
2. open the CCM and evidence pages when you need to turn a framework into owners, artifacts, and recurring evidence;
3. map the requirement into control families such as identity, logging, encryption, SDLC, incident response, or evidence;
4. jump from here into the deeper engineering section that actually owns the implementation.

### What belongs here versus elsewhere

This section is intentionally **brief and translational**.

Keep detailed implementation in the engineering sections:

* browser and web-server controls live in [Frontend and Browser Security](/application-security-and-secure-sdlc/index-2.md);
* pipeline and delivery evidence live in [CI/CD and Software Supply Chain Security](/devsecops-cicd-and-supply-chain/index-1.md);
* cloud service hardening lives in [Infrastructure and Cloud Security](/cloud-kubernetes-and-infrastructure-security/index.md);
* maturity overlays live in [Security Maturity Models](/metrics-audit-risk-evidence-and-compliance/index-3.md).

### Suggested cross-links

* [CSA Cloud Controls Matrix (CCM) — Practical Guide](/metrics-audit-risk-evidence-and-compliance/index-1/csa-cloud-controls-matrix-ccm-practical-guide.md)
* [Compliance-to-Engineering Evidence Pass](/metrics-audit-risk-evidence-and-compliance/index-1/compliance-to-engineering-evidence-pass.md)
* [🩹 Vulnerability Management / Remediation / Audit / Compliance Mapping](/metrics-audit-risk-evidence-and-compliance/index-1/vulnerability-management-remediation-audit-and-compliance-mapping.md)
* [🧾 SOX 404-Style ITGC for Product Security, DevSecOps, Cloud, and Kubernetes](/metrics-audit-risk-evidence-and-compliance/index-1/sox404-style-itgc-for-product-security-devsecops-cloud-and-kubernetes.md)
* [🧾 SOC 2 Product Security Audit Template Pack](/metrics-audit-risk-evidence-and-compliance/index-1/soc2-product-security-audit-template-pack.md)
* [Product Security Maturity, Scale, and Business Translation](/metrics-audit-risk-evidence-and-compliance/index/product-security-maturity-metrics-and-business-translation.md)
* [Risk Acceptance, Exceptions, and Decision Records](/strategy-governance-and-leadership/index/risk-acceptance-exceptions-and-decision-records.md)
* [GitLab Release Evidence](/devsecops-cicd-and-supply-chain/index-1/gitlab-release-evidence.md)
* [Security Quality Gates and Release Blocking](/devsecops-cicd-and-supply-chain/index-1/security-quality-gates-and-release-blocking.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
