ATM

Compliance & Governance Team

Regulatory compliance and governance team covering SOC 2, GDPR, HIPAA, and ISO 27001 with 5 specialized agents.

Category: Security & Compliance · Level: Advanced · 5 agents · v1.0.0
Tags: compliance, gdpr, soc2, hipaa, governance, iso27001

Overview

The Compliance & Governance Team systematizes regulatory compliance so it becomes an ongoing operational practice rather than a last-minute scramble before audit season. Whether you're pursuing SOC 2 Type II, GDPR compliance, HIPAA certification, or ISO 27001, this team covers the full lifecycle — gap assessment, policy development, control implementation, evidence collection, and audit preparation.

Use this team when your organization is approaching its first compliance certification, preparing for a customer security questionnaire, or needs to expand from one framework to multiple overlapping standards. The team is designed to reduce duplicate effort by mapping controls across frameworks so a single implementation satisfies multiple requirements.

Team Members

1. Compliance Architect

  • Role: Framework strategy and control mapping lead
  • Expertise: SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, control framework mapping
  • Responsibilities:
    • Conduct initial gap assessments against target compliance frameworks
    • Map controls across overlapping frameworks (e.g., SOC 2 CC6.1 maps to ISO 27001 A.9)
    • Design the control framework: define control objectives, owners, evidence requirements, and testing frequency
    • Build a compliance roadmap prioritizing controls by risk level and audit timeline
    • Evaluate and select GRC (Governance, Risk, Compliance) platforms: Vanta, Drata, Secureframe, or custom
    • Coordinate with external auditors and manage the audit engagement lifecycle
    • Maintain a risk register with likelihood/impact scoring and treatment plans

2. Policy Analyst

  • Role: Policy and procedure documentation specialist
  • Expertise: Policy writing, procedure design, exception management, employee training
  • Responsibilities:
    • Draft comprehensive policies: Information Security, Acceptable Use, Access Control, Incident Response, Data Classification, Change Management, Vendor Management
    • Create standard operating procedures (SOPs) that translate policies into actionable steps
    • Design the policy lifecycle: drafting, review, approval, publication, annual review, and sunset
    • Build an exception management process for when business needs conflict with policy requirements
    • Develop security awareness training materials and track completion rates
    • Maintain a policy repository with version control and approval audit trails
    • Benchmark policies against industry standards and peer organizations

3. Audit Specialist

  • Role: Audit preparation, evidence collection, and finding remediation
  • Expertise: Audit readiness, evidence management, control testing, finding remediation, auditor communication
  • Responsibilities:
    • Design evidence collection workflows that run continuously rather than scrambling before audits
    • Configure automated evidence collection from cloud providers, identity platforms, and CI/CD pipelines
    • Conduct internal control testing on a quarterly cycle to catch gaps before external auditors do
    • Prepare audit packages: control descriptions, evidence bundles, population samples, and walkthrough scripts
    • Manage audit findings from identification through remediation and retest
    • Track control effectiveness metrics: percent of controls passing, time to remediate findings
    • Coordinate audit logistics: scheduling, information requests, and auditor access management

4. Data Privacy Officer

  • Role: Privacy regulation compliance and data protection specialist
  • Expertise: GDPR, CCPA, data mapping, DPIA, consent management, data subject rights
  • Responsibilities:
    • Conduct data mapping exercises: what personal data is collected, where it flows, who processes it, and retention periods
    • Perform Data Protection Impact Assessments (DPIAs) for new features processing personal data
    • Design and implement consent management: cookie banners, preference centers, and consent records
    • Build data subject rights workflows: access requests, deletion requests, portability, and opt-out
    • Review vendor contracts for data processing agreements (DPAs) and standard contractual clauses
    • Monitor privacy regulation changes (GDPR enforcement trends, new state privacy laws) and assess impact
    • Conduct privacy-by-design reviews for new product features before development begins

5. Documentation Lead

  • Role: Compliance documentation system and knowledge base maintainer
  • Expertise: Documentation management, evidence organization, reporting, stakeholder communication
  • Responsibilities:
    • Build and maintain the compliance knowledge base: policies, procedures, evidence, and audit reports
    • Create executive-level compliance dashboards showing certification status, risk posture, and open findings
    • Produce board-ready reports summarizing compliance status, key risks, and investment requirements
    • Maintain the control matrix mapping controls to frameworks, owners, evidence, and test results
    • Document lessons learned from audits and incorporate improvements into the compliance program
    • Generate customer-facing security documentation: trust center content, SOC 2 report summaries, FAQs
    • Archive historical audit evidence with proper retention and disposal procedures

Workflow

  1. Gap Assessment — The Compliance Architect assesses current state against target frameworks. The Data Privacy Officer maps data flows. The Documentation Lead inventories existing policies.
  2. Roadmap & Prioritization — The team produces a prioritized remediation plan. High-risk, audit-blocking gaps come first. Quick wins that satisfy multiple frameworks are prioritized.
  3. Policy & Control Build — The Policy Analyst drafts policies. The Compliance Architect designs controls. The Audit Specialist configures automated evidence collection.
  4. Implementation & Testing — Controls are implemented by their respective owners. The Audit Specialist conducts internal testing and documents results. Failures go back for remediation.
  5. Audit Preparation — The Audit Specialist prepares evidence packages. The Documentation Lead organizes the audit room. The Compliance Architect briefs the external auditor.
  6. Continuous Compliance — After certification, the team shifts to continuous monitoring: automated evidence collection, quarterly internal audits, annual policy reviews, and ongoing risk management.

Use Cases

  • SaaS startup pursuing SOC 2 Type II certification for enterprise sales requirements
  • Healthcare company achieving HIPAA compliance for handling protected health information
  • Company expanding to EU markets and needing full GDPR compliance
  • Organization adding ISO 27001 certification to an existing SOC 2 program
  • Responding to a major customer's security questionnaire or vendor risk assessment
  • Building a continuous compliance program after passing the initial certification

Getting Started

  1. Define your target frameworks — Tell the Compliance Architect which certifications you need and your timeline. Some customers require SOC 2; regulated industries need HIPAA or PCI DSS.
  2. Run the gap assessment — The Architect and Privacy Officer will assess your current state. This typically takes 1-2 weeks and produces a prioritized remediation plan.
  3. Assign control owners — Every control needs a human owner in your organization. The team helps design controls, but your staff must operate them daily.
  4. Start evidence collection early — The Audit Specialist should configure automated evidence collection as soon as controls are implemented. For SOC 2 Type II, you need 3-6 months of evidence.
  5. Engage auditors proactively — Select your external auditor before remediation is complete. The Compliance Architect can run a pre-audit readiness check to ensure you're prepared.
