Compliance & Governance
The authority hub for compliance and governance — HIPAA, PCI DSS, SOC 2, NIST CSF, CIS Controls, and cyber insurance readiness.
Tools
Compliance & Governance Tools
Free, client-side tools — nothing is transmitted or stored.
Compliance Readiness Assessment
Evaluate SOC 2, HIPAA, and NIST CSF governance maturity across seven areas.
Open →
Compliance Framework Selector
Identify which compliance frameworks actually apply to your organization.
Open →
NIST CSF Assessment
Evaluate maturity across all six NIST Cybersecurity Framework functions.
Open →
CIS Controls Assessment
Evaluate coverage of the CIS Controls Implementation Group 1 safeguards.
Open →
HIPAA Readiness Assessment
Evaluate Administrative, Physical, and Technical Safeguard coverage against the HIPAA Security Rule.
Open →
PCI DSS Readiness Assessment
Evaluate cardholder data environment scope, segmentation, and control coverage against PCI DSS 4.0.
Open →
CMMC Readiness Assessment
Evaluate readiness against CMMC 2.0 Level 1 and Level 2 practices.
Open →
NIST 800-171 Assessment
Evaluate coverage across the 14 NIST SP 800-171 control families protecting CUI.
Open →
ISO 27001 Readiness Assessment
Evaluate Information Security Management System maturity against ISO 27001 requirements.
Open →
Vendor Risk Assessment
Evaluate third-party vendor risk management discipline — inventory, due diligence, and ongoing monitoring.
Open →
Audit Evidence Checklist Generator
Generate a tailored audit evidence collection checklist based on your applicable frameworks.
Open →
Downloads
Downloadable Resources
Free templates and guides — preview, copy, or download as Markdown or plain text.
Checklist
Compliance Readiness Checklist
A cross-framework checklist covering the core governance and compliance controls most audits and frameworks expect to see in place.
Open →
Workbook
Audit Preparation Workbook
A structured workbook for organizing scope, evidence, and internal review ahead of a compliance or security audit.
Open →
Quick Reference
NIST CSF 2.0 Quick Reference
A one-page-style reference to the six NIST Cybersecurity Framework 2.0 functions and representative activities for each.
Open →
Checklist
CIS Controls IG1 Starter Checklist
A practical starter checklist of representative CIS Controls Implementation Group 1 (IG1) safeguards across several of the 18 controls.
Open →
Checklist
HIPAA Compliance Checklist
A checklist organized by the three HIPAA Security Rule safeguard categories — Administrative, Physical, and Technical.
Open →
Guide
PCI DSS Preparation Guide
A practical guide to preparing for PCI DSS 4.0 covering scope reduction, the six control goals, and reducing audit burden.
Open →
Guide
CMMC Preparation Guide
A practical guide to determining your CMMC level, mapping practices to NIST SP 800-171, and preparing for a C3PAO assessment.
Open →
Checklist
NIST SP 800-171 Control Family Checklist
A checklist of representative implementation items organized by NIST SP 800-171 control family, for organizations protecting CUI.
Open →
Workbook
ISO 27001 Readiness Workbook
A workbook for scoping the ISMS, running the risk assessment, and preparing for Stage 1 and Stage 2 certification audits.
Open →
Questionnaire
Vendor Security Risk Questionnaire
A representative vendor security questionnaire covering data handling, certifications, access controls, incident history, and audit rights.
Open →
Workbook
Audit Evidence Collection Workbook
A workbook for mapping controls to evidence types, building a continuous collection cadence, and tracking evidence quality.
Open →
Template
Compliance Policy Documentation Template
A reusable template structure for writing compliance and security policy documents, with version control guidance.
Open →
Foundations
Compliance Fundamentals and Governance
What compliance actually means, how frameworks relate, and why governance is what sustains it.
Compliance Fundamentals: What It Actually Means for a Business
What 'compliance' means in practice, how the major frameworks relate to each other, and why compliance readiness is an ongoing discipline rather than a one-time audit event.
Beginner
Open →
Governance vs. Compliance: Why the Distinction Matters
The specific difference between compliance and governance, why compliance-only organizations fail audits repeatedly, and what a functioning governance operating model looks like.
Beginner
Open →
Risk & Maturity Frameworks
NIST CSF, CIS Controls, CMMC, NIST 800-171, and ISO 27001
The general-purpose and certifiable maturity models — how they relate, and how to choose which to lead with.
NIST Cybersecurity Framework Overview
What NIST CSF actually is, the six functions in CSF 2.0, and how organizations use it as a structure rather than a certification.
Intermediate
Open →
CIS Controls Overview
What the CIS Controls are, the three Implementation Groups, and why IG1 is the practical starting point for most small-to-midsize organizations.
Intermediate
Open →
CMMC 2.0 Overview
What CMMC 2.0 is, the three certification levels, and how it builds directly on NIST SP 800-171 rather than inventing a separate control set.
Intermediate
Open →
NIST SP 800-171 Explained
What NIST SP 800-171 protects, its 14 control families, how it differs from NIST CSF, and why it matters beyond direct DoD contractors.
Intermediate
Open →
ISO 27001 Overview
What ISO 27001 actually certifies, the Plan-Do-Check-Act cycle, the Statement of Applicability, and how the certification audit process works.
Intermediate
Open →
Cybersecurity Maturity Models Compared
How NIST CSF, CIS Controls, ISO 27001, and CMMC differ, and practical guidance on which one to lead with.
Intermediate
Open →
Regulatory & Attestation
HIPAA, PCI DSS, and SOC 2
HIPAA Security Rule Explained
What the HIPAA Security Rule actually governs, the three safeguard categories, and why 'addressable' does not mean optional.
Intermediate
Open →
PCI DSS 4.0 Overview
What PCI DSS actually requires, what changed in version 4.0, and why scope reduction is the highest-leverage compliance decision most organizations can make.
Intermediate
Open →
SOC 2 Explained
What a SOC 2 report actually is, the five Trust Services Criteria, the Type I vs. Type II distinction, and why it's become a de facto B2B requirement.
Intermediate
Open →
Cyber Insurance
Insurance as a De Facto Framework
Operational Practices
Evidence, Documentation, and Risk Assessment
The cross-framework operational disciplines every compliance program depends on, regardless of which framework applies.
Audit Evidence Collection: What Auditors Actually Accept
What counts as credible audit evidence, why continuous collection beats pre-audit scrambling, common evidence-quality mistakes, and a practical control-to-evidence mapping approach.
Intermediate
Open →
Compliance Documentation Best Practices
Why documentation quality directly affects audit outcomes, what makes a policy credible, version control discipline, and the difference between policies and procedures.
Beginner
Open →
Risk Assessments vs. Compliance Assessments: What's the Difference?
The specific distinction between a risk assessment and a compliance assessment, why passing a compliance audit doesn't mean risk is well-managed, and why organizations need both.
Intermediate
Open →
Quick Reference
The Short Version
Full treatment lives in the articles above.
Compliance ≠ Governance
Compliance is meeting a defined external checklist at a point in time. Governance is the operating model that keeps you compliant continuously, not just before an audit.
"Addressable" Is Not Optional
Under HIPAA, an addressable safeguard still must be implemented, replaced with an equivalent alternative, or its omission formally documented — it is never simply skippable.
Scope Reduction Is the Highest-Leverage PCI DSS Decision
Segmenting the cardholder data environment and minimizing where card data touches your network reduces audit cost and effort more than any individual control.
Cyber Insurance Is a De Facto Framework
Insurers now verify specific controls — MFA, EDR, immutable backups, tested incident response — before issuing or paying out on a policy, whether or not any other framework applies to you.
CMMC Certifies Against NIST 800-171, Not a Separate Control Set
CMMC Level 2 doesn't invent new requirements — it certifies an organization's implementation of the same 110 practices already defined in NIST SP 800-171.
Vendor Risk Is the Most Under-Managed Control Category
Nearly every framework in this cluster requires vendor due diligence, but most organizations only assess vendors at onboarding and never reassess — a gap auditors consistently flag.
FAQ
Common Questions
Which framework should we start with?
Use the Compliance Framework Selector to identify which frameworks actually apply based on your industry, data types, and customer requirements — most organizations are only genuinely obligated under one or two of the frameworks covered in this cluster, not all of them.
How does this cluster relate to Identity & Access Management and Microsoft 365 Security?
Those clusters cover the technical controls — MFA, Conditional Access, encryption, backup — that every framework in this cluster ultimately requires as evidence. This cluster explains the frameworks and audit process; the other clusters explain how to actually implement the underlying controls.
Do we need a formal audit to benefit from these articles?
No — NIST CSF and CIS Controls in particular are widely used as internal planning frameworks with no certification requirement at all. HIPAA, PCI DSS, and SOC 2 do involve formal assessment processes, but the governance discipline covered throughout this cluster benefits any organization regardless of audit requirements.
Operational Support
Need help building an audit-ready compliance program?
IT KORR can assess your framework obligations, close control gaps, and build the governance operating model that keeps you compliant continuously — not just before an audit.
No commitment required — we respond within one business day.