Date 2025-11-29
Compliance Standards: SOC 2, ISO 27001, GDPR, and PCI-DSS

Navigate the major security compliance frameworks - SOC 2, ISO 27001, GDPR, and PCI-DSS - learning controls mapping, audit evidence, and audit prep.

🔥 Level 1011 (Warrior) · 🏰 Main Quest · 🟡 Medium · 90-120 minutes

Master SOC 2, ISO 27001, GDPR, and PCI-DSS - controls, audit evidence, and audit readiness

Primary Tech
🛠️ compliance
Skill Focus
Security
Series
Security Mastery
Author
IT-Journey Team
XP Range
⚡ 5250-6000

Greetings, brave adventurer! You have built strong walls and tested them well - but in the wider world, strength is not enough. You must also prove it, in writing, to skeptical auditors and wary customers. This quest, Compliance Standards, teaches the scribe’s discipline: mapping the controls you already have to the great frameworks of trust - SOC 2, ISO 27001, GDPR, and PCI-DSS - and gathering the evidence that shows they truly operate.

Compliance is where security meets the ledger. A control that works but cannot be evidenced is, to an auditor, a control that does not exist. Master this quest and you can translate technical defenses into the language of attestation, certification, and regulation.

📖 The Legend Behind This Quest

As commerce moved into the cloud, a problem of trust arose: how could one company rely on another to guard its data? The answer was independent frameworks and audits - SOC 2 attestations, ISO 27001 certifications, and laws like GDPR and PCI-DSS - that let an outside party vouch for a system’s controls. The clever defender soon realized a secret: most of these frameworks ask for the same handful of controls under different names. Map once, satisfy many.

🎯 Quest Objectives

By the time you complete this journey, you will have mastered:

Primary Objectives (Required for Quest Completion)

  • SOC 2 - The five Trust Services Criteria and what a Type I vs Type II report means
  • ISO 27001 - An ISMS, Annex A controls, and how certification differs from attestation
  • GDPR - Lawful basis, data-subject rights, and the core privacy obligations
  • PCI-DSS - The intent of the requirements protecting cardholder data
  • Controls Mapping & Evidence - Map one control to many frameworks and gather audit evidence

Secondary Objectives (Bonus Achievements)

  • Gap Assessment - Compare current state to a framework’s requirements
  • Continuous Compliance - Automate evidence collection rather than scrambling at audit time
  • Shared Responsibility - Understand who owns which control in a cloud environment

Mastery Indicators

You’ll know you’ve truly mastered this quest when you can:

  • Explain how SOC 2 and ISO 27001 differ in form and outcome
  • Describe two GDPR data-subject rights
  • State what PCI-DSS exists to protect
  • Build a row of a controls matrix that satisfies several frameworks at once

🗺️ Quest Prerequisites

📋 Knowledge Requirements

  • Completion of Security Fundamentals (recommended)
  • Understanding of security controls and the CIA triad
  • General awareness of how organizations collect and store data

🛠️ System Requirements

  • Modern operating system (Windows 10+, macOS 10.14+, or Linux)
  • A spreadsheet tool or text editor for building a controls matrix
  • A web browser to read framework references

🧠 Skill Level Indicators

This 🟡 Medium quest expects:

  • You can reason about processes and evidence, not just code
  • You are ready to translate technical controls into framework language
  • Ready for 90-120 minutes of focused study

🌍 Choose Your Adventure Platform

This quest is documentation- and process-heavy. Your “tools” are a controls matrix and the framework references. Any platform works.

🍎 macOS Kingdom Path

```bash
# Build your controls matrix as version-controlled, plain-text Markdown/CSV
mkdir -p ~/compliance && cd ~/compliance
printf "Control,SOC2,ISO27001,GDPR,PCI-DSS,Evidence\n" > controls-matrix.csv
# Open in Numbers if it is installed; otherwise just show the header row
open -a "Numbers" controls-matrix.csv 2>/dev/null || cat controls-matrix.csv
```

🪟 Windows Empire Path

```powershell
# Start a controls matrix you can track in git
New-Item -ItemType Directory -Force -Path "$HOME\compliance" | Out-Null
Set-Content "$HOME\compliance\controls-matrix.csv" "Control,SOC2,ISO27001,GDPR,PCI-DSS,Evidence"
Get-Content "$HOME\compliance\controls-matrix.csv"
```

🐧 Linux Territory Path

```bash
# Plain-text, version-controlled evidence beats a sprawling shared drive
mkdir -p ~/compliance && cd ~/compliance
echo "Control,SOC2,ISO27001,GDPR,PCI-DSS,Evidence" > controls-matrix.csv
git init -q && git add controls-matrix.csv
```

☁️ Cloud Realms Path

```bash
# Cloud providers publish their own attestations, which you inherit under the
# shared responsibility model. Pull them from the trust portals:
# AWS Artifact, Azure Service Trust Portal, Google Cloud Compliance Reports.
echo "Inherit provider controls; you remain responsible for your config + data."
```

🧙‍♂️ Chapter 1: SOC 2 and ISO 27001 - Attestation vs Certification

The two most common frameworks a software company meets are SOC 2 and ISO 27001. They overlap heavily but differ in form.

⚔️ Skills You’ll Forge in This Chapter

  • The SOC 2 Trust Services Criteria and report types
  • The ISO 27001 ISMS and Annex A controls
  • When each is asked for

🏗️ SOC 2

SOC 2 is an attestation report produced by a licensed CPA firm against the AICPA's five Trust Services Criteria (TSC). Security is the only mandatory criterion; it is expressed as the Common Criteria (CC1 through CC9), which is why SOC 2 control references look like "CC6.1". The other four are added only if the company chooses to be examined against them:

| Criterion | Concern |
|---|---|
| Security (required) | Protection against unauthorized access, both physical and logical |
| Availability | The system is available for operation and use as committed or agreed |
| Processing Integrity | Processing is complete, valid, accurate, timely, and authorized |
| Confidentiality | Information designated as confidential is protected as committed or agreed |
| Privacy | Personal information is collected, used, retained, disclosed, and disposed of in line with the privacy notice |
  • A Type I report assesses control design at a point in time.
  • A Type II report assesses operating effectiveness over a period (typically 3-12 months) - this is what customers usually demand.

🏗️ ISO 27001

ISO/IEC 27001 is an international standard for an Information Security Management System (ISMS). Unlike SOC 2’s attestation, ISO 27001 yields a formal certification from an accredited body. Its Annex A (revised in the 2022 edition to 93 controls across four themes - Organizational, People, Physical, Technological) is the control catalog.

| | SOC 2 | ISO 27001 |
|---|---|---|
| Origin | US-centric, AICPA | International standard (ISO/IEC) |
| Output | Attestation report issued by a CPA firm | Certificate issued by an accredited certification body |
| Control basis | Trust Services Criteria | ISMS requirements (clauses 4-10) plus Annex A controls |
| Audit shape | Type I (design at a point in time) / Type II (operating effectiveness over a period) | Stage 1 (documentation review) / Stage 2 (implementation audit) |
| Cadence | Renewed annually, with the report period rolling forward | 3-year certification cycle with annual surveillance audits and recertification at the end |

🔍 Knowledge Check: SOC 2 & ISO 27001

  • Which SOC 2 criterion is always required?
  • What does a Type II report add over a Type I?
  • How does ISO 27001 certification differ from a SOC 2 attestation?

🧙‍♂️ Chapter 2: GDPR and PCI-DSS - Regulation and Mandate

SOC 2 and ISO 27001 are voluntary frameworks. GDPR is law; PCI-DSS is a contractual mandate. Both carry real penalties.

⚔️ Skills You’ll Forge in This Chapter

  • GDPR lawful basis and data-subject rights
  • The intent behind PCI-DSS

🏗️ GDPR (General Data Protection Regulation)

The EU's GDPR governs the processing of personal data of people in the EU/EEA. It binds controllers and processors established there, and also organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in it (Article 3), so the location of your servers does not take you out of scope. Core ideas:

  • Lawful basis (Art. 6) - you need one of six legal grounds to process personal data: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  • Data-subject rights (Arts. 15-22) - access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and safeguards against decisions based solely on automated processing.
  • Principles (Art. 5) - lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability (you must be able to demonstrate compliance, which is where evidence comes in).
  • Security of processing (Art. 32) - "appropriate technical and organisational measures"; this is the article most technical controls map to.
  • Breach notification (Art. 33) - notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a qualifying breach; affected individuals must also be told when the breach is likely to result in a high risk to them (Art. 34).
  • Penalties (Art. 83) - up to €20 million or 4% of worldwide annual turnover for the preceding year, whichever is higher, for the most serious infringements.

🏗️ PCI-DSS (Payment Card Industry Data Security Standard)

PCI-DSS is not a law: it is mandated by the card brands, flowed down through acquirer and processor contracts, for any organization that stores, processes, or transmits cardholder data. The current major version is PCI DSS v4 (v4.0.1, which superseded v4.0 at the end of 2024). Its twelve requirements protect the cardholder data environment (CDE):

1–2  Build and maintain a secure network (firewalls, no vendor defaults)
3–4  Protect stored cardholder data and encrypt it in transit
5–6  Maintain a vulnerability program (anti-malware, secure development)
7–8  Strong access control (need-to-know, unique IDs, MFA)
9    Restrict physical access to cardholder data
10–11 Monitor and test networks (logging, scans, penetration tests)
12   Maintain an information security policy

The cheapest path to compliance is often to reduce scope - e.g., never store card numbers yourself; use a tokenizing payment processor so the CDE barely touches your systems.

🔍 Knowledge Check: GDPR & PCI-DSS

  • Name two GDPR data-subject rights
  • What is the GDPR breach-notification deadline?
  • Why does reducing PCI scope reduce compliance burden?

🧙‍♂️ Chapter 3: Controls Mapping and Audit Evidence

Here is the secret that makes compliance tractable: the frameworks overlap enormously. A single technical control - say, enforcing MFA - satisfies a requirement in every one of them. Map once, evidence once, satisfy many.

⚔️ Skills You’ll Forge in This Chapter

  • Building a controls-mapping matrix
  • Identifying valid audit evidence

🏗️ A Controls-Mapping Matrix

Control: Multi-Factor Authentication on admin access
  SOC 2      -> CC6.1 (logical access security)
  ISO 27001  -> A.8.5 (secure authentication)
  GDPR       -> Art. 32 (security of processing — appropriate measures)
  PCI-DSS    -> Req. 8.4/8.5 (MFA for access to the CDE)
  Evidence   -> IdP config screenshot + MFA enrollment report + access log sample

One control, four frameworks. Maintain this matrix as the spine of your compliance program.
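The matrix above kept as data rather than as a spreadsheet, so it can be linted for gaps and queried when an auditor asks "show me what satisfies A.8.5". This is an added example for this quest, not code from the page or from any compliance product: the MFA row is the page's own; the encryption and logging rows, and the requirement identifiers in them, are assumptions for illustration and must be checked against the current edition of each framework before use.

```python
"""Controls-mapping matrix as data, with a gap report and reverse lookup.

Added example for this quest; not the page's own code and not a real
compliance product. The MFA row is the one from the chapter. The two extra
rows, and every requirement identifier in them, are assumptions chosen to
make the gap report interesting: verify each against the current edition
of the framework before putting it in front of an auditor.
"""
import csv
import io

FRAMEWORKS = ("SOC2", "ISO27001", "GDPR", "PCI-DSS")
COLUMNS = ("Control", *FRAMEWORKS, "Evidence")

# One row per control; an empty string means "not yet mapped / not yet evidenced".
CONTROLS = [
    {"Control": "MFA on admin access",
     "SOC2": "CC6.1", "ISO27001": "A.8.5", "GDPR": "Art. 32", "PCI-DSS": "Req. 8.4/8.5",
     "Evidence": "IdP MFA policy export; MFA enrollment report; admin sign-in log sample"},
    # Assumed row: encryption at rest. Identifiers are illustrative, to be verified.
    {"Control": "Encryption at rest for customer data",
     "SOC2": "CC6.1", "ISO27001": "A.8.24", "GDPR": "Art. 32", "PCI-DSS": "Req. 3.5",
     "Evidence": "Storage and KMS configuration export"},
    # Assumed row: deliberately incomplete so the gap report has something to find.
    {"Control": "Centralised security logging",
     "SOC2": "CC7.2", "ISO27001": "A.8.15", "GDPR": "", "PCI-DSS": "Req. 10.2",
     "Evidence": ""},
]


def find_gaps(controls):
    """Rows an auditor would bounce: a missing framework mapping or no named evidence."""
    gaps = {}
    for row in controls:
        problems = [f"no {fw} mapping" for fw in FRAMEWORKS if not row[fw].strip()]
        if not row["Evidence"].strip():
            problems.append("no evidence named")
        if problems:
            gaps[row["Control"]] = problems
    return gaps


def controls_for(controls, framework, requirement):
    """Reverse lookup for an auditor request such as 'show me ISO A.8.5':
    returns (control name, evidence) pairs that satisfy it."""
    return [(row["Control"], row["Evidence"])
            for row in controls if row[framework] == requirement]


def evidence_reuse(controls):
    """How many frameworks each control's evidence serves: the
    'map once, satisfy many' payoff made countable."""
    return {row["Control"]: sum(1 for fw in FRAMEWORKS if row[fw].strip())
            for row in controls}


def to_csv(controls):
    """Same column layout as the platform-path starter file, so it can live in git."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(controls)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(CONTROLS))
    for name, problems in find_gaps(CONTROLS).items():
        print(f"GAP  {name}: {', '.join(problems)}")
    print(controls_for(CONTROLS, "ISO27001", "A.8.5"))
```

`find_gaps` is the first pass of the gap assessment in the Intermediate Challenge; `controls_for` answers an auditor's request from one place instead of four spreadsheets; `to_csv` writes the column layout the platform-path starter files begin with, so the matrix can be reviewed and versioned like code.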

🏗️ What Counts as Audit Evidence

Auditors do not take your word for it; they want artifacts proving a control is designed and operating over time. Roughly from strongest to weakest:

  - Configuration exports pulled by script (IAM policies, firewall rules, encryption settings), with the source system and export date recorded
  - System-generated logs and reports (access reviews, vulnerability scans, MFA enrollment reports)
  - Tickets showing a process ran (offboarding, change approvals)
  - Signed policies and training completion records
  - Screenshots - the weakest: easy to fake and hard to date; acceptable only with a visible timestamp and system identifier, and even then only as a point-in-time sample

For a Type II report or an ISO 27001 certification audit, evidence must span the AUDIT PERIOD, not just a single moment. One screenshot is design; a quarter of access reviews is operation. Expect sampling: the auditor picks dates across the period and asks for the artifact from each, so a gap of several months with nothing to show is a finding even if the control exists today.

Mature teams pursue continuous compliance - automating evidence collection (e.g., with tools like Vanta, Drata, or custom scripts pulling cloud config) so an audit is a query, not a fire drill.
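The "a quarter of access reviews is operation" rule turned into a check that a collection script can run before the auditor asks, plus a hashed manifest so the package is tamper-evident. This is an added example for this quest, not the page's code and not a feature of Vanta, Drata or any other product; the evidence records are constructed stand-ins for what a script would pull from a ticketing system or identity provider, and the source-system names are assumed.

```python
"""Does the evidence for a recurring control actually span the audit period?

Added example for this quest: not the page's own code and not any vendor's
tool. The Evidence records at the bottom are constructed stand-ins for what
a collection script would pull from a ticketing system or identity provider;
the source-system names are assumed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Evidence:
    control: str
    kind: str           # "access-review", "config-export", ...
    performed_on: date  # when the control activity happened, not when it was collected
    source: str         # system of record the artifact came from
    payload: str        # artifact content, or a pointer to it in the evidence store


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def coverage_gaps(records, period_start, period_end, max_gap_days):
    """Intervals inside [period_start, period_end] longer than max_gap_days with
    no evidence dated in them. An empty list means the control is evidenced at
    the required cadence for the whole period. Evidence dated outside the period
    is ignored on purpose: a review run the week before the period opened says
    nothing about the period itself."""
    dates = sorted(r.performed_on for r in records
                   if period_start <= r.performed_on <= period_end)
    gaps, prev = [], period_start
    for d in dates + [period_end]:
        if (d - prev).days > max_gap_days:
            gaps.append((prev, d))
        prev = d
    return gaps


def assess(records, period_start, period_end, max_gap_days):
    """'operating' when evidence spans the period at cadence; 'design-only' when
    artifacts exist but do not show the control running over time."""
    if coverage_gaps(records, period_start, period_end, max_gap_days):
        return "design-only"
    return "operating"


def manifest(records):
    """Tamper-evident index of an evidence package: one SHA-256 per artifact and a
    digest over the sorted list, so the result does not depend on collection
    order. Commit it next to the artifacts; an auditor can re-hash any of them."""
    entries = [
        {"control": r.control, "kind": r.kind, "performed_on": r.performed_on.isoformat(),
         "source": r.source, "sha256": sha256_hex(r.payload)}
        for r in sorted(records, key=lambda r: (r.performed_on, r.kind, r.source))
    ]
    return {"entries": entries,
            "manifest_sha256": sha256_hex(json.dumps(entries, sort_keys=True))}


# Constructed sample: a 12-month Type II period, a quarterly admin access review
# that was skipped in Q3, and one point-in-time IdP configuration export.
PERIOD_START, PERIOD_END = date(2025, 1, 1), date(2025, 12, 31)
QUARTERLY_MAX_GAP = 100  # days between reviews: a quarter plus a little slack

ACCESS_REVIEWS = [
    Evidence("MFA on admin access", "access-review", date(2025, 2, 10), "ticketing (assumed)",
             "ADMIN-REVIEW-Q1: 14 admin accounts reviewed, 1 removed"),
    Evidence("MFA on admin access", "access-review", date(2025, 5, 8), "ticketing (assumed)",
             "ADMIN-REVIEW-Q2: 13 admin accounts reviewed, 0 removed"),
    Evidence("MFA on admin access", "access-review", date(2025, 11, 20), "ticketing (assumed)",
             "ADMIN-REVIEW-Q4: 15 admin accounts reviewed, 2 removed"),
]
# The review that should have happened in Q3; adding it closes the gap.
MISSING_Q3_REVIEW = Evidence("MFA on admin access", "access-review", date(2025, 8, 15),
                             "ticketing (assumed)", "ADMIN-REVIEW-Q3: 14 admin accounts reviewed, 0 removed")
CONFIG_EXPORT = [
    Evidence("MFA on admin access", "config-export", date(2025, 1, 15), "idp (assumed)",
             '{"mfa_required_for_admins": true}'),
]

if __name__ == "__main__":
    for label, records in (("access reviews", ACCESS_REVIEWS),
                           ("access reviews + Q3", ACCESS_REVIEWS + [MISSING_Q3_REVIEW]),
                           ("config export only", CONFIG_EXPORT)):
        gaps = coverage_gaps(records, PERIOD_START, PERIOD_END, QUARTERLY_MAX_GAP)
        print(f"{label}: {assess(records, PERIOD_START, PERIOD_END, QUARTERLY_MAX_GAP)}",
              [(a.isoformat(), b.isoformat()) for a, b in gaps])
    print(json.dumps(manifest(ACCESS_REVIEWS), indent=2))
```

Three reviews over a year come back as "design-only" because the May-to-November hole is longer than a quarter; the single configuration export comes back the same way for the opposite reason, a point-in-time artifact that proves design and nothing after 15 January. Run `coverage_gaps` on a schedule over whatever your collector pulls, and the audit becomes a query rather than a fire drill.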

🔍 Knowledge Check: Mapping & Evidence

  • How can one control satisfy multiple frameworks?
  • Why must Type II evidence span a period, not a moment?
  • What makes a configuration export stronger evidence than a screenshot?

🎮 Mastery Challenges

🟢 Novice Challenge: Map One Control

Objective: Pick one control you actually use (encryption at rest, MFA, logging) and map it to all four frameworks.

Requirements:

  • One control, four framework references
  • One concrete piece of evidence that proves it
  • Note which framework’s wording is strictest

Validation: Each mapping cites a plausible requirement area.

🟡 Intermediate Challenge: Gap Assessment

Objective: Choose three SOC 2 Security criteria controls and assess whether a system you know meets them.

Requirements:

  • State each control’s intent
  • Mark met / partial / gap with justification
  • Propose how to close each gap

Validation: Each “met” claim has evidence behind it.

🔴 Advanced Challenge: Mini Audit Package

Objective: Assemble an evidence package for one control as if for a Type II audit.

Requirements:

  • Document the control’s design (the policy/config)
  • Provide operating evidence spanning a period
  • Map it across at least three frameworks
  • Identify how the evidence could be collected automatically

Validation: An auditor could conclude the control operated for the period.

🏆 Quest Rewards & Achievements

🎖️ Badges Earned:

  • 🏆 Scribe of Trust - You mapped controls to the great frameworks
  • 🛡️ Keeper of the Ledger - You prepared evidence auditors accept

🛠️ Skills Unlocked:

  • Controls Mapping Across Frameworks - Satisfy many standards with one matrix
  • Audit Evidence Preparation - Prove controls operate over time

🔓 Unlocked Quests:

  • You have completed the core Security & Compliance arc - advance toward the Master tier

📊 Progression Points: +90 XP

🗺️ Next Steps in Your Journey

Continue the Main Story:

  • 🎯 Advance to the Master tier (Level 1100+) - Data Engineering and beyond

Explore Side Adventures:

Character Class Recommendations

💻 Software Developer: Revisit Secure Coding Practices
🏗️ System Engineer: Explore Penetration Testing
🛡️ Security Specialist: Deepen Threat Modeling

📚 Resources


🤝 Quest Completion Checklist

  • ✅ Completed all primary objectives
  • ✅ Built a controls-mapping matrix row across frameworks
  • ✅ Answered all knowledge check questions
  • ✅ Completed at least one mastery challenge
  • ✅ Explored the resource library
  • ✅ Identified your next quest in the journey

🕸️ Knowledge Graph

Structured wiki-links connect this quest to the IT-Journey knowledge graph. Open the Obsidian Graph View to explore connections.

Level hub: [[Level 1011 - Security & Compliance]] Overworld: [[🏰 Overworld - Master Quest Map]] Prerequisites: [[Security Fundamentals: CIA Triad and Defense in Depth Strategies]] Related quests: [[Penetration Testing: Tools and Ethical Hacking Methodologies]] · [[Threat Modeling: STRIDE Framework and Attack Trees Analysis]] · [[Secure Coding Practices: OWASP Top 10 Vulnerability Prevention]] Obsidian docs: [[Obsidian Knowledge Graph and Wiki Links]]
