Compliance

Compliance, mapped

Practical compliance checklists and landing pages for the regulations and frameworks teams ask about most - each paired with a BPMN process map showing how the obligation actually flows.

Regulation Deep Dives

Regulation landing pages

Deep dives on individual regulations - what they require, who they apply to, and how to operationalise them.

APRA CPS 230 (Australia)

Operational resilience for APRA-regulated banks, insurers and super funds - in force since 1 July 2025; legacy service-provider contracts must comply by 1 July 2026.

OSFI E-21 (Canada)

Operational resilience for Canadian FRFIs - applicable 1 September 2026.

EU AI Act - Annex IV

Annex IV technical documentation for high-risk AI systems - applicable 2 August 2026.

HIPAA Compliance Processes

Catalogue of the seven compliance processes that surround HIPAA, with breach notification featured as an editable BPMN map.

Compliance Checklists (Free PDF + DOCX)

Compliance checklists

Step-by-step checklists for the regulations and frameworks that drive most software-team compliance work. Each page pairs the checklist with a BPMN process map of how the regulation flows in practice.

US DEPARTMENT OF DEFENSE SUPPLY CHAIN

CMMC 2.0 compliance checklist

Cybersecurity Maturity Model Certification 2.0

US HEALTHCARE (COVERED ENTITIES AND BUSINESS ASSOCIATES)

HIPAA compliance checklist

Health Insurance Portability and Accountability Act

US SERVICE ORGANISATIONS (GLOBAL BY RECIPROCAL TRUST)

SOC 2 compliance checklist

Service Organization Control 2 (AICPA attestation standards - AT-C 105 and AT-C 205, as amended through SSAE No. 23 effective for engagements beginning on or after 15 December 2025)

GLOBAL - ANY ENTITY HANDLING PAYMENT CARD DATA

PCI DSS 4.0.1 compliance checklist

Payment Card Industry Data Security Standard 4.0.1

US PUBLIC COMPANIES (AND THEIR MATERIAL SUBSIDIARIES)

SOX compliance checklist

Sarbanes-Oxley Act of 2002

BUSINESSES SUBJECT TO CALIFORNIA CONSUMER PRIVACY LAW

CCPA / CPRA compliance checklist

California Consumer Privacy Act, as amended by the CPRA

US FEDERAL INFORMATION SYSTEMS AND THE CONTRACTORS THAT BUILD THEM

NIST RMF compliance checklist

NIST Risk Management Framework (SP 800-37 Rev 2)

CLOUD SERVICE PROVIDERS SERVING US FEDERAL AGENCIES

FedRAMP compliance checklist

Federal Risk and Authorization Management Program

US DEFENSE INDUSTRIAL BASE AND DOWNSTREAM DEFENSE EXPORTS

ITAR compliance checklist

International Traffic in Arms Regulations

EU FINANCIAL ENTITIES + THEIR ICT THIRD-PARTY SERVICE PROVIDERS

DORA compliance checklist

Digital Operational Resilience Act (Regulation 2022/2554)

Turn a compliance checklist into a working process

Pick the regulation that worries you most. Open the process template, adapt the steps to your organisation, and turn the checklist into a working procedure your team actually runs.

Map a compliance process