Compliance Frameworks

Meet regulatory requirements with CastellanAI's comprehensive compliance reporting and audit capabilities.

Supported Compliance Frameworks

CastellanAI provides pre-built reporting templates and compliance mappings for major regulatory frameworks:

| Framework | Description | Key Mappings |
| --- | --- | --- |
| SOC 2 Type II | Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality | CC6.1, CC7.2, CC8.1 |
| HIPAA | Health Insurance Portability and Accountability Act compliance | §164.308, §164.312 |
| PCI DSS | Payment Card Industry Data Security Standard v4.0 | Requirements 10, 11, 12 |
| GDPR | General Data Protection Regulation (EU) | Articles 32, 33, 34 |
| ISO 27001 | Information Security Management System standards | A.12, A.16, A.18 Controls |
| NIST CSF | NIST Cybersecurity Framework 2.0 | DE, PR, RS Functions |
| CMMC | Cybersecurity Maturity Model Certification (DoD) | Level 2, 3 Requirements |
| CIS Controls | Center for Internet Security Critical Security Controls | Controls 4, 6, 8, 13 |

Generating Compliance Reports

Step 1: Select Compliance Framework

Navigate to Reports and choose the compliance framework you need to report on.

Navigation Path: Reports → Compliance → Select Framework

Step 2: Configure Report Period

Select the time period for your compliance report (e.g., quarterly, annual audit period).

  • Last 90 Days (Quarterly)
  • Last 365 Days (Annual)
  • Custom Date Range

Step 3: Select Control Scope

Choose which controls or requirements to include in the report.

Example: SOC 2 Control Selection

  • CC6.1 - Logical and Physical Access Controls
  • CC7.2 - System Monitoring
  • CC8.1 - Change Management

Step 4: Generate and Download

Generate the compliance report and download in your preferred format:

  • PDF Report - Formatted for presentation
  • Excel - For detailed analysis
  • CSV - For data integration

Compliance Report Contents

Each compliance report includes comprehensive evidence and documentation:

Executive Summary

High-level overview of compliance posture, key findings, and control effectiveness summary.

Control Mapping

Detailed mapping of CastellanAI capabilities to framework requirements and controls.

Evidence Collection

Audit logs, security events, user activity records, and configuration snapshots as compliance evidence.

Gap Analysis

Identification of compliance gaps, non-conformities, and recommendations for remediation.

Security Metrics

Quantitative security metrics: mean time to detect (MTTD), mean time to respond (MTTR), incident counts.

Automated Compliance Monitoring

CastellanAI continuously monitors your compliance posture and provides real-time visibility:

Continuous Control Monitoring

Real-time assessment of control effectiveness with automated testing and validation.

Compliance Drift Detection

Automatic alerts when configurations or policies drift from compliant state.

Examples: Disabled MFA, removed access controls, audit log gaps
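The following is an added illustration of how the three drift categories above can be checked against a compliant baseline; it is example code written for this page, not CastellanAI's own implementation, and the baseline, current-state snapshot, audit timestamps and the one-hour gap threshold are all constructed assumptions. Findings are tagged with the SOC 2 controls listed earlier on this page (CC6.1 for access controls, CC7.2 for system monitoring).

```python
from datetime import datetime, timedelta

# Constructed baseline: the "compliant state" the controls were last attested against.
BASELINE = {
    "mfa_enforced": True,
    "access_controls": {"admin-role-review", "least-privilege-policy", "session-timeout"},
    "max_audit_gap": timedelta(hours=1),  # assumed tolerance between audit log entries
}

# Constructed current snapshot: MFA was turned off and one access control was removed.
CURRENT = {
    "mfa_enforced": False,
    "access_controls": ["admin-role-review", "session-timeout"],
}

# Constructed audit log timestamps with a 2.5-hour hole between the 2nd and 3rd entries.
LOG_TIMES = [
    datetime(2024, 1, 1, 0, 0),
    datetime(2024, 1, 1, 0, 30),
    datetime(2024, 1, 1, 3, 0),
    datetime(2024, 1, 1, 3, 15),
]


def detect_drift(current, audit_timestamps, baseline=BASELINE):
    """Return (control_id, finding) alerts for drift from the baseline.

    Covers the three drift examples on this page: disabled MFA,
    removed access controls, and gaps in the audit log.
    """
    findings = []
    # Disabled MFA: the baseline requires enforcement, the snapshot no longer has it.
    if baseline["mfa_enforced"] and not current.get("mfa_enforced", False):
        findings.append(("CC6.1", "MFA enforcement disabled"))
    # Removed access controls: anything in the baseline set missing from the snapshot.
    removed = baseline["access_controls"] - set(current.get("access_controls", []))
    for ctl in sorted(removed):
        findings.append(("CC6.1", f"access control removed: {ctl}"))
    # Audit log gaps: consecutive entries further apart than the tolerated gap.
    ts = sorted(audit_timestamps)
    for prev, nxt in zip(ts, ts[1:]):
        gap = nxt - prev
        if gap > baseline["max_audit_gap"]:
            findings.append(("CC7.2", f"audit log gap of {gap} starting {prev.isoformat()}"))
    return findings


if __name__ == "__main__":
    for control, finding in detect_drift(CURRENT, LOG_TIMES):
        print(f"[{control}] {finding}")
```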

Scheduled Report Generation

Automatically generate and deliver compliance reports on a recurring schedule.

Frequencies: Daily, Weekly, Monthly, Quarterly, Annual

Evidence Retention

Automatic archival of audit evidence to meet regulatory retention requirements.

Retention periods: 1-7 years based on framework requirements

Framework-Specific Requirements

SOC 2 Type II Requirements

Required Evidence:

  • Access control logs (90+ days)
  • Change management records
  • Security monitoring data
  • Incident response documentation

Key Controls:

  • MFA enforcement
  • Continuous monitoring
  • Audit logging
  • User access reviews

HIPAA Compliance Requirements

Required Evidence:

  • ePHI access logs (6 years)
  • Risk assessments
  • Breach notification records
  • Business associate agreements

Key Controls:

  • Encryption at rest/transit
  • Access control (§164.312)
  • Audit controls (§164.312)
  • Integrity controls

PCI DSS v4.0 Requirements

Required Evidence:

  • Audit trails (1 year, 3 months online)
  • Vulnerability scans (quarterly)
  • Penetration tests (annual)
  • Security awareness training

Key Controls:

  • Log monitoring (Req 10)
  • Vulnerability management (Req 11)
  • Security policies (Req 12)
  • File integrity monitoring

Compliance Best Practices

  • Schedule Regular Reports - Configure automated quarterly compliance reports to maintain audit readiness year-round.
  • Enable Continuous Monitoring - Turn on compliance drift detection to immediately identify non-conformities before they become audit findings.
  • Document Exceptions - Maintain clear documentation for any compliance exceptions or compensating controls.
  • Retain Evidence Properly - Ensure evidence retention periods match or exceed regulatory requirements (typically 1-7 years).
  • Coordinate with Auditors - Share CastellanAI compliance reports with external auditors early to address questions proactively.