Compliance Frameworks

Meet regulatory requirements with CastellanAI's comprehensive compliance reporting and audit capabilities.

Audit-Ready

Pre-built templates and control mappings help you maintain continuous compliance with major regulatory frameworks.

Supported Frameworks

Framework	Description	Key Mappings
SOC 2 Type II	Trust Services Criteria	CC6.1, CC7.2, CC8.1
HIPAA	Health Insurance Portability	§164.308, §164.312
PCI DSS	Payment Card Industry v4.0	Requirements 10, 11, 12
GDPR	EU Data Protection	Articles 32, 33, 34
ISO 27001	Information Security Management	A.12, A.16, A.18 Controls
NIST CSF	Cybersecurity Framework 2.0	DE, PR, RS Functions
CMMC	DoD Cybersecurity Maturity	Level 2, 3 Requirements
CIS Controls	Critical Security Controls	Controls 4, 6, 8, 13

Generating Compliance Reports

1️⃣ Select Framework
2️⃣ Configure Period
3️⃣ Select Controls
4️⃣ Generate

Step 1: Select Compliance Framework

Navigate to Reports and choose your framework.

Navigation: Reports → Compliance → Select Framework

Framework	Typical Use Case
SOC 2	SaaS providers, service organizations
HIPAA	Healthcare, health data processors
PCI DSS	Payment processing, e-commerce
GDPR	EU data handling
ISO 27001	International security certification

Period	Use Case
Last 90 Days	Quarterly reviews
Last 365 Days	Annual audits
Custom Range	Specific audit windows

Step 3: Select Control Scope

Choose which controls to include in the report.

Example: SOC 2 Control Selection

Control	Description
CC6.1	Logical and Physical Access Controls
CC7.2	System Monitoring
CC8.1	Change Management

Format	Best For
PDF	Formatted presentation
Excel	Detailed analysis
CSV	Data integration

Report Contents

📊 Executive Summary
🗺️ Control Mapping
📁 Evidence Collection
⚠️ Gap Analysis
📈 Security Metrics

Executive Summary

High-level overview of compliance posture.

Section	Content
Compliance Score	Overall posture percentage
Key Findings	Critical observations
Control Effectiveness	Summary by control category
Recommendations	Priority actions

Control Mapping

Detailed mapping of capabilities to framework requirements.

Element	Description
Requirement	Framework control text
CastellanAI Feature	Mapped capability
Evidence	Supporting documentation
Status	Met, Partial, Gap

Evidence Collection

Audit logs and records as compliance evidence.

Evidence Type	Description
Audit Logs	User and system activity
Security Events	Threat detection records
User Activity	Access and changes
Config Snapshots	Point-in-time settings

Gap Analysis

Identification of compliance gaps and recommendations.

Element	Description
Gap Identified	Non-conformity description
Risk Level	High, Medium, Low
Remediation	Recommended actions
Timeline	Suggested completion date

Metric	Description
MTTD	Mean time to detect
MTTR	Mean time to respond
Incident Count	Events by severity
Coverage	Monitoring percentage

Framework Requirements

SOC 2
HIPAA
PCI DSS
GDPR

SOC 2 Type II Requirements

Required Evidence:

Evidence	Retention
Access control logs	90+ days
Change management records	1 year
Security monitoring data	90+ days
Incident response docs	1 year

Key Controls:

Control	Requirement
MFA enforcement	All users
Continuous monitoring	24/7
Audit logging	All systems
Access reviews	Quarterly

HIPAA Compliance Requirements

Required Evidence:

Evidence	Retention
ePHI access logs	6 years
Risk assessments	6 years
Breach notification records	6 years
Business associate agreements	6 years

Key Controls:

Control	Reference
Encryption at rest/transit	§164.312(a)(2)(iv)
Access control	§164.312(a)(1)
Audit controls	§164.312(b)
Integrity controls	§164.312(c)(1)

ePHI Protection

All ePHI access must be logged and encrypted.

PCI DSS v4.0 Requirements

Required Evidence:

Evidence	Retention
Audit trails	1 year (3 months online)
Vulnerability scans	Quarterly
Penetration tests	Annual
Security training	Annual

Key Controls:

Control	Requirement
Log monitoring	Requirement 10
Vulnerability management	Requirement 11
Security policies	Requirement 12
File integrity monitoring	Requirement 11.5

Required Evidence:

Evidence	Requirement
Processing records	Article 30
Consent documentation	Article 7
Breach notifications	Article 33
DPIA records	Article 35

Key Controls:

Control	Article
Data protection	Article 32
Breach notification	Article 33
Data subject rights	Articles 15-22

Automated Compliance Monitoring

🔄 Continuous Monitoring
⚠️ Drift Detection
📅 Scheduled Reports
📦 Evidence Retention

Continuous Control Monitoring

Real-time assessment of control effectiveness.

Feature	Description
Automated Testing	Continuous control validation
Real-time Alerts	Immediate non-conformity notification
Dashboard View	Compliance posture at a glance

Compliance Drift Detection

Automatic alerts when configurations drift from compliant state.

Drift Type	Example
Access Control	MFA disabled
Configuration	Audit logging disabled
Policy	Password policy weakened

Immediate Action

Compliance drift alerts require immediate investigation.

Scheduled Report Generation

Automatically generate and deliver compliance reports.

Frequency	Use Case
Daily	Operations monitoring
Weekly	Team reviews
Monthly	Management reporting
Quarterly	Compliance reviews
Annual	Audit preparation

Framework	Retention Period
SOC 2	1 year
HIPAA	6 years
PCI DSS	1 year
SOX	7 years
GDPR	Varies by data type

Best Practices

Practice	Description
Schedule Regular Reports	Quarterly reports for audit readiness
Enable Continuous Monitoring	Detect drift before audits
Document Exceptions	Clear records for compensating controls
Retain Evidence Properly	Meet or exceed retention requirements
Coordinate with Auditors	Share reports early for proactive discussion

📝 Compliance Readiness Checklist

Identify applicable compliance frameworks
Map controls to CastellanAI capabilities
Configure continuous monitoring
Set up scheduled reports
Establish evidence retention policies
Document any exceptions or compensating controls
Test report generation before audit
Share reports with auditors proactively

What's Next?

Guide	Description
Exporting Data	Export security and audit data
Custom Reports	Create custom compliance reports
Generating Reports	General report generation guide

Compliance Frameworks

Supported Frameworks

Generating Compliance Reports

Step 1: Select Compliance Framework

Step 2: Configure Report Period

Step 3: Select Control Scope

Step 4: Generate and Download

Report Contents

Executive Summary

Control Mapping

Evidence Collection

Gap Analysis

Security Metrics

Framework Requirements

SOC 2 Type II Requirements

HIPAA Compliance Requirements

PCI DSS v4.0 Requirements

Automated Compliance Monitoring

Continuous Control Monitoring

Compliance Drift Detection

Scheduled Report Generation

Evidence Retention

Best Practices

What's Next?

Supported Frameworks​

Generating Compliance Reports​

Step 1: Select Compliance Framework​

Step 2: Configure Report Period​

Step 3: Select Control Scope​

Step 4: Generate and Download​

Report Contents​

Executive Summary​

Control Mapping​

Evidence Collection​

Gap Analysis​

Security Metrics​

Framework Requirements​

SOC 2 Type II Requirements​

HIPAA Compliance Requirements​

PCI DSS v4.0 Requirements​

GDPR Requirements​

Automated Compliance Monitoring​

Continuous Control Monitoring​

Compliance Drift Detection​

Scheduled Report Generation​

Evidence Retention​

Best Practices​

What's Next?​

Supported Frameworks

Generating Compliance Reports

Step 1: Select Compliance Framework

Step 2: Configure Report Period

Step 3: Select Control Scope

Step 4: Generate and Download

Report Contents

Executive Summary

Control Mapping

Evidence Collection

Gap Analysis

Security Metrics

Framework Requirements

SOC 2 Type II Requirements

HIPAA Compliance Requirements

PCI DSS v4.0 Requirements

GDPR Requirements

Automated Compliance Monitoring

Continuous Control Monitoring

Compliance Drift Detection

Scheduled Report Generation

Evidence Retention

Best Practices

What's Next?