
Compliance Tracking
Maintain a living control inventory, audit calendar, and evidence map so a solo SaaS founder can see SOC 2, ISO 27001, GDPR, HIPAA, or PCI gaps before an auditor asks.
Overview
Compliance Tracking is an agent skill most often used in Ship (also Validate scope, Operate iterate) that helps solo builders track framework controls, audit timelines, evidence, and gap remediation for regulatory readiness.
Install
npx skills add https://github.com/anthropics/knowledge-work-plugins --skill compliance-tracking
What is this skill?
- Reference matrix for 5 common frameworks (SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS) with focus areas and key requirements
- Control inventory workflow: map controls to framework clauses, owners, and effectiveness evidence
- Audit calendar for deadlines, evidence collection windows, and remediation due dates
- Evidence management checklist: what to collect, where it lives, and last-updated tracking
- Gap analysis output: current state vs requirement, prioritized remediation, timeline to compliance
- Documents 5 common compliance frameworks in a reference table
- Structures tracking around 4 components: control inventory, audit calendar, evidence management, and gap analysis
Adoption & trust: 1.6k installs on skills.sh; 19.6k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know SOC 2, GDPR, or another framework matters for your next customer, but controls, owners, evidence, and deadlines live in scattered notes with no honest gap picture.
Who is it for?
Indie SaaS founders prepping first SOC 2 or ISO 27001, handling GDPR requests, or answering enterprise security portals without a dedicated compliance hire.
Skip if: you need certified legal interpretation, formal penetration-test reports, or a fully automated compliance SaaS replacement; use qualified counsel and vetted tools instead of agent-generated policy alone.
When should I use this skill?
User mentions compliance, audit prep, SOC 2, ISO 27001, GDPR, regulatory requirements, or needs help tracking, preparing for, or documenting compliance activities.
What do I get? / Deliverables
You leave with a mapped control inventory, audit calendar, evidence plan, and prioritized remediation timeline you can execute before the next audit or security questionnaire.
- Control inventory mapped to framework requirements with owners and evidence notes
- Audit calendar with evidence and remediation deadlines
- Prioritized gap analysis and timeline toward compliance
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf on Ship because audit readiness and control evidence are what block safe launches and enterprise deals; the skill is written for prep and documentation of security controls, not greenfield ideation. It fits the Security subphase because framework mapping, control owners, evidence collection, and gap remediation timelines are what auditors expect before you call a release production-ready.
Where it fits
Decide whether GDPR, HIPAA, or PCI applies to your MVP data flows before you hard-code retention and consent.
Build the control-to-evidence map and remediation dates ahead of a customer security review or SOC 2 Type I window.
Refresh evidence and gap status after rotating secrets, changing subprocessors, or shipping a new data export feature.
How it compares
Use for structured GRC tracking and audit prep narratives instead of dumping generic “make me SOC 2 compliant” prompts without control-level evidence.
Common Questions / FAQ
Who is compliance-tracking for?
Solo builders and tiny teams shipping B2B SaaS, APIs, or products handling sensitive data who must demonstrate audit readiness to customers or regulators.
When should I use compliance-tracking?
In Validate when scoping which frameworks apply; in Ship security before launch or vendor review; in Operate iterate after infra, auth, or data-handling changes; whenever you say “audit prep,” “SOC 2,” “GDPR,” or “regulatory requirement.”
Is compliance-tracking safe to install?
Treat outputs as drafts for your own review; check the Security Audits panel on this Prism page and your repo policy before granting broad filesystem or secret access to an agent.
SKILL.md - Compliance Tracking
# Compliance Tracking

Help track compliance requirements, prepare for audits, and maintain regulatory readiness.

## Common Frameworks

| Framework | Focus | Key Requirements |
|-----------|-------|------------------|
| SOC 2 | Service organizations | Security, availability, processing integrity, confidentiality, privacy |
| ISO 27001 | Information security | Risk assessment, security controls, continuous improvement |
| GDPR | Data privacy (EU) | Consent, data rights, breach notification, DPO |
| HIPAA | Healthcare data (US) | PHI protection, access controls, audit trails |
| PCI DSS | Payment card data | Encryption, access control, vulnerability management |

## Compliance Tracking Components

### Control Inventory
- Map controls to framework requirements
- Document control owners and evidence
- Track control effectiveness

### Audit Calendar
- Upcoming audit dates and deadlines
- Evidence collection timelines
- Remediation deadlines

### Evidence Management
- What evidence is needed for each control
- Where evidence is stored
- When evidence was last collected

### Gap Analysis
- Requirements vs. current state
- Prioritized remediation plan
- Timeline to compliance

## Output

Produce compliance status dashboards, gap analyses, audit prep checklists, and evidence collection plans.