SOC 2 readiness — from initial Type I through ongoing Type II surveillance
SOC 2 attestations are issued by independent CPA firms against the AICPA Trust Services Criteria. Aegis AI™ does the readiness work: continuous control validation across the Security category by default, with Availability, Processing Integrity, Confidentiality, and Privacy added per your scoping decisions. Each control objective is mapped to a live evidence artifact drawn from your AWS, Azure, Microsoft 365, Okta, or CrowdStrike telemetry, and each artifact carries a SHA-256 hash of its contents and a validation timestamp, so the auditor can confirm that what they are reviewing is the artifact that was validated and when.
What Aegis AI produces for your SOC 2 engagement
- System description draft. Section 3 narrative scaffolding mapped to in-scope services, infrastructure, software, people, procedures, and data.
- Control matrix. Every applicable Common Criteria (CC1.x–CC9.x) and category-specific criterion (A1.x, PI1.x, C1.x, P1.x–P9.x), with current evidence status and the source of truth cited.
- Audit-ready exhibits. Pre-staged in the format your CPA firm consumes during walkthroughs and sample-testing: control objective, evidence artifact, system of record, owner, validation timestamp.
- Risk register + POA&M. Open gaps with owner, target date, and the specific Trust Services Criterion the remediation closes.
How Aegis AI sits next to your CPA firm
We don’t conduct the attestation. Your CPA firm does. We sit on the readiness side of the audit firewall — assembling and continuously refreshing the artifact set so when your CPA opens fieldwork, they start validating instead of asking your team to author evidence on the fly. This is the difference between a six-week SOC 2 engagement and a twelve-week SOC 2 engagement.
ISO 27001 readiness — Statement of Applicability through surveillance audit
ISO 27001 certification is issued by an accredited certification body (UKAS-, ANAB-, or equivalent-accredited) against the 2022 revision. Aegis AI™ supports the readiness path: ISMS scope authoring, Statement of Applicability (SoA) drafting against the 93 Annex A controls (themed into Organizational, People, Physical, and Technological), internal-audit evidence assembly, and management-review pack preparation. The work product carries forward to your initial certification audit and every surveillance cycle thereafter.
What Aegis AI produces for your ISO 27001 engagement
- SoA draft. Annex A control-by-control applicability with justification, implementation status, and reference to the underlying control evidence.
- ISMS scope statement. In-scope locations, services, processes, and information assets aligned to your business context (clause 4) and interested-party requirements.
- Internal audit evidence pack. Refreshed every cycle, with finding tracking, corrective action, and management-review inputs ready for clause 9 / clause 10 review.
- Risk register. Per clause 6.1, risks identified against the in-scope assets with owner, treatment plan, and residual risk acceptance.
SOC 2 + ISO 27001 cross-mapping
For companies pursuing both, Aegis AI shows you which single remediation closes the most cross-framework gaps. Your evidence binder is rendered once and consumed by both your CPA firm and your certification body. You don’t pay to fix MFA enforcement, vendor risk, or access review three times.
HIPAA readiness — Security Rule safeguards plus Breach Notification readiness
HIPAA compliance is enforced by HHS Office for Civil Rights and by State Attorneys General. There is no central HIPAA certification body — instead, covered entities and business associates must be able to produce evidence of compliance with the Security Rule’s administrative, physical, and technical safeguards during an OCR investigation, a state AG inquiry, or a downstream business associate audit. Aegis AI™ assembles that evidence continuously, so the request that arrives by certified mail doesn’t turn into a three-week scramble.
What Aegis AI produces for your HIPAA program
- Risk analysis documentation. Per 45 CFR 164.308(a)(1)(ii)(A), the foundational risk analysis with asset inventory, threat sources, and risk-determination rationale, refreshed every cycle.
- Administrative safeguard evidence. Workforce training records, sanction policy enforcement, access authorization, termination procedures, periodic evaluation.
- Physical safeguard evidence. Facility access controls, workstation use, device and media controls.
- Technical safeguard evidence. Access control, audit controls, integrity controls, transmission security, encryption.
- Business Associate Agreement (BAA) inventory. Counterparty list with BAA execution status, last reviewed date, and renewal triggers.
- Breach Notification readiness. Incident-response runbook with the 60-day notification clock, OCR submission template, and individual notice template pre-staged.
What Aegis AI doesn’t do
We are not your Privacy Officer of record. We are not your designated Security Official under 164.308(a)(2). Those are human roles inside your organization. We are the software that gives those humans an audit-ready evidence set so when OCR asks for proof, the answer is in writing the same day.
PCI-DSS v4.0 readiness — SAQ-A through Level 1 service provider
PCI-DSS v4.0 is enforced by the PCI Security Standards Council via acquiring banks and brand programs (Visa, Mastercard, Amex, Discover, JCB). Validation methods range from self-assessment (SAQ-A through SAQ-D) to a QSA-led Report on Compliance (RoC) for Level 1 merchants and service providers. Aegis AI™ assembles the evidence trail across all 12 PCI-DSS requirements, scoped to your Cardholder Data Environment (CDE).
What Aegis AI produces for your PCI engagement
- CDE scope diagram. Network segmentation evidence, in-scope systems, cardholder data flows, and the boundary between CDE and connected-to systems.
- 12-requirement control matrix. Each of Requirements 1–12 mapped to current evidence, with the customized approach option flagged where you elected one under v4.0.
- Quarterly ASV scan tracking. Requirement 11.3 external vulnerability scan history, with pass/fail status and remediation cycle visibility.
- QSA-ready exhibits. Pre-staged in the format Level 1 QSAs consume during fieldwork: control, evidence artifact, source system, owner, validation timestamp.
- Annual PCI roadmap. The work product you need for your Attestation of Compliance (AOC) submission, refreshed every cycle so the AOC isn’t a Q4 fire drill.
QSA relationship
For Level 1 merchants and service providers, a QSA still produces the Report on Compliance. Aegis AI is the readiness tool you use to make the QSA’s job take six weeks instead of fourteen. We are not a QSA. We sit on the readiness side of the audit firewall, same as with SOC 2 and ISO 27001.
NIST CSF 2.0 readiness — Govern through Recover, profile and tier authoring
NIST CSF 2.0 added the Govern function alongside Identify, Protect, Detect, Respond, and Recover. It is widely adopted as the lingua franca for cybersecurity risk by federal-adjacent contractors, regulated industries (energy, utilities, transportation), and any company whose customers, insurers, or board uses CSF as the shared reference. Aegis AI™ produces the CSF artifacts the security leader uses to brief executives and the artifacts the board uses to set risk appetite.
What Aegis AI produces for your NIST CSF program
- Current Profile. Subcategory-by-subcategory current implementation tier across all six functions (GV / ID / PR / DE / RS / RC), with the evidence for each tier judgment cited.
- Target Profile. Where your security program is heading over the next 12–24 months, with the executive rationale and the gap-closure roadmap.
- Maturity assessment. Implementation Tier rating (Partial / Risk Informed / Repeatable / Adaptive) per function, refreshed every cycle.
- Governance evidence. The GV function evidence: cybersecurity strategy, roles and responsibilities, risk-management policy, supply-chain risk management, oversight mechanism.
- Continuous improvement record. What moved between cycles and why — the artifact your board uses to evaluate whether the security investment is producing measurable posture change.
Why a CSF profile matters even when you don’t have a CSF audit
Most companies don’t get audited against CSF directly — but their cyber insurer, their largest customers, and their board use CSF language as the shared reference. A current and target CSF profile is the artifact that translates “we’re investing in security” into a tier movement an executive can evaluate.
GDPR readiness — Article 32 technical measures and Article 30 records
GDPR is enforced by supervisory authorities across the EU (and the UK ICO post-Brexit) with fines up to 4% of global annual turnover. The two operational pillars for any controller or processor are Article 32 (security of processing) and Article 30 (records of processing activities). Aegis AI™ produces and continuously refreshes both, plus the supporting documentation a supervisory authority expects to see when it opens an inquiry.
What Aegis AI produces for your GDPR program
- Article 32 evidence. Technical and organizational measures: pseudonymization and encryption, ongoing confidentiality / integrity / availability / resilience, restoration capability after incident, regular testing.
- Article 30 Records of Processing Activities (RoPA). Maintained for both controller and processor roles, with processing purposes, data categories, recipient categories, transfer mechanisms, and retention periods.
- DPIA scaffolding. Article 35 Data Protection Impact Assessment template pre-populated with your processing context, ready for the qualifying use cases (large-scale special category processing, systematic monitoring, automated decision-making).
- Cross-border transfer documentation. Standard Contractual Clauses inventory, Transfer Impact Assessments, UK IDTA where applicable, supplementary measures evidence.
- Breach-notification readiness. Article 33 / 34 runbook with the 72-hour clock, supervisory authority submission template, and individual notice template pre-staged.
What Aegis AI doesn’t do
We are not your Data Protection Officer of record. Where you require a DPO under Article 37, that is a designated human role inside your organization or a contracted external DPO. We are the software that gives your DPO an evidence set, a refreshed RoPA, and a documented set of technical measures so the supervisory-authority inquiry doesn’t turn into a 90-day evidence-collection sprint.