Sample · Multi-Framework Readiness Snapshot™

See exactly what the $1,995 deliverable contains.

Specimen report · Anonymized data · Real format

The actual PDF you receive follows this format with your company’s measured findings across every framework you sell into. It contains a per-framework coverage matrix, a cross-framework gap table, and a remediation list ranked by how many audits each fix advances. Below is the full structure with sample data from a specimen healthtech SaaS pursuing SOC 2, HIPAA, and ISO 27001.

Page 1 of 3 · Cover & Coverage Matrix
Multi-Framework Readiness Snapshot™ Report

Northwind Health Apps, Inc.

Scope: 1 production environment (AWS us-east-1, Microsoft 365) · Scan date: March 18, 2026 · Frameworks in scope: SOC 2, HIPAA, ISO 27001, NIST CSF 2.0 (PCI: limited — card data outsourced to Stripe)

Current coverage by framework

SOC 2 (Trust Services): 80%
41 of 51 applicable criteria covered or partial
HIPAA Security Rule: 76%
Administrative, physical & technical safeguards
ISO 27001 (Annex A): 73%
68 of 93 controls covered or partial
NIST CSF 2.0: 77%
Govern / Identify / Protect / Detect / Respond / Recover

What this means

Northwind is in good shape for SOC 2 but has five cross-cutting gaps that hold back every framework at once. The headline finding: the same eight remediations close 23 distinct control gaps across all four frameworks. Page 2 lists the gaps; Page 3 sequences the fixes by how many audits each one advances.

Methodology

Live read-only configuration metadata was pulled from the connected environments (AWS via SecurityAudit + ReadOnlyAccess IAM role; Microsoft 365 via Service Principal with Reader + Security Reader) on the scan date above. Each finding is mapped to the relevant control in every in-scope framework and cites the telemetry signal that produced it. No PHI, no customer data, no card data was accessed.

Page 2 of 3 · Cross-Framework Gaps

Control gaps — and the frameworks each one blocks

Specimen findings shown. “Frameworks” counts how many in-scope audits this single gap touches — the higher the number, the more leverage in fixing it.

Columns: Control gap · Maps to · Frameworks touched · Severity

MFA not enforced on 9 privileged accounts. Admin access to AWS + M365 without MFA on 9 of 24 privileged users.
signal: iam-list-users, aad-privileged-roles
Maps to: SOC 2 CC6.1 · ISO A.8.5 · HIPAA 164.312(d) · CSF PR.AA
Frameworks: 4 · Severity: High

No centralized log monitoring / alerting. CloudTrail + M365 audit logs retained but not aggregated to a SIEM; no alerting on privileged activity.
signal: cloudtrail-describe-trails, no-siem-sink
Maps to: SOC 2 CC7.2 · ISO A.8.15 · HIPAA 164.312(b) · CSF DE.CM
Frameworks: 4 · Severity: High

Incident-response plan never exercised. IR plan documented Aug 2025; no tabletop or drill on record in the last 12 months.
signal: intake-q7 (process control)
Maps to: SOC 2 CC7.4 · ISO A.5.24 · HIPAA 164.308(a)(6) · CSF RS
Frameworks: 4 · Severity: High

No formal vendor / subprocessor risk review. 14 subprocessors with no documented security review or register.
signal: intake-q9 (process control)
Maps to: SOC 2 CC9.2 · ISO A.5.19 · HIPAA 164.308(b) · CSF GV.SC
Frameworks: 4 · Severity: Medium

Backup recovery never tested. Automated RDS + S3 backups configured; no documented restore test.
signal: rds-describe-db-snapshots, intake-q11
Maps to: SOC 2 A1.3 · ISO A.8.13 · HIPAA 164.308(a)(7) · CSF RC
Frameworks: 4 · Severity: Medium

3 S3 buckets allow non-TLS access. Bucket policies don’t deny aws:SecureTransport=false.
signal: s3-get-bucket-policy
Maps to: SOC 2 CC6.7 · ISO A.8.24 · HIPAA 164.312(e) · CSF PR.DS-02
Frameworks: 4 · Severity: Medium

Access reviews not performed. No evidence of periodic least-privilege review; 6 dormant accounts >90 days.
signal: iam-credential-report
Maps to: SOC 2 CC6.2 · ISO A.5.18 · HIPAA 164.308(a)(4) · CSF PR.AA
Frameworks: 4 · Severity: Medium

No documented change-management approvals. Production deploys lack recorded review/approval separation.
signal: intake-q14 (process control)
Maps to: SOC 2 CC8.1 · ISO A.8.32 · CSF PR.PS
Frameworks: 3 · Severity: Medium

The full report lists all 23 control gaps with their per-framework mappings, severity, and the telemetry signal behind each. Findings are cross-referenced to every in-scope framework.

Page 3 of 3 · Remediation, Ranked by Audits Advanced

Remediation list — ordered by how many audits each fix closes

The headline

Eight fixes close 23 gaps across all four frameworks. The first three alone — MFA, centralized log monitoring, and an IR tabletop — each advance SOC 2, HIPAA, ISO 27001, and NIST CSF simultaneously. You fix once; the gap closes in four audits.

Week 1 · advances 4 audits
Enforce MFA on all 9 privileged accounts. Apply conditional-access MFA in M365 + AWS IAM MFA enforcement. Closes the #1 gap in all four frameworks.

Week 1–2 · advances 4 audits
Aggregate logs to a SIEM with privileged-activity alerting. Route CloudTrail + M365 audit to a SIEM (or CloudWatch + EventBridge), alert on privileged actions.

Week 2 · advances 4 audits
Run an incident-response tabletop and record the after-action. 60-minute scenario with the on-call + leadership; document and file it.

Week 2–3 · advances 4 audits
Deny non-TLS on the 3 S3 buckets + run an access review. Add the SecureTransport deny condition; review privileged access, disable 6 dormant accounts.

Week 3–4 · advances 4 audits
Stand up vendor-risk register + run a backup restore test. Document the 14 subprocessors with review dates; perform and record one restore from backup.

Week 4 · advances 3 audits
Add change-management approvals to the deploy pipeline. Require recorded review/approval with author/shipper separation before production.
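The "3 S3 buckets allow non-TLS access" finding on Page 2 and the Week 2–3 fix both come down to one question: does the bucket policy carry a Deny on aws:SecureTransport=false that covers all principals, all S3 actions, and both the bucket and its objects? The check below is an added illustration, not code from the Snapshot or from Aegis AI; the bucket names and policy documents are constructed specimens, and in practice you would feed it the JSON returned by GetBucketPolicy.

```python
import json

# Constructed specimen policy with no TLS-only deny (the weak state found on Page 2).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppReadWrite", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::nw-phi-exports/*",
    }],
}
# Same policy plus the deny condition the Week 2-3 remediation adds.
HARDENED_POLICY = json.loads(json.dumps(WEAK_POLICY))
HARDENED_POLICY["Statement"].append({
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::nw-phi-exports", "arn:aws:s3:::nw-phi-exports/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
})

def _as_list(v):
    # Policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def denies_non_tls(policy, bucket):
    """True if a Deny statement rejects aws:SecureTransport=false for every principal,
    every S3 action, and both the bucket ARN and its objects (or a wildcard resource)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":  # accepts "false" or JSON false
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources:
            return True
    return False

def buckets_allowing_non_tls(policies):
    """policies: {bucket_name: policy document, or None when the bucket has no policy}.
    Returns the buckets lacking the deny, i.e. what the s3-get-bucket-policy signal lists."""
    return sorted(b for b, p in policies.items() if not denies_non_tls(p or {}, b))

if __name__ == "__main__":
    print(buckets_allowing_non_tls({"nw-phi-exports": HARDENED_POLICY,
                                    "nw-logs": {"Statement": []}, "nw-static": None}))
```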

Projected coverage after the 30-day plan: SOC 2 ~94% · HIPAA ~91% · ISO 27001 ~90% · NIST CSF ~92% — audit-ready, with evidence assembled.

Plan delivered as a working document. Your team executes; on a subscription, Aegis AI re-scans and refreshes the coverage matrix every cycle.

Your real report — with your company’s measured findings — in your inbox within hours.

$1,995 one-time. Connect a cloud (read-only, revocable in one click), answer ten short questions, and your cross-framework PDF arrives within hours. Async, self-service throughout. Credits 100% to month one of any tier within 30 days.
