
Compliance Questions

Map every control to evidence. Spot gaps before the auditor does.


What Escher is great at

You ask                                              | What you get                                                    | Time
"Are we SOC 2 Type II ready?"                        | Control-by-control status + gap list + evidence pack            | ~8 min
"Which CIS Benchmark controls fail?"                 | Failing controls + affected resources + remediation order       | ~6 min
"Map our PCI-DSS scope."                             | Resources in scope + control coverage + boundary diagram        | ~10 min
"Show evidence for HIPAA Security Rule §164.312."    | Per-subsection evidence with citations                          | ~5 min
"What changed since our last audit pack?"            | Diff vs last evidence snapshot, by control                      | ~4 min

Frameworks Escher supports

  • SOC 2 (Trust Services Criteria — CC, A, C, P, PI series)
  • ISO 27001 Annex A
  • HIPAA Security Rule
  • PCI-DSS v4.0
  • GDPR (data handling and access controls)
  • CIS Benchmarks (AWS and Azure foundational profiles)

Example: SOC 2 readiness

"Are we SOC 2 Type II ready? Show gaps."

Example output (illustrative — the actual Canvas you see will be specific to your estate):

Conclusion: 87 of 99 SOC 2 controls have sufficient evidence.
12 controls have gaps or insufficient evidence.

Gaps (12):
  CC6.1  Logical access controls
         Issue: 3 IAM users without MFA in production
         Affected: prod-aws (3 users)
         Remediation: enforce MFA via IAM policy

  CC7.1  System monitoring
         Issue: CloudTrail not enabled in 1 region (eu-west-2)
         Affected: prod-aws / eu-west-2
         Remediation: enable multi-region trail

  CC8.1  Change management
         Issue: 14 production deployments lack PR approval evidence
         Affected: deploy-pipeline (prod)
         Remediation: enforce PR-required branch protection

  ... (9 more)

Evidence pack: 142 citations across 87 satisfied controls.
Export: PDF (auditor-ready) — JSON for GRC-tool ingest is on the roadmap

Every cited piece of evidence is a real config value, log entry, or deployment record — not a checklist someone manually filled out. Auditors love this.


Example: Continuous compliance

Escher snapshots your compliance state on every estate refresh. Ask:

"What changed in our SOC 2 control coverage since last week?"

Get a diff: which controls newly pass, which newly fail, what changed.

This is the difference between a yearly audit scramble and continuous readiness.
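The two ideas above, a gap list whose every finding cites a concrete config value (the SOC 2 example) and a diff of control coverage between two estate snapshots (continuous compliance), can be reproduced in a few dozen lines. The block below is an added example, not Escher's code: it evaluates two constructed estate snapshots shaped like AWS inventory output (IAM users with an MFA flag, CloudTrail trails as returned by DescribeTrails) against the CC6.1 and CC7.1 checks shown in the example output, then reports which controls newly pass or fail. The control ids, the check logic, the estate dictionaries and every user and trail name are the example's own assumptions.

```python
"""Added example: evaluate two SOC 2 controls against constructed, AWS-shaped
inventory data, emit a gap list with evidence citations, and diff two snapshots.
This is not Escher's code; control ids, check logic and sample data are assumed."""
from dataclasses import dataclass, field

# Constructed estate snapshots (not real data). iam_users: one entry per IAM
# user with whether an MFA device is attached. trails: one entry per CloudTrail
# trail, shaped like a DescribeTrails record. regions: enabled regions.
ESTATE_LAST_WEEK = {
    "account": "prod-aws",
    "iam_users": [
        {"UserName": "alice", "mfa_enabled": True},
        {"UserName": "bob", "mfa_enabled": False},
        {"UserName": "deploy-svc", "mfa_enabled": False},
    ],
    "trails": [
        {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False},
    ],
    "regions": ["us-east-1", "eu-west-2"],
}

ESTATE_NOW = {
    "account": "prod-aws",
    "iam_users": [
        {"UserName": "alice", "mfa_enabled": True},
        {"UserName": "bob", "mfa_enabled": True},
        {"UserName": "deploy-svc", "mfa_enabled": False},
    ],
    "trails": [
        {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True},
    ],
    "regions": ["us-east-1", "eu-west-2"],
}


@dataclass
class ControlResult:
    control: str
    title: str
    passed: bool
    issue: str = ""
    affected: list = field(default_factory=list)
    evidence: list = field(default_factory=list)  # citations to actual config values


def check_cc6_1(estate):
    """CC6.1 logical access: every IAM user must have an MFA device attached."""
    no_mfa = [u["UserName"] for u in estate["iam_users"] if not u["mfa_enabled"]]
    evidence = [f'iam:user/{u["UserName"]} mfa_enabled={u["mfa_enabled"]}'
                for u in estate["iam_users"]]
    if no_mfa:
        return ControlResult("CC6.1", "Logical access controls", False,
                             f"{len(no_mfa)} IAM user(s) without MFA",
                             [f'{estate["account"]} ({len(no_mfa)} users)'], evidence)
    return ControlResult("CC6.1", "Logical access controls", True, evidence=evidence)


def check_cc7_1(estate):
    """CC7.1 system monitoring: every enabled region must be covered by a trail.
    A multi-region trail covers all regions; a single-region trail covers only
    its home region."""
    covered = set()
    for t in estate["trails"]:
        if t["IsMultiRegionTrail"]:
            covered.update(estate["regions"])
        else:
            covered.add(t["HomeRegion"])
    missing = [r for r in estate["regions"] if r not in covered]
    evidence = [f'cloudtrail:trail/{t["Name"]} IsMultiRegionTrail={t["IsMultiRegionTrail"]} '
                f'HomeRegion={t["HomeRegion"]}' for t in estate["trails"]]
    if missing:
        return ControlResult("CC7.1", "System monitoring", False,
                             f"CloudTrail not enabled in {len(missing)} region(s) ({', '.join(missing)})",
                             [f'{estate["account"]} / {r}' for r in missing], evidence)
    return ControlResult("CC7.1", "System monitoring", True, evidence=evidence)


CHECKS = [check_cc6_1, check_cc7_1]


def evaluate(estate):
    """Run every check against one snapshot; return {control_id: ControlResult}."""
    return {r.control: r for r in (check(estate) for check in CHECKS)}


def gap_list(results):
    """Only the failing controls, which is what an auditor asks for first."""
    return [r for r in results.values() if not r.passed]


def diff_coverage(previous, current):
    """Which controls newly pass or newly fail between two evaluated snapshots."""
    newly_pass = sorted(c for c in current if current[c].passed and not previous[c].passed)
    newly_fail = sorted(c for c in current if not current[c].passed and previous[c].passed)
    return {"newly_pass": newly_pass, "newly_fail": newly_fail}


if __name__ == "__main__":
    now = evaluate(ESTATE_NOW)
    for g in gap_list(now):
        print(f"{g.control}  {g.title}\n  Issue: {g.issue}\n  Affected: {', '.join(g.affected)}")
        for cite in g.evidence:
            print(f"  Evidence: {cite}")
    print(diff_coverage(evaluate(ESTATE_LAST_WEEK), now))
```

Each ControlResult carries the raw config values it was decided on, so the evidence pack is the same data the pass/fail call used rather than a separately maintained checklist; the diff is computed from evaluated results, not from the raw inventories, so a trail rename that does not change coverage produces no noise.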


Tips that get better compliance answers

TIP

Start with a framework. Escher supports the major frameworks out of the box. "SOC 2," "ISO 27001," "PCI" — pick one and Escher applies the right control map.

TIP

Ask for the gap list first. Auditors care about what fails, not what passes. "Show only failing controls" gets you a prioritized fix list.

TIP

Generate the evidence pack early. Don't wait until the week of the audit. Generate the pack now, see what's missing, fix it, regenerate.



Escher — Agentic CloudOps by Tessell