CoursesCompliance as codeFrameworks & controls

Frameworks demystified

CIS, SOC 2, PCI, NIST, ISO as checkable controls.

Advanced30 min · lesson 1 of 15

Compliance as code starts by demystifying the frameworks. To an engineer they can look like impenetrable binders, but each one is really a structured set of controls — requirements you can implement, automate, and evidence. This lesson maps the major frameworks so the rest of the course can turn them into running policy.

The frameworks you will meet

A handful of frameworks cover most engineering work. CIS Benchmarks are concrete configuration-hardening guides (for an OS, a cloud, Kubernetes) you can assess systems directly against. SOC 2 is built on the Trust Services Criteria (security, availability, confidentiality, and more) and is common for SaaS. PCI-DSS applies prescriptively wherever cardholder data is stored, processed, or transmitted. NIST 800-53 is a comprehensive control catalog many other frameworks map to, and underpins FedRAMP for US federal cloud services. ISO 27001 defines an information-security management system. They differ in scope and audience, but all reduce to controls you can express and check.

frameworks reduce to checkable controls
# A single technical control, expressed once, satisfies many frameworks:
#
# control: "Enforce MFA for all console/admin access"
# ├─ SOC 2 → CC6.1 (logical access)
# ├─ PCI-DSS → 8.4 (multi-factor authentication)
# ├─ ISO → A.9.4 (access control)
# └─ NIST → IA-2 (identification & authentication)
#
# Implement + evidence it ONCE; map it to every framework in scope.

From binder to backlog

The mental shift that makes compliance tractable is treating a framework not as a document to read but as a set of controls to implement, automate, and evidence. A control like "enforce encryption at rest" or "log all admin actions" is something you can turn into policy-as-code, a preventive guardrail, and continuous evidence — the subjects of the rest of this course. Framework overlap is your friend here: because one real control often satisfies requirements across SOC 2, PCI, ISO, and NIST at once, you build the control once and map it everywhere, rather than running a separate program per framework.

Major frameworks at a glance
configuration
CIS Benchmarks
hardening baselines to assess against
attestation
SOC 2
Trust Services Criteria (SaaS)
PCI-DSS
cardholder data environment
ISO 27001
ISMS + Annex A controls
catalog / gov
NIST 800-53
control library many map to
FedRAMP
US federal cloud, on NIST baselines
Every framework is a set of controls. Implement each control once and map it to all frameworks it satisfies.
A framework is not a security strategy
Passing a framework proves you meet its checklist — not that you are actually secure. Treat compliance as evidence that real controls operate, and build the controls for genuine risk reduction; a program optimized only for the audit produces "compliant but not secure".