Compliance Consulting¶
Service ownership
Owner: professional-services (ps-pm@clouddigit.ai) — Status: GA — Last audited: 2026-05-11
Map your industry's controls to Cloud Digit services, prepare for audits, design for sovereignty by default.
What it is¶
A consulting engagement that produces documents and runbooks, not code:
- Control-mapping spreadsheet (yours, traceable)
- Sovereignty-attestation pack (for your auditor)
- Gap analysis with remediation backlog
- Pre-audit dry run with mock auditor
- Audit-window support (be on the bridge during the actual audit)
Frameworks we cover¶
| Framework | Engagement length |
|---|---|
| BB ICT Security Guideline 4.0 | 4 – 8 weeks |
| ISO 27001:2022 | 8 – 16 weeks |
| PCI DSS v4.0 | 8 – 12 weeks |
| SOC 2 Type II | 12+ weeks (annual) |
| Bangladesh Personal Data Protection (when enacted) | TBD |
| NBR / Mushak audit readiness | 2 – 4 weeks |
Output¶
Every engagement produces:
- Control mapping — your controls × Cloud Digit services × evidence pointer
- Gap analysis — every "no / partial" with a remediation plan and estimated effort
- Evidence pack template — placeholder structure your team fills in over time
- Audit-prep playbook — 30-day pre-audit checklist tailored to the framework
- Hand-off training — your compliance team can run the next iteration without us
Common combinations¶
- BB ICT 4.0 + PCI DSS — for banks and PSPs
- ISO 27001 + SOC 2 — for SaaS providers
- BB ICT 4.0 + ISO 27001 — for regulated FIs that also want a global cert
- PCI DSS only — for payment processors and card-handling merchants
Pricing¶
Fixed-fee per framework, with T&M for audit-window support. See Pricing.
Operate this service¶
Cloud Digit's compliance team helps you achieve and maintain certifications and regulatory compliance attestations: ISO 27001, PCI DSS, BB ICT 4.0, and BFRS-specific requirements.
Coverage¶
| Standard | What CD helps with |
|---|---|
| ISO 27001 | ISMS design, control implementation, audit prep |
| PCI DSS v4.0 | Scope reduction, control evidence, QSA coordination |
| SOC 2 Type II | Control mapping, evidence collection over a 6-12 month observation period |
| BB ICT 4.0 | Bangladesh Bank-specific cloud usage compliance |
| HIPAA (or equivalent) | Bangladesh has no direct equivalent; health-data requirements are mapped to Bangladesh Bank (BB) requirements |
IAM¶
| Role | Can do |
|---|---|
| compliance.viewer | View engagement deliverables |
| compliance.requester | Open consultation requests |
| compliance.admin | Sign off on engagement scope |
Engagement scope¶
| Phase | Duration | Deliverable |
|---|---|---|
| Assessment | 4-6 weeks | Gap analysis vs target standard |
| Remediation | 3-9 months | Implementation of missing controls |
| Pre-audit | 4-6 weeks | Internal audit + readiness assessment |
| Audit support | Concurrent | Auditor liaison, evidence delivery |
| Maintenance | Ongoing | Annual re-certification support |
Pricing¶
T&M for assessment, fixed-price for remediation milestones, retainer for ongoing.
Assessment phase¶
Per requirement / control, the assessment records:
- Current state (compliant / partially compliant / not compliant)
- Gap analysis
- Remediation effort estimate
- Priority
Output: the Compliance Roadmap.
Remediation patterns¶
CD assists with:
- Technical controls: implementing CSPM templates, security agents, audit pipelines
- Process controls: drafting policies, RACI matrices, runbooks
- People controls: training programs, awareness campaigns
The customer team owns the controls; CD provides expertise and templates.
Evidence collection¶
Auditors need three kinds of evidence:
- Continuous evidence (logs, monitoring data, automated checks)
- Periodic evidence (review meeting notes, signed reports)
- Point-in-time evidence (configuration snapshots, access reports)
CD's SIEM and CSPM generate the continuous evidence; the customer collects the periodic evidence.
Pre-audit dry run¶
4-6 weeks before the audit:
- An internal audit simulates the real audit
- Findings are prioritized for fix-before-audit
- Auditor coordination (mock interviews, evidence packets)
Dry runs typically find 5-15 issues; fixing them before the audit avoids real findings.
During audit¶
The CD compliance lead:
- Coordinates with the QSA / auditor
- Delivers evidence on schedule
- Translates findings for the customer team
- Drafts the response to findings
Annual re-certification¶
Most standards require re-certification on an annual or multi-year cycle:
- Maintain controls throughout the year, not just before the audit
- ISO 27001 runs on a three-year cycle: surveillance audits in years 1 and 2, a full recertification audit in year 3; PCI DSS and SOC 2 Type II are assessed annually
- CD continues as compliance partner
Audit finding raised¶
The auditor identifies a non-conformity:
- The CD compliance lead works with the customer to remediate
- Categorize by severity: critical → fix within the audit window; major → 30 days; minor → 90 days
- Document the remediation plan
- Submit it to the auditor
Most audits have at least minor findings; severity is what matters.
Certification failed¶
The audit failed; certification is denied or revoked:
- Root cause analysis
- Remediation plan
- Re-audit (3-6 months later)
Failure is rare with proper preparation. If it happens, the engagement extends.
Customer team can't sustain controls¶
Post-certification, controls drift:
- Quarterly check-ins from CD
- Automated CSPM detection of drift
- Re-training as needed
Compliance is an ongoing operation, not a one-time achievement.
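The continuous evidence and drift detection mentioned in the evidence-collection and control-drift sections above, as an added example (not Cloud Digit's CSPM or SIEM code, and not part of this page originally): an automated check evaluates a constructed configuration snapshot against a few mapped controls, emits one timestamped evidence record per control, and reports which controls regressed relative to a baseline run. The control IDs, the snapshot layout, and the 365-day retention threshold are assumptions made for the example.

```python
"""Added example: automated control checks as continuous evidence.

Not Cloud Digit's CSPM/SIEM. Control IDs (IAM-01, LOG-01, STO-01, STO-02),
the snapshot shape and the retention threshold are assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Constructed sample snapshots; a real CSPM export has a different shape.
BASELINE_SNAPSHOT = {
    "account": "acct-0001",  # hypothetical account id
    "iam": {"mfa_enforced_for_console": True, "root_access_keys": 0},
    "logging": {"audit_log_enabled": True, "retention_days": 365},
    "storage": [
        {"name": "public-assets", "public_read": False, "encrypted": True},
        {"name": "card-data", "public_read": False, "encrypted": True},
    ],
}

# Same account later: three controls have drifted since the baseline.
CURRENT_SNAPSHOT = {
    "account": "acct-0001",
    "iam": {"mfa_enforced_for_console": False, "root_access_keys": 0},
    "logging": {"audit_log_enabled": True, "retention_days": 365},
    "storage": [
        {"name": "public-assets", "public_read": True, "encrypted": True},
        {"name": "card-data", "public_read": False, "encrypted": False},
    ],
}


@dataclass(frozen=True)
class Evidence:
    control_id: str   # row in the control mapping (hypothetical IDs here)
    status: str       # "pass" or "fail"
    observed: str     # the concrete fact an auditor can read
    checked_at: str   # UTC ISO-8601 timestamp of the check


# Each check returns (passed, what_was_observed).
def mfa_enforced(snap):
    ok = bool(snap["iam"]["mfa_enforced_for_console"])
    return ok, f"mfa_enforced_for_console={ok}"


def audit_log_retained(snap, min_days=365):
    log = snap["logging"]
    ok = bool(log["audit_log_enabled"]) and log["retention_days"] >= min_days
    return ok, (f"audit_log_enabled={log['audit_log_enabled']}, "
                f"retention_days={log['retention_days']} (min {min_days})")


def no_public_buckets(snap):
    public = [b["name"] for b in snap["storage"] if b["public_read"]]
    return not public, f"public_read buckets={public}"


def all_buckets_encrypted(snap):
    plain = [b["name"] for b in snap["storage"] if not b["encrypted"]]
    return not plain, f"unencrypted buckets={plain}"


CONTROLS = {
    "IAM-01": mfa_enforced,
    "LOG-01": audit_log_retained,
    "STO-01": no_public_buckets,
    "STO-02": all_buckets_encrypted,
}


def run_checks(snap, now=None):
    """Evaluate every mapped control; one Evidence record per control."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for control_id, check in CONTROLS.items():
        ok, observed = check(snap)
        records.append(Evidence(control_id, "pass" if ok else "fail", observed, ts))
    return records


def failing(records):
    """Sorted IDs of controls that failed in this run."""
    return sorted(r.control_id for r in records if r.status == "fail")


def drift(baseline, current):
    """Controls that passed in the baseline run but fail in the current one."""
    before = {r.control_id: r.status for r in baseline}
    return sorted(r.control_id for r in current
                  if r.status == "fail" and before.get(r.control_id) == "pass")


def to_jsonl(records):
    """One JSON object per line, the form a SIEM ingests as evidence."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in records)


if __name__ == "__main__":
    base = run_checks(BASELINE_SNAPSHOT)
    cur = run_checks(CURRENT_SNAPSHOT)
    print(to_jsonl(cur))
    print("drifted:", drift(base, cur))
```

Run on a schedule, the JSON lines form the continuous-evidence stream; the `drift` output is what triggers the check-in or re-training described above, and the `observed` field is what an auditor reads instead of a bare pass/fail.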
Scope creep during engagement¶
The customer adds new standards mid-engagement:
- Renegotiate scope and timeline
- Some standards have synergies (ISO 27001 + SOC 2 share many controls)
- Some are largely independent (PCI DSS + BB ICT 4.0)
Disagreement with auditor¶
The customer disputes a finding:
- The CD compliance lead mediates
- Document the customer's position
- The auditor's judgment usually prevails
- Escalation to the certification body in rare cases
Audit delayed¶
The audit is not happening on schedule, typically because of:
- Auditor backlog (lead times of months)
- Customer not ready (remediation incomplete)
- Coordination issues
A continuous compliance posture means being audit-ready at all times, regardless of schedule.
Compliance vs business friction¶
Compliance controls add friction (review boards, approvals):
- Streamline where possible (automation, delegation)
- Apply risk-based approaches where the standard allows
- Accept some friction; it is the cost of regulated operation