ComplianceToArchitecture.com
Worked examples · 6 crosswalks

How to read these examples.

Each example shows ONE reusable capability satisfying clauses across MANY frameworks — proof you can map evidence once and satisfy several regulators without duplicate work.


Worked examples

Six concrete crosswalks. Each shows how a single reusable capability satisfies clauses across multiple regulatory frameworks, what architecture it requires, and what evidence it emits. The pattern repeats across every capability in the framework.

Example 1 · #iam-access-review

Periodic identity and access review

Satisfies — 6 clause refs

  • ISO_27001 · A.5.18 · Access rights
  • SOC_2 · CC6.3 · Logical access removal
  • PCI_DSS · 7.2.5 · Access reviewed every 6 months
  • NIST_CSF · PR.AA-05 · Access permissions, entitlements, and authorisations
  • HIPAA · §164.308(a)(4) · Information access management
  • GDPR · Art. 32 · Security of processing — confidentiality and integrity

Architecture required

  • RBAC / ABAC policy engine (Cerbos / OPA / Cedar)
  • Centralised identity event log (immutable, 7y retention)
  • Quarterly review workflow (four-eyes approval)
  • Joiner-mover-leaver automation

Evidence emitted

  • Access-review attestation (PDF / JSON, signed)
  • Revocation log (delta between reviews)
  • Reviewer + approver identities (with timestamps)

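The two evidence items above, the revocation log as a delta between two review cycles and a four-eyes attestation over it, as an added Python example (not ReguNav's code). The entitlement snapshots, user names and the HMAC signing key are constructed; in production the signature would come from a KMS/HSM-held key as listed in Example 5.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed entitlement snapshots (user -> roles) from two review cycles.
# Names and the signing key are this example's own, not ReguNav's.
PREVIOUS = {"alice": {"admin", "billing"}, "bob": {"billing"}, "carol": {"readonly"}}
CURRENT_SNAPSHOT = {"alice": {"billing"}, "bob": {"admin", "billing"}, "dave": {"readonly"}}
SIGNING_KEY = b"constructed-demo-key"  # production: KMS/HSM-held key, never in source
REVIEW_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

def review_delta(previous, current):
    """Revocation log: entitlements removed and added between two reviews."""
    revoked, granted = [], []
    for user in sorted(set(previous) | set(current)):
        before, after = previous.get(user, set()), current.get(user, set())
        revoked += [(user, r) for r in sorted(before - after)]
        granted += [(user, r) for r in sorted(after - before)]
    return {"revoked": revoked, "granted": granted}

def attest(delta, reviewer, approver, at):
    """Four-eyes attestation as JSON; the HMAC stands in for a real signature."""
    if reviewer == approver:
        raise ValueError("four-eyes rule: reviewer and approver must differ")
    body = {"delta": delta, "reviewer": reviewer, "approver": approver,
            "reviewed_at": at.isoformat()}
    payload = json.dumps(body, sort_keys=True).encode()
    body["signature"] = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return body

def verify(attestation):
    """Auditor-side check that the attestation body was not altered after signing."""
    body = {k: v for k, v in attestation.items() if k != "signature"}
    expected = hmac.new(SIGNING_KEY, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation["signature"])
```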
Example 2 · #incident-72h

Breach / incident notification within 72 hours

Satisfies — 6 clause refs

  • GDPR · Art. 33 · Notification of a personal data breach
  • NIS2 · Art. 23 · Reporting obligations
  • DORA · Art. 19 · Major ICT-related incident reporting
  • EU_AI_ACT · Art. 73 · Reporting of serious incidents
  • HIPAA · §164.408 · Breach notification — to Secretary
  • PIPL_CHINA · Art. 57 · Notification of personal information leakage

Architecture required

  • Incident-response runbook engine
  • Regulator-shaped notification templates (per jurisdiction)
  • Automated 72h timer + escalation alerting
  • Forensic data-capture pipeline (chain of custody)

Evidence emitted

  • Initial notification with timestamp (within 72h)
  • Full incident report (root cause, scope, mitigation)
  • Affected-subject notifications (if applicable)

Example 3 · #data-retention

Data minimisation and lawful retention

Satisfies — 5 clause refs

  • GDPR · Art. 5(1)(e) · Storage limitation
  • CCPA · §1798.100(c) · Retention disclosure
  • DPDP_INDIA · §8(7) · Erasure on purpose completion
  • ISO_27701 · 8.4.2 · Disposal of media
  • LGPD_BRAZIL · Art. 15 · Termination of processing

Architecture required

  • Retention-policy engine (per-tenant, per-data-class)
  • Automated purge jobs (cryptographic erasure)
  • Legal-hold override register

Evidence emitted

  • Retention schedule (signed, versioned)
  • Purge job logs (what was deleted, when, by whom)
  • Legal-hold attestations

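The three architecture pieces above working together, as an added Python example (not ReguNav's code): a per-tenant, per-data-class policy lookup, a purge job that erases by destroying the record's data-encryption key, a legal-hold register that overrides expiry, and a purge log recording what was deleted, when and by whom. Tenant, data-class and key names are constructed, and the in-memory key store stands in for a KMS.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed sample data; the class names are this example's own, not ReguNav's.
@dataclass
class Record:
    record_id: str
    tenant: str
    data_class: str
    created: datetime
    key_id: str  # per-record data-encryption key; destroying it is the erasure

@dataclass
class RetentionEngine:
    policies: dict            # (tenant, data_class) -> retention in days
    key_store: dict           # key_id -> key material (stand-in for a KMS)
    legal_holds: set = field(default_factory=set)   # record_ids on legal hold
    purge_log: list = field(default_factory=list)   # evidence: what / when / who

    def is_expired(self, rec, now):
        days = self.policies.get((rec.tenant, rec.data_class))
        # No policy means no documented basis to auto-purge: never delete silently.
        return days is not None and now - rec.created > timedelta(days=days)

    def run_purge(self, records, now, actor):
        entries = []
        for rec in records:
            if not self.is_expired(rec, now):
                continue
            entry = {"record_id": rec.record_id, "tenant": rec.tenant,
                     "data_class": rec.data_class, "at": now.isoformat(),
                     "by": actor}
            if rec.record_id in self.legal_holds:
                entry["action"] = "skipped_legal_hold"   # override register wins
            else:
                # Cryptographic erasure: drop the key; the ciphertext is now unreadable.
                self.key_store.pop(rec.key_id, None)
                entry["action"] = "crypto_erased"
            entries.append(entry)
        self.purge_log.extend(entries)   # one log per run, retained as evidence
        return entries

def demo():
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    policies = {("acme", "support_ticket"): 365, ("acme", "invoice"): 3650}
    eng = RetentionEngine(policies, {"k1": b"K1", "k2": b"K2", "k3": b"K3"}, legal_holds={"r2"})
    recs = [Record("r1", "acme", "support_ticket", now - timedelta(days=400), "k1"),
            Record("r2", "acme", "support_ticket", now - timedelta(days=400), "k2"),
            Record("r3", "acme", "invoice", now - timedelta(days=400), "k3")]
    return eng, eng.run_purge(recs, now, actor="purge-job@scheduler")
```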
Example 4 · #ai-human-oversight

Human oversight of high-risk AI systems

Satisfies — 4 clause refs

  • EU_AI_ACT · Art. 14 · Human oversight
  • ISO_42001 · §8.3 · AI system impact assessment
  • NIST_AI_RMF · GOVERN 1.3 · Accountability structures
  • HIPAA · §164.312(a)(2)(i) · Unique user identification

Architecture required

  • Human-in-the-loop review queue
  • Override + escalation API
  • Model confidence threshold enforcement
  • Audit log of every human override decision

Evidence emitted

  • Override decision log (with reviewer identity)
  • Operator training records
  • Annual oversight-effectiveness report

Example 5 · #encryption-rest-transit

Encryption at rest and in transit

Satisfies — 5 clause refs

  • ISO_27001 · A.8.24 · Use of cryptography
  • PCI_DSS · 3.5 · Protect stored cardholder data
  • HIPAA · §164.312(a)(2)(iv) · Encryption and decryption
  • GDPR · Art. 32(1)(a) · Pseudonymisation and encryption
  • SOC_2 · CC6.7 · Transmission of data

Architecture required

  • KMS / HSM integration (AWS KMS / GCP CloudKMS / Azure Key Vault)
  • TLS 1.3 enforcement (cipher suite allowlist)
  • Key-rotation schedule (max 365 days)
  • Envelope encryption for application secrets

Evidence emitted

  • Cipher-suite scan report (Qualys SSL Labs A+)
  • Key-rotation log
  • KMS access audit log

Example 6 · #vendor-risk

Third-party / vendor risk assessment

Satisfies — 5 clause refs

  • ISO_27001 · A.5.19 · Information security in supplier relationships
  • SOC_2 · CC9.2 · Vendor and business partner management
  • DORA · Art. 28 · ICT third-party risk
  • NIS2 · Art. 21(2)(d) · Supply chain security
  • EU_AI_ACT · Art. 25 · Obligations along the AI value chain

Architecture required

  • Vendor registry (CMDB-integrated)
  • SOC 2 / ISO 27001 attestation tracker
  • Subprocessor change-notification workflow
  • DPA / SCC repository

Evidence emitted

  • Vendor risk score (per vendor, per quarter)
  • Subprocessor list (public, versioned)
  • Incident notifications from vendors

Submit your own crosswalk

Found a capability the open seed doesn't cover? Open a PR on the framework repo with a crosswalk that follows the format above. Each accepted crosswalk ships in the next v0.x release.
