Compliance quick reference for SREs

First PublishedMay 1, 2026ByAtif Alam

Use this page when you need a fast orientation: “We are in scope for X — what should I open or verify first?” It links outward; it does not replace your control register or auditor pack.

Not legal, audit, or compliance advice. Your GRC and legal owners define authoritative mappings and scope.

Matrix: framework × concern

Rows are common regimes; columns are where SREs and platform teams usually spend time. Cells are starting points only.

Concern	SOC 2 (TSC-style)	ISO 27001 (high level)	HIPAA (technical ops angle)	PCI DSS (pipeline / platform slice)	CIS
Pipeline / change	Compliance and audit (SOC 2 table); Security scanning	Same CI/CD evidence story; Policy as code	Change control + access to PHI paths; Compliance	Build/deploy integrity, access to CDE-related automation; Artifact management	CIS controls and cloud benchmarks — secure config + change
Runtime / platform	Production platform checklist; PSS	Hardening, availability, logging	PHI systems segmentation awareness with platform; Network policies and TLS and certificates where applicable	Segmentation, logging, patching discipline; Kubernetes troubleshooting	Same CIS page + benchmarks for AWS/Azure
Identity & secrets	AWS IAM, AWS secrets, Kubeconfig and authentication	Access control evidence	Minimum necessary access, break-glass process with security	Strong auth for CI/CD and admins; secrets rotation	IAM + secrets + Security scanning (secret detection)
Evidence & audit	Audit fieldwork — walkthroughs, sampling	Same page for ISO-style evidence patterns	Audit trails, access reviews (coordinate with compliance)	Evidence for changes touching CDE; ticketing + CI logs	Benchmark reports + continuous assessment story

SOC 2 — quick checks

Pipeline and change

Compliance and audit — SOC 2 criteria ↔ CI/CD controls you can show.
Security scanning — SAST, SCA, container/IaC scans run where policy says.
Policy as code — PR and/or admission checks aligned with risk.

Runtime and platform

Production platform checklist — Ownership, blast radius, upgrades.
Pod Security Standards — Namespace policy posture understood.

Identity and secrets

RBAC and cloud IAM — least privilege for humans and automation.
AWS secrets (or org secret store) — rotation and pipeline access patterns documented.

Evidence and audit

Audit fieldwork and evidence for engineers — Common SOC 2 themes and what engineers actually produce.

ISO 27001 — quick checks

Audit fieldwork — Evidence types and walkthroughs (ISO overlaps heavily with SOC 2-style fieldwork in practice).
Compliance and audit — Change and access evidence from pipelines.
Observability — Logging and retention aligned to policy.

HIPAA — quick checks (technical / ops angle only)

Compliance — Change management and access logs for systems that touch PHI (coordinate scope with compliance).
Network policies and Encryption at edge where applicable — defense in depth, not a HIPAA program by itself.
Incident response and on-call — Breach-style run coordination with legal/security.

PCI DSS — quick checks (platform slice)

Compliance — Separation of duties and deploy evidence for in-scope paths.
Network policies and perimeter docs — AWS networking, VPC connectivity as needed.
Security scanning — Dependency and container risk for in-scope services.

CIS — quick checks

CIS controls and cloud benchmarks — Program vs AWS / Azure Foundations; maps into this library.
AWS security services — CIS AWS Foundations row in vendor tooling context.
Azure security — CIS Microsoft Azure Foundations references.

DevSecOps overview
SOC 2 for platform teams — Even shorter “read this next” hub.
Service readiness checklist — Operational readiness without compliance framing.