Compliance posture overview

The SCO read-only thesis, pointed at compliance: framework coverage, control status, evidence freshness, findings, and audit readiness — observed across your GRC and policy systems to surface drift, not to run your program.

What this is, and what it is not. A preview of a future cluster, not a live product. In production it would sit read-only on top of your GRC, policy, evidence, and identity systems — reading control status, evidence metadata, and policy records to surface coverage, freshness, and audit drift. It is not a system of record, does not file or attest on your behalf, does not remediate, and does not generate compliance claims. The knowledge index references what your operational modules already surface; it makes no autonomous decisions. Figures here are synthetic.

82

Posture score

+6 YoY

6

Frameworks tracked

88%

Control coverage

+4 pts

91%

Evidence current

37

Open findings

9

Findings overdue

94%

Policies current

3 / 6

Audit-ready frameworks

Compliance posture trend & plan synthetic

PosturePlanBand

Open findings by domain synthetic

Signals worth attention

9 findings overdue, 3 on SOC 2 CC6 — the clearest audit exposure; close before the next evidence pull.

11 evidence artifacts expire within 30 days — renew to hold control coverage above 88%.

Posture up 6 points YoY — control automation and faster evidence cycles are compounding toward 90.

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Frameworks

Coverage across the frameworks your customers and regulators ask about. Each framework maps to the same shared control set, so evidence collected once satisfies many.

6

Frameworks

389

Controls mapped

82%

Avg coverage

2

Frameworks <80%

Framework coverage synthetic

Control count and current coverage per framework. One control often maps to several frameworks.

Framework	Scope	Controls	Coverage	Status	Next milestone
SOC 2 Type II	Trust services (CC, A, C)	64	89%	on track	Window opens Q3
ISO 27001	ISMS, Annex A	93	82%	in progress	Stage 1 Q4
GDPR	Data protection, DPA	41	90%	on track	DPIA refresh Q3
HIPAA	Security & privacy rules	54	76%	in progress	Risk analysis Q3
NIST CSF 2.0	Govern → Recover	106	71%	baseline	Profile Q4
PCI DSS 4.0	Scoped (SAQ-A)	31	84%	on track	Attestation Q4

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Control register

Every control, its frameworks, owner, and the freshness of the last test. Status buckets honestly: met, partial, or gap.

389

Controls

88%

Met

9%

Partial

3%

Gap

Control status synthetic

How to read this

Met controls have current, mapped evidence.

Partial controls have aging or incomplete evidence.

Gap controls have no current evidence — the audit priority.

Control detail (drill-down) synthetic

Control	Frameworks	Description	Status	Owner	Last tested
CC6.1	SOC 2 / ISO A.9	Logical access — least privilege	met	Security	12 days ago
CC7.2	SOC 2 / NIST DE	Continuous monitoring & alerting	met	SecOps	8 days ago
A.12.3	ISO 27001	Backup & restore verification	partial	Platform	41 days ago
164.308	HIPAA	Workforce risk & sanctions	partial	People	aging
CC8.1	SOC 2	Change management approvals	met	Eng	5 days ago
A.18.1	ISO 27001	Records retention & disposal	gap	Legal	not tested

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Evidence library

Evidence mapped to controls, with freshness and expiry. Collected once, reused across frameworks. The library is read-only and references where each artifact lives.

1,240

Evidence artifacts

91%

Current

6%

Aging

3%

Expired

Evidence freshness synthetic

Evidence collected per quarter synthetic

Evidence detail synthetic

Artifact	Controls	Freshness	Cadence	Source
Access review export	CC6.1, A.9.2	Current	auto, 90d	IdP
Backup restore log	A.12.3	Aging	manual, 180d	Platform
Pen-test report	CC4.1	Expired	annual	External
Change tickets sample	CC8.1	Current	auto, 30d	ITSM
DPIA record	GDPR Art.35	Current	annual	Legal
Training completion	164.308	Aging	quarterly	LMS

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Findings & remediation

Open findings, severity, owner, and due date — with an honest bridge of what opened, what closed, and what remains.

37

Open findings

4

High

9

Overdue

21 days

Median age

Findings bridge (quarter) synthetic

How to read this

Overdue findings are the audit-exposure priority.

In-progress findings have an owner and a date.

Closures are validated against evidence before they leave the register.

Open findings synthetic

Finding	Framework	Severity	Owner	Due	Status
Backup restore not verified this period	A.12.3	high	Platform	overdue 11d	open
Records retention schedule undefined	A.18.1	high	Legal	due in 9d	open
Access review evidence aging	CC6.1	medium	Security	due in 14d	in progress
Pen-test refresh required	CC4.1	high	SecOps	scheduled	planned
HIPAA risk analysis incomplete	164.308	medium	People	due in 20d	in progress
Vendor DPA missing — 1 sub-processor	GDPR	medium	Legal	due in 7d	open

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Audit readiness

Readiness per framework, the gaps that remain, and when each window opens. Readiness is the share of in-scope controls with current, mapped evidence.

3 / 6

Audit-ready

82%

Avg readiness

17

Gaps to close

Q3

Next window

Readiness trend synthetic synthetic

Blended readiness across tracked frameworks, trailing 8 quarters with plan.

Readiness by framework synthetic

Framework	Readiness	Gaps	Window
SOC 2 Type II	89%	4	Window opens Q3
ISO 27001	82%	6	Stage 1 Q4
GDPR	90%	2	DPIA refresh Q3
HIPAA	76%	5	Risk analysis Q3
PCI DSS	84%	3	Attestation Q4

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Policy register

Policies, versions, owners, review cadence, and attestation. Each policy maps to the controls it supports, so a lapse surfaces as a control risk.

48

Policies

94%

Current

3

Due for review

96%

Attested

Policy detail synthetic

Policy	Version	Owner	Last review	Attestation
Information Security Policy	v3.2	CISO	reviewed 2mo ago	98%
Access Control Policy	v2.1	Security	reviewed 4mo ago	97%
Data Retention Policy	v1.0	Legal	due this quarter	—
Incident Response Plan	v2.4	SecOps	reviewed 1mo ago	99%
Acceptable Use Policy	v3.0	People	reviewed 3mo ago	95%
Vendor Management Policy	v1.3	Procurement	due this quarter	91%

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Knowledge index

A read-only, lineage-anchored index across every operational domain — so a control, a finding, or a policy resolves to the source record behind it. The audit-readiness surface that compounds with each module.

A federated index, not an oracle. The knowledge layer indexes what your operational modules already surface — policies, evidence, findings, and the signals from every domain — into one read-only, lineage-anchored reference. It links to source records; it does not generate answers, summaries, or claims on its own. Every reference traces to a system of record.

14

Domains indexed

3,820

Source records

92%

References current

100%

Lineage-anchored

Indexed references per quarter synthetic synthetic

Index coverage by domain synthetic

Domain	Sources	Records	Freshness
Procurement	ERP, eProc	412	current
Finance	ERP, AP, Treasury	308	current
Risk	GRC	221	current
Security	IdP, SIEM	356	aging
Quality	QM, MES	274	current
Legal	CLM	189	current
People	HRIS	246	current

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Access & data governance

How data is held, who can reach it, and how that is proven — residency, retention, least privilege, and encryption. The posture AssetShop applies to itself, surfaced honestly.

100%

Data in tenant region

Quarterly

Access reviews

Least-priv

Default posture

0

Standing prod access

Governance controls synthetic

Area	Approach	Status	Cadence	Last verified
Data residency	Per-tenant, region-pinned	met	continuous	verified
Access reviews	Role recertification	met	quarterly	2mo ago
Retention & disposal	Schedule by data class	partial	annual	policy pending
Least privilege	JIT elevation, no standing access	met	continuous	verified
Encryption	At rest & in transit, KMS	met	continuous	verified
Audit logging	Immutable, anchored	met	continuous	verified

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Sub-processors & vendor compliance

Every sub-processor, its purpose, DPA status, attestation, and data region — the list a security questionnaire asks for, kept current.

9

Sub-processors

8

DPA in place

1

DPA pending

100%

Region-disclosed

Sub-processor detail synthetic

Mirrors the published sub-processor list. One DPA is in review and flagged as a finding.

Sub-processor	Purpose	DPA	Attestation	Region
Cloud hosting (primary)	Compute & storage	in place	SOC 2 / ISO	US / EU
Object storage	Evidence & backups	in place	SOC 2	US
Error monitoring	Telemetry	in place	SOC 2	US
Email delivery	Transactional mail	in place	SOC 2	US
Analytics (privacy-first)	Product usage	pending	in review	EU
Identity provider	SSO / SCIM	in place	SOC 2 / ISO	US / EU

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Connectors & data

Where Knowledge & Compliance would read from, and the posture it would read with — read-only, conformance-certified, never writing back.

Read-only sources synthetic

Each connector declares exactly what it reads. Adapters ship with a conformance certificate; none are write-enabled.

Source	Reads	Mode	Assurance
GRC / control platform	Control status, mappings	read-only	conformance cert
Policy store / CLM	Policies, versions, attestation	read-only	conformance cert
Identity provider	Access, reviews, MFA state	read-only	conformance cert
Evidence stores	Artifacts, freshness, expiry	read-only	conformance cert
Ticketing / ITSM	Findings, change records	read-only	conformance cert
Operational modules	Cross-domain signals & lineage	read-only	internal

Posture

Read-only on top of your systems — control status and evidence metadata, never secrets or write paths.

Adapter conformance is reported honestly; scaffolds return 0/12 until validated on a live tenant.

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.

Signals & opportunities

Compliance signals — control gaps, expiring evidence, overdue findings, attestation lapses — ranked so the audit-exposure items rise first.

9

Open signals

17

Gaps

3

High

11

Addressable

Detected signals synthetic

Each signal is an observation with source lineage; confidence reflects how directly the data supports it.

Signal	Area	Severity	Magnitude	Conf.	Source
Overdue findings — SOC 2 CC6	Audit	high	9 findings	high	GRC
Evidence expiring < 30 days	Evidence	high	11 artifacts	high	evidence store
Control gaps — retention	Controls	medium	3 controls	high	GRC
Policy reviews due	Policy	medium	3 policies	high	CLM
Sub-processor DPA pending	Vendor	medium	1 vendor	high	CLM
Attestation lapse — 1 policy	Policy	low	9% gap	med	CLM
HIPAA risk analysis incomplete	Audit	low	1 item	med	GRC

Opportunities the signals point to

What the observation suggests. AssetShop quantifies; your team decides and acts in the source systems.

9 items

Close overdue findings on SOC 2 CC6 before the evidence pull.

11 art

Renew expiring evidence to hold control coverage above 88%.

3 ctrl

Define retention controls to clear the open gap.

1 DPA

Execute the pending sub-processor DPA ahead of the GDPR review.

How to read this

High signals are concentrated and well-evidenced — act on these first.

Confidence separates observed facts from modeled estimates.

Every figure traces to a read-only source. Nothing here is written back.

Synthetic preview of a future cluster. In production, derived read-only from GRC, policy, evidence, and identity systems with SHA-256-anchored lineage, as in SCO. AssetShop surfaces posture; it does not file, attest, or remediate on your behalf.