Overview
Extend AuditKit beyond technical scanning to generate complete governance documentation (policies, standards, procedures) that maps directly to technical controls and evidence, eliminating "Excel merge week" during audits.
Problem Statement
As highlighted by community feedback from an ex-auditor:
"Auditors don't just ask 'did you scan?', they ask 'show me the policy, the standard, the procedure, and the evidence that it's enforced.' Right now that lives in a mess of Google Docs, Confluence, and screenshots."
Technical compliance scanning is only 30% of audit prep. The other 70% is documentation that proves:
- You have policies defining security requirements
- You have standards implementing those policies
- You have procedures showing how to execute
- Your technical controls actually enforce the above
Proposed Solution
Phase 1: Control Mapping Layer (Priority: HIGH - v0.7.0)
Example:
# /mappings/soc2_cc6_3.yaml
control: CC6.3
name: "Encryption at Rest"
description: "The entity encrypts data at rest"
technical_checks:
- aws.s3.encryption
- azure.storage.encryption
- scubagear.MS.SHAREPOINT.1.2
policy_requirements:
- "All data at rest must be encrypted using AES-256 or stronger"
- "Encryption keys must be rotated annually"
- "Key management must follow principle of least privilege"
evidence_required:
- screenshot: "S3 bucket encryption settings"
- screenshot: "KMS key rotation configuration"
- document: "Key management procedure"
Phase 2: Policy Generation (Priority: MEDIUM - v0.8.0)
Example usage:
# Initialize governance docs for your stack
auditkit docs init \
--framework soc2 \
--providers aws,azure \
--integrations scubagear \
--org "Acme Corp" \
--data-retention 90 \
--key-rotation 365
# Generate complete audit package
auditkit report --unified --include-governance --output audit-package/
Phase 3: Complete Audit Binder (Priority: LOW - Future)
Technical Implementation
Architecture
/docpacks/
├── base/ # Framework-agnostic templates
│ ├── policies/
│ │ ├── information_security.md
│ │ ├── access_control.md
│ │ ├── encryption.md
│ │ ├── logging_monitoring.md
│ │ ├── incident_response.md
│ │ ├── change_management.md
│ │ ├── vendor_risk.md
│ │ └── bcdr.md
│ ├── standards/
│ │ ├── technical_standards.yaml
│ │ └── operational_standards.yaml
│ └── procedures/
│ └── evidence_collection.md
├── soc2/ # SOC2-specific additions
│ ├── control_matrix.yaml
│ └── cuecs.md
├── pci/ # PCI-specific requirements
│ ├── control_matrix.yaml
│ └── network_diagram_template.md
└── iso27001/ # ISO-specific
└── statement_of_applicability.md
/pkg/governance/
├── generator.go # Document generation engine
├── mapper.go # Control↔Policy↔Evidence mapping
├── templates.go # Template processing
└── variables.go # Organization variables
Policy Template Example
<!-- /docpacks/base/policies/encryption.md -->
# {{ORG_NAME}} Encryption Policy
**Document ID:** POL-SEC-003
**Version:** {{VERSION}}
**Effective Date:** {{EFFECTIVE_DATE}}
**Owner:** {{CISO_NAME}}
**Classification:** {{CLASSIFICATION}}
## 1. Purpose
This policy establishes requirements for protecting {{ORG_NAME}} information through encryption.
## 2. Scope
This policy applies to all {{ORG_NAME}} systems processing {{DATA_CLASSIFICATIONS}}.
## 3. Policy Statements
### 3.1 Encryption at Rest
- All {{SENSITIVE_DATA_TYPES}} MUST be encrypted at rest
- Minimum encryption standard: {{MIN_ENCRYPTION_STANDARD}}
- Key length: {{MIN_KEY_LENGTH}} bits minimum
**Technical Implementation:** {{LINK:aws.s3.encryption,azure.storage.encryption}}
**Last Validated:** {{LAST_SCAN_DATE}}
**Compliance Status:** {{COMPLIANCE_STATUS:CC6.3}}
### 3.2 Encryption in Transit
- All data transmission MUST use TLS {{MIN_TLS_VERSION}} or higher
- Deprecated protocols (SSL, TLS 1.0, TLS 1.1) are PROHIBITED
**Technical Implementation:** {{LINK:aws.elb.tls,azure.appgw.ssl}}
**Last Validated:** {{LAST_SCAN_DATE}}
**Compliance Status:** {{COMPLIANCE_STATUS:CC6.3}}
### 3.3 Key Management
- Encryption keys MUST be rotated every {{KEY_ROTATION_DAYS}} days
- Key material MUST NOT be stored with encrypted data
- Keys MUST be managed using {{KMS_SOLUTION}}
## 4. Compliance Mapping
- SOC2: CC6.3, CC6.7
- PCI-DSS: 3.4, 3.4.1, 4.1
- ISO 27001: A.10.1
## 5. Exceptions
Exceptions must be approved by {{APPROVAL_ROLE}} and documented in {{GRC_SYSTEM}}.
## 6. Enforcement
Non-compliance will be automatically detected via AuditKit scans and reported to {{SECURITY_TEAM}}.
Variables Configuration
# /templates/variables.yaml
organization:
ORG_NAME: "Acme Corp"
CISO_NAME: "Jane Smith"
SECURITY_TEAM: "security@acme.com"
technical:
MIN_ENCRYPTION_STANDARD: "AES-256"
MIN_KEY_LENGTH: 256
MIN_TLS_VERSION: "1.2"
KEY_ROTATION_DAYS: 365
KMS_SOLUTION: "AWS KMS"
compliance:
DATA_CLASSIFICATIONS: ["PII", "PCI", "Confidential"]
SENSITIVE_DATA_TYPES: ["customer data", "payment information", "employee records"]
systems:
GRC_SYSTEM: "ServiceNow GRC"
APPROVAL_ROLE: "Chief Information Security Officer"
Success Criteria
Acceptance Testing
-
Document Generation
- Generate full policy set for SOC2
- Variables properly replaced
- Technical controls linked correctly
-
Mapping Accuracy
- Every technical check maps to policy section
- Every policy requirement has technical validation
- Evidence requirements clearly defined
-
Auditor Review
- Get feedback from actual auditors
- Validate against real audit requirements
- Ensure format matches expectations
Risk Considerations
⚠️ Legal Disclaimer Required
- Templates are examples only
- Organizations must review and customize
- Not legal advice
- No guarantee of compliance
Community Contribution
Looking for help with:
- Policy template contributions
- Control mapping validation
- Auditor feedback on format
- Industry-specific requirements (HIPAA, FedRAMP)
Monetization Potential
- Free Tier: Basic templates, community-maintained
- Pro Tier: Industry-specific templates, quarterly updates
- Enterprise: Custom templates, audit support
Related Issues
- #[TBD] - ScubaGear integration
- #[TBD] - Plugin architecture
- #[TBD] - Evidence orchestration
Labels: enhancement, documentation, help-wanted
Milestone: v0.8.0 (Phase 2)
Overview
Extend AuditKit beyond technical scanning to generate complete governance documentation (policies, standards, procedures) that maps directly to technical controls and evidence, eliminating "Excel merge week" during audits.
Problem Statement
As highlighted by community feedback from an ex-auditor:
Technical compliance scanning is only 30% of audit prep. The other 70% is documentation that proves:
Proposed Solution
Phase 1: Control Mapping Layer (Priority: HIGH - v0.7.0)
Example:
Phase 2: Policy Generation (Priority: MEDIUM - v0.8.0)
Example usage:
Phase 3: Complete Audit Binder (Priority: LOW - Future)
Technical Implementation
Architecture
Policy Template Example
Variables Configuration
Success Criteria
Acceptance Testing
Document Generation
Mapping Accuracy
Auditor Review
Risk Considerations
Community Contribution
Looking for help with:
Monetization Potential
Related Issues
Labels: enhancement, documentation, help-wanted
Milestone: v0.8.0 (Phase 2)