COMPLIANCE HAS CHANGED
Compliance became a condition of sale.
It stopped being a checkbox exercise: today the client, the insurer and the regulator ask for proof, not your word.
What changed for your company: large contracts, partnerships and insurance policies now require evidence of compliance before signing. In due diligence, the company that cannot show the documentation loses the deal to the one that can, even if both do the same work in practice.
The detail that catches everyone out: compliance is not security. You can be reasonably secure and still fail an audit, because what the auditor demands is not only the tool but the documented evidence that each control is followed consistently.
If an important client demanded proof of your compliance today as a condition to sign, how long would it take your company to gather the documentation, and would it pass?
Most companies only discover their own compliance gaps once those gaps have already cost a contract or turned into a fine. The global average cost of a data breach reached 4.44 million dollars in 2025 (IBM Cost of a Data Breach Report 2025), and much of the penalty comes not from the attack itself but from the lack of evidence: 76% of healthcare privacy penalties stemmed from the absence of a documented risk analysis (HIPAA Journal, on OCR settlements). This Compliance Audit Express reverses the order: in three minutes it applies the same reasoning as an audit, so you know where you stand before someone on the outside finds out for you.
WHICH AUDIT APPLIES TO YOU
Which audit applies to you?
Before measuring readiness, it helps to know which standard your business needs to meet. Open each framework to see, in one line, who needs it, what it requires and the penalty of not being ready.
HIPAA
Who needs it: you store, process or transmit patients' health data: medical records, lab results, health plans.
HIPAA is the United States law that protects the privacy and security of health data. It requires administrative, physical and technical controls over any patient information, and it applies to clinics, hospitals and health plans as well as to the vendors that touch that data.
What it requires: a documented risk analysis, access control over medical records, encryption, agreements with the vendors that access the data, and a record of who accessed what.
Penalty of not being ready: fines and loss of trust; 76% of healthcare privacy penalties came from the lack of a documented risk analysis (HIPAA Journal, on OCR settlements).
GDPR and LGPD
Who needs it: you handle personal data of customers or citizens: from Europe, under the GDPR; from Brazil, under the LGPD.
The GDPR (Europe) and its local counterpart, the LGPD (Brazil), are personal-data protection laws centered on the data subject's rights: consent, access, correction and deletion. There is no certifying body that hands you a seal, but there is a penalty when the requirements are not met, so claiming compliance means doing and documenting the work.
What it requires: the legal basis for processing each piece of data, how you handle data subject rights, the inventory of where the data lives, and evidence that the program exists and is followed.
Penalty of not being ready: fines proportional to revenue and reputational damage, even with no certifying body to issue a seal.
PCI DSS
Who needs it: you accept, process or store payment card data.
PCI DSS is the card-industry standard that defines how to protect cardholder data. It allows self-attestation for smaller volumes and requires an external assessor as volume grows. The evidence for each control is what sustains your compliance.
What it requires: segmentation of the network that touches card data, encryption, access control, regular testing, and continuous logging of the controls.
Penalty of not being ready: not only financial; it is losing the ability to process card payments.
SOC 2
Who needs it: you want to close with corporate clients, especially in the United States, who require proof of security before signing.
SOC 2 is an audit report that proves a set of security and organizational controls against trust criteria. It is not imposed by law, but the report moves the deal forward and opens enterprise doors. Whoever asks for it wants to see evidence, not a promise.
What it requires: an independent auditor evaluates the controls over a period (the Type II report) and issues a report you can share with your client.
Penalty of not being ready: without it, the enterprise sale stops at the client's security gate.
NIST CSF
Who needs it: you want a security backbone to organize everything else on top of.
The NIST CSF is a reference framework that organizes security into five functions: identify, protect, detect, respond and recover. It is not a certification but the base the other frameworks rely on, because many of the controls are shared.
What it requires: there is no third-party seal; it serves as a map so you can meet HIPAA, SOC 2 or ISO later without duplicating work.
Penalty of not being ready: without a common base, each new framework becomes a project started from scratch.
FTC Safeguards
Who needs it: you handle consumers' financial data: lenders, accountants, dealerships and others that offer credit.
The FTC Safeguards Rule is a United States regulation that requires a formal information-security program from those who handle consumer financial data, with a designated owner, a risk assessment and documented controls.
What it requires: a named owner, the risk assessment, the documented controls, and evidence that the program is actually followed.
Penalty of not being ready: fines and FTC enforcement action; enforcement looks for the evidence, not just for having tools.
ISO 27001
Who needs it: you serve global clients who recognize the international security standard.
ISO 27001 is the international standard for information-security management. It requires a management system with continuous improvement, and certification goes through an external auditor. It is what the global client recognizes, while SOC 2 is more often asked for in the United States.
What it requires: an external auditor certifies your security management system; documented evidence is the heart of the process.
Penalty of not being ready: without it, the international sale loses an edge the certified competitor already has.
CMMC
Who needs it: you want to sell, or already sell, to the United States government supply chain.
CMMC is the cybersecurity maturity standard required to supply the United States Department of Defense. It defines a level of control maturity according to the sensitivity of the data, with assessment and evidence.
What it requires: an assessment at the required maturity level, with evidence of each control according to the sensitivity of the data involved.
Penalty of not being ready: not a fine, but the loss of eligibility for federal contracts.
READINESS SELF-ASSESSMENT
Measure your readiness for an audit.
Choose the framework that matters most to your business and answer honestly, one domain at a time. The calculation runs instantly, in your browser, and no data is sent at this stage. For each control, choose the option closest to your reality.
The six domains you will answer, one at a time:
- Governance and policies
- Access and identity control
- Data protection and privacy
- Incident response and continuity
- People and vendors
- Evidence and audit readiness
WHAT AN AUDIT ACTUALLY EVALUATES
What an auditor actually looks at.
Six control domains decide whether your company is ready or only thinks it is.
A compliance audit always works the same way: there is a list of controls, you demonstrate with evidence that you follow them, and an assessor verifies. Most of those controls, around 60%, are about organization and process, not only technology. These six domains cover what any framework demands, and your Readiness Index measures each of them.
Governance and policies
A compliance owner with leadership support, written and communicated security policies, and a documented risk assessment that guides decisions.
Access and identity control
A second check beyond the password on sensitive access, each person with only the access they need, and access reviewed when someone changes roles or leaves.
Data protection and privacy
Knowing where sensitive data lives and for how long, protecting it with encryption at rest and in transit, and handling data subject requests with secure disposal.
Incident response and continuity
A rehearsed response plan, readiness to report a breach within the deadline the law requires, and an isolated, tested backup with proof the data comes back.
People and vendors
Annual training for everyone, recurring phishing testing and an assessment of the vendors that touch your data, because most breaches start with a person.
Evidence and audit readiness
Being able to show documented evidence of each control, with continuous monitoring and the documentation ready for a client, a regulator or an insurer at any moment.
FROM DIAGNOSIS TO READINESS
Compliance as a Service: from readiness to continuous evidence
The result for you is straightforward: instead of a spreadsheet that ages, you get a real picture of your compliance and a clear path to close the gaps, defensible before a client, a regulator or an insurer.
It all starts with the free Compliance Snapshot: a picture of your compliance against one framework, delivered as a Zamak-branded report, at no cost and with no contract. From there, Zamak carries the program forward. You receive:
- The Compliance Snapshot: your readiness by control domain, mapped against the chosen framework, with a clear list of gaps.
- Continuous readiness: the evidence of each control kept current, with a periodic health report that keeps your company always ready for an audit.
- Gap remediation: Zamak closes the technical side of compliance (access, data protection, incident response and backup) and advises on the organization and process side, which stays with your team.
We map your compliance
A specialist starts from your answers and the chosen framework to understand where your company is exposed and what each gap represents in real risk, without jargon, in the language of your business.
We compare with the framework
We position your readiness against the framework's controls, separating informal practice from documented evidence, which is what an audit actually demands.
We prescribe the remediation
We present a prioritized roadmap: what to close first, with Zamak delivering the technical side and the continuous evidence that keeps you always ready for the next audit.
What you get is the honest picture of your compliance today and the path to full readiness, starting with a free Compliance Snapshot, at no cost and no contract.
WHAT IF NOTHING CHANGES?
The next audit will not wait.
A compliance gap is not a blank field on a spreadsheet: it is the contract you lose when the client asks for proof and you do not have it, the policy denied when the insurer runs the due diligence, the fine when the regulator arrives. In some cases, like the standard that governs cardholder data or the one that governs government contracts, the penalty is not only financial: it is losing the right to operate or to sell in that market.
The difference between passing and failing an audit is almost never the tool a company bought, but the evidence it can show. Gathering that evidence takes months when done in a rush, and minutes when kept continuously. Building readiness today costs a fraction of the lost deal or the fine tomorrow.
For 15 years Zamak Technologies has sustained the compliance and continuity of companies that cannot afford to stop, from those structuring their first IT to those with their own team that need an enterprise backbone. We operate with tools certified to SOC 2 Type II, ISO 27001, HIPAA and PCI-DSS (SentinelOne for advanced defense, Cove Data Protection from N-able for backup), as a Microsoft Solutions Partner and a member of the Addee Elite Group, with Great Place to Work recognition.
NEXT STEP
Turn readiness into a plan.
You already know where your compliance is solid and where it is fragile. Now choose how you want to move forward.
Book a meeting
A specialist reviews your result with you, digs into the most fragile domains and shows how to reach readiness, with no commitment.
Free General Assessment
Assess your operation's continuity and security too, beyond compliance, across six domains.
Updated June 2026 · Free tool by Zamak Technologies