Frameworks demystified
CIS, SOC 2, PCI, NIST, ISO as checkable controls.
Compliance as code starts by demystifying the frameworks. To an engineer they can look like impenetrable binders, but each one is really a structured set of controls — requirements you can implement, automate, and evidence. This lesson maps the major frameworks so the rest of the course can turn them into running policy.
The frameworks you will meet
A handful of frameworks cover most engineering work. CIS Benchmarks are concrete configuration-hardening guides (for an OS, a cloud, Kubernetes) you can assess systems directly against. SOC 2 is built on the Trust Services Criteria (security, availability, confidentiality, and more) and is common for SaaS. PCI-DSS applies prescriptively wherever cardholder data is stored, processed, or transmitted. NIST 800-53 is a comprehensive control catalog many other frameworks map to, and underpins FedRAMP for US federal cloud services. ISO 27001 defines an information-security management system. They differ in scope and audience, but all reduce to controls you can express and check.
# A single technical control, expressed once, satisfies many frameworks:## control: "Enforce MFA for all console/admin access"# ├─ SOC 2 → CC6.1 (logical access)# ├─ PCI-DSS → 8.4 (multi-factor authentication)# ├─ ISO → A.9.4 (access control)# └─ NIST → IA-2 (identification & authentication)## Implement + evidence it ONCE; map it to every framework in scope.
From binder to backlog
The mental shift that makes compliance tractable is treating a framework not as a document to read but as a set of controls to implement, automate, and evidence. A control like "enforce encryption at rest" or "log all admin actions" is something you can turn into policy-as-code, a preventive guardrail, and continuous evidence — the subjects of the rest of this course. Framework overlap is your friend here: because one real control often satisfies requirements across SOC 2, PCI, ISO, and NIST at once, you build the control once and map it everywhere, rather than running a separate program per framework.