Sample · Multi-Framework Readiness Snapshot™

See exactly what the $1,995 deliverable contains.

Specimen report · Anonymized data · Real format

The actual PDF you receive follows this format with your company’s measured findings across every framework you sell into. Per-framework coverage matrix, cross-framework gap table, and a remediation list ranked by how many audits each fix advances. Below is the full structure with sample data from a specimen healthtech SaaS pursuing SOC 2, HIPAA, and ISO 27001.

Run my Snapshot · $1,995 → Try the free gap check first
Page 1 of 3 · Cover & Coverage Matrix
Multi-Framework Readiness Snapshot™ Report

Northwind Health Apps, Inc.

Scope: 1 production environment (AWS us-east-1, Microsoft 365) · Scan date: March 18, 2026 · Frameworks in scope: SOC 2, HIPAA, ISO 27001, NIST CSF 2.0 (PCI: limited, card data outsourced to Stripe)

Current coverage by framework

SOC 2 (Trust Services)80%
41 of 51 applicable criteria covered or partial
HIPAA Security Rule76%
Administrative, physical & technical safeguards
ISO 27001 (Annex A)73%
68 of 93 controls covered or partial
NIST CSF 2.077%
Govern / Identify / Protect / Detect / Respond / Recover

What this means

Northwind is in good shape for SOC 2 but has five cross-cutting gaps that hold back every framework at once. The headline finding: the same eight remediations close 23 distinct control gaps across all four frameworks. Page 2 lists the gaps; Page 3 sequences the fixes by how many audits each one advances.

Methodology

Live read-only configuration metadata was pulled from the connected environments (AWS via SecurityAudit + ReadOnlyAccess IAM role; Microsoft 365 via Service Principal with Reader + Security Reader) on the scan date above. Each finding is mapped to the relevant control in every in-scope framework and cites the telemetry signal that produced it. No PHI, no customer data, no card data was accessed.

Page 2 of 3 · Cross-Framework Gaps

Control gaps, and the frameworks each one blocks

Specimen findings shown. “Frameworks” counts how many in-scope audits this single gap touches. The higher the number, the more leverage in fixing it.

Control gap Maps to Frwks Severity
MFA not enforced on 9 privileged accounts. Admin access to AWS + M365 without MFA on 9 of 24 privileged users.
signal: iam-list-users, aad-privileged-roles		 SOC 2 CC6.1
ISO A.8.5
HIPAA 164.312(d)
CSF PR.AA		 4 High
No centralized log monitoring / alerting. CloudTrail + M365 audit logs retained but not aggregated to a SIEM; no alerting on privileged activity.
signal: cloudtrail-describe-trails, no-siem-sink		 SOC 2 CC7.2
ISO A.8.15
HIPAA 164.312(b)
CSF DE.CM		 4 High
Incident-response plan never exercised. IR plan documented Aug 2025; no tabletop or drill on record in the last 12 months.
signal: intake-q7 (process control)		 SOC 2 CC7.4
ISO A.5.24
HIPAA 164.308(a)(6)
CSF RS		 4 High
No formal vendor / subprocessor risk review. 14 subprocessors with no documented security review or register.
signal: intake-q9 (process control)		 SOC 2 CC9.2
ISO A.5.19
HIPAA 164.308(b)
CSF GV.SC		 4 Medium
Backup recovery never tested. Automated RDS + S3 backups configured; no documented restore test.
signal: rds-describe-db-snapshots, intake-q11		 SOC 2 A1.3
ISO A.8.13
HIPAA 164.308(a)(7)
CSF RC		 4 Medium
3 S3 buckets allow non-TLS access. Bucket policies don’t deny aws:SecureTransport=false.
signal: s3-get-bucket-policy		 SOC 2 CC6.7
ISO A.8.24
HIPAA 164.312(e)
CSF PR.DS-02		 4 Medium
Access reviews not performed. No evidence of periodic least-privilege review; 6 dormant accounts >90 days.
signal: iam-credential-report		 SOC 2 CC6.2
ISO A.5.18
HIPAA 164.308(a)(4)
CSF PR.AA		 4 Medium
No documented change-management approvals. Production deploys lack recorded review/approval separation.
signal: intake-q14 (process control)		 SOC 2 CC8.1
ISO A.8.32
CSF PR.PS		 3 Medium

The full report lists all 23 control gaps with their per-framework mappings, severity, and the telemetry signal behind each. Findings are cross-referenced to every in-scope framework.

Page 3 of 3 · Remediation, Ranked by Audits Advanced

Remediation list, ordered by how many audits each fix closes

The headline

Eight fixes close 23 gaps across all four frameworks. The first three alone, MFA, centralized log monitoring, and an IR tabletop, each advance SOC 2, HIPAA, ISO 27001, and NIST CSF simultaneously. You fix once; the gap closes in four audits.

Week 1
Enforce MFA on all 9 privileged accounts. Apply conditional-access MFA in M365 + AWS IAM MFA enforcement. Closes the #1 gap in all four frameworks.
4 audits
Week 1–2
Aggregate logs to a SIEM with privileged-activity alerting. Route CloudTrail + M365 audit to a SIEM (or CloudWatch + EventBridge), alert on privileged actions.
4 audits
Week 2
Run an incident-response tabletop and record the after-action. 60-minute scenario with the on-call + leadership; document and file it.
4 audits
Week 2–3
Deny non-TLS on the 3 S3 buckets + run an access review. Add the SecureTransport deny condition; review privileged access, disable 6 dormant accounts.
4 audits
Week 3–4
Stand up vendor-risk register + run a backup restore test. Document the 14 subprocessors with review dates; perform and record one restore from backup.
4 audits
Week 4
Add change-management approvals to the deploy pipeline. Require recorded review/approval with author/shipper separation before production.
3 audits

Projected coverage after the 30-day plan: SOC 2 ~94% · HIPAA ~91% · ISO 27001 ~90% · NIST CSF ~92%: audit-ready, with evidence assembled.

Plan delivered as a working document. Your team executes; on a subscription, Aegis AI re-scans and refreshes the coverage matrix every cycle.

Your real report, with your company’s measured findings, in your inbox within hours.

$1,995 one-time. Connect a cloud (read-only, revocable in one click), answer ten short questions, and your cross-framework PDF arrives within hours. Async, self-service throughout. Credits 100% to month one of any tier within 30 days.

Run my Snapshot · $1,995 →