Governance & Docs

[mrmoon0986]

Just to add some context, whilst you've explicitly mentioned that the tool is not supposed to cover policies and documentation related to it, I thought it might be useful to share my thoughts as an ex auditor. Auditors don’t just ask “did you scan?”, they ask “show me the policy, the standard, the procedure, and the evidence that it’s enforced.

Right now that lives in a mess of Google Docs, Confluence, and screenshots in most cases.

What if AuditKit didn’t just orchestrate scanners, but also generated a governance pack that maps your policies/standards/procedures directly to the same controls and evidence?

Policies (what we require) → e.g., Access Control, Logging & Monitoring, Encryption, Change Mgmt, Vendor Risk, Incident Response, DR/BCP.

Standards (how we do it) → e.g., “TLS ≥ 1.2 on all endpoints,” “90-day log retention,” “MFA for privileged roles.”

Procedures/SOPs (how to execute + capture evidence) → step-by-step with CLI/console paths.

Mapping: every paragraph tagged to SOC2 CC, PCI 4.0, ISO 27001… and to technical checks in the same report. This can be customised, depending on the scope, as in practice not every single requirement is relevant/applicable.

What it looks like in practice

auditkit scan --all-platforms \
  --integrations prowler,scubagear,github

auditkit docs init --framework soc2 --stack azure,m365,github \
  --org "Acme Ltd" --idp "Entra ID"

auditkit report --unified --out binder/
# binder/ contains: unified report + mapped policies/standards/SOPs + evidence index

As an addition (say, week 5 or week 10, depends), here is what can be potentially added to complement scans:

Policy templates: InfoSec Policy, Access Control, Encryption/KMS, Logging & Monitoring, Change Mgmt, SDLC/SAST/Secrets, Incident Response, Vendor Risk, DR/BCP, Data Classification.

Standards: concrete guardrails (e.g., “S3 BlockPublicAccess=on”, “TLS ≥ 1.2”, “Key rotation ≤ 365d”).

Procedures: evidence playbooks (portal paths + CLI + screenshots) auto-filled from scan results.

Traceability: autogenerated Control Matrix (SOC2 CC1–CC9, PCI, ISO) linking doc clauses to checks and artifacts.

CUECs & Assertions: generate Complementary User Entity Controls, management assertion boilerplate, and a System Description starter (auditors love this).

Concrete bits you can consider implementing (I can help with templates, placeholders, mapping, etc.):

Doc Packs (/docpacks/soc2, /docpacks/pci, /docpacks/iso): Markdown + YAML front-matter with placeholders like{{ORG_NAME}}, {{IDP_NAME}}, {{LOG_RETENTION_DAYS}}.
Mapping schema:

control_id (e.g., CC6.3)

doc_refs (policy/standard/section anchors)

check_ids (scanner/adapters: AZU-STO-001, prowler:iam_1)

evidence_refs (artifact IDs with hashes)

Adapters: adapters/scubagear, adapters/prowler, adapters/github, each emitting a normalized Finding{ control_id, check_id, severity, resources[], evidence[] }.

Binder: auditkit report --unified writes /binder/ControlMatrix.md, /binder/PBC_index.json, /binder/evidence/ with checksums.

As a result, a governance pack (policy/standard/procedure templates with placeholders) mapped to the same controls, so the unified report ties docs ⇄ checks ⇄ evidence. That kills the “Excel merge week.”

[mrmez]

@mrmoon0986 - Your auditor perspective is invaluable to this effort. You're describing the actual problem - it's not just technical controls, it's the literal entire governance-to-evidence chain.

Phase 1 (keeping scope manageable):

• Control mapping layer connecting technical checks ↔ compliance requirements
• Evidence orchestration (what you scan → what auditor needs)
• Basic traceability matrix generation

Phase 2 (with community help):

• Policy stubs with placeholders ({{ORG_NAME}}, {{RETENTION_DAYS}})
• Standards mapping (TLS ≥ 1.2 → specific checks)
• Procedure templates linking to scan results

Phase 3 (if successful):

• Full governance pack generation as you described
• CUEC generation
• System description automation

I'm being cautious about liability with policy templates, but with proper disclaimers and community review, this could eliminate "Excel merge week" entirely.

Would you be interested in contributing policy templates or reviewing our control mappings?

Tracking this in #5 - let's start with the control mapping and evolve from there.

[mrmoon0986]

@mrmez, entirely, I'll come up with my deliverables this week in the issue you've created.