Compliance Automation
Introduction
The Compliance module helps organizations achieve and maintain compliance with security frameworks and regulations such as SOC 2, ISO 27001, and HIPAA. Bastion automates evidence collection, policy management, and audit preparation. Your dedicated vCISO guides you through the entire compliance journey over Slack, from selecting frameworks to preparing for audit day.
Key Features
Framework Tracking
Track progress against compliance frameworks with automated control testing
Evidence Collection
Automatically collect evidence from connected integrations
Policy Management
Create, version, and distribute security policies
Audit Management
Prepare for audits with organized evidence bundles
Module Components
Frameworks
Manage your compliance certifications:
- Supported Frameworks: SOC 2 Type I/II, ISO 27001, HIPAA, GDPR, and custom frameworks
- Control Mapping: Controls pre-mapped to each framework's requirements
- Progress Tracking: Visual dashboards showing completion status
- Test Automation: Many controls are verified automatically from data pulled through integrations
Audits
Prepare for and manage compliance audits:
- Audit Scheduling: Plan audit cycles in advance
- Evidence Bundles: Organize evidence for auditor review
- Auditor Portal: Secure portal for external auditors
- Audit History: Track past audits and findings
Policies & Documents
Manage your security documentation:
- vCISO-Drafted: Your vCISO writes policies tailored to your organization
- Version Control: Track changes over time
- Approval Workflows: Multi-stakeholder review process
- Distribution: Send policies to employees for acknowledgment
Vendors
Third-party vendor risk management:
- Vendor Inventory: Track all third-party vendors
- Risk Assessment: Evaluate vendor security posture
- Suggested Vendors: Recommended security tools
- Compliance Mapping: Map vendors to compliance requirements
Risk Register
Organizational risk management:
- Risk Identification: Document potential risks
- Risk Assessment: Evaluate likelihood and impact
- Treatment Plans: Define mitigation strategies
- Tracking: Monitor risk status over time
Learn more about Risk Register →
Access Reviews
Periodic access control audits:
- Review Campaigns: Schedule regular access reviews
- Automated Detection: Pull current account and permission data from connected identity providers and cloud services
- Approval Workflows: Manager review and approval
- Compliance Evidence: Generate evidence for audits
Learn more about Access Reviews →
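As an added illustration of what automated control testing (Frameworks) and access-review detection (Access Reviews) look like underneath, the block below runs a few control checks over constructed identity-provider and cloud-IAM exports. It is example code written for this page, not Bastion's own code or API; the control names, data shapes, and the 90-day staleness threshold are assumptions chosen for the example, and the sample users and grants are made up.

```python
"""Added example (not Bastion code): control checks over constructed integration data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class IdpUser:
    email: str
    status: str            # "active" or "deprovisioned"
    mfa_enrolled: bool
    manager: str           # email of the manager who attests to this user's access


@dataclass(frozen=True)
class Grant:
    principal: str         # IdP email, or a non-human account name
    system: str
    role: str
    last_used: Optional[date]


@dataclass(frozen=True)
class Finding:
    control: str           # illustrative control id, not a framework identifier
    subject: str
    detail: str


def check_mfa_enforced(users):
    """Control: every active workforce account has MFA enrolled."""
    return [Finding("mfa-enforced", u.email, "active user without MFA")
            for u in users if u.status == "active" and not u.mfa_enrolled]


def check_access(users, grants, as_of, stale_days=90):
    """Access-review detection: unknown, orphaned and stale grants."""
    by_email = {u.email: u for u in users}
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for g in grants:
        user = by_email.get(g.principal)
        subject = f"{g.principal} on {g.system} as {g.role}"
        if user is None:
            # Non-human or unmanaged account: needs a named owner before it can be attested.
            findings.append(Finding("access-known-principal", subject, "principal not in identity provider"))
        elif user.status != "active":
            findings.append(Finding("access-deprovisioned", subject, "grant survived offboarding"))
        if g.last_used is None or g.last_used < cutoff:
            findings.append(Finding("access-stale", subject, f"unused for more than {stale_days} days"))
    return findings


def review_items(users, grants):
    """Group grants held by active users under the manager who must attest to them."""
    by_email = {u.email: u for u in users}
    items = {}
    for g in grants:
        user = by_email.get(g.principal)
        if user is None or user.status != "active":
            continue  # already surfaced as a finding; nothing for a manager to approve
        items.setdefault(user.manager, []).append((g.principal, g.system, g.role))
    return items


def evidence_record(findings, as_of, controls):
    """Pass/fail per control plus the exceptions, the shape an auditor wants to see."""
    record = {"as_of": as_of.isoformat(), "controls": {}}
    for c in controls:
        fails = [f for f in findings if f.control == c]
        record["controls"][c] = {"status": "fail" if fails else "pass",
                                 "exceptions": [f.subject for f in fails]}
    return record


# Constructed sample exports for the example; not real data.
AS_OF = date(2024, 6, 30)
USERS = [
    IdpUser("alice@example.com", "active", True, "cto@example.com"),
    IdpUser("bob@example.com", "active", False, "cto@example.com"),
    IdpUser("carol@example.com", "deprovisioned", True, "cfo@example.com"),
]
GRANTS = [
    Grant("alice@example.com", "aws-prod", "AdministratorAccess", date(2024, 6, 28)),
    Grant("bob@example.com", "github", "org-owner", date(2024, 2, 1)),
    Grant("carol@example.com", "aws-prod", "ReadOnlyAccess", date(2024, 1, 15)),
    Grant("deploy-bot", "aws-prod", "PowerUserAccess", None),
]
CONTROLS = ["mfa-enforced", "access-known-principal", "access-deprovisioned", "access-stale"]


def run():
    findings = check_mfa_enforced(USERS) + check_access(USERS, GRANTS, AS_OF)
    return evidence_record(findings, AS_OF, CONTROLS), review_items(USERS, GRANTS)


if __name__ == "__main__":
    record, items = run()
    for control, result in record["controls"].items():
        print(f"{control}: {result['status']} {result['exceptions']}")
    for manager, held in items.items():
        print(f"{manager} must attest to {len(held)} grant(s)")
```

Two points the sample data is built to show: a grant that outlives a deprovisioned user is a finding on its own, whatever its last-use date, and a principal that is absent from the identity provider (here the constructed `deploy-bot`) cannot be routed to a manager at all, so it must be given an owner before the review campaign can close.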
Getting Started
Your vCISO will walk you through each of these steps over Slack, but here's the high-level flow:
Connect Integrations
Enable compliance-relevant integrations (identity provider, cloud services) to automate evidence collection.
Select a Framework
Choose your target compliance framework from the Frameworks page. Your vCISO can help you decide which frameworks to prioritize.
Review Controls
Go through each control, verify status, and address gaps.
Review Policies
Your vCISO drafts the required policies for you. Review them and approve when ready.
Schedule Audit
When ready, your vCISO coordinates the audit and helps you prepare evidence bundles.
Integrations for Compliance
Connecting your tools to Bastion maximizes automation. See the Integrations overview for setup guides:
- Identity providers for employee sync and access reviews
- Cloud services for infrastructure evidence
- Version control for code security evidence and SBOM requirements
Compliance Dashboard
The compliance section of the home dashboard shows:
- Framework Progress - Completion percentage for each framework
- Open Issues - Controls requiring attention
- Upcoming Audits - Scheduled audit dates
- Policy Status - Policies pending approval or distribution
Best Practices
Start Early
Begin compliance preparation 3-6 months before your target audit date. This gives time to address gaps and collect sufficient evidence. For a SOC 2 Type II report the auditor examines evidence across an observation period, so controls must already be operating, and evidence accumulating, before that window opens.
Automate Everything
Connect all relevant integrations to maximize automated evidence collection. Manually collected evidence, such as screenshots, is point-in-time, hard to reproduce, and more prone to gaps and inconsistencies.
Document Continuously
Keep policies and procedures updated as processes change. Point-in-time documentation leads to compliance drift.
Involve Stakeholders
Compliance is a team effort. Ensure relevant stakeholders are assigned as control owners and policy approvers.