SOC2 TSC 2017 · ISO/IEC 27001:2022 · HIPAA Security Rule · PCI-DSS v4.0 · Deep Prototype

EvidenceCollector — SOC2 / ISO 27001 / HIPAA / PCI Evidence Tracker

40 evidence requests across 4 frameworks. Per request: source system, collection method (automated / manual), CMMI maturity (1-5), evidence freshness, gap-list. The Vanta / Drata / Secureframe shape — built directly. Surfaces the controls that look 'covered' but actually have manual workflows masking ad-hoc execution.


What it is

The shape behind every continuous-compliance platform — Vanta, Drata, Secureframe, AuditBoard. The artifact every audit cycle starts with: which evidence is current, which is stale, which is automated, which is fragile.

What’s in it

  • 40 evidence requests mapped to specific controls across:
    • SOC2 (CC1-CC9) — code-of-conduct ack, board minutes, security training (TrainingTracker), trust page (TrustCenter), risk register, vendor risk (ThirdPartyRisk), UAR (AccessReview), MFA, privileged-access (ScopeCreep), boundary protection (EgressGate), TLS enforcement (CSPReporter), vulnerability scans (SbomScanner), incident-response register (IncidentLog), backup-recovery testing (ChaosScore), change-management board (ChangeRequestQueue), BCP/DR plan
    • ISO 27001:2022 — SoA, A.5.1 policies, A.5.10 acceptable-use, A.5.12 information classification (PIIScout), A.8.24 cryptographic controls (SecretRotation), A.5.19 supplier relationships (DPADeskbook), A.5.34 RoPA (DataMapInventory), A.8.6 capacity (SLOTracker)
    • HIPAA Security Rule — BAA inventory, workforce training (TrainingTracker), PHI audit log, access management, risk analysis (DPIATracker DPIA-001/004/008)
    • PCI-DSS v4.0 — cardholder data discovery (PIIScout), network segmentation, MFA, pen-test report (PenTestFindings), quarterly ASV scans, logging+monitoring, awareness training, IR plan tested
  • Per-request shape:
    • Source system (HRIS, SSO, audit-log, prototype tools)
    • Collection method (automated 32 / manual 8)
    • CMMI maturity 1-5: initial (ad-hoc) / repeatable (informal) / defined (documented) / managed (measured) / optimizing (continuous)
    • Freshness in days
    • Gap items
  • 6 maturity-gap findings (CMMI ≤2) surfaced — board minutes, fraud risk assessment, SoA cross-reference, data-warehouse config, risk analysis (PHI, annual only).

Why this shape

The killer insight: a control marked “covered” in Vanta isn’t actually covered if its source is “manual upload by GC, refreshed quarterly.” EvidenceCollector surfaces that distinction with the CMMI maturity score — automated + measured = actually-current; manual + ad-hoc = audit-time-scramble. Cross-framework view: one evidence request often satisfies SOC2 + ISO + HIPAA + PCI simultaneously.
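The per-request shape and the "covered but fragile" rule above, as an added example in vanilla JavaScript; this is illustrative code, not the EvidenceCollector source, and the three sample requests, their IDs and the 90-day freshness threshold are constructed for the example.

```javascript
// Added example, not EvidenceCollector's own code. Models the per-request shape
// (source, method, CMMI maturity, freshness, gaps) and the checks the write-up describes.
const MATURITY = { 1: "initial", 2: "repeatable", 3: "defined", 4: "managed", 5: "optimizing" };

// Constructed sample evidence requests (not the tool's real 40); IDs are made up.
const requests = [
  { id: "EV-01", title: "MFA enforced for all workforce accounts",
    frameworks: ["SOC2", "HIPAA", "PCI-DSS"], source: "SSO",
    method: "automated", maturity: 4, freshnessDays: 1, gaps: [] },
  { id: "EV-02", title: "Board minutes reviewing the security program",
    frameworks: ["SOC2"], source: "manual upload by GC",
    method: "manual", maturity: 2, freshnessDays: 95, gaps: ["no Q2 minutes on file"] },
  { id: "EV-03", title: "Quarterly ASV scan report",
    frameworks: ["PCI-DSS"], source: "scanner export",
    method: "manual", maturity: 3, freshnessDays: 120, gaps: [] },
];

// Classify one request: automated + measured (maturity >= 4) and within the freshness
// window is actually current; manual + ad-hoc (maturity <= 2) is an audit-time scramble.
// Everything else is either stale or covered-but-fragile. 90 days is an assumed threshold.
function classify(req, maxAgeDays = 90) {
  const stale = req.freshnessDays > maxAgeDays;
  if (req.method === "automated" && req.maturity >= 4 && !stale) return "current";
  if (req.method === "manual" && req.maturity <= 2) return "audit-time-scramble";
  return stale ? "stale" : "covered-but-fragile";
}

// Maturity-gap findings: any request at or below "repeatable" (CMMI <= 2).
function maturityGaps(reqs) {
  return reqs
    .filter(r => r.maturity <= 2)
    .map(r => ({ id: r.id, maturity: MATURITY[r.maturity], gaps: r.gaps }));
}

// Cross-framework view: one request can satisfy several frameworks at once.
function coverageByFramework(reqs) {
  const out = {};
  for (const r of reqs) {
    for (const fw of r.frameworks) (out[fw] = out[fw] || []).push(r.id);
  }
  return out;
}

// Stand-alone run: print the status of each request and the gap list.
for (const r of requests) console.log(r.id, classify(r));
console.log(maturityGaps(requests), coverageByFramework(requests));
```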

How it ships

Single HTML file, ~16KB. Zero dependencies. 40 requests × 4 frameworks × CMMI maturity scoring in 200 lines of vanilla JavaScript.
