Resources & Insights

Long-form intelligence for compliance decision-makers.

Guides, playbooks and comparison research written by our engagement partners. Preserved from the CHNYD Trace archive and continuously extended.

Guide12 min read

SOC 2 — A Critical Standard for Modern Data Security

The five Trust Services Criteria, the CC1–CC9 controls, and why SOC 2 compliance now decides which SaaS vendors close enterprise deals.

Read the guide
Guide10 min read

ISO 27001:2022 — The Four Themes of Annex A

Organizational, people, physical and technological controls: how the 93-control 2022 revision reshapes ISMS implementation.

Read the guide
Guide9 min read

ISO 27701 PIMS — Extending Your ISMS into a Privacy Program

Controller and processor extensions, the GDPR crosswalk, and how PIMS certification changes DPA negotiations.

Read the guide
Guide11 min read

HIPAA Security Rule — Administrative, Physical and Technical Safeguards

The §164.308 risk analysis, encryption expectations, and where BAAs quietly break in real audits.

Read the guide
Playbook8 min read

Building an Article 30 Records-of-Processing Inventory

A pragmatic method for mapping every processing activity, lawful basis, retention and international transfer.

Read the guide
Comparison14 min read

Vanta vs Drata vs Sprinto vs Secureframe — An Auditor's View

Framework coverage, integration depth, evidence quality, and what auditors actually accept from each platform.

Read the guide
Brief7 min read

vCISO — When a Fractional Security Leader Is the Right Call

The three inflection points where a virtual CISO outperforms a full-time hire, and the deliverables you should demand in month one.

Read the guide
Guide10 min read

Web Application VAPT — A Modern OWASP-Aligned Methodology

Beyond OWASP Top 10: business-logic testing, authenticated fuzzing, and reporting that survives an enterprise remediation review.

Read the guide
Guide11 min read

PCI DSS 4.0 — What Actually Changed for Merchants and Service Providers

Customised approach, targeted risk analyses, and the March 2025 future-dated requirements that quietly reshape scoping.

Read the guide
Guide9 min read

NIST CSF 2.0 — Why the New Govern Function Reframes Your Programme

The sixth function, organisational profiles, and how CSF 2.0 finally becomes usable outside critical infrastructure.

Read the guide
Playbook8 min read

CIS Controls v8.1 — Choosing the Right Implementation Group

IG1 as basic cyber hygiene, IG2 for growing enterprises, IG3 for regulated. Where each control belongs in a real programme.

Read the guide
Guide12 min read

DORA — ICT Risk Obligations for EU Financial Entities

The five pillars, third-party register requirements, and threat-led penetration testing under Article 26.

Read the guide
Brief7 min read

NIS2 — Who Is In Scope and What the Fines Actually Look Like

Essential vs important entities, management-body liability, and the €10M / 2% turnover ceiling.

Read the guide
Guide10 min read

CMMC 2.0 Level 2 — Preparing for a C3PAO Assessment

NIST SP 800-171 alignment, POA&M rules, and the evidence structure C3PAOs actually accept.

Read the guide
Playbook12 min read

AWS Security Assessment — A CIS Benchmark and Well-Architected Blend

IAM, network, data protection, logging, and workload isolation checks against real-world attacker paths.

Read the guide
Playbook10 min read

Azure Security Review — Entra ID, Defender, and the Landing Zone

Conditional access, PIM, Defender for Cloud recommendations, and Azure Landing Zone guardrails.

Read the guide
Guide11 min read

Kubernetes Security — Beyond the CIS Benchmark

Admission controllers, workload identity, image supply chain, and runtime detection in production clusters.

Read the guide
Playbook9 min read

Microsoft 365 Security Review — The 20 Settings That Matter Most

Secure Score is a starting point. The controls that actually stop tenant compromise.

Read the guide
Guide13 min read

Zero Trust Architecture — A 24-Month Enterprise Roadmap

NIST SP 800-207 alignment, identity-first sequencing, and how to avoid the 'ZTNA product' trap.

Read the guide
Playbook10 min read

Identity & Access Management Modernisation

SSO, MFA, PAM, JML automation and identity governance in a single 12-month programme.

Read the guide
Playbook11 min read

Vendor Risk Management — Building a Defensible Programme

Tiering, due diligence depth, continuous monitoring, and the questionnaires that actually reduce risk.

Read the guide
Guide9 min read

Business Continuity — Building an ISO 22301-Aligned Programme

BIA, RTO/RPO calibration, exercise cadence, and the plan format regulators expect.

Read the guide
Playbook10 min read

Incident Response Plan — What a Modern Playbook Looks Like

NIST SP 800-61r3 alignment, ransomware runbooks, and the tabletop cadence that actually improves response.

Read the guide
Comparison12 min read

Managed SOC — A Buyer's Guide for Mid-Market and Enterprise

MSSP vs MDR vs co-managed SOC: coverage models, detection engineering ownership, and the SLAs that matter.

Read the guide
Guide10 min read

Vulnerability Management — From CVSS to Risk-Based Prioritisation

EPSS, KEV, asset criticality, and building an SLA regime that engineering will actually meet.

Read the guide
Playbook9 min read

API Security Testing — Beyond the OWASP API Top 10

Authorisation flaws, business-logic abuse, and testing GraphQL and gRPC alongside REST.

Read the guide
Guide10 min read

Mobile Application VAPT — OWASP MASVS-Aligned Testing

Storage, cryptography, authentication, network and platform-interaction testing on iOS and Android.

Read the guide
Guide11 min read

DevSecOps Maturity — A Pragmatic Model for Engineering Leaders

SAST, SCA, DAST, IaC scanning, secret detection, and where each fits in the pipeline without slowing delivery.

Read the guide
Brief7 min read

Security Awareness That Actually Changes Behaviour

Beyond annual e-learning: role-based training, phishing simulations, and metrics your board will accept.

Read the guide
Guide10 min read

AI Governance — Building an ISO 42001 AIMS Alongside Your ISMS

AI risk registers, model cards, EU AI Act crosswalks, and how AIMS extends 27001 without duplicating it.

Read the guide
Newsletter

The Compliance Brief.

Monthly. Regulator updates, framework revisions, and the questionnaires enterprise buyers are asking this quarter.

Migrating from chnydtrace.in

Existing archive content, blogs and framework guides are being professionally rewritten and republished here. All prior URLs will be redirected to preserve SEO equity.

Request the migration map →