US-105 · US-033 · US-034 · US-035 · US-036 · US-115
L5 — Compliance Register
Multi-framework gap analysis · GDPR · PCI-DSS · ISO 27001 · SOC2 · Cyber Essentials+
Framework compliance scores: GDPR 78% · PCI-DSS 61% · ISO 27001 55% · Cyber Essentials+ 40%
Policy Gap Analysis US-105, FR-024A
Drop policy document · Claude maps to ISO 27001 clauses
GDPR Control Status US-033, US-034
| Article | Control | Status | Finding Ref | Evidence |
|---|---|---|---|---|
| Art. 5(1)(f) | Integrity & Confidentiality | Fail | L2-SQLi-001 | |
| Art. 25 | Data Protection by Design | Partial | L4-API-003 | |
| Art. 32 | Security of Processing | Fail | L3-MOB-002 | |
| Art. 33 | Breach Notification (72hr) | Pass | — | ✓ Documented |
| Art. 35 | Data Protection Impact Assessment | Partial | — | |
| Art. 37 | Data Protection Officer | Pass | — | ✓ Documented |
Financial Fine Exposure US-036
GDPR MAXIMUM FINE EXPOSURE
€20,000,000
or 4% of global annual turnover — whichever is higher
Based on 3 failing Art. 32 controls · ICO enforcement average: £284,000 for SMBs in 2023
| Framework | Fine Exposure | Probability |
|---|---|---|
| GDPR (ICO) | Up to €20M or 4% turnover | Medium |
| PCI-DSS card schemes | $5,000–$100,000/month | Low-Med |
| NIS2 (if applicable) | €10M or 2% turnover | Low |
Remediation Tracker US-034
- ✓ Art. 33 — Breach notification procedure · Completed by J.Smith · 12 Jun 2026
- ▶ Art. 32 — Fix SQL injection (L2-SQLi-001) · In progress · assigned to dev team
- 3 Art. 25 — API data minimisation review · Not started · due 30 Jun 2026
Overall GDPR compliance progress
78% · 14/18 controls passing
Cyber Essentials+ Self-Assessment US-035
Report pre-filled from scan findings. Review each control and submit to the NCSC certification body.
| CE+ Control | Requirement | Assessment | Evidence from Scans | Result |
|---|---|---|---|---|
| Firewalls | All internet-connected devices protected by firewall | Auto-assessed | L1: 2 open high-risk ports (3389, 445) | FAIL |
| Secure Configuration | Default passwords changed; unnecessary software removed | Auto-assessed | L2: Directory listing enabled | FAIL |
| Access Control | User accounts have appropriate privileges; MFA enabled | Manual review needed | L4: No rate limit on /login | PARTIAL |
| Malware Protection | Malware protection on all devices | Auto-assessed | L8: ClamAV active on 12/12 agents | PASS |
| Patch Management | All software patched within 14 days of release | Auto-assessed | L2: jQuery 1.8.3 outdated; WP 6.3.1 outdated | FAIL |