Quick Start: Your First Compliance Project

Goal: Set up a basic compliance foundation in under 30 minutes.

This tutorial walks you through creating your first compliance project using our step-by-step approach. You'll learn by doing, not just reading.

Prerequisites

  • Basic understanding of your organization's structure
  • Access to your company's security policies (if any)
  • 30 minutes of focused time

What You'll Build

By the end of this tutorial, you'll have:

  • A compliance project scope document
  • A basic risk assessment framework
  • Your first security control implemented
  • A roadmap for next steps

Step 1: Define Your Scope (5 minutes)

Start by clearly defining what you're protecting:

Project Scope Template

Organization: [Your Company Name]
Scope: [What systems/data are in scope?]
Exclusions: [What's explicitly out of scope?]
Stakeholders: [Who needs to be involved?]

Action: Fill out this template with your organization's details.

Step 2: Identify Your Assets (10 minutes)

List your critical information assets:

| Asset            | Type   | Owner  | Criticality |
| ---------------- | ------ | ------ | ----------- |
| Customer data    | Data   | [Name] | High        |
| Source code      | Data   | [Name] | High        |
| Employee records | Data   | [Name] | Medium      |
| Office network   | System | [Name] | Medium      |

Action: Create your own asset inventory table.

Step 3: Assess Basic Risks (10 minutes)

For each high-criticality asset, identify:

  • What could go wrong?
  • How likely is it?
  • What's the impact?

Example:

  • Risk: Customer data breach
  • Likelihood: Medium (we have basic security)
  • Impact: High (regulatory fines, reputation damage)
  • Risk Level: High

Action: Complete a risk assessment for your top 3 assets.

Step 4: Implement Your First Control (5 minutes)

Choose one high-priority risk and implement a basic control:

Example: For customer data protection

  • Control: Password policy
  • Implementation: Require 12+ character passwords
  • Documentation: Create a simple policy document

Action: Implement and document one control for your highest-risk item.

What You've Accomplished

✅ Defined your compliance scope
✅ Identified critical assets
✅ Completed basic risk assessment
✅ Implemented your first security control

Next Steps

Now that you have a foundation, choose your path:

Troubleshooting

"I don't know what assets we have"

  • Start with customer data, employee records, and source code
  • Ask your IT team or leadership for input

"Risk assessment seems overwhelming"

  • Focus on your top 3 most critical assets
  • Use simple High/Medium/Low ratings
  • You can refine this later

"I'm not sure about scope"

  • Start small - you can always expand later
  • Focus on customer-facing systems first
  • Document what you exclude and why