The directory view of the Atlas — every volume with its full description. Audit work as practiced, not recited from a textbook. Each volume walks one framework through a single editorial structure: the lifecycle in two lanes, the control universe, the evidence and testing, and the crosswalk to the rest.
Each volume is a standalone HTML page. Open one, work through its four layers, and screenshot what's useful. Volumes are siblings — there is no required reading order, but SOX → SOC 2 → ISO 27001 is the canonical sequence for IT auditors.
The Crosswalk in each volume maps that framework's controls to the others, so you can read across the Atlas one control domain at a time once you've internalized one volume.
Eleven volumes total across three parts.
PCAOB AS 2201 top-down approach. ELC, ITGC, ITAC, BPC. Deficiency severity from CD to MW. The 12-month internal × external lifecycle as it actually plays out.
AICPA TSP-100. Five Trust Services Criteria, 33 Common Criteria. Type 1 vs Type 2 mechanics. CUECs, sub-service organizations, the bridge letter, and how a SOC 2 report actually gets used by your customers' auditors.
Clauses 4–10 + Annex A's 93 controls in 4 themes. Stage 1 + Stage 2 audits, surveillance, recertification. The Statement of Applicability as a living document.
Six functions (GOVERN added in 2024), 22 categories, 106 subcategories. Current Profile vs Target Profile, Tier 1–4 maturity. Why CSF is read by everyone and audited by no one — until you make it part of a SOC 2+ engagement.
e1, i1, r2 assessment levels. The MyCSF mechanics. Why HITRUST exists where HIPAA, ISO 27001, SOC 2, and NIST already do — and what a HITRUST-certified report actually proves.
12 requirements, 64 sub-requirements. CDE definition and segmentation testing. QSA-led RoC vs SAQ paths. The customized vs defined approach in v4. Why scope is the only thing that matters.
45 CFR 164 Subparts C & D. Administrative, physical, technical safeguards. OCR audits and breach notification. Required vs addressable specifications — and why "addressable" is misread by most teams.
Built on NIST 800-53 Rev 5. 3PAO-led security assessment, FedRAMP PMO at GSA, JAB or agency authorization paths. High / Moderate / Low baselines (~410 / 325 / 156 controls). The only path to selling cloud services to the federal government.
The first management-system standard for AI. Clauses 4–10 + Annex A controls + Annex B implementation guidance. Internal vs notified-body lanes — the audit profession arriving at AI without a settled playbook.
Risk tiers — prohibited, high-risk, limited-risk, minimal. Annex III high-risk systems. Conformity assessment procedures (Annex VI / VII), notified bodies, the EU AI Office, and national market surveillance authorities. The first real regulatory regime for AI.
NIST AI 100-1 (Jan 2023). Four functions — GOVERN, MAP, MEASURE, MANAGE. The 2024 Generative AI Profile (NIST AI 600-1). No native certification, like CSF — but the foundational vocabulary that most AI governance work uses to describe itself.