VERITY COMPASS

VERITY Compass is Armorstack’s continuous compliance management service for regulated mid-market organizations. Rather than treating compliance as an annual audit fire drill, Compass runs as a year-round program with real-time control evidence collection, gap remediation tracking, and executive-ready reporting. Every control maps to one or more frameworks — NIST CSF 2.0, HIPAA, SOC 2 Type II, CMMC 2.0, ISO 27001, PCI-DSS — so a single piece of evidence satisfies multiple audits. The goal is auditor-ready posture every day of the year, not a 90-day sprint before each examination.

Compass is run by Armorstack VERITY advisors with CISA, CDPP, and CISM credentials. Clients receive a named advisor, quarterly steering committee reports, and 24/7 access to the compliance dashboard. Evidence collection is automated where possible (cloud configuration, IAM audit logs, SIEM data) and supplemented with structured workflows for procedural controls that can’t be automated.

Compass is built for three common situations: (1) organizations in their first formal compliance program — usually SOC 2 Type II or HIPAA — who need structure and expertise without hiring a full-time compliance team; (2) mid-market firms with an existing compliance program that’s drifting because it depends on one person or a quarterly consultant scramble; (3) multi-framework environments where manual evidence collection has become unsustainable (for example: a healthcare system handling HIPAA, SOC 2, and HITRUST simultaneously, or a defense contractor layering CMMC 2.0 on top of NIST 800-171).

Typical client profile: 75-500 employees, regulated industry (healthcare, financial services, defense, legal, SaaS), annual revenue $10M-$250M, existing IT/security team of 1-5 that needs augmentation rather than replacement.

A Compass engagement includes: (a) initial control maturity assessment against the primary framework; (b) multi-framework control crosswalk (so HIPAA controls also satisfy SOC 2 and ISO where they overlap); (c) System Security Plan (SSP) or equivalent authoring and maintenance; (d) continuous evidence collection via the Compass dashboard; (e) gap remediation project management with monthly status; (f) quarterly executive steering reports; (g) pre-audit readiness assessment 90 days before each formal examination; (h) vendor risk management (TPRM) for in-scope third parties; (i) policy and procedure library maintenance; (j) named Armorstack VERITY advisor accessible via email, phone, and scheduled working sessions.

Compass is a retainer-based subscription with three tiers: Foundation (single framework, quarterly cadence, suitable for first-time compliance clients); Multi-Framework (two to three frameworks with a unified control crosswalk); and Enterprise (four or more frameworks, weekly cadence, embedded advisor). All tiers include the compliance dashboard, named advisor, and executive reporting. Pricing is annual with no long-term lock-in; clients can cancel with 30 days’ written notice.

Most clients start with a 60-minute scoping call, followed by a fixed-fee Current State Assessment (2-4 weeks) that produces a gap analysis and implementation roadmap. The retainer begins once the roadmap is agreed.