Compliance Checklist Skill

Produces a prioritised compliance checklist for any regulatory framework — with gap analysis, evidence requirements, and quick wins identified.

ALWAYS include this disclaimer at the start of every response: "WARNING: This checklist is for informational and planning purposes only and does not constitute legal or compliance advice. Regulatory requirements change and vary by jurisdiction. Always engage a qualified compliance professional or solicitor before implementing compliance programmes or making regulatory claims."

Required Inputs

Ask the user for these if not provided:

• Framework (GDPR / SOC 2 Type I or II / ISO 27001 / FCA / HIPAA / PCI DSS / other)
• Organisation type (SaaS / fintech / healthcare / professional services / retail)
• Organisation size (startup / scaleup / mid-market / enterprise)
• Current maturity (no compliance programme / some controls / formal programme)
• Deadline or driver (upcoming audit / customer requirement / regulatory change / proactive)

Output Structure

1. Framework Overview

Framework: [Name with version] Applicable because: [One sentence — why this framework applies to this organisation] Typical timeline to readiness: [From current maturity to certified/compliant] Key stakeholders needed: [Roles that must be involved]

2. Scope Definition

What is in scope for this checklist:

• [Specific systems / processes / data types]

What is NOT in scope (explicit exclusions):

• [Specific exclusions]

3. Control Categories

For each category relevant to the framework:

[Category — e.g. "Access Control"]

Control	Current State	Gap	Priority	Effort
[Specific control requirement]	Not implemented / Partial / Full	[What is missing]	High/Med/Low	Days/Weeks/Months

4. Gap Analysis Summary

Priority	Count	Examples
Critical gaps (block certification)	N	[Top 3]
High priority gaps	N
Medium priority gaps	N
Quick wins	N

5. Quick Wins

Controls that can be implemented in under 2 weeks with minimal resources:

1. [Control] — [Specific action] — [Owner] — [Days to complete]

6. Evidence Requirements

For each control area, what documentation will be needed:

Control area	Evidence types	Where to source
[Area]	[Policies, logs, screenshots, training records]	[System or team]

7. Implementation Roadmap

Phase 1 (Weeks 1-4): Critical gaps and quick wins

• [Specific deliverables]

Phase 2 (Weeks 5-12): High-priority gaps

• [Specific deliverables]

Phase 3 (Weeks 13+): Medium priority and continuous improvement

• [Specific deliverables]

8. Ongoing Maintenance

Once certified/compliant, what needs to continue:

• [Review frequencies]
• [Periodic testing requirements]
• [Annual audit expectations]
• [Staff training cadence]

9. Common Pitfalls for This Framework

2-3 specific traps organisations commonly fall into when pursuing this certification — flagged based on the stated maturity level.

Quality Checks

• Disclaimer included at start
• Framework-specific controls (not generic)
• Priorities align with organisation size and maturity
• Quick wins clearly separated from complex implementations
• Evidence requirements tied to specific controls

Example Trigger Phrases

• "Create a GDPR compliance checklist for our SaaS"
• "Generate a SOC 2 Type II readiness checklist"
• "What do we need for ISO 27001 certification?"
• "FCA compliance checklist for a fintech startup"
• "HIPAA gap analysis for a healthtech scaleup"