Guides

Practical compliance, written by engineers.

Working guides for SOC 2, ISO 27001, HIPAA, NIST CSF, vendor risk, and the messy in-between. Built for engineers and ops leaders who own compliance whether they signed up for it or not.

SOC 2

SOC 2 Compliance for Growing Teams

Type I vs Type II, the five Trust Services Criteria, what to actually prepare, common mistakes, and realistic timelines for your first audit.

Read the guide
HIPAA

HIPAA Compliance for SaaS

Security Rule, Privacy Rule, safeguard categories, BAAs, and how to build a compliance program that covers what actually applies to your SaaS product.

Read the guide
HIPAA · Checklist

HIPAA Checklist for SaaS (47 items)

A concrete implementation checklist across administrative, physical, and technical safeguards, BAAs, breach notification, and ongoing maintenance.

Read the guide
HIPAA · BAAs

BAAs Explained for SaaS Founders

When you need a Business Associate Agreement, what HIPAA requires it to contain, subprocessor flow-down, and how to manage dozens of them at scale.

Read the guide
HIPAA · HITRUST

HIPAA vs HITRUST

When to pursue HITRUST CSF on top of HIPAA. Cost gap ($0 vs $50-200K), control overlap, e1 / i1 / r2 assessment types, and which buyers ask for which.

Read the guide
HIPAA · §164.312

HIPAA Technical Safeguards for Engineers

The 5 categories in §164.312 with concrete engineering implementations. Access control, audit logs, integrity, authentication, transmission security.

Read the guide
NIST CSF 2.0

NIST CSF 2.0 for Practitioners

The six core functions, implementation tiers, and how to use NIST CSF as your compliance backbone — mapping to SOC 2, ISO 27001, and HIPAA.

Read the guide
Multi-framework

Managing Multiple Compliance Frameworks

How to run SOC 2, ISO 27001, HIPAA, and NIST CSF in parallel. Control mapping, evidence reuse, framework prioritization — without duplicate work.

Read the guide

Run all of this in one platform.

LukaGRC turns the playbooks above into a working compliance program. Map controls, collect evidence, answer questionnaires, manage vendor risk — all in one place.

Start your free trial →