Adding key OOTB controls for most requested compliance frameworks
# Background
Currently, the compliance standards adherence dashboard lists the adherence status of projects complying with the GitLab Standard. The GitLab Standard has the following controls mapped to it:
* Prevent authors as approvers.
* Prevent committers as approvers.
* At least two approvals.
* Static Application Security Testing (SAST) scanner artifact.
* Dynamic Application Security Testing (DAST) scanner artifact.
# Problem
As part of the work we are doing for [custom compliance frameworks](https://gitlab.com/groups/gitlab-org/-/epics/13295), we will be:
* Removing `Standards` and including `Requirements` under frameworks;
* Making all of our existing controls available to be mapped to `Requirements`.
As part of mapping existing controls to `Requirements`, we have the opportunity to close a key gap in the product. Based on our [competitor research](https://gitlab.com/groups/gitlab-org/software-supply-chain-security/compliance/-/epics/7) - especially when [compared to controls available out of the box](https://gitlab.com/gitlab-org/software-supply-chain-security/compliance/product-management/-/issues/33) - our existing 5 controls do not come close to covering the baseline of the wide variety of controls that users are expected to have in order to keep their GitLab instances compliant with the many different regulatory frameworks and standards that must be adhered to on a day-to-day basis.
# Solution
To address our current lack of controls, we will be adding most of the controls for the common regulatory compliance frameworks, which our research surfaced as a key reason why users use GitLab.
The controls will come from the following compliance frameworks/standards:
- SOC2
- ISO 27001
- All GitLab security scanners
- GitLab CIS benchmark
- GitLab Internal Inventory (internal customer use case)
Each of these regulatory standards has been analysed in this spreadsheet (https://docs.google.com/spreadsheets/d/1Wdksot38os84xk9XtuERYc3Ako6GmLprtjFlqE1NP2E/edit?gid=0#gid=0) and its controls will be added as part of the work we are doing to release custom compliance frameworks.
We will start with the above list of frameworks as part of the launch for custom compliance frameworks. We understand that there may be a need for more controls for more frameworks in the future (e.g. PCI-DSS, GDPR, etc.), but are confident in starting with the above as the baseline before expanding to add more controls as and when we need to.
# Persona
* [Cameron (Compliance Manager)](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager)
<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
<!--triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION-->