How do I do this without breaking a control?
The compliance questions that come up in the middle of a change, answered the way an engineer needs them: the short version, the steps, a worked diff of the right way to do it, and the exact clause it maps to.
- How do I add audit logging the right way for SOC 2 and ISO 27001?
Log the security-relevant events (who did what, and when), always include the actor, write them somewhere durable, and do not let a later cleanup delete them. SOC 2 (CC7.2) and ISO 27001 (A.8.15) both expect this, and both check it by sampling the events you actually recorded.
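As an added example (not code from the original page), a minimal audit logger in Python that refuses events without an actor, records the actor, action, target and UTC time, and appends durably to a file; the file sink, field names and sample events are assumptions.

```python
"""Append-only audit log: one JSON line per security-relevant event.
Added example, not from the original page; sink, fields and samples are assumed."""
import json
import os
import tempfile
from datetime import datetime, timezone

# Every record must say who (actor) did what (action) to what (target), and when.
REQUIRED_FIELDS = ("actor", "action", "target", "time")

class AuditLog:
    def __init__(self, path):
        self.path = path

    def record(self, actor, action, target, **details):
        """Append one event; refuse to log an event with no actor."""
        if not actor:
            raise ValueError("audit event requires an actor")
        event = {"time": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "target": target, **details}
        # Append mode: existing records are never overwritten or truncated.
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, sort_keys=True) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # on disk before the caller proceeds
        return event

    def read_all(self):
        """Return every recorded event, the set an auditor would sample from."""
        with open(self.path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]

def validate(events):
    """Indices of events missing a required field; an empty list passes."""
    return [i for i, e in enumerate(events)
            if any(not e.get(f) for f in REQUIRED_FIELDS)]

def demo():
    """Constructed sample: two good events, one rejected, into a temp file."""
    log = AuditLog(os.path.join(tempfile.mkdtemp(), "audit.jsonl"))
    log.record("alice@example.com", "user.role.change", "bob@example.com", new_role="admin")
    log.record("svc-billing", "secret.read", "billing/api-key")
    try:
        log.record("", "config.edit", "app.yml")  # no actor: must be refused
        rejected = False
    except ValueError:
        rejected = True
    events = log.read_all()
    return len(events), validate(events), rejected
```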
- How do I store API keys and secrets without breaking ISO 27001 A.8.24?
Never put the key in source. Read it from the environment or a managed secret store at runtime, keep it out of the repository and the logs, and rotate any secret that was ever committed. ISO 27001 A.8.24 (and plain caution) expects keys to be managed, not hardcoded.
- How do I delete a user for GDPR across every store?
Make the delete path reach every place the person's data lives: the primary database, caches, search indexes, analytics, backups (on their own documented lifecycle), and any third-party processor you forwarded it to. When the right to erasure (GDPR Art. 17) applies, a single forgotten copy defeats it, so the delete path has to reach every one of them.
- How do I add a third-party dependency safely?
Pin the version, verify what you pull (a lockfile and integrity checking), avoid running remote install scripts, and prefer your vetted registry or mirror. NIS 2 (Art. 21(2)(d)) treats your dependencies as part of supply-chain security, and the controls on them live in your manifest and build.
- How do I encrypt patient data (ePHI) at rest for HIPAA?
Turn on encryption at rest for every store that holds electronic protected health information (the database, buckets, volumes, backups), or document why an equivalent safeguard is in place. HIPAA's encryption specification (164.312(a)(2)(iv)) is addressable: implement it where reasonable, or record an equivalent, rather than skipping it.
- How do I restrict access to follow least privilege?
Grant only the access each role or service needs, deny by default, and avoid wildcards. SOC 2 (CC6.1) checks logical access, and least privilege is what an auditor samples: can each identity do only what its job requires, and no more.