Security & Governance · 90 days · 2-3 hours/day · updated 2026-06-01
ComplianceOps 90-Day Learning Path
Master ComplianceOps in 90 days: automate SOC2, ISO 27001, PCI-DSS, and HIPAA controls, build continuous compliance pipelines, and prepare for audits without the scramble.
What ComplianceOps means
ComplianceOps applies DevOps automation principles to the compliance lifecycle. Instead of manual spreadsheet-driven audits, controls are codified, evidence is collected automatically, and compliance posture is monitored continuously. It covers regulatory frameworks, control mapping, evidence automation, and audit readiness as ongoing engineering activities rather than point-in-time events.
Who should follow this path
- Security engineers responsible for compliance programs
- DevOps engineers at companies pursuing SOC2 or ISO 27001
- GRC analysts wanting to automate manual compliance work
- Startup CTOs navigating their first enterprise audit
- Platform engineers building compliant golden paths
Prerequisites
- Basic understanding of cloud infrastructure (AWS or GCP)
- Familiarity with CI/CD pipelines
- Some exposure to security controls and risk concepts
- Comfort with policy documents and control frameworks
- Basic scripting (Python or Bash)
The 90-day plan
Daily study recommendation: 2-3 hours/day, six days a week. Consistency beats intensity — block the time in your calendar like a meeting.
Days 1–15: Foundation
- Major compliance frameworks: SOC2, ISO 27001, PCI-DSS, HIPAA
- Control families and mapping across frameworks
- Trust Services Criteria for SOC2
- Risk assessment and risk register basics
- Audit lifecycle: readiness, fieldwork, reporting
Outcome: Map controls across major frameworks and understand the end-to-end audit lifecycle.
Days 16–30: Core concepts
- Compliance-as-code concepts and tooling overview
- AWS Config rules for automated control monitoring
- Open Policy Agent (OPA) for policy enforcement
- InSpec profiles for compliance testing
- Evidence collection automation patterns
Outcome: Implement automated compliance checks using policy-as-code tools against real infrastructure.
Days 31–45: Tools and workflows
- GRC platforms: Drata, Vanta, and Tugboat Logic
- Continuous control monitoring pipelines
- Integrating compliance checks into CI/CD
- Access review automation
- Change management and audit trail requirements
Outcome: Configure a GRC platform for continuous SOC2 control monitoring with automated evidence collection.
Days 46–60: Hands-on projects
- Vendor risk management programs
- Third-party security assessments (shared questionnaires)
- Data classification frameworks
- Data retention and disposal policies
- Business continuity and disaster recovery compliance
Outcome: Build a vendor risk program and align data governance policies with compliance requirements.
Days 61–75: Advanced practices
- Cloud compliance: FedRAMP, GDPR, CCPA considerations
- Logging and monitoring control requirements
- Penetration testing requirements and scheduling
- Vulnerability management SLA compliance
- Security awareness training program compliance
Outcome: Manage compliance requirements for cloud-hosted systems including regulated data workloads.
Days 76–90: Portfolio, interview & certification prep
- Mock audit preparation and dry runs
- Building a compliance runbook and evidence library
- ComplianceOps interview questions
- Preparing for CISA or CISSP exams
- Metrics: audit findings, remediation SLAs, control coverage
Outcome: Lead a mock audit exercise and produce an audit-ready evidence package.
Phase outcomes at a glance
| Phase | Outcome |
|---|---|
| Days 1–15 | Map controls across major frameworks and understand the end-to-end audit lifecycle. |
| Days 16–30 | Implement automated compliance checks using policy-as-code tools against real infrastructure. |
| Days 31–45 | Configure a GRC platform for continuous SOC2 control monitoring with automated evidence collection. |
| Days 46–60 | Build a vendor risk program and align data governance policies with compliance requirements. |
| Days 61–75 | Manage compliance requirements for cloud-hosted systems including regulated data workloads. |
| Days 76–90 | Lead a mock audit exercise and produce an audit-ready evidence package. |
Tools to learn
- Drata
- Vanta
- AWS Config
- OPA/Gatekeeper
- Chef InSpec
- Prowler
- Jira (compliance tracking)
- ServiceNow GRC
- Terraform (compliance IaC)
- Datadog (audit logging)
Labs to practice
Mini projects
- Map a SOC2 Type II control set to AWS Config rules and build a real-time compliance dashboard
- Automate access review evidence collection using AWS IAM Access Analyzer and a Python reporting script
- Build a PCI-DSS compliance pipeline that gates deployments on passing Chef InSpec profiles
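The first mini project (mapping a SOC2 control set to AWS Config rules and rolling the results up into a compliance view) comes down to one data structure and one aggregation rule. The script below is an added example, not code from this learning path or from any GRC vendor: the control-to-rule mapping is illustrative rather than an authoritative SOC2 mapping, the Trust Services Criteria IDs (CC6.1, CC6.6, CC7.2, CC8.1) are used as labels only, and the evaluation results are constructed to stand in for what `aws configservice describe-compliance-by-config-rule` would return. The point it demonstrates is the aggregation rule a dashboard must get right: a control passes only when every mapped rule is evaluated and compliant, a rule with no evaluation counts as missing evidence rather than as a pass, and a control with no rules at all is reported as a coverage gap rather than silently omitted.

```python
"""Roll AWS Config rule evaluations up into a per-control SOC2 posture view.

Added example: the CONTROL_MAP below is illustrative (not an authoritative
SOC2 mapping) and SAMPLE_EVALUATIONS is constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field

# Illustrative mapping of Trust Services Criteria to AWS Config managed rules.
# In a real program this file lives in version control and is reviewed whenever
# a control or rule changes, so the auditor can see how evidence is derived.
CONTROL_MAP = {
    "CC6.1": {"name": "Logical access controls",
              "rules": ["iam-user-mfa-enabled", "root-account-mfa-enabled"]},
    "CC6.6": {"name": "Boundary protection",
              "rules": ["restricted-ssh", "vpc-default-security-group-closed"]},
    "CC7.2": {"name": "Security event monitoring",
              "rules": ["cloudtrail-enabled",
                        "cloud-trail-log-file-validation-enabled"]},
    # No automated evidence mapped yet: must surface as a coverage gap.
    "CC8.1": {"name": "Change management", "rules": []},
}

# Constructed sample: rule name -> ComplianceType as AWS Config reports it.
# "vpc-default-security-group-closed" is deliberately absent (rule not deployed).
SAMPLE_EVALUATIONS = {
    "iam-user-mfa-enabled": "COMPLIANT",
    "root-account-mfa-enabled": "COMPLIANT",
    "restricted-ssh": "NON_COMPLIANT",
    "cloudtrail-enabled": "COMPLIANT",
    "cloud-trail-log-file-validation-enabled": "INSUFFICIENT_DATA",
}


@dataclass
class ControlStatus:
    control_id: str
    status: str  # COMPLIANT, NON_COMPLIANT, UNKNOWN or UNMAPPED
    failing_rules: list = field(default_factory=list)
    missing_rules: list = field(default_factory=list)


def evaluate_control(control_id, rules, evaluations):
    """Derive one control's status from the rules mapped to it."""
    if not rules:
        return ControlStatus(control_id, "UNMAPPED")
    failing = [r for r in rules if evaluations.get(r) == "NON_COMPLIANT"]
    # Anything other than an explicit COMPLIANT/NON_COMPLIANT result is
    # missing evidence: not deployed, INSUFFICIENT_DATA or NOT_APPLICABLE.
    missing = [r for r in rules
               if evaluations.get(r) not in ("COMPLIANT", "NON_COMPLIANT")]
    if failing:
        status = "NON_COMPLIANT"  # one failing rule fails the whole control
    elif missing:
        status = "UNKNOWN"  # absence of evidence is not passing evidence
    else:
        status = "COMPLIANT"
    return ControlStatus(control_id, status, failing, missing)


def build_dashboard(control_map, evaluations):
    """Return {control_id: ControlStatus} for every control in the map."""
    return {cid: evaluate_control(cid, spec["rules"], evaluations)
            for cid, spec in control_map.items()}


def summarize(dashboard):
    """Headline metrics: status counts plus the share of controls with evidence."""
    counts = Counter(s.status for s in dashboard.values())
    mapped = len(dashboard) - counts["UNMAPPED"]
    coverage = mapped / len(dashboard) if dashboard else 0.0
    return {"counts": dict(counts), "control_coverage": round(coverage, 2)}


if __name__ == "__main__":
    board = build_dashboard(CONTROL_MAP, SAMPLE_EVALUATIONS)
    for cid, st in board.items():
        print(f"{cid} {CONTROL_MAP[cid]['name']:<28} {st.status:<14}"
              f"failing={st.failing_rules} missing={st.missing_rules}")
    print(summarize(board))
```

Run against the constructed data, CC6.1 is compliant, CC6.6 is non-compliant (and also missing a rule), CC7.2 is unknown because log-file validation has no usable evaluation, and CC8.1 is unmapped, giving a control coverage of 0.75. Treating UNKNOWN and UNMAPPED as first-class states is what keeps a dashboard honest: a "green" view that quietly ignores undeployed rules is exactly the kind of gap an auditor's sample will find.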
Interview questions to prepare
- What is the difference between SOC2 Type I and Type II?
- How do you automate evidence collection for an audit?
- Explain how you would map controls across SOC2 and ISO 27001 to avoid duplicate work.
- What is compliance-as-code and what tools enable it?
- How do you maintain continuous compliance rather than point-in-time audit readiness?
- Describe your approach to a vendor risk assessment.
- What AWS services help satisfy SOC2 monitoring requirements?
- How would you handle a critical finding discovered during an audit?
Certification suggestions
- Certified Information Systems Auditor (CISA) — ISACA
- ISO 27001 Lead Implementer — PECB
- AWS Certified Security Specialty — AWS
- Certified in Risk and Information Systems Control (CRISC) — ISACA
Free resources
- NIST Cybersecurity Framework
- SOC2 Overview — AICPA
- Chef InSpec Docs
- AWS Config Developer Guide
- CIS Controls v8
Prefer live, guided training with mentors and certification support? DevOpsSchool.com runs paid instructor-led programs that pair well with this free path.