The Self-Taught Compliance Practitioner's Evidence Playbook

$199.00

A focused course, tailored for you

The Self-Taught Compliance Practitioner's Evidence Playbook

For the person who picked up the compliance work mid-stream and now has to defend it to an auditor with no team behind them.

You inherited a compliance responsibility. There was no proper handover. Now an audit is on the horizon and you are quietly studying at night because the day job has no slack for it.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A lot of small and mid-sized organisations end up with one person who 'does compliance' because they were the one in the room when the question came up. That person is often technically capable, often respected internally, and almost always under-resourced. No second pair of eyes. No GRC platform paid for. A binder of policies the previous person wrote, half of which reference systems that have since been replaced. When the next audit notice arrives, the studying happens on a personal device, late in the evening, because the daytime hours are spoken for. The gap is not capability. The gap is a structured way to assemble defensible evidence without a team behind you. This course is for that exact spot.

What you walk away with

  • Assemble a working evidence file for a control without waiting on a team that doesn't exist.
  • Write a control description an auditor accepts on the first read without three rounds of back and forth.
  • Pull the population for a sample test, sample it correctly, and document why the sample is defensible.
  • Handle the vendor-risk question even when the vendor refuses to share their SOC 2 report.
  • Walk an auditor through a control room with confidence even when only one person knows the system.

The 12 modules

Module 1. The one-person compliance function: what to build first
A practical sequencing of what to assemble when you have no team and no software budget. Covers the minimum viable control inventory, the minimum viable evidence index, and the one calendar artefact that prevents quarterly surprises. Includes a starter sheet you can populate the same evening you finish the module, sized for an organisation with no full-time compliance staff.
Module 2. Reading the policy you inherited
How to triage an inherited policy library. Identifies which policies still bind the organisation, which reference systems that no longer exist, and which need the lightest possible rewrite to remain defensible. Includes a four-question filter you apply to each document and a worked example showing a sixteen-page legacy policy reduced to the two pages an auditor actually tests against.
Module 3. Writing a control description an auditor accepts the first time
The structure of a control description that survives auditor review without three rewrite rounds. Walks the actor, action, frequency, evidence, and exception-handling pattern. Includes side-by-side examples of a weak description and a strong one, drawn from access management, change management, and vendor onboarding controls. Templates included for the eight most-tested control types.
Module 4. Building the evidence file from scratch
How to construct a control-by-control evidence file when the previous practitioner left no folder structure. Covers naming conventions, version control, and the index page an auditor uses to navigate the file. Provides a downloadable folder template and a sample evidence file for an access-review control, fully populated with the artefacts the auditor will request and the cover note that contextualises them.
Module 5. Population and sampling without a GRC tool
How to pull a complete population of access events, change tickets, or transactions using only the tooling you already have (spreadsheets, native system exports, a few SQL queries). Covers what counts as a defensible population, how to size a sample, and how to document the sampling methodology so the auditor accepts it. Includes a sampling worksheet and three worked examples from different control domains.
Module 6. The vendor risk question with no vendor cooperation
What to do when a vendor refuses to share their SOC 2 report, when their attestation is expired, or when the scope of their report does not cover the service you actually use. Walks compensating-control reasoning, contractual reliance language, and the documented risk-acceptance memo that closes the loop. Includes templates for the vendor questionnaire, the risk-acceptance memo, and the auditor-facing summary.
Module 7. Access reviews when nobody owns identity
How to run a quarterly access review when no dedicated identity team exists. Covers the manager-attestation workflow, the privileged-access deep dive, and the orphaned-account sweep. Includes a downloadable access-review pack with the attestation form, the privileged-account inventory template, and the close-out memo. Worked example draws from a forty-application environment with no IdP.
Module 8. Change management for the team of one
How to demonstrate a change-management control when the ticketing system is whatever Jira project the engineering team happens to use this quarter. Covers the minimum data points a change ticket must capture, the approval evidence that holds up, and the emergency-change exception process. Includes a ticket-field template, an approval matrix, and a worked sample test showing how the auditor walks from a population of 200 changes down to the 25 they actually examined.
Module 9. Business continuity and the test you can actually run
How to design a BCP/DR test that produces real evidence when you cannot get sign-off for a full failover exercise. Covers tabletop scenarios, walk-through tests, and the documentation that converts them into audit-grade evidence. Includes a tabletop facilitator script, a participant attestation form, and a post-test report template that auditors accept as proof of an annual exercise.
Module 10. The pre-audit dry run
The four-hour exercise you run two weeks before fieldwork to find gaps while they are still fixable. Covers the control walk-through, the sample pre-pull, and the evidence-completeness check. Includes a dry-run script and a gap-log template, plus guidance on when to escalate a gap versus when to remediate quietly before fieldwork starts.
Module 11. Walking the auditor through the room
How to conduct the auditor walk-through when you are the only person in the room who knows how the system works. Covers the opening summary, the artefact pre-stage, and the technique for answering questions you do not know the answer to without losing credibility. Includes a walk-through prep checklist and a one-page control summary template you bring to every session.
Module 12. Closing the audit and setting up next year
How to read a draft report, push back on findings that misstate the facts, and negotiate the wording of an observation that will land in management's inbox. Covers the response memo, the remediation plan, and the calendar-anchored prep that prevents next year being a fire drill. Includes a finding-response template and a twelve-month evidence calendar tied to the control inventory you built in module one.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

If you inherited the compliance function with no handover, start with modules 1 and 4 to get a working control inventory and an evidence file before anything else.
If an audit is already on the calendar, jump to modules 3, 5, and 10 to tighten control descriptions, lock in sampling, and run a dry run before fieldwork.
If vendor risk is the area where you feel most exposed, module 6 and its vendor templates close the gap fastest.
If you are studying compliance to back up a role you already hold, work the modules in order; each one ends with a workpaper you can apply to your environment the same evening.

What you get with this course

  • Twelve written modules with worked examples drawn from real one-person compliance functions.
  • Downloadable templates for control descriptions, evidence files, sampling worksheets, vendor risk memos, access-review packs, change-management ticket fields, BCP tabletop scripts, and finding-response letters.
  • A hand-built implementation playbook drafted to your specific situation once you enrol.
  • A twelve-month evidence calendar template tied to the control inventory.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours of enrolment your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules are written content, accessible immediately, and you work through them at your own pace.

Templates are downloadable from each module and reusable across audits.

The implementation playbook is hand-built to your situation, so it references the systems and frameworks you actually work with, not a generic example.

Before and after

Before

You are studying compliance late at night because the day job has no slack for it. There is a binder of policies the previous person wrote, no folder structure for evidence, and the next audit notice will land before you feel ready.

After

You have a working control inventory, a navigable evidence file, control descriptions an auditor accepts on the first read, and a calendar that tells you what to refresh in which month so audit prep stops being a fire drill.

What happens if you do not address this

The next audit lands and the finding you walk away with is not a control failure but an evidence failure: the control worked, you just could not produce the artefact in the form the auditor needed it. Findings of that shape are awkward to explain internally because they look like a documentation problem, not a process problem, and they tend to recur.

Who it is for

A practitioner who carries a compliance responsibility without a dedicated compliance team. Could be the IT manager who picked up SOC 2, the operations lead who got handed PCI scope, the CISO of one at a small company, the internal auditor who is the entire internal audit function, or someone studying for a certification because the role demands it now. Studies on personal time, usually with a personal email account. Needs templates and worked examples that drop straight into the workpaper, not a textbook explanation of why the framework exists.

Who this is NOT for. Not for someone with a five-person compliance team, a GRC platform implementation team, and a Big-4 advisor on retainer. Not for someone who needs a CPE-accredited certification (this is a working playbook, not an exam course). Not for someone looking for compliance theory or a tour of the framework landscape.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Each module takes 30 to 45 minutes to read plus another 30 to 60 minutes to apply the template to your environment. Most practitioners complete the course over three to four weeks of evening sessions while running their day job.

Why $199 is the right number

Compared to a certification course, this teaches you to assemble the evidence file the certification course assumes you already know how to build. Compared to free LinkedIn posts on compliance, this gives you the templates the posts describe but never share. Compared to hiring a consultant, this is the same baseline knowledge a consultant would apply, structured so you can apply it yourself.

FAQ

I am studying for a certification. Is this a substitute?
No. The certification teaches you the framework. This teaches you to produce the evidence the framework expects. They complement each other; many practitioners take the certification for the credential and use this for the day-to-day work.
I work alone. Will the templates assume a team?
No. Every worked example is drawn from a one-person or two-person compliance function. The templates are sized for that reality.
What if my organisation uses a framework you do not name?
The control patterns (access, change, vendor, BCP, evidence assembly, sampling, audit walk-through) are framework-agnostic. The templates work whether your auditor is testing against SOC 2, ISO 27001, NIST CSF, PCI DSS, or an internal framework.
I am between jobs and studying to move into a compliance role. Useful?
Yes. The templates and worked examples are the artefacts a hiring manager wants to see you can produce. Working through the course gives you a portfolio to point at in interviews.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.