ISO/IEC 27701:2019 — PIMS
ISO/IEC 27701:2019 audit checklist. Privacy information management system extending ISO 27001 — PII controller and processor controls.
EU regulations and ISO standards, decomposed to the individual article, annex and clause and verified line by line. Accompanied by a free Compliance Matrix documenting the regulatory coverage for every checklist.
Each article, annex and clause reviewed individually and either mapped to one or more audit questions or recorded as informational. The signed Compliance Matrix accompanying every checklist documents this line by line.
Authored and reviewed by compliance management professionals with decades of regulatory experience. Each Compliance Matrix identifies the regulation version it was reviewed against.
One canonical content set, five render targets for the Part you buy: Audit Checklist (PDF, MD), Audit Workbook (XLSX), Data Bank (CSV), Question Bank (XML). The Compliance Matrix ships separately with every Part as a downloadable verification document.
ISO/IEC 27701:2019 audit checklist. Privacy information management system extending ISO 27001 — PII controller and processor controls.
Directive (EU) 2019/1937 audit checklist. Internal reporting channels, follow-up procedures, confidentiality, record-keeping and the prohibition of retaliation.
Directive (EU) 2019/882 audit checklist. Economic-operator obligations — manufacturers, authorised representatives, importers, distributors and service providers — accessibility requirements (Annex I), conformity assessment, CE marking, the EU declaration of conformity and the disproportionate-burden assessment.
ISO 45001:2018 audit checklist. Worker consultation and participation, hazard identification, OH&S risk and opportunity assessment, legal requirements, the hierarchy of controls, contractors and emergency preparedness, incident investigation, internal audit and management review — Clauses 4–10, full-split.
ISO 14001:2015 audit checklist. Environmental aspects (life-cycle perspective), compliance obligations, environmental objectives, operational and emergency controls, evaluation of compliance, internal audit and management review — Clauses 4–10, full-split.
Regulation (EU) 2023/2854 audit checklist. Entity obligations — data accessibility by design, data-holder access and sharing duties, third-party obligations, FRAND conditions and compensation, unfair contractual terms, B2G data sharing, switching between cloud/data-processing services, international transfer safeguards and smart-contract requirements.
Directive (EU) 2024/1760 audit checklist. The company due-diligence cycle — integrating due diligence into policy, identifying and prioritising adverse human-rights and environmental impacts, preventing and bringing them to an end, remediation, stakeholder engagement, complaints, monitoring, communicating and the Article 22 climate transition plan.
Directive (EU) 2022/2464 audit checklist. The undertaking sustainability-reporting obligations — the dedicated sustainability statement, double materiality, business-model and transition-plan disclosures, targets, due diligence, value chain, ESRS conformity, digital tagging, publication and board responsibility.
ISO 37001:2016 audit checklist. Bribery risk assessment, anti-bribery policy and compliance function, employment due diligence, due diligence on transactions and business associates, financial and non-financial controls, gifts and hospitality, raising concerns and investigating bribery — Clauses 4–10, deep full-leaf split.
ISO 31000:2018 audit checklist. The risk-management principles, framework (leadership, integration, design, implementation, evaluation, improvement) and process (communication, scope/context/criteria, risk assessment, treatment, monitoring, recording and reporting) — the foundation underpinning the risk clauses of ISO 27001, 37301, 45001 and 22301.
ISO 37301:2021 audit checklist. Compliance obligations, compliance risk assessment, compliance culture and governance, the compliance function, controls, raising concerns, investigations, monitoring and management review — Clauses 4–10, full-split.
GDPR audit checklist. Controller / processor obligations under Reg (EU) 2016/679.
NIS2 audit checklist. Cybersecurity risk-management and reporting duties under Dir (EU) 2022/2555.
CRA audit checklist. Cybersecurity requirements for products with digital elements under Reg (EU) 2024/2847.
NIS2 implementing-act audit checklist. Technical and methodological requirements under Reg (EU) 2024/2690.
ISO/IEC 27001:2022 audit checklist. Information security management system clauses and Annex A controls.
ISO 9001:2015 audit checklist. Quality management system requirements, Clauses 4–10.
ISO/IEC 27002:2022 audit checklist. Implementation guidance for the 93 ISO 27001 Annex A information security controls.
ISO/IEC 42001:2023 audit checklist. AI management system clauses, Annex A controls and informative annexes.
EU AI Act audit checklist. Provider and deployer obligations under Reg (EU) 2024/1689.
ISO 22301:2019 audit checklist. Business continuity management system requirements, Clauses 4–10.
DORA audit checklist. ICT risk-management, incident reporting and third-party duties under Reg (EU) 2022/2554.
DORA RTS audit checklist. The delegated technical standards elaborating DORA ICT risk-management and reporting.
Short answers to what compliance managers ask before buying. For the full list including edge cases, see the complete FAQ.
Authored and reviewed by compliance management professionals with decades of regulatory experience. Every Part is built question-by-question against the published regulation — every article, annex and clause — not extracted, not paraphrased, not generated wholesale. Every paragraph is signed off and recorded as covered, informational, or out of scope in the Compliance Matrix that ships with every Part as a downloadable verification document.
Every Part ships with the Regulatory Compliance Matrix as a downloadable verification document. It lists every paragraph of the regulation as a row, with its coverage status (Covered / Informational / Out of scope) and the audit questions that map to it. You can verify the methodology paragraph-by-paragraph before paying. It's the auditor-of-the-auditor artefact.
Every regulatory amendment within your 12-month update window is re-authored against the new version, re-rendered through the same pipeline, and emailed to you automatically. Our publish SLA is 30 days from the date the regulator publishes — non-delivery within that window counts as a defect under our refund policy.
No. It's a one-off purchase that includes 12 months of updates. Same procurement shape as buying a consultant cycle or an annual standards subscription — single invoice, single approval line, no card-on-file. Thirty days before your update period ends we'll email you a one-click link to buy the next 12 months. You choose; nothing happens automatically. If you don't renew, you keep every artefact you've already downloaded — they're yours forever.