Product Overview
ForgeComply is a guided compliance platform with optional AI assistance that helps organizations prepare for SOC 2 and ISO 27001 audits.
What Is ForgeComply?
ForgeComply is a compliance management platform that guides you through the audit preparation process. It helps you:
- Assess your current state — Evaluate your security controls systematically
- Generate policies — Create professional policy documents based on your actual implementation
- Collect evidence — Organize and manage evidence for auditor review
- Track progress — Understand where you stand and what needs attention
- Produce reports — Generate audit-ready documentation
ForgeComply replaces spreadsheets, scattered documents, and expensive consultants with a structured, guided workflow.
Who Is ForgeComply For?
ForgeComply is designed for:
Startups and SMBs
Companies pursuing their first SOC 2 or ISO 27001 certification who need guidance through the process.
Security and Compliance Teams
Professionals managing ongoing compliance who want to streamline evidence collection and reporting.
Founders and CTOs
Technical leaders who need to demonstrate security posture to customers, investors, or partners.
Organizations with Limited Resources
Teams that can't afford dedicated compliance staff or expensive consultants.
What Problems Does ForgeComply Solve?
The Spreadsheet Problem
Compliance traditionally lives in spreadsheets — hard to maintain, easy to lose track of, and disconnected from actual evidence.
ForgeComply solution: A structured database that connects controls, policies, evidence, and reports.
The Blank Page Problem
Writing policies from scratch is intimidating and time-consuming.
ForgeComply solution: Policy generation based on your organization's profile and control responses.
The "Where Do I Start?" Problem
Compliance frameworks are complex. Knowing what to do first is overwhelming.
ForgeComply solution: Guided setup walks you through step-by-step.
The Evidence Chaos Problem
Evidence scattered across email, Slack, Google Drive, and random folders.
ForgeComply solution: Centralized evidence management linked directly to controls.
The Auditor Readiness Problem
Scrambling before audits to compile documentation.
ForgeComply solution: Generate audit-ready reports on demand.
Supported Frameworks
SOC 2
Service Organization Control 2 — the most common compliance framework for SaaS and service providers.
Supported audit types:
- Type I — Point-in-time evaluation of control design
- Type II — Evaluation of control effectiveness over a period
ISO 27001
International standard for information security management systems (ISMS).
Supported audit stages:
- Stage 1 — Documentation review and readiness assessment
- Stage 2 — Full certification audit
Control Catalog
ForgeComply's unified control catalog contains 63 controls organized across 10 security domains:
| Domain | Controls | Examples |
|---|---|---|
| Governance | GV-01 to GV-06 | Security policy, risk assessment, code of conduct |
| Access Control | AC-01 to AC-05 | MFA, access reviews, least privilege |
| Logging & Monitoring | LM-01 to LM-04 | Audit logs, alerting, log retention |
| Change Management | CM-01 to CM-04 | Code review, CI/CD, rollback procedures |
| Incident Response | IR-01 to IR-03 | IR plan, escalation, post-mortems |
| Vendor Management | VM-01 to VM-03 | Vendor assessment, contracts, reassessment |
| Data Protection | DP-01 to DP-05 | Encryption, backups, data classification |
| Security Awareness | SA-01 to SA-03 | Training, phishing awareness |
| Business Continuity | BC-01 to BC-03 | DR plan, RTO/RPO, recovery testing |
| Vulnerability Management | VU-01 to VU-03 | Scanning, patching, remediation tracking |
Framework overlap: 35 controls are shared between SOC 2 and ISO 27001. 6 are SOC 2-specific. 22 are ISO 27001-specific.
How ForgeComply Works
0. Take the Free Readiness Scan (Optional)
Before signing up, take the free SOC 2 readiness scan. Answer 10 questions in 3 minutes to see where you stand across 37 controls. No signup required.
1. Create Your Assessment
Select your framework (SOC 2 or ISO 27001) and audit type. ForgeComply loads the appropriate controls from a catalog of 63 controls across 10 security domains.
2. Evaluate Controls
Work through each control, documenting your implementation status and assigning owners. Controls are evaluated with a dual-status model that considers both your answer and evidence completeness.
3. Generate Policies
Create policy documents from 17 professional templates that cover all control domains. Policies are automatically linked to relevant controls.
4. Upload Evidence
Attach supporting documentation to demonstrate your controls are operating.
5. Generate Reports
Produce audit-ready reports with integrity hashing, evidence coverage scoring, and blocker identification.
6. Share with Auditors
Grant read-only access to auditors for their review.
Key Features
Free SOC 2 Readiness Scan
A public, no-signup assessment that evaluates readiness across 10 security domains. Results include a readiness score, audit blocker identification, gap analysis, and timeline estimate. Results are shareable via URL.
Guided Setup
Optional step-by-step workflow that walks you through the entire assessment process.
Control Catalog
63 security controls across 10 domains: Governance, Access Control, Logging & Monitoring, Change Management, Incident Response, Vendor Management, Data Protection, Security Awareness, Business Continuity, and Vulnerability Management. 35 controls are shared between SOC 2 and ISO 27001, with 6 SOC 2-specific and 22 ISO 27001-specific controls.
Dual-Status Evaluation
Controls are evaluated with both a design status (based on your answer, owner, and policy) and an evidence status (based on evidence completeness). This gives a clear picture of what's documented versus what's proven.
Policy Generation
17 professional policy templates covering all security domains. Policies use organization context (company name, security officer, review frequency) and are linked to specific controls.
Evidence Management
Centralized storage with review workflows and auditor-safe access. Evidence coverage is scored against configurable thresholds.
Audit Reports
Immutable, point-in-time reports with SHA-256 integrity hashing (including policy version), evidence coverage scoring, and audit blocker identification.
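As an added illustration of the dual-status model (design status versus evidence status) and of an integrity-hashed, point-in-time report, here is a small Python sketch. It is not ForgeComply's own code: the status names, the answer vocabulary (`implemented` / `partial` / `not_implemented`), the 0.8 coverage threshold and the sample controls are all constructed assumptions. The point it demonstrates is why the hash must cover policy versions: a later edit to a linked policy changes the hash, so the sealed report no longer verifies.

```python
# Added illustration, not ForgeComply's implementation. Shows a dual-status
# control evaluation, evidence coverage scoring against a configurable
# threshold, blocker identification, and a SHA-256 integrity hash over a
# canonical serialization of the report (policy versions included).
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Control:
    control_id: str
    answer: str                     # assumed vocabulary: implemented / partial / not_implemented
    owner: Optional[str]
    policy_id: Optional[str]
    policy_version: Optional[str]
    evidence_required: int          # evidence items the control expects
    evidence_accepted: int          # evidence items that passed review


def design_status(c: Control) -> str:
    """What is documented: answer, assigned owner and a linked policy."""
    if c.answer == "not_implemented":
        return "gap"
    if c.answer == "implemented" and c.owner and c.policy_id:
        return "designed"
    return "incomplete"


def evidence_status(c: Control, threshold: float) -> str:
    """What is proven: accepted evidence measured against the threshold."""
    if c.evidence_required == 0:
        return "n/a"
    coverage = c.evidence_accepted / c.evidence_required
    if coverage >= threshold:
        return "covered"
    return "partial" if coverage > 0 else "missing"


def evaluate(controls: List[Control], threshold: float = 0.8) -> dict:
    """Build the point-in-time report: per-control statuses, a coverage score and blockers."""
    rows = []
    for c in controls:
        rows.append({"control": c.control_id,
                     "design": design_status(c),
                     "evidence": evidence_status(c, threshold),
                     "policy": c.policy_id,
                     "policy_version": c.policy_version})
    required = sum(c.evidence_required for c in controls)
    accepted = sum(min(c.evidence_accepted, c.evidence_required) for c in controls)
    score = round(accepted / required, 3) if required else 0.0
    # A control is a blocker when it is an outright design gap or has no evidence at all.
    blockers = [r["control"] for r in rows if r["design"] == "gap" or r["evidence"] == "missing"]
    return {"threshold": threshold, "coverage_score": score,
            "blockers": blockers, "controls": rows}


def report_hash(report: dict) -> str:
    """Canonical JSON (sorted keys, fixed separators) so equal reports hash identically."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def seal(report: dict) -> dict:
    return {"report": report, "sha256": report_hash(report)}


def verify(sealed: dict) -> bool:
    """Recompute the hash over the report body and compare in constant time."""
    return hmac.compare_digest(report_hash(sealed["report"]), sealed["sha256"])


def with_policy_version(sealed: dict, control_id: str, new_version: str) -> dict:
    """Return a copy of a sealed report in which one control's policy version was edited."""
    edited = copy.deepcopy(sealed)
    for row in edited["report"]["controls"]:
        if row["control"] == control_id:
            row["policy_version"] = new_version
    return edited


# Constructed sample controls (IDs follow the catalog's domain prefixes; data is invented).
SAMPLE_CONTROLS = [
    Control("AC-01", "implemented", "alice", "POL-AC", "1.2", 2, 2),
    Control("DP-02", "partial", "bob", "POL-DP", "2.0", 3, 1),
    Control("IR-01", "not_implemented", None, None, None, 2, 0),
]
SAMPLE_REPORT = evaluate(SAMPLE_CONTROLS)
SEALED = seal(SAMPLE_REPORT)

if __name__ == "__main__":
    print(json.dumps(SEALED, indent=2))
    print("verifies:", verify(SEALED))
    print("after policy bump:", verify(with_policy_version(SEALED, "AC-01", "1.3")))
```

Hashing a canonical serialization is what makes the report "immutable" in a checkable sense: anyone holding the sealed JSON can recompute the digest, and because each control row carries the policy version it was assessed against, bumping a policy afterwards (or silently editing evidence statuses) is detected rather than quietly absorbed.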
Blog
Practical compliance content covering SOC 2 checklists, framework comparisons, and audit preparation guides.
Role-Based Access
Separate roles for admins, team members, and auditors with appropriate permissions.
AI Assistance (Optional)
Contextual guidance to help you understand controls and identify gaps.
What ForgeComply Is NOT
Understanding limitations is as important as understanding capabilities.
ForgeComply is not an auditor
We help you prepare for audits. We do not conduct audits or issue certifications. You still need an accredited auditor.
ForgeComply does not guarantee audit success
Passing an audit depends on your actual security implementation, not just documentation. ForgeComply helps you document and organize — the substance must be real.
ForgeComply is not a security tool
We don't scan your systems, monitor your infrastructure, or detect threats. We help you document your security controls.
ForgeComply does not replace judgment
Compliance requires human decision-making. ForgeComply provides structure and guidance, but you decide what's appropriate for your organization.
ForgeComply is not legal advice
Compliance frameworks have legal implications. Consult qualified professionals for legal questions.
Getting Started
Ready to begin? See the Getting Started Guide for step-by-step instructions.
Questions?
- Concepts & Terminology — Understand key terms
- FAQ — Common questions answered
- Support — Contact [email protected]