Compliance Support

Know exactly what we cover — and what we don't.

Compliance frameworks are complex. We believe in being specific about which controls we actively manage at each service tier, so you can make informed decisions without surprises at audit time.

What This Means

Compliance support is not the same as compliance certification.

When Wayfinder says we "support" a compliance framework, we mean we actively manage the technical controls that fall within our scope — the tools, configurations, access policies, logging, and security stack that your auditor or insurer will ask about.

What we don't do: certify you, act as your compliance officer, write your policies from scratch, or guarantee audit outcomes. Compliance involves people, processes, and technology — we own the technology layer.

What we actively manage

  • Technical security controls in your M365 environment
  • Endpoint protection, patching, and monitoring
  • Identity, access, and conditional access policies
  • Logging, alerting, and incident response (Premium)
  • Backup, DR, and business continuity (per tier)

What remains your responsibility

  • Physical security of your office and devices
  • Staff training and policy enforcement (Standard: advisory; Premium: KnowBe4)
  • Business Associate Agreements with other vendors
  • Compliance officer / DPO role

Important: Cyber insurance readiness is included from the Basic tier; support for the regulatory frameworks below (HIPAA, PCI DSS, NIST 800-171, CIS Controls) is included in the Standard and Premium tiers. In every case, support is not a guarantee of a compliance outcome. Our role is to manage the technical controls that fall within our scope of service. Achieving and maintaining certification or regulatory compliance is a shared responsibility between your organization and your service providers.

Framework Coverage

Which frameworks we support, and at what tier

Each framework below maps to the specific controls Wayfinder actively manages. "Supported" means we handle the technical layer — not that we're your compliance team.

How to read the tables: a listed control is one Wayfinder manages; where a row says a component is handled at a higher tier or by the client, Wayfinder manages the technical component and the client manages the remainder; rows marked "Advisory only" are guidance, with implementation client-led.

Cyber Insurance Readiness (Basic & above)

Most cyber insurers require a documented set of technical controls. Wayfinder's Basic tier satisfies the majority of standard requirements; the rows below that name Standard or Premium need that tier before you can answer "yes" on the questionnaire.

  Requirement                          Wayfinder coverage
  Multi-factor authentication          Entra ID MFA enforced via conditional access
  Endpoint protection (EDR)            Microsoft Defender for Endpoint
  Email security                       Defender for Office 365; SPF, DKIM and DMARC
  OS patching & vulnerability mgmt     RMM-managed patching with reporting
  Backup & business continuity         Network failover (Basic); full backup added at Standard
  DNS filtering                        DNSFilter blocks malicious domains (Standard and above)
  Incident response plan               Plan provided at Premium; advisory at Standard
HIPAA (Standard & above)

The technical and some administrative safeguards of HIPAA fall within our scope at Standard tier. Physical safeguards remain the client's responsibility.

  Safeguard                            Wayfinder coverage
  Access control                       Entra ID P2, role-based access, conditional access
  Audit controls & logging             Defender audit logs; Sentinel SIEM at Premium
  Data integrity & encryption          BitLocker, TLS in M365, OneDrive versioning
  Transmission security                TLS enforced throughout M365
  Email & file backup                  Exchange and SharePoint/OneDrive backup
  Workforce training                   KnowBe4 managed at Premium; advisory at Standard
  Physical safeguards                  Advisory only: client responsibility; we provide guidance
PCI DSS (Standard & above)

Wayfinder manages the network security, access control, monitoring, and vulnerability management requirements within our scope. Scoping the cardholder data environment (CDE) and engaging a Qualified Security Assessor (QSA) remain the client's responsibility.

  Requirement                          Wayfinder coverage
  Access control & least privilege     Entra ID P2, PIM, conditional access
  Vulnerability management             Defender vulnerability analytics, patching
  Monitoring & logging                 Huntress MDR, Defender; Sentinel at Premium
  DNS & web filtering                  DNSFilter
  Network segmentation                 Advisory at Standard; managed as network add-on at Premium
  Security awareness training          KnowBe4 managed at Premium; advisory at Standard
  CDE scoping & QSA engagement         Advisory only: client responsibility; we can advise and refer
NIST 800-171 (Premium only)

Required for businesses handling Controlled Unclassified Information (CUI), which is common in defense contracting, government supply chains, and regulated industries. Premium's full stack covers the majority of the 110 security requirements in SP 800-171 Rev. 2; the physical protection family stays with the client.

  Control family                             Wayfinder coverage
  Access control (AC)                        Entra ID P2, PIM, conditional access, access reviews
  Audit & accountability (AU)                Microsoft Sentinel SIEM, central log aggregation
  Incident response (IR)                     Formal IR plan + Sentinel automated playbooks
  Risk assessment (RA)                       Defender vulnerability management, attack surface management
  System & communications protection (SC)    ThreatLocker, Defender, network segmentation (add-on)
  Awareness & training (AT)                  KnowBe4 managed; role-specific training advisory
  Physical protection (PE)                   Advisory only: client responsibility; guidance provided
CIS Controls v8 (Premium only)

CIS Controls v8 is a prioritized set of 18 Controls (153 Safeguards), grouped into three Implementation Groups. Wayfinder's Premium stack maps directly to Implementation Group 2 (IG2), the level appropriate for most SMBs handling sensitive data.

  Control                                          Wayfinder coverage
  CIS 1 & 2: Inventory (hardware & software)       Intune, ThreatLocker application allowlisting
  CIS 4: Secure configuration                      Intune security baselines, Autopilot
  CIS 5 & 6: Account & access management           Entra ID P2, PIM, conditional access
  CIS 7: Continuous vulnerability management       Defender for Endpoint Plan 2, patching
  CIS 8: Audit log management                      Microsoft Sentinel, long-term retention
  CIS 9: Email & web browser protection            Defender for Office 365, DNSFilter, Mimecast
  CIS 10: Malware defense                          ThreatLocker, Defender, Huntress
  CIS 11: Data recovery                            Datto backup & disaster recovery
  CIS 14: Security awareness training              KnowBe4, managed phishing simulations & training
  CIS 17: Incident response management             Formal IR plan, Sentinel playbooks

Summary

Which tier do you need?

  • Basic: Cyber Insurance readiness; essential controls for most insurers
  • Standard: HIPAA + PCI DSS + Cyber Insurance; healthcare, payments, regulated industries
  • Premium: All frameworks, including NIST 800-171 and CIS IG2; defense, government supply chain, high-risk environments

Talk to us about your requirements.

At a Glance

Framework coverage by tier

  Framework                        Basic   Standard   Premium   Who needs this
  Cyber Insurance requirements     ✓       ✓          ✓         Any business carrying cyber liability insurance
  HIPAA                            -       ✓          ✓         Healthcare providers, business associates
  PCI DSS                          -       ✓          ✓         Businesses that accept credit card payments
  NIST 800-171                     -       -          ✓         Defense contractors, federal supply chain (CUI)
  CIS Controls v8 (IG2)            -       -          ✓         Any organization wanting a proven security baseline

  ✓ = supported at that tier; - = not included

Not sure which frameworks apply to your business?

Book a free 30-minute call. We'll review your industry, your insurers' requirements, and any regulatory obligations — and tell you exactly what you need.