Services We Offer

IT Compliance Delivered With Confidence

Compliance is not a checkbox. It is an ongoing program that requires the right documentation, the right controls, and a partner who understands what auditors, regulators, and insurers are actually looking for. ComplyIT is DivergeIT’s dedicated IT compliance offering, structured in three tiers to meet your organization wherever it is in its compliance journey.
Whether you are preparing for your first audit, working toward HIPAA, CMMC, or ISO 27001 alignment, or looking to maintain and mature a compliance program already in place, ComplyIT gives you the documentation, visibility, and expert guidance to get there and stay there.

Why IT Compliance Is Critical To Your Organization


Regulatory & Legal Obligation

If you operate in a regulated industry, you have regulatory and legal obligations to maintain IT compliance. Failure to do so may put you at risk of fines, sanctions, lawsuits, or the shutting down of your business.

Risk Reduction & Cybersecurity

IT compliance is fundamentally a risk management framework. Without it, your risk of a data breach, ransomware, or other cybersecurity incidents increases dramatically. It is not a replacement for cybersecurity, but it provides the framework for greater protection across your organization.

Data Protection & Privacy

IT compliance sets the stage for your organization to protect and be better custodians of sensitive data under your control, whether that is customer, financial, employee, or intellectual property.

Business Continuity & Resilience

IT compliance enforces structured processes for backup, recovery, and incident response. This minimizes downtime in the event of an outage, ensures more rapid recovery of data and provides another layer of protection to keep your operations running.

Customer & Market Trust

IT compliance, when developed and maintained properly, becomes a competitive advantage for your organization. By implementing IT compliance, your operations run more smoothly, you mitigate the risk of financial impact, and you set yourself apart from your competition by protecting not only your organization but also those you do business with and the customers you serve.

Vendor & Ecosystem Requirements

Organizations are increasingly accountable not just for their own compliance, but the compliance of the vendors they use. By building and maintaining a comprehensive IT compliance program, you have the framework in which to hold your vendors accountable and protect yourself from possible risks of a vendor not following the rules. Many customers require organizations to ensure they and their vendors are compliant across the many regulations and


Three Tiers. One Partner. Every Layer of Your IT Environment.

ComplyIT Core

If your organization does not have formal compliance documentation in place yet, Core is where to start. This tier builds the foundational paperwork, policies, and records that auditors, insurers, and regulators expect to see. Think of it as getting your house in order before anyone comes to inspect it.

Your devices, email, backups, and patches are documented with the evidence auditors look for

A complete inventory of all hardware and software in your environment is maintained and kept current

Your onboarding and offboarding processes are documented so access is always accounted for

Starter policy templates are customized for your organization covering acceptable use, passwords, and security

Your cybersecurity insurance questionnaire is supported with documentation that demonstrates your controls

Devices that fall out of compliance are identified and reported so gaps do not go unnoticed

ComplyIT Plus

ComplyIT Plus is for organizations that have the basics in place and need to mature their compliance program against recognized frameworks. This tier adds advanced controls, deeper testing, and formal framework alignment on top of everything in Core.

Your compliance posture is evaluated annually against CIS Controls or the NIST Cybersecurity Framework with a clear gap report and remediation plan

Multi-factor authentication is verified, documented, and tracked across your key systems

Your backups are tested quarterly and recovery capabilities are formally documented against defined recovery time objectives

Vulnerabilities across your environment are scanned monthly and tracked through to remediation

Your core policies are formally deployed and staff awareness is documented

An annual risk assessment is produced with an executive summary suitable for board and leadership reporting

Infrastructure health including servers, storage, and uptime is continuously monitored and documented

Changes to your IT environment are tracked and approved through a formal process with rollback plans in place

ComplyIT Pro

ComplyIT Pro is for organizations operating in regulated industries or working toward formal certification. This tier produces the framework-specific evidence packages, audit support, and comprehensive documentation that HIPAA, CMMC, ISO 27001, and similar standards require. Everything in Core and Plus is included, and on top of that you get:

Your controls are formally mapped to HIPAA, CMMC, ISO 27001, or your applicable framework with audit-ready evidence packages

Quarterly disaster recovery exercises are conducted and documented to prove your recovery capabilities hold up under pressure

Security awareness training is assigned, tracked, and documented for every user in your organization

Third-party vendors are assessed for security risk and those assessments are maintained and updated regularly

When an audit comes, our team supports evidence gathering, auditor communication, and gap remediation from start to finish

Policies are custom-built for your organization and kept current as your operations and requirements evolve

Your complete asset lifecycle from procurement through secure retirement is tracked and documented in a centralized system

Custom detection rules and incident response playbooks are documented and validated to demonstrate your response capabilities to auditors

Not sure which IT compliance support you need? We can help you determine the right solution.

What Is Included at Each Tier


ComplyIT Core

Antivirus and Endpoint Protection Documentation

Verification and documentation of endpoint protection deployment across all devices, providing audit evidence that your environment is protected and monitored in accordance with applicable controls.

Email Filtering Configuration Records

Documentation of Exchange Online Protection configuration including spam filter tuning, malware scanning, and quarantine management to demonstrate compliant email security practices.

Backup Scheduling and Monitoring Documentation

Ongoing validation and documentation of backup operations including schedule records, daily monitoring logs, and retention policy implementation to provide audit evidence of business continuity controls.

OS and Application Patching Records

Tracking and reporting of systematic patching activity including compliance monitoring reports and patch status documentation to provide evidence that systems are maintained in accordance with written policy.

Asset Inventory Documentation

Maintenance of comprehensive hardware and software inventory records providing audit evidence that your asset inventory is current and complete in accordance with applicable controls.

Onboarding and Offboarding Process Documentation

Records of consistent user lifecycle management including access provisioning and revocation checklists, providing audit evidence that user access is managed in compliance with applicable requirements.

SLA Tracking and Performance Reporting

Monitoring and documentation of service level achievement with trend analysis and monthly summaries providing accountability evidence for auditors and leadership.

System and Vendor Documentation

Foundational documentation covering system configurations, vendor contacts, network diagrams, and runbooks providing audit evidence that IT systems and vendor relationships are properly documented.

Starter IT Policy Templates

Customizable policy framework including acceptable use, password, and security policy templates tailored to your compliance framework requirements, providing evidence that governance policies are established and in place.

Cybersecurity Insurance Evaluation Support

Documentation supporting cybersecurity insurance requirements including completed questionnaires, security control evidence, and gap identification to demonstrate the controls insurers require.

Non-Compliant Device Reporting

Ongoing scanning and reporting of devices not meeting security baselines with remediation request submissions and compliance trending, providing audit evidence of visibility and active remediation efforts.

ComplyIT Plus

Everything in Core, plus:

Immutable Backup Testing and Documentation

Quarterly validation records of immutable backup integrity and recoverability using Datto, providing auditors with evidence that backups will work when needed most.

Annual CIS and NIST Compliance Assessment

Annual evaluation against CIS Controls or the NIST Cybersecurity Framework with gap identification, prioritized remediation recommendations, and compliance status documentation demonstrating security maturity.

MFA Enforcement Documentation

Verification and documentation of multi-factor authentication enforcement across Microsoft 365 and key applications including conditional access policy records and user enrollment tracking.

Monthly Vulnerability Scan Reports

Ongoing external vulnerability monitoring with risk-based prioritization records and remediation tracking providing audit evidence of a proactive vulnerability management program.

Core Policy Deployment and Tracking

Deployment and documentation of Acceptable Use, Access Control, and Incident Response policies with communication records demonstrating that governance requirements are established and staff-aware.

Annual Advanced Risk Assessment

Annual risk assessment documentation including identified threats, risk analysis, prioritized remediation recommendations, and an executive summary suitable for leadership and board reporting.

Asset Lifecycle and License Compliance Tracking

Ongoing documentation of device age, warranty status, refresh planning, and software license compliance providing audit evidence that asset lifecycle and licensing are actively managed.

Quarterly Backup Validation and RTO/RPO Documentation

Quarterly recovery testing records with RTO and RPO documentation confirming recovery objectives are being met, providing compliance evidence of tested recovery capabilities.

Infrastructure Monitoring Documentation

Ongoing monitoring and alerting records covering CPU, memory, disk utilization, and uptime providing audit evidence that infrastructure health is actively tracked and reviewed.

Change Management Process Documentation

Change request records, approval documentation, maintenance window scheduling, and rollback planning records providing audit evidence that a change management process is implemented and followed.

Compliance Policy Enforcement and Remediation Tracking

Automated compliance scan results, policy enforcement logs, and remediation workflow documentation providing ongoing evidence of active compliance management and exception handling.

ComplyIT Pro

Everything in Plus, plus:

Compliance Trend Analysis and Risk Scoring

Historical compliance trending reports with risk score calculations and executive reporting helping leadership focus security investments based on data and demonstrate improvement over time to auditors.

Framework-Specific Control Mapping and Evidence Packages

Control mapping documentation and evidence packages aligned to HIPAA, CMMC, ISO 27001, or other applicable frameworks providing auditors and regulators with the specific compliance evidence they require.

Quarterly Disaster Recovery Testing and Documentation

Comprehensive quarterly DR exercises with Datto backup validation, recovery time testing, and documented evidence demonstrating disaster recovery capabilities for compliance purposes.

Security Awareness Training Tracking

Automated identification and reclamation of unused licenses to eliminate direct budget waste.

Vendor Risk Assessment Documentation

Third-party risk management records including security questionnaires, risk assessments, periodic reassessments, and remediation tracking providing audit evidence that vendor risk is actively managed.

Annual Compliance Audit Support

Evidence gathering, organization, and auditor liaison support streamlining the audit process and improving outcomes through comprehensive, audit-ready evidence packages.

Custom Policy Framework Development and Enforcement

Custom policy development, deployment documentation, compliance monitoring records, and periodic review updates helping organizations maintain policies that accurately reflect actual practices and evolving requirements.

Full IT Asset Management with Procurement-to-Retire Workflow

Centralized asset repository records covering hardware and software from procurement through secure disposal, providing auditors with complete asset lifecycle visibility and control documentation.

Backup Verification and Documented Restore Logs

Regular restore testing records and verification logs maintained for compliance evidence providing auditors with confidence that recovery capabilities are real and documented.

Quarterly Change Reviews and Rollback Planning

Quarterly review records of change outcomes, rollback planning documentation, and change success metrics demonstrating a mature change management program that minimizes operational risk.

Architecture Diagrams and Vendor Documentation

Current architecture diagrams, vendor documentation, and integration records maintained and regularly updated providing auditors with complete technical environment understanding.

Quarterly IT Performance and Capacity Planning Reviews

Quarterly performance review records, capacity planning documentation, and executive reporting demonstrating strategic IT planning and alignment between infrastructure and organizational growth.

Custom SIEM and Incident Response Playbooks

Custom SIEM rule documentation, incident response playbooks, and escalation procedures with regular review records demonstrating detection and response capabilities tailored to your specific environment and risks.


The DivergeIT Difference in Compliance


Compliance documentation is only as valuable as the accuracy and consistency behind it. Most organizations discover gaps in their compliance program when an auditor finds them first.

DivergeIT takes a different approach. We build compliance programs that are accurate by design, continuously maintained, and ready for audit before the auditor calls. Every ComplyIT engagement produces real evidence, not documentation created after the fact.

Built Around Your Framework

Whether you are working toward HIPAA, CMMC, ISO 27001, SOC 2, or a cybersecurity insurance requirement, ComplyIT is mapped to the specific controls and evidence standards your framework requires.

Integrated With Your IT Environment

ComplyIT works alongside ManageIT and SecureIT to turn the work already being done in your environment into documented, audit-ready compliance evidence.

Continuous, Not Annual

Compliance is not something you prepare for once a year. ComplyIT maintains your documentation, monitors your controls, and tracks remediation continuously so you are never starting from scratch when an audit comes around.

Frequently Asked Questions About ComplyIT

What is ComplyIT?
ComplyIT is DivergeIT’s tiered IT compliance offering covering documentation, control implementation, framework alignment, risk assessments, audit support, and ongoing compliance monitoring. It is available in three tiers designed for different levels of compliance maturity and regulatory requirement.
Which compliance frameworks does ComplyIT support?
Our Pro compliance tier includes specific control mapping and evidence packages for HIPAA, CMMC, ISO 27001, and other applicable frameworks. Core and Plus tiers align to CIS Controls and the NIST Cybersecurity Framework as foundational compliance baselines.
How is ComplyIT different from SecureIT?
SecureIT is our cybersecurity offering focused on active protection including threat detection, monitoring, and incident response. ComplyIT is our compliance offering focused on documentation, evidence management, and audit readiness. The two work together. SecureIT does the work, ComplyIT proves it.
Do I need ComplyIT if I already have ManageIT or SecureIT?
ManageIT and SecureIT deliver the operational and security controls that compliance frameworks require. ComplyIT takes that work and turns it into structured, audit-ready documentation and evidence packages. For organizations with active compliance obligations, ComplyIT bridges the gap between doing the right things and being able to prove it to an auditor.
What industries does ComplyIT serve?
Our compliance offering is designed for any organization with compliance obligations including healthcare organizations subject to HIPAA, defense contractors pursuing CMMC, financial services firms, legal organizations, and any business that carries cybersecurity insurance or operates under contractual security requirements.
How quickly can we get audit ready?
Timeline depends on your current compliance posture and the framework you are working toward. Our team conducts an initial assessment to identify where you stand and what is needed to reach your compliance goals. Many organizations see meaningful progress within the first 90 days.
Does my business actually need a formal compliance program?
If your organization handles sensitive customer data, operates in a regulated industry, carries cybersecurity insurance, or works with government contracts, the answer is almost certainly yes. Beyond regulatory requirements, a formal compliance program reduces your risk exposure and demonstrates to clients and partners that your organization takes security seriously.