> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance Requirements

> List, filter, add, and edit IT compliance requirements across HIPAA IT, SOC 2, and ISO 27001 frameworks with status tracking.

The Compliance Requirements screen lists all IT compliance requirements with filtering and is accessible at `/it/security/compliance/requirements`.

## Overview

The Compliance Requirements page loads requirements via `useComplianceRequirements` with optional filter parameters. A search box and three filter dropdowns are provided: Framework (hipaa\_it, soc2, iso27001, other), Category (access\_control, data\_protection, incident\_response, other), and Status (compliant, non\_compliant, in\_progress, not\_assessed). The data table shows requirement name (clickable, navigates to detail), framework badge, category label, compliance status badge, last assessment date, and next assessment date. An **Add Requirement** button links to the new-requirement form. The back button navigates to `/it/security/compliance`.

## Who it's for

Requires `IT_PERMISSIONS.VIEW` (outer `ITViewGuard`). No additional per-route permission gate.

## Before you start

* You must hold `IT_PERMISSIONS.VIEW` to access this screen.

## Steps

<Steps>
  <Step title="Open Compliance Requirements">
    Navigate to `/it/security/compliance/requirements`. All requirements load by default.
  </Step>

  <Step title="Filter requirements">
    Use the search box to filter by requirement name. Use the Framework, Category, and Status dropdowns to narrow results.
  </Step>

  <Step title="View a requirement">
    Click a requirement name to navigate to its detail view.
  </Step>

  <Step title="Add a new requirement">
    Click **Add Requirement** to navigate to `/it/security/compliance/requirements/new`.
  </Step>
</Steps>

## Key concepts

* **compliance\_framework** — Values: `hipaa_it` (displayed as "HIPAA IT"), `soc2` (SOC 2), `iso27001` (ISO 27001), `other`.
* **requirement\_category** — Values: `access_control`, `data_protection`, `incident_response`, `other`.
* **compliance\_status** — Values: `compliant`, `non_compliant`, `in_progress`, `not_assessed`.
* **last\_assessment\_date / next\_assessment\_date** — Track when the requirement was last evaluated and when the next review is due.

## Creating a requirement

The New Requirement page (`/it/security/compliance/requirements/new`) is a single-step form for adding a compliance requirement. New requirements are created with an initial `compliance_status` of `not_assessed`. On success the user is redirected to the compliance requirements list.

Before you start: identify the compliance framework (HIPAA IT, SOC 2, ISO 27001, or Other); determine the requirement category; have the next scheduled assessment date available if applicable.

1. Navigate to **IT > Security > Compliance** and select the requirements list, then click **Add Requirement**, or go directly to `/it/security/compliance/requirements/new`.
2. Enter the **Requirement Name** (required).
3. Select a **Framework**: HIPAA IT, SOC 2, ISO 27001, or Other.
4. Select a **Category**: Access Control, Data Protection, Incident Response, or Other.
5. Optionally set a **Next Assessment Date**.
6. Enter a **Description** explaining the requirement and how compliance is measured.
7. Click **Create Requirement**. On success you are redirected to the requirements list.

**Key concepts:**

* **Compliance framework** — the regulatory or standards framework this requirement belongs to (`ComplianceFramework` type).
* **Compliance category** — the security domain grouping (`ComplianceCategory` type).
* **compliance\_status** — new requirements start as `not_assessed`; status updates occur via the requirement detail or edit page.

## Editing a requirement

The Edit Requirement page (`/it/security/compliance/requirements/:id/edit`) loads the existing compliance requirement via `useComplianceRequirement`. Editable fields: requirement name, compliance framework (hipaa\_it, soc2, iso27001, other), requirement description, requirement category (access\_control, data\_protection, incident\_response, other), compliance status (not\_assessed, compliant, non\_compliant, in\_progress), next assessment date, and assessment notes. On save, `updateRequirement` is called. A loading skeleton is shown while data loads, and a back-navigation button is provided.

Permission required: `IT_PERMISSIONS.VIEW` via the outer `ITViewGuard`. No additional per-route gate.

1. Navigate to `/it/security/compliance/requirements/:id/edit` from the compliance requirements list.
2. Modify the name, framework, description, category, compliance status, next assessment date, and notes.
3. Submit the form to save updates and navigate back.

**Key fields:**

* **compliance\_framework** — Values: `hipaa_it`, `soc2`, `iso27001`, `other`.
* **requirement\_category** — Values: `access_control`, `data_protection`, `incident_response`, `other`.
* **compliance\_status** — Values: `not_assessed`, `compliant`, `non_compliant`, `in_progress`.
* **next\_assessment\_date** — Date string stored as ISO format; displayed as date-only input (split at `T`).

## Related

<Columns cols={2}>
  <Card title="IT Service Management" icon="headset" href="/it/overview">
    IT Service Management overview.
  </Card>

  <Card title="Governance & parity" icon="scale-balanced" href="/governance/index">
    Documentation coverage and governance.
  </Card>
</Columns>

<Note>
  This page documents shipped product behavior. It is not medical, legal, or
  billing advice. Verify against your organization's policies and applicable
  regulations before using it for clinical, compliance, or billing decisions.
  Protected health information (PHI) shown in the product is governed by your
  tenant's access controls and is never exposed in this documentation.
</Note>

<Accordion title="Documentation sources">
  * src/routes/it.tsx
  * src/cores/it/pages/security/compliance/ComplianceRequirementListPage.tsx
  * src/cores/it/pages/security/compliance/NewComplianceRequirementPage.tsx
  * src/cores/it/pages/security/compliance/EditComplianceRequirementPage.tsx
  * src/cores/it/hooks/useComplianceRequirementMutations.ts
  * src/cores/it/hooks/useComplianceRequirement.ts (via EditPage)
  * src/cores/it/types/security.ts
</Accordion>
