A Compliance Review can be technical and/or documentation-based, and focuses on how an existing configuration compares to a desired standard. It's important to note that a Compliance Review doesn't prove or validate security; it aims to validate conformity with a specific technical specification or standard. A Compliance Review can be conducted independently or as part of a larger Enterprise Security Assessment (if applicable).
Best Suited For: Organizations that must comply with a given cyber security standard (e.g. PCI-DSS, ISO 2700x) should consider a Compliance Review between formal audits. Importantly, Compliance Reviews should not be used to demonstrate security.
Organizations with a mature security posture are significantly more likely to be compliant, but compliant organizations should lay no claim to being secure.