Context
The company is a German payment services provider moving its core workload from a managed
data centre to a multi-cloud setup. Regulators require documented evidence for data residency,
encryption, access control, and incident response. The team needs a vendor-neutral way to
structure the review and track gaps.
Approach
They run a WAF++ assessment focused on the Security, Sovereign, and Operational Excellence
pillars. Each control is mapped to the relevant regulation, and missing evidence is recorded
as a PASS score gap. The Security and Sovereign pillars receive extra weight because they
are audit-relevant.
Outcome
The team produces an audit-ready report with control mappings, evidence links, and a
remediation backlog. PASS scores improve from 54 to 78 over two sprints, and the external
audit finds no critical findings related to cloud controls.