Our compliance services are based on the idea that a well managed and properly controlled system will meet nearly any compliance requirements.
We don't focus on ticky-marks. We strive to leave the customer with a security implementation that is easy to understand, easy to manage, and that meets the specific compliance objective.
Our experience is that focusing on making the least amount of change possible to "pass" a compliance audit is counterproductive. You might pass audit this time but you'll have to spend more money next time. It is much more cost effective to make security management changes necessary to gain real control over your system now.