With the frequent personnel changes that many companies are experiencing right now, it’s important to consider how turnover affects companies’ compliance efforts. Almost every company is required to comply with some type of law, rule, regulation, or reporting standard. This blog post will provide some ideas for helping to provide sufficient compliance training as part […]
IT Audit & Compliance Blog
The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.
NIST SP 800-61 Revision 3: Complete Guide to the New Incident Response Framework
Effective incident response is no longer just a best practice—it’s a critical business function. As cyber threats grow more complex, organizations must ensure their incident response plans are aligned with the latest standards. In April 2025, the National Institute of Standards and Technology (NIST) officially withdrew Special Publication 800-61 Revision 2 and released Revision 3: […]
The HITRUST ROI Report: Is HITRUST Certification Worth It? An External Assessor’s Perspective
HITRUST has issued an interesting third-party report on the ROI of a HITRUST certification. It focuses on quantifiable and qualitative outcomes such as ROI, operational efficiency, business growth, and risk reduction. As an external HITRUST assessor with many years of experience with HITRUST and many completed assessments, it piqued my interest, and I wanted to […]
The New Era of PCI DSS 4.0: Requirements Effective After March 31, 2025
PCI DSS v4.0, which took effect on April 1, 2024, introduced 47 new requirements. A 12-month transition period allowed organizations to adopt these new requirements. As of March 31, 2025, these formerly “best-practice” requirements become mandatory. For many whose report on compliance (ROC) was issued before that deadline, these requirements were simply marked as Not Applicable […]
Streamline Multi-Framework Compliance: One Audit, Many Certifications
It’s a chilly Monday morning in Denver, and I’m standing in the glass-walled conference room of a mid-sized SaaS company. The CTO looks at me, exhausted. “This is our third audit this year,” she says, showing me a color-coded spreadsheet with over 200 controls. “SOC 2, ISO 27001, and now HIPAA. There’s got to be […]
What Is an Unqualified Opinion Versus Other Report Opinions?
From time to time my clients ask what an unqualified opinion means when discussing the opinion being issued for an attestation engagement such as a SOC 1 or SOC 2 report. It is a funny-sounding term used for attestation engagements (engagements where the auditor is issuing an opinion over the audit performed of the identified […]
When, How, & Why To Use A Risk Matrix
All SOC 2 examinations must include security common criteria. This includes reviewing a company’s (i.e., entity’s) risk assessment process (risks identified, risk matrix, controls in place to address the risks, etc.). However, one of the challenges that the AICPA has found when it comes to doing risk assessments is that companies are unclear on what […]
Carve-Out vs Inclusive Audit Methods: Practical Guidance for Choosing the Right Approach
Picture this. It’s the middle of a SOC 2 readiness assessment, and a SaaS company – let’s call them BrightCloud – discovers that their cloud provider’s physical security controls aren’t auditable. The team panics. Suddenly, they’re staring down the decision: carve out method vs inclusive method. It’s not a theoretical question anymore. It’s a fire […]
A Guide to Audit Management: Tools, Best Practices, & Process Stages
Have you ever been through an audit and realized you are struggling to locate the latest version of a policy or your risk assessment? That minor delay spent searching turned into time spent backtracking and duplicating efforts. It could have been a smooth review, but it spiraled into a scramble that could have been avoided […]
ISO/IEC 27001 Risk Assessment: A Guide to Requirements, Methodology, & Best Practices
Conducting an ISO 27001 risk assessment is essential for organizations aiming to protect their information assets and comply with the international standard for information security. In this summary, you’ll learn how to conduct an ISO 27001 risk assessment step-by-step, including templates, methodology, examples, and tools you can use. If you’re wondering how to get started […]