IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

In a world where digital risk, regulatory expectations, and emerging technologies are accelerating, strong IT Governance remains foundational. SOC 2 compliance continues to be a key mechanism for service organizations to show they have strong controls. Understanding how IT governance and SOC 2 align, and where recent changes affect that alignment, is more critical than [...]

Audit risk assessments are an integral part of any company’s internal control structure and are relevant to compliance frameworks, including SOC 2, HIPAA, and ISO 27001. Risk assessments can be daunting as they encapsulate risks across an entire company, and it can be difficult to understand what considerations should be taken and even where to [...]

Many cloud services and SaaS providers are eager to enter the federal market, but many underestimate what it really takes to achieve a FedRAMP authorization. FedRAMP is not just a checklist or an exercise in paperwork; it's a high-stakes, high-complexity, and high-cost project that demands the right people, the right systems, the right [...]

In an era where organizations increasingly rely on the cloud to manage sensitive information, protecting personal data is no longer just a best practice—it’s a business imperative. ISO/IEC 27018 steps in as a purpose-built privacy standard designed to help public cloud service providers handle personally identifiable information (PII) responsibly and transparently. Focused on real-world challenges [...]

With the frequent personnel changes that many companies are experiencing right now, it’s important to consider how turnover affects companies’ compliance efforts. Almost every company is required to comply with some type of law, rule, regulation, or reporting standard. This blog post will provide some ideas for helping to provide sufficient compliance training as part [...]

Effective incident response is no longer just a best practice—it’s a critical business function. As cyber threats grow more complex, organizations must ensure their incident response plans are aligned with the latest standards. In April 2025, the National Institute of Standards and Technology (NIST) officially withdrew Special Publication 800-61 Revision 2 and released Revision 3: [...]

HITRUST has issued an interesting third-party report on the ROI of a HITRUST certification. It focuses on quantifiable and qualitative outcomes such as ROI, operational efficiency, business growth, and risk reduction. As an external HITRUST assessor with many years of experience with HITRUST and many completed assessments, it piqued my interest, and I wanted to [...]

PCI DSS v4.0, which took effect on April 1, 2024, introduced 47 new requirements. A 12-month transition period allowed organizations to adopt these new requirements. As of March 31, 2025, these formerly “best-practice” requirements become mandatory. For many whose report on compliance (ROC) was issued before that deadline, these requirements were simply marked as Not [...]

It’s a chilly Monday morning in Denver, and I’m standing in the glass-walled conference room of a mid-sized SaaS company. The CTO looks at me, exhausted. “This is our third audit this year,” she says, showing me a color-coded spreadsheet with over 200 controls. “SOC 2, ISO 27001, and now HIPAA. There’s got to be [...]