All SOC 2 examinations must include security common criteria. This includes reviewing a company’s (i.e., entity’s) risk assessment process (risks identified, risk matrix, controls in place to address the risks, etc.). However, one of the challenges that the AICPA has found when it comes to doing risk assessments is that companies are unclear on what […]

Picture this. It’s the middle of a SOC 2 readiness assessment, and a SaaS company – let’s call them BrightCloud – discovers that their cloud provider’s physical security controls aren’t auditable. The team panics. Suddenly, they’re staring down the decision: carve out method vs inclusive method. It’s not a theoretical question anymore. It’s a fire […]

Have you ever been through an audit and realized you are struggling to locate the latest version of a policy or your risk assessment? That minor delay for searching turned into time spent backtracking and duplicating efforts. It could have been a smooth review, but it spiraled into a scramble that could have been avoided […]

Conducting an ISO 27001 risk assessment is essential for organizations aiming to protect their information assets and comply with the international standard for information security. In this summary, you’ll learn how to conduct an ISO 27001 risk assessment step-by-step, including templates, methodology, examples, and tools you can use. If you’re wondering how to get started […]

When your business runs on technology – and let’s face it, whose doesn’t these days? – you’re not just relying on servers and software. You’re betting your reputation, your client trust, and often your entire operational capacity on systems you can’t see and barely touch. That’s where Information Technology (IT) audits step in. They’re not […]

PCI compliance refers to an entity implementing the data security standards promulgated by the Payment Card Industry (PCI). The PCI Data Security Standard (DSS) applies to organizations involved with payment card processing, including merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). If your […]

The 2025 HITRUST Trust Report is more than just a retrospective on certification trends—it is a reflection of where cybersecurity assurance is heading. In a landscape where compliance complexity is growing and AI is rapidly transforming risk dynamics, the HITRUST ecosystem stands out as a scalable, rigorous, and data-driven model for building trust. Whether you’re […]

In a landscape where cyber threats are growing more sophisticated by the day, understanding an organization’s vulnerabilities is a strategic imperative for security and compliance. Conducting vulnerability scans is a key component in helping prevent successful external adversary attacks. In this article, I will discuss what vulnerability scans are, the common types, and actions your […]

Access control encompasses a broad range of concepts and practices that can vary significantly depending on an organization’s industry, risk appetite, and compliance requirements. This blog focuses specifically on the post-implementation phase of access control. It discusses the critical questions: “Once access controls are in place, how do you make sure they remain effective? What […]

Let me tell you a secret: Auditors don’t hate IaaS cloud platforms. We just dislike cloud chaos. As a SOC 2 auditor, I’ve seen things. Shared administrator accounts. Production secrets in plaintext. And one time—brace yourself—a company used a whiteboard to track administrator access credentials. I wish I were kidding. Every once in a while, […]