Outsourced Information Security Internal Auditing
Are you seeking a reliable and professional partner to help address your internal audit needs? Look no further! We offer top-notch information security internal audit services that can help you save time and money while ensuring compliance with key industry standards like ISO 27001, SOC 2, & CMMC.
Our experienced auditors will work closely with you to understand your business and tailor our services to meet your needs. We deliver our services on a state-of-the-art GRC platform to ensure a consistent audit experience and accurate assessments of your cybersecurity practices.
Together we will ensure that you are provably secure & compliant.
- What types of internal audits does PPS conduct?
- Do you conduct ISO 27001 ISMS Internal Audits?
- How do you "scope" an ISO 27001 ISMS Internal audit?
- What is an ISO 27001 ISMS Internal Audit?
- What is a SOC 2 Readiness Assessment?
- Is there a difference between an Information Security Internal Audit and a Gap Assessment?
- What is a Control Maturity Assessment?
What types of internal audits does PPS conduct?
As PPS’s client base generally needs to be “provably secure and compliant,” we most frequently audit/assess our clients against third party attestable frameworks like ISO 27001, SOC 2, and CMMC. Over our 22+ year history, we have assessed our clients against dozens of frameworks including:
- ISO 27701
- HIPAA
- PCI DSS
- NIST CSF
- ISO 27002
- TISAX
- MPAA
- NYS DFS 500
- GDPR
- CCPA
- NIST 800-53
- CIS CSC
We have a flexible, proven process to conduct your Internal Audit and help you throughout the year to efficiently operate, continuously improve, and validate the effectiveness of your program, culminating in a successful Surveillance Audit. Where privacy or information security Non-Conformities (NV) or Opportunities for Improvement (OFI) gaps are identified, PPS has the expertise necessary to help you drive them to closure.
Do you conduct ISO 27001 ISMS Internal Audits?
Absolutely, to the tune of 100+ ISO 27001 ISMS Internal Audits per year!
We have a flexible, proven process to conduct your Internal Audit and help you throughout the year to efficiently operate, continuously improve, and validate the effectiveness of your program, culminating in a successful Surveillance Audit. Where privacy or information security Non-Conformities (NV) on internal audit page or Opportunities for Improvement (OFI) gaps are identified, PPS has the expertise necessary to help you drive them to closure.
How do you ``scope`` an ISO 27001 Internal Audit?
Several dimensions significantly influence the audit program:
- The number of geographic locations in the scope
- Whether you do a complete ISMS Audit or one aligned with the registrars’ audit program (most relevant in surveillance years)
- Whether additional ISO standards are in scope (e.g., 27701, 27017, 27018)
- Whether you want to leverage the Internal Audit to validate compliance with another framework (e.g., HIPAA, CMMC, TISAX, CSA Stars)
We will work with you during the pre-sales process to optimally scope your ISMS Internal Audit to meet your specific needs.
What is an ISO 27001 ISMS Internal Audit?
An ISO 27001 internal audit reviews an organization’s Information Security Management System (ISMS) to validate that the ISMS meets the standard’s requirements and the organization’s objectives and policies. It identifies gaps or deficiencies in the ISMS (e.g., Non-Conformities, Opportunities for Improvement) to minimize information security risk and promote continuous improvement.
An annual ISO 27001 ISMS Internal Audit is required to maintain ISO 27001 Certification.
What is a SOC 2 Readiness Assessment?
A SOC 2 Type 2 readiness assessment is a sampled audit of your cybersecurity program that determines your level of preparation for the formal SOC 2 audit. The assessment will allow your team to resolve any issues or gaps identified and maximizes the likelihood of you receiving a “clean” SOC 2 report. It is an excellent tool for service organizations that don’t want to undertake the potentially substantial cost of a SOC 2 audit without a high degree of confidence that they satisfy one or more of the trust services criteria (e.g., security, availability, processing integrity, confidentiality, and privacy.)
Is there a difference between an Information Security Internal Audit and a Gap Assessment?
Both are a mechanism to assess whether controls conform with requirements but have subtleties in the approach and their best use.
- An InfoSec Gap Assessment is a determination of the degree of conformance of your organization to the requirements of a specification or standard (e.g., ISO 27002 or CCP). It is generally a “lighter touch” review (e.g., more design-centric, less evidence collected). Gap Assessments often occur at the beginning of the journey to comply with a standard to determine what “gaps” need to be addressed.
- An InfoSec Internal Audit is a determination of the degree of conformance of your organization to the requirements of a specification or standard (e.g., ISO 27002 or CCP) or your own defined cybersecurity program. It is generally a “heavier touch” review (e.g., design and operation-centric, more evidence collected). Internal Audits are a more formal approach to validate the conformance, usually of a regulated or third party attested cybersecurity program.
What is a Control Maturity Assessment?
Control maturity is a more comprehensive and effective way of assessing and reporting conformance with an information security standard during a Gap Assessment. For example,
Standard Assessment & Reporting Approach | CMA Assessment & Reporting Approach |
Not Applicable | Level 1: Initial – ad-hoc and unknown |
Non Compliant | Level 2: Managed – managed on the project level |
Partially Compliant | Level 3: Defined – proactive rather than reactive |
Fully Compliant | Level 4: Quantified – measured and controlled |
Level 5: Optimized – stable and flexible |
Control Maturity Assessments provide a more thorough and nuanced way to assess control conformity and establish control maturity targets (e.g., Our goal is to improve our Business Continuity maturity from 1.5 to 3 over the next year).