What to Expect During Your Audit—HITRUST, SOC 1 & 2, and ISO 27001

January 24, 2024 | HITRUST, ISO 27001, SOC 2

Whether this is your organization’s first audit or its twentieth, each engagement requires a certain amount of time with your auditor. At BARR Advisory, we want to make the most of that time and make sure you’re as well prepared as possible for your audit. So let’s take a look at what to expect when auditing against three of the most highly regarded cybersecurity compliance frameworks—HITRUST, SOC 1 & 2, and ISO 27001.

HITRUST Validated Assessment

The HITRUST validated assessment includes a number of testing procedures to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively.

Testing procedures include:

  • Walkthroughs and interviews to verify policies and procedures are documented;
  • Inspection of policies and procedures to verify adequate coverage of CSF requirements;
  • Technical testing to validate the implementation of relevant controls;
  • Observation of relevant controls and control processes; and,
  • Inspection of mechanisms used to manage relevant controls.

During the validated assessment, your engagement lead will agree or disagree with your organization’s scoring using the HITRUST Maturity Model and provide supporting comments. 

The five levels of the HITRUST Maturity Model include:

  1. Policy, which considers the existence of current, documented information security policies or standards in the organization’s information security program and whether they fully address the control’s implementation specifications;
  2. Process/procedure, which considers the existence of documented procedures or processes developed from the policies or standards and whether they reasonably apply to the organizational units and systems within the scope of the assessment;
  3. Implemented, which considers the actual implementation of the policies and whether the control’s implementation specifications are applied to all of the organizational units and systems within the scope of the assessment;
  4. Measured, which considers the testing or measurement (metrics) of the specification’s implementation and whether they continue to remain effective; and,
  5. Managed, which reviews the organization’s management of its control implementations based on these metrics. 

After your assessment, the testing will undergo manager review. Following that review, your engagement lead will complete the administrative documentation, and you’ll upload your information to HITRUST MyCSF for a final quality assurance review before receiving HITRUST certification.

SOC 1 & 2 Examinations 

The SOC examination is the main event when working to achieve attestation. This is the stage where you’ll work with your engagement lead to create a plan and assess your controls, which leads to your final deliverable—a SOC report. 

During your audit, your engagement team will schedule a walkthrough with your team to assess the controls and any preliminary issues. A walkthrough is a meeting, or series of meetings, to discuss the design and operation of your organization’s control environment. This is a time for the engagement team to ask questions concerning how the controls are designed and how they operate, providing your auditors with a deeper understanding of your control environment to support their assessment.

Depending on your reporting period, walkthroughs are most effective in the following time periods: 

  • 30 days before period end (3-month reporting period)
  • 60 days before period end (6-month reporting period)
  • 90 days before period end (12-month reporting period)

Finally, BARR delivers your SOC report, which you can share to build customer trust. We not only celebrate with you but also help you build on the experience with improved security and next steps for continued success.

ISO 27001 Audits 

Certification to ISO 27001 is a multi-step process, and the audit itself is carried out in two stages. ISO 27001 was updated in 2022, introducing changes and new controls that are reflected in this process.

Stage 1

Following preparation for the two-stage ISO audit, stage 1 consists of an assessment of ISO clauses 4-10 and of your organization’s readiness for stage 2. Stage 1 typically takes two to three days to complete. It is referred to as the “documentation review,” because your auditor will assess the documentation of your information security management system (ISMS).

Stage 1 begins with a kickoff meeting, during which your engagement lead will review your audit program and application. They’ll also discuss dates for your walkthroughs of ISO clauses 4-8, inspect supporting documentation, and make a conformance decision. 

Stage 2

If your organization is successful during stage 1, your engagement team will then lead you through a more thorough assessment. Stage 2, often called the “certification audit,” is the part of your audit in which certification is decided.

Stage 2 walkthroughs cover the ISO 27001 Annex A controls and any areas of concern noted in stage 1. This includes evaluating the implementation and effectiveness of your management system and confirming that your organization adheres to its own policies, objectives, and procedures. Additionally, your audit team will verify that any areas of concern have been remediated; if they have not, they will be classified as nonconformities.

For most organizations, stage 2 can be completed within one to two weeks. At the end of your engagement, BARR will issue an internal report and a public-facing certification, which remains valid for three years provided surveillance audits are passed.

While every organization is different, these steps provide an outline of what to expect during your audit. No matter the engagement, BARR auditors are here to guide you through the process so you can easily achieve your security and compliance goals. 

Contact us today for more information about BARR’s HITRUST, SOC, and ISO 27001 services.
