Thank You for Choosing BARR Advisory

Welcome to the first step to meeting your security and compliance needs.

Get to Know BARR

At BARR, we build trust through cyber resilience. We help protect the world’s data, people, and information networks through a human-first approach to cybersecurity and compliance.

Learn more about what makes BARR unique and how we help strengthen security, ensure compliance, and grow business.

Our Values

We’re relentless in our pursuit to add more value for our clients.

We build relationships based on respect, accountability, and trust.

We value diversity of people and ideas.

Simple is powerful. We focus on what’s essential.

Our clients’ challenges are our challenges and, as thought leaders, we innovate to provide the best solutions.

BARR’s History

Founded by Brad Thies as Barr Advisory & Assurance Inc., a remote-first company

BARR calls Kansas City its official HQ

Associates begin serving on industry task force committees that provide AICPA guidance on SOC examination reporting

After achieving the highest rating possible by an independent peer reviewer, the company rebrands to BARR Advisory, P.A.

First annual Day of Giving with associates volunteering in their communities all across the U.S.

BARR builds global partner network of providers to connect clients with best-fit experts

Designated a HITRUST Authorized Assessor, BARR is listed as one of KC Business Journal’s fastest growing companies

Named one of only nine firms in the U.S. eligible to perform both ISO/IEC 27001 and SOC 2 audits

BARR Advisory was named the #3 Best Cybersecurity Compliance Services Vendor by Network Assured. Today, we serve hundreds of clients across 5 continents and have a nearly 100% client retention rate and a 9.51 client NPS, a world-class ranking.

Client Satisfaction Guaranteed

100% Client Satisfaction Guaranteed

If you’re not satisfied with the quality of our work, you don’t pay us. Yes, you read that right. We are 100% confident in our people, processes, and expertise, so your satisfaction is guaranteed.

What Sets BARR Apart?

Human-First Approach

Cybersecurity, at its core, is about humans feeling safe and protected. We will educate and empower your people using real talk to raise awareness, change behavior, and embed best practices into your company culture.


BARR is a trusted advisor to hundreds of SaaS and enterprise-level clients across all industries. No matter your organization’s stage of growth, we can help you stay secure and compliant.


Through our global network of partners, we will connect you with best-fit experts. These partners are integrated into our own tools, processes, and services. They drive innovation, so why wouldn’t we share them with you?

Engagement Processes, Best Practices, and Resources

SOC Examinations

Getting Started

What You Provide

During the SOC examination kickoff phase, BARR will request several things from you that will help us during your assessment. 

  • Complete your system description. The system description provides an overview of your company’s operations and control environment for the in-scope system.
  • Review control wording. Controls are documented processes in your environment, relevant to your in-scope system, that help achieve your in-scope trust services criteria. BARR will provide you with template controls to test during the engagement. It is important that you review the controls and modify them to reflect your current control environment.
  • Provide information requests. BARR will request documentation via our tool called TaskBARR. Information requests must be submitted within predetermined timeframes that will be established by the engagement team. 

What BARR Provides

We are committed to guiding you through this process by providing you with unparalleled support.

  • During the engagement kickoff meeting, we will provide you with the support and knowledge you need to complete your engagement.
  • We will review information requests as they come in and hold walkthrough meetings with you to gain an understanding of your control environment and ensure we obtain the correct documentation to evidence your compliance with applicable trust services criteria. Any issues we identify will be reported to you immediately and we will work with you to identify possible solutions. 
  • At the conclusion of our fieldwork, we will issue a draft report or certification for your team to review and provide feedback. 

Readiness Assessments

If this is your first audit, or you’d like an analysis of the potential challenges that might arise when implementing new processes, the readiness assessment is right for you. 

While optional, the readiness assessment ensures that your examination will go as smoothly as possible. During this period, you’ll engage in three specific meetings with your lead and correct gaps prior to starting the audit period.

The Process

Examination Engagement

While we cater our services to meet your specific needs, here’s a condensed timeline of what to expect from your engagement team:

  • Plan: A kickoff call is scheduled with you to confirm we are on the same page with the scope, timelines, deliverables, and personnel needed for the assessment.
  • Assess: Walkthrough duration is dependent on your environment complexity and size; however, four hours is the typical time commitment.
  • Report: BARR will provide a draft report no later than 30 days after the period ends. 
  • Celebrate & Optimize: BARR will provide a promotional package and schedule a debrief to review improvement opportunities for your security program, rate the engagement, and plan your next engagements.

For more information, see each step of our SOC 2 Engagement Process.

What You Gain

SOC Reports

Once your audit is complete, you’re ready to receive your report. BARR provides reports for SOC 1, 2, 3, and SOC for Cybersecurity. For each report, you can choose a Type 1 or Type 2.

  • Type 1 reports may be performed right away if your organization has its controls in place and documented. These reports offer a point-in-time service, testing your design on a specific date.
  • Type 2 reports are generally audited over a 3 to 12 month period. These reports reflect your organization’s operating effectiveness during the course of a review period and provide a more detailed assessment of your controls.

Promotional Package

Once you complete your SOC examination, BARR provides you with a promotional package that you can share with your customers, partners, and other company stakeholders. This reassures them their data is safe with you and differentiates your organization from the rest.

HITRUST Certification

Getting Started

Our HITRUST team works with healthcare organizations through a five-step engagement process, starting with an optional readiness period. During the readiness period, you have the opportunity to assess any potential challenges that might arise from implementing new processes. See what to expect:

Readiness Period

  • Once a client signs the Engagement Letter, the engagement lead will set up an internal and external engagement kickoff meeting. 
  • Following the kickoff meeting, the engagement lead will provide the client with the HITRUST Questionnaire.
  • The client will provide the engagement lead with the completed questionnaire. This will indicate exactly which controls are not implemented (instant gap), which controls are implemented, and which controls are not applicable.

The Process


  • The engagement lead and team will then test each control following the HITRUST illustrative procedures, identifying any additional control gaps as they arise.
  • Once the testing is complete, the engagement lead will provide the client with a full Excel workbook that will identify clear remediation tasks for the client to complete before the validation assessment begins.
  • After the gap report is provided to the client and the internal and external debriefs are complete, the engagement lead will continually work with the client to ensure accurate and complete remediation of each gap. 

Implementation Period

  • Controls must be implemented 90 days prior to assessment.

Validation Assessment

  • The engagement lead will set up an internal and external engagement kickoff meeting. 
  • As the client provides the requested evidence, the engagement lead and team will test each control following the illustrative procedures. 
  • Once testing is complete, it will undergo manager review, and the engagement lead will complete the administrative documentation.

For more information, see each step of our HITRUST Engagement Process.

What You Gain

Quality Assurance Review + Report

The HITRUST Quality Assurance Review is the final phase toward HITRUST certification. During this phase, the HITRUST Assurance and Compliance teams will both check the validated assessment and determine whether the organization has met the requirements to achieve certification.

After the final report is posted, your engagement lead will set up a time for an internal and external debrief. It is important to note that the i1 validation report is only valid for one calendar year from the date of submission, while the r2 repeats every two years with an interim period in between.


Getting Started

The CISO Advisory team helps our clients establish a cybersecurity program that is flexible and adaptive to the needs of their business stakeholders. This includes a common structure to safeguard information assets and streamline business deals with customers’ security demands. Our approach includes the phases, activities, and deliverables below:

Gap Assessment

We believe in determining the why before proposing the how and that careful planning and thorough identification of gaps are imperative to achieve your security objectives.

During the gap assessment phase, which typically takes 1-2 months to complete, BARR: 

  1. Determines the scope of your organization;
  2. Assesses your organization against a given framework or standard; and,
  3. Provides you with a list of specific gaps and recommendations to prioritize and remediate.

The Process

After you complete an initial gap assessment, your vCISO will work with you to remediate any gaps. Our goal in Phase 2 is to take the client from a posture with gaps to at least a level of compliance with the given framework(s) or standard(s). 

This includes establishing a security committee, ensuring that all gaps and recommendations progress toward remediation and that all deliverables are finalized, and defining a sustainable security plan for a long- and short-term information security program. For more information, see our CISO Engagement Process.

What You Gain

Security Roadmap: We work with you to create a successful roadmap toward remediation, turning what were gaps in our clients’ security programs into competitive advantages.

Continuous Management: With the continuous support of a virtual CISO, we provide a valuable strategic asset. We weave security and compliance into the DNA of our clients’ organizations, differentiating them from their competition.

ISO 27001 and 27701

Getting Started

ISO 27001 is an internationally recognized standard for helping your organization manage the security of your services through a third-party auditor.

Internal Audit

The ISO 27001 internal audit is a prerequisite to stage 1 of the certification process, where either your organization or a third-party firm will assess the effectiveness of your information security management system (ISMS) program to meet clause 9.2 of the ISO 27001 standard. Benefits of the internal audit include:

  • Validating your ISMS before undertaking the ISO audit
  • Demonstrating your organization’s commitment to improvement
  • Encouraging continuous security management

The Process

Stage 1: Your engagement lead will conduct a walkthrough of clauses 4-10, review nonconformities, and develop and execute a corrective action plan. 

Stage 2: BARR will conduct a walkthrough of Annex A controls, review nonconformities, and start the certification process. 

For more information, see each step of our ISO 27001 Engagement Process.

What You Gain

ISO Certification

BARR currently offers certification for ISO 27001 and 27701 standards. The initial certificate issued is valid for three years from the issuance date. At least annually, surveillance audits are conducted to help ensure a certified organization is able to maintain its compliance with the standard. These audits include limited testing and an onsite review to determine the impact of any significant changes since the original certification.

Contact Us

Have questions? Schedule a call to speak with a BARR specialist.
