Thank You for Choosing BARR Advisory

Welcome to the first step to meeting your security and compliance needs.

Get to Know BARR

At BARR, we simplify the path to security and compliance. Learn more about our specific services and what to expect during your audit.

Popular Topics:

What Sets BARR Apart?

We Take a Human-First Approach

Cybersecurity, at its core, is about humans feeling safe and protected. 

We will educate and empower your people using real talk (not jargon) to raise awareness, change behavior, and embed best practices into your company culture.

We Drive Value Through Connections

BARR uses its global network of providers to connect you with best-fit experts. And these go far beyond a simple referral.

These partners are integrated into our own tools, processes, and services.

We Have Perspective

We have the experience of the past and the expertise of today to meet the challenges of tomorrow. 

We understand the challenges our clients face every day— because we faced them when we sat on your side of the table.

Preparing for Your Audit

What You Provide:

During the engagement kickoff phase, BARR will request several things from you that will help us during your assessment. 

  • Complete your system description. The system description provides an overview of your company’s operations and control environment for the in scope system. 
  • Review control wording. What are controls? Controls are documented processes in your environment relevant to your in scope system that helps achieve your in scope trust service criteria. BARR will provide you with template controls to test during the engagement. It is important that you review the controls and modify them to reflect your current control environment. 
  • Provide information requests. BARR will request documentation via our tool called TaskBARR. Information requests must be submitted within predetermined timeframes that will be established by the engagement team.

What BARR Provides:

We are committed to guiding you through this process by providing you unparalleled support.

  • We do this by setting expectations during the engagement kickoff meeting and providing you with the support and knowledge you need to complete your engagement. 
  • We will review information requests as they come in and hold walkthrough meetings with you to gain an understanding of your control environment and ensure we obtain the correct documentation to evidence your compliance with applicable trust services criteria. Any issues we identify will be reported to you immediately and we will work with you to identify possible solutions. 
  • At the conclusion of our fieldwork, we will issue a draft report or certification for your team to review and provide feedback.

What to Expect During Your Audit

BARR works hard to make each phase of the engagement process as easy as possible for your organization. Learn what to expect with your engagement lead from kickoff to final deliverable and everything in between. 

SOC Examinations

BARR practices a three-phase auditing  process during SOC examinations:


  • We start by connecting on a 30-minute call to determine your needs.
  • BARR will send a proposal within one day to confirm our understanding. 


While optional, the readiness assessment ensures that your examination will go as smoothly as possible. Here’s what to expect through each meeting:

  • Readiness Meeting #1: You will meet your BARR engagement manager, share your system demo, and confirm scope and expectations.
  • Readiness Meeting #2: In this 2+ hour meeting, we will review your key processes such as change management, access management, and vulnerability management.
  • Readiness Meeting #3: A debrief meeting to confirm the three readiness deliverables.
  • Remediate & Engage: You will correct your gaps prior to starting the audit period. An engagement letter with the agreed audit period is signed.

Examination Engagement 

  • Plan: A kickoff call is scheduled with you to confirm we are on the same page with the scope, timelines, deliverables, and personnel needed for the assessment.
  • Assess: Walkthrough duration is dependent on your environment complexity and size; however, four hours is the typical time commitment.
  • Report: BARR will provide a draft report no later than 30 days after the period ends. 
  • Celebrate & Optimize: BARR will provide a promotional package and schedule a debrief to review improvement opportunities for your security program, rate the engagement, and plan your next engagements

For more information, see each step of our SOC Engagement Process.


Our HITRUST team works with healthcare organizations through a five-step engagement process. 

Readiness Period 

  • Once a client signs the Engagement Letter, the engagement lead will set up an internal and external engagement kickoff meeting. 
  • Following the kickoff meeting, the engagement lead will provide the client with the HITRUST Questionnaire. 
  • The client will provide the engagement lead with the completed questionnaire. This will indicate exactly what controls are not implemented (Instant gap), which controls are implemented, and which controls are not applicable.


  • The engagement lead and team will then test each control following the HITRUST illustrative procedures identifying any additional control gaps as they may arise. 
  • Once the testing is complete, the engagement lead will provide the client with a full excel workbook that will identify clear remediation tasks for the client to complete before the validation assessment begins. 
  • After the gap report is provided to the client and the internal and external debriefs are complete, the engagement lead will continually work with the client to ensure accurate and complete remediation of each gap. 

Implementation Period

  • Controls must be implemented 90 days prior to assessment.

Validation Assessment

  • The engagement lead will set up an internal and external engagement kickoff meeting. 
  • As the client provides the requested evidence, the engagement lead and team will test each control following the illustrative procedures. 
  • As the client provides the requested evidence, the engagement lead and team will test each control following the illustrative procedures. 
  • Once testing is complete, testing will go under manager review, and the engagement lead will complete the administrative documentation.

HITRUST Quality Analysis 

  • Once the final quality review is complete, the engagement lead will submit the assessment to HITRUST and work with HITRUST QA to address any issues or concerns. 
  • After the final report is posted, the engagement lead will set up a time for an internal and external debrief.
  • The i1 validation is an annual process, while the r2 repeats every two years with in interim in between.

For more information, see each step of our HITRUST Engagement Process.


The CISO Advisory team helps our clients establish a cybersecurity program that is flexible and adaptive to the needs of their business stakeholders. This includes a common structure to safeguard information assets and streamline business deals with customers’ security demands. Our approach includes the phases, activities, and deliverables below:

  • Gap Assessment (Phase 1): We believe in determining the why before proposing the how and that careful planning is imperative to help our clients achieve their business objectives.
  • Remediation (Phase 2): We provide a roadmap to successful remediation, turning what were gaps in our clients’ security programs into competitive advantages.
  • Continuous Management (Phase 3): With the continuous support of a virtual CISO, we provide a valuable strategic asset. We weave security and compliance into the DNA of our clients’ organizations, differentiating them from their competition.

For more information, see each step of our CISO Engagement Process.

ISO 27001

The ISO 27001 certification is an internationally recognized standard for helping your organization manage the security of your services through a third-party auditor. There are two stages in the certification process. 

  • Stage 1: Your engagement lead will conduct a walkthrough of clauses 4-10, review nonconformities, and develop and execute a corrective action plan. 
  • Stage 2: BARR will conduct a walkthrough of Annex A controls, review nonconformities, and start the certification process. 

For more information, see each step of our ISO 27001 Engagement Process.


Many questions may arise as you begin your auditing process. Explore our frequently asked questions to find the information you’re looking for. Don’t see your question here? Contact us today. 

Do I need to comply with GDPR/CCPA requirements?

Any entity, regardless of their location, that collects or processes personal information of EU residents must comply with the regulations laid out by the General Data Protection Regulation (GDPR).

What is a system description?

The system description, part of Section III within a SOC 2 report, includes important information regarding the people, processes, and technology that support your product or service. 

As the auditor, BARR’s team is charged with confirming you are fulfilling the trust services criteria applicable to your report scope. The system description sets the stage for how your auditor will identify any gaps in the control environment and determine if the controls in place were “suitably designed and operating effectively in order to achieve commitments and system requirements based on the applicable trust services criteria.” The five potential trust services criteria include security, availability, confidentiality, processing integrity, and privacy. A SOC report always includes security as one of the trust services criteria, but could also include one, two, or any mix of the others.

What’s the difference between SOC 2 Type 1 and SOC 2 Type 2?

  • Type I reports may be performed right away if your organization has your controls in place and documented. These reports offer a point-in-time service, testing your design on a specific date.
  • Type II reports are generally audited over a 3 to12 month period. These reports reflect your organization’s operating effectiveness during the course of a review period and provide a more detailed assessment of your controls.

When are privacy and processing integrity criteria applicable?

Taken from the five trust criteria for a SOC 2 audit, privacy demonstrates personal information that is used, retained, disclosed, and disposed of in accordance with entity objectives and policies. Processing integrity shows that the system processing and data are complete, valid, accurate, timely, and authorized to meet objectives. 

If I had a 3-month reporting period last year, do I need a 3-month reporting period this year?

SOC reporting periods vary depending on the type of report your organization needs at any given time. Typically a reporting period runs between a 3 and 12 month period.


What are the differences between SOC 2 and ISO 27001?

The main difference between a SOC 2 and an ISO 27001 is the final deliverable. A SOC 2 report results in a final report, while ISO 27001 certifies your organization under ISO standards. 

Type of controls also differ when looking at the two frameworks. 

What are “walkthroughs”?

While this process is dependent on your environment complexity and size, these assessments typically last 2 to 3 days. At the beginning of the  assessment period, your lead will schedule walkthroughs with you in order to:

  • Understand your control environments
  • Review information requests
  • Advise on any preliminary issues 

After your walkthroughs, BARR will test your controls and evaluate if they meet within the scope criteria. If an exception is identified, your engagement lead will verify the exception with you, discuss the impact, and obtain a management response that will be available in your final report. 

How do I prepare for walkthroughs?

When preparing for your audit, there are two options you can take:

  1. Complete the preparation work on your own, which typically consists of a readiness assessment and is done manually within your organization
  2. Use an automation partner to help streamline the process of documenting your policies and procedures

Your automation partner readiness/scoping assessments are very quick and lite touch engagements. Their role is three fold to help ensure there are no surprises for the client when it comes time for the SOC 2 examination:

  • Understand scope
  • Identify gaps that need to be internally corrected 
  • Communicate expected controls and help client prioritize gap/ task remediation

With either option, your organization is responsible for providing your control and system descriptions, and BARR will prepare information requests using our project management tool, taskBARR, schedule your walkthroughs, and set the duration of your meetings. 

How can I write strong policies and procedures for my organization’s information security program?

Writing strong policies and procedures is key to an organization’s information security program. There is a difference between policies and procedures. 

  • Policies establish the minimum information security requirements and acceptable or unacceptable behaviors—the “why.” 
  • Procedures set the “how” for each policy, and describe the processes that will enable or enforce the policy. Policies tend to be more constant and remain intact year over year, whereas procedures tend to be prescriptive and can have more flexibility.