Internal Audit & Compliance for ISO 27001 and SOC 2

We help startups and growing businesses achieve ISO 27001 and SOC 2 compliance through structured internal audits, gap assessments, and readiness programs, combining technical validation with governance, documentation, and remediation support.

What is Internal Audit & Compliance for ISO 27001 and SOC 2?

Internal audit and compliance readiness is the process of preparing your organization for ISO 27001 or SOC 2 certification: gap assessment, control mapping, policy documentation, evidence collection, and audit preparation.

What We Cover

Every engagement covers these critical areas.

Policy and procedure review
Access control and identity management audit
Data classification and handling assessment
Encryption and key management review
Incident response plan evaluation
Business continuity and disaster recovery
Vendor and third-party risk assessment
Change management process review
Logging, monitoring, and alerting audit
Network segmentation and firewall review
Employee security awareness evaluation
Physical security controls assessment
Data privacy impact assessment
Regulatory mapping and evidence collection

Our Methodology

A structured, repeatable process that ensures thorough coverage and actionable results.

STEP 01

Scope & Framework Selection

Identify applicable regulatory requirements, customer expectations, and compliance frameworks based on your industry, geography, and business model.

STEP 02

Current State Assessment

Review existing policies, controls, technical configurations, and documentation to understand your current compliance posture and identify gaps.

STEP 03

Gap Analysis & Risk Mapping

Map identified gaps against framework requirements with risk-based prioritisation. Highlight critical findings that could impact audit outcomes.

STEP 04

Remediation & Documentation

Guide your team through control implementation, policy creation, evidence collection, and documentation to address all identified gaps.

STEP 05

Internal Audit Execution

Conduct structured internal audits with evidence review, control testing, and stakeholder interviews to validate compliance readiness.

STEP 06

Report & Continuous Monitoring

Deliver detailed audit reports with findings, recommendations, and a compliance roadmap. Provide ongoing support for maintaining audit readiness.

Framework Alignment

Our methodology is aligned with industry-recognized security frameworks for thorough coverage and compliance readiness.

ISO 27001
SOC 2 Type 1
SOC 2 Type 2

Regulatory Support

ISO 27001: Information security management system (ISMS) audit
SOC 2: Trust Services Criteria, Type 1 and Type 2 readiness

Deliverables

What you walk away with at the end of every engagement.

01

Internal audit report with findings and evidence

02

Gap analysis matrix mapped to framework controls

03

Risk register with prioritised remediation plan

04

Policy and procedure templates

05

Compliance readiness scorecard

06

Evidence collection guidance

07

Management presentation with recommendations

08

Free re-assessment within 30 days

Frequently Asked Questions

Can you issue the ISO 27001 or SOC 2 certificate?

No. ISO certification requires an accredited certification body, and SOC 2 reports require a licensed CPA firm. We prepare you for the audit: gap assessment, control implementation, evidence collection, and documentation, so you pass when the auditor arrives.

What does a DPDP Act audit cover?

A Cybersecify DPDP Act audit checks your current data-handling practices against the nine chapters of the Digital Personal Data Protection Act 2023. Specifically: notice (Section 5) review; consent management mechanism (Sections 6 and 7), including consent granularity and the withdrawal flow; purpose limitation evidence (Section 4); retention policy and deletion practice (Section 8); data principal rights workflow (Sections 11 to 14) covering access, correction, erasure and grievance redressal; breach notification readiness against the 72-hour Data Protection Board notification rule and the CERT-In Rule 14 6-hour cyber-incident reporting rule; children's data handling (Section 9) where applicable; cross-border data transfer mapping (Section 16) covering provider regions and the sub-processor list; Data Protection Officer appointment determination (Section 10) for Significant Data Fiduciaries; and Data Protection Impact Assessment scope for high-risk processing. Output: gap report, remediation plan, policy templates, and the documentation pack the buyer needs to support a DPDP enforcement inquiry. The Draft DPDP Rules 2026 will trigger an audit refresh once notified.

How do you do SOC 2 audit-prep gap analysis?

Cybersecify SOC 2 gap analysis maps your current state against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) at the criterion level: CC1.1 through CC9.2 for the Common Criteria, plus the additional criteria for whichever of the four optional categories are in scope. Phase 1 (1 to 2 weeks): scope conversation, criterion-level checklist walkthrough, and an evidence interview with each control owner (engineering, IT, HR, legal, finance). Phase 2 (1 to 2 weeks): documented gap report with each criterion graded as Implemented and Evidenced / Implemented but Under-evidenced / Partially Implemented / Not Implemented, with remediation actions per gap in priority order. Phase 3 (4 to 12 weeks depending on gap size): remediation execution, covering policy drafting, control implementation and evidence collection. Phase 4 (1 to 2 weeks pre-audit): internal audit and an audit-prep dry run against the audit firm's review questions. Total timeline: 8 to 18 weeks depending on starting maturity. We are not a licensed CPA firm; the formal SOC 2 examination is conducted by the CPA firm the buyer selects. We prepare the buyer for that examination.

What is the ISO 27001:2022 audit-prep gap analysis scope?

Cybersecify ISO 27001:2022 audit-prep covers the full ISMS framework: Clause 4 (context of the organization, scope statement, ISMS boundaries), Clause 5 (leadership commitment, policy, roles), Clause 6 (risk assessment, risk treatment, and the Statement of Applicability for the 93 Annex A controls), Clause 7 (resources, competence, awareness, communication, documented information), Clause 8 (operational planning and control, execution of risk assessment and treatment), Clause 9 (performance evaluation, internal audit, management review), and Clause 10 (improvement, nonconformity, corrective action). For Annex A: control-by-control gap analysis across the 4 themes (Organizational, People, Physical, Technological) and 93 controls (the 2022 revision consolidated the 114 controls of the 2013 revision). Output: ISMS scope document, Statement of Applicability, risk register, a policy set of 21 or more documents, internal audit report, and management review pack. Total timeline: 10 to 20 weeks depending on starting maturity. We are not an accredited certification body; the formal certification audit is conducted by the accredited body the buyer selects (BSI, TUV, DNV, BV, Intertek, etc). We prepare the buyer for that audit.

What is the difference between internal audit prep and being an external auditor?

Cybersecify is an audit-prep firm (also called an audit-readiness consultancy), not a certifying or auditing body. The distinction matters legally and contractually. The external auditor that issues the SOC 2 report (a licensed CPA firm) cannot also prepare the buyer for the audit it will conduct (independence requirements under AICPA AT-C Section 105). Similarly, the accredited certification bodies that issue the ISO 27001 certificate (BSI, TUV, DNV, etc, accredited by NABCB in India, UKAS in the UK, or ANAB in the US) cannot prepare the buyer for the certification audit (impartiality requirements under ISO/IEC 17021). Cybersecify operates as the audit-prep partner: gap analysis, policy drafting, control implementation, evidence collection, internal audit, and a dry run against the auditor's questions. The buyer then engages an independent external auditor for the actual certification or attestation. Most SaaS startups need both: Cybersecify for readiness, an external auditor for the report. Buyers commonly ask us to recommend external auditors; we maintain a working list of CPA firms and accredited certification bodies our buyers have worked with successfully.

Do you cover RBI and SEBI cyber audits for Indian fintech?

Yes for RBI and SEBI cyber framework readiness; partially for the formal regulatory audit. Indian fintech entities have multiple overlapping cyber compliance obligations. The RBI Master Direction on Cyber Security in the Banking Sector and the RBI Master Direction on IT Framework for the NBFC Sector require a board-approved cyber policy, a cyber crisis management plan, a threat intelligence capability, a defined vulnerability assessment cadence, and incident reporting within 6 hours under CERT-In Rule 14. The SEBI Cybersecurity and Cyber Resilience Framework specifies similar controls for SEBI-regulated entities. Cybersecify audit-prep maps your controls against the relevant Master Direction or Framework, drafts the board-approval-ready cyber policy pack, sets up the incident-response playbook to meet the 6-hour CERT-In rule, and supports the readiness side. Formal RBI inspection or SEBI audit is conducted by the regulator or by empanelled auditors. We are neither RBI-empanelled nor CERT-In-empanelled. We prepare the buyer for the readiness review and partner with empanelled firms when formal empanelled audit work is required.

How long does an audit-prep engagement take and what does it cost?

Cybersecify audit-prep engagements are scoped per framework and per starting maturity. DPDP Act audit-prep: 2 to 6 weeks, INR 1,50,000 to INR 4,00,000 depending on data-handling complexity (single product vs multi-product, single geography vs multi-region, B2C vs B2B). SOC 2 Type 1 audit-prep: 8 to 12 weeks, INR 4,00,000 to INR 8,00,000 depending on starting maturity (cold start vs some controls already in place). SOC 2 Type 2 audit-prep: 16 to 24 weeks (Type 2 requires an observation window, typically 6 to 12 months), INR 6,00,000 to INR 12,00,000. ISO 27001:2022 audit-prep: 10 to 20 weeks, INR 4,00,000 to INR 10,00,000. Combined SOC 2 + ISO 27001 (overlapping mapped controls reduce total cost): scoped per buyer, typically INR 8,00,000 to INR 15,00,000. International pricing on request. All engagements include 1 free re-assessment within 30 days of report delivery. Audit-prep work is delivered founder-led; for technical control implementation that exceeds the engagement scope, Security Retainer hours can be allocated.

What does a sample audit-prep deliverable look like?

A Cybersecify audit-prep engagement delivers a documentation pack the buyer presents to the external auditor. Sample contents for a SOC 2 Type 1 prep engagement: (1) Scope statement and system description (the SOC 2 Section III narrative), 8 to 15 pages. (2) Trust Services Criteria matrix mapping each in-scope criterion (CC, A, PI, C and P series) to the control implementing it, the evidence demonstrating it, the control owner, and the testing frequency, typically 40 to 80 rows. (3) Risk register with risk ID, risk description, impact, likelihood, treatment and control reference, typically 30 to 60 rows. (4) Policy and procedure pack covering 18 to 22 documents (Information Security Policy, Access Control Policy, Acceptable Use, Vendor Risk, Incident Response, Business Continuity, Backup, Change Management, Data Classification, Encryption, Logging and Monitoring, Vulnerability Management, Secure Development, HR Security, Physical Security, Privacy, Risk Management, Disposal). (5) Internal audit report and management review minutes. (6) Audit-prep dry-run report listing the auditor's questions and the prepared responses. We can share sanitized samples on request.

Do you handle audit-prep for combined SOC 2, ISO 27001, and DPDP simultaneously?

Yes. Combined audit-prep is the most cost-effective approach when the buyer needs all three (typical for an Indian SaaS exporting to enterprise: DPDP for India, SOC 2 for US customers, ISO 27001 for EU and global customers). Cybersecify approach: build the unified control library once (the 90+ controls covering the SOC 2 Trust Services Criteria, ISO 27001 Annex A, and the DPDP technical and organizational measures share roughly 70% overlap), document each control once with the framework cross-references held in its metadata, then build the framework-specific narratives (SOC 2 Section III, ISO 27001 Statement of Applicability, DPDP compliance position document) by referencing the unified library. Sequencing: ISO 27001 first (broadest control coverage, builds the foundation) → SOC 2 layered on (adds AICPA-specific testing and the Section III narrative) → DPDP layered on (adds India-specific data-handling documentation). Combined engagement: 16 to 30 weeks, INR 10,00,000 to INR 20,00,000 depending on starting maturity and scope breadth. A significant cost saving compared with running three sequential engagements.
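The two ideas above, the four-level gap grading from the SOC 2 gap-analysis answer and the unified control library with cross-framework references from this answer, are easiest to see in a small model. The following is an added example written for this page, not Cybersecify's own tooling or any framework's official crosswalk. The control IDs (UCL-xx), the sample controls, the evidence file names, and the mapping of each control to SOC 2 criteria, ISO 27001:2022 Annex A controls and DPDP Act sections are assumptions constructed for the illustration and should be verified against the current standard texts before use in a real Statement of Applicability.

```python
"""Unified control library with cross-framework references (added illustration).

Each control is documented once; the per-framework views (SOC 2 criteria
matrix, ISO 27001 Statement of Applicability, DPDP position) are derived from
the refs metadata. Control IDs and criterion/clause mappings are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    """Gap-analysis grades, ordered so min() picks the weakest grade."""
    NOT_IMPLEMENTED = 0
    PARTIAL = 1
    UNDER_EVIDENCED = 2   # implemented, but no artefact an auditor can test
    EVIDENCED = 3         # implemented and evidenced


@dataclass
class Control:
    control_id: str
    title: str
    owner: str
    status: Status
    evidence: tuple   # artefact names the auditor will be shown
    refs: dict        # framework -> criteria / clauses this control satisfies


# Constructed sample library; mappings are illustrative, not a verified crosswalk.
LIBRARY = [
    Control("UCL-01", "Role-based access with quarterly access reviews", "IT",
            Status.EVIDENCED, ("access-review-2025Q1.csv",),
            {"SOC2": ["CC6.1", "CC6.2"], "ISO27001": ["A.5.15", "A.5.18"]}),
    Control("UCL-02", "Central log collection with 12-month retention", "Engineering",
            Status.UNDER_EVIDENCED, (),
            {"SOC2": ["CC7.2"], "ISO27001": ["A.8.15", "A.8.16"]}),
    Control("UCL-03", "Incident response plan incl. regulator notification clock", "Security",
            Status.PARTIAL, ("ir-plan-draft.docx",),
            {"SOC2": ["CC7.3", "CC7.4"], "ISO27001": ["A.5.24", "A.5.26"], "DPDP": ["S.8(6)"]}),
    Control("UCL-04", "Retention schedule and deletion of data past purpose", "Legal",
            Status.NOT_IMPLEMENTED, (),
            {"ISO27001": ["A.8.10"], "DPDP": ["S.8(7)"]}),
    # Graded as evidenced by its owner, but no artefact attached: a claim, not evidence.
    Control("UCL-05", "Security awareness training at onboarding and annually", "HR",
            Status.EVIDENCED, (),
            {"SOC2": ["CC1.4"], "ISO27001": ["A.6.3"]}),
]

# Criteria in scope for the (illustrative) audit. CC8.1 deliberately has no
# control mapped to it, to show how an unmapped criterion surfaces.
REQUIRED = {
    "SOC2": ["CC1.4", "CC6.1", "CC6.2", "CC7.2", "CC7.3", "CC7.4", "CC8.1"],
    "ISO27001": ["A.5.15", "A.5.18", "A.5.24", "A.5.26", "A.6.3", "A.8.10", "A.8.15", "A.8.16"],
    "DPDP": ["S.8(6)", "S.8(7)"],
}


def effective_status(control):
    """An EVIDENCED grade with no artefact is downgraded: auditors test artefacts."""
    if control.status == Status.EVIDENCED and not control.evidence:
        return Status.UNDER_EVIDENCED
    return control.status


def unevidenced_claims(library):
    """Control IDs graded EVIDENCED but carrying an empty evidence list."""
    return [c.control_id for c in library
            if c.status == Status.EVIDENCED and not c.evidence]


def framework_view(library, framework):
    """Collapse the library to criterion -> effective status for one framework.
    A criterion backed by several controls takes the weakest of them, because
    the narrative will point the auditor at every one of them."""
    view = {}
    for c in library:
        for crit in c.refs.get(framework, []):
            view[crit] = min(view.get(crit, Status.EVIDENCED), effective_status(c))
    return view


def gap_report(library, framework, required):
    """(audit_ready, gaps): each required criterion not fully evidenced maps to
    its grade name, or to 'UNMAPPED' when no control references it at all."""
    view = framework_view(library, framework)
    gaps = {}
    for crit in required:
        status = view.get(crit)
        if status is None:
            gaps[crit] = "UNMAPPED"
        elif status < Status.EVIDENCED:
            gaps[crit] = status.name
    return (not gaps, gaps)


def remediation_order(library):
    """Weakest controls first; ties broken by how many criteria, across all
    frameworks, one fix would close (the cross-framework overlap at work)."""
    return [c.control_id for c in sorted(
        library, key=lambda c: (effective_status(c), -sum(len(v) for v in c.refs.values())))]


if __name__ == "__main__":
    for fw, req in REQUIRED.items():
        ready, gaps = gap_report(LIBRARY, fw, req)
        print(f"{fw}: {'READY' if ready else 'GAPS'} {gaps}")
    print("evidence missing on:", unevidenced_claims(LIBRARY))
    print("remediation order:", remediation_order(LIBRARY))
```

Two design points carry over to real audit-prep work: a criterion backed by several controls is only as strong as the weakest of them, since the auditor will sample every control the narrative names; and a control graded "evidenced" with nothing attached is treated as under-evidenced, which is exactly the finding an external auditor would raise.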

Ready to discuss audit & compliance?

Scoped per engagement. Talk directly to both founders.