Internal Audit & Compliance for ISO 27001 and SOC 2
We help startups and growing businesses achieve ISO 27001 and SOC 2 compliance through structured internal audits, gap assessments, and readiness programs, combining technical validation with governance, documentation, and remediation support.
What is Internal Audit & Compliance for ISO 27001 and SOC 2?
Internal audit and compliance readiness is the process of preparing your organization for ISO 27001 or SOC 2 certification: gap assessment, control mapping, policy documentation, evidence collection, and audit preparation.
What We Cover
Every engagement covers these critical areas.
Our Methodology
A structured, repeatable process that ensures thorough coverage and actionable results.
Scope & Framework Selection
Identify applicable regulatory requirements, customer expectations, and compliance frameworks based on your industry, geography, and business model.
Current State Assessment
Review existing policies, controls, technical configurations, and documentation to understand your current compliance posture and identify gaps.
Gap Analysis & Risk Mapping
Map identified gaps against framework requirements with risk-based prioritisation. Highlight critical findings that could impact audit outcomes.
Remediation & Documentation
Guide your team through control implementation, policy creation, evidence collection, and documentation to address all identified gaps.
Internal Audit Execution
Conduct structured internal audits with evidence review, control testing, and stakeholder interviews to validate compliance readiness.
Report & Continuous Monitoring
Deliver detailed audit reports with findings, recommendations, and a compliance roadmap. Provide ongoing support for maintaining audit readiness.
Framework Alignment
Our methodology is aligned with industry-recognized security frameworks for thorough coverage and compliance readiness.
Regulatory Support
Deliverables
What you walk away with at the end of every engagement.
Internal audit report with findings and evidence
Gap analysis matrix mapped to framework controls
Risk register with prioritised remediation plan
Policy and procedure templates
Compliance readiness scorecard
Evidence collection guidance
Management presentation with recommendations
Free re-assessment within 30 days
Frequently Asked Questions
Can you issue the ISO 27001 or SOC 2 certificate?
No. ISO certification requires an accredited certification body, and SOC 2 reports require a licensed CPA firm. We prepare you for the audit: gap assessment, control implementation, evidence collection, and documentation, so you pass when the auditor arrives.
What does a DPDP Act audit cover?
A Cybersecify DPDP Act audit covers the Digital Personal Data Protection Act 2023 chapter by chapter against your current data-handling practices. Specifically: notice (Section 5) review, consent management mechanism (Sections 6 + 7) including granularity + withdrawal flow, purpose limitation evidence (Section 4), retention policy and deletion practice (Section 8), data principal rights workflow (Sections 11 to 14) covering access + correction + erasure + grievance redressal, breach notification readiness against the 72-hour Data Protection Board notification rule + the CERT-In Rule 14 6-hour cyber-incident rule, children's data handling (Section 9) if applicable, cross-border data transfer mapping (Section 16) covering provider region + sub-processor list, Data Protection Officer appointment determination (Section 10) for Significant Data Fiduciaries, and Data Protection Impact Assessment scope for high-risk processing. Output: gap report + remediation plan + policy templates + the documentation pack the buyer needs to support a DPDP enforcement inquiry. The Draft DPDP Rules 2026 will trigger an audit-refresh once notified.
How do you do SOC 2 audit-prep gap analysis?
Cybersecify SOC 2 gap analysis maps your current state against the AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) at the criterion level (CC1.1 through CC9.2 for the Common Criteria + the additional criteria for the four optional categories). Phase 1 (1 to 2 weeks): scope conversation, criterion-level checklist walkthrough, evidence interview with each control owner (engineering, IT, HR, legal, finance). Phase 2 (1 to 2 weeks): documented gap report with each criterion graded as Implemented + Evidenced / Implemented but Under-evidenced / Partially Implemented / Not Implemented, plus remediation actions per gap and a priority order. Phase 3 (4 to 12 weeks depending on gap size): remediation execution with policy drafting + control implementation + evidence collection. Phase 4 (1 to 2 weeks pre-audit): internal audit + audit-prep dry run against the audit firm's review questions. Total timeline: 8 to 18 weeks depending on starting maturity. We are not a licensed CPA firm; the formal SOC 2 examination is conducted by the buyer-selected CPA firm, and we prepare the buyer for it.
What is the ISO 27001:2022 audit-prep gap analysis scope?
Cybersecify ISO 27001:2022 audit-prep covers the full ISMS framework: Clause 4 (Context of the Organization, scope statement, ISMS boundaries), Clause 5 (Leadership commitment, policy, roles), Clause 6 (Risk assessment + risk treatment + Statement of Applicability for the 93 Annex A controls), Clause 7 (Resources, competence, awareness, communication, documented information), Clause 8 (Operational planning and control, risk assessment and treatment execution), Clause 9 (Performance evaluation, internal audit, management review), Clause 10 (Improvement, nonconformity, corrective action). For Annex A: control-by-control gap analysis across the 4 themes (Organizational, People, Physical, Technological) and 93 controls (the 2022 revision consolidated the 114 controls of the 2013 revision). Output: ISMS scope document + Statement of Applicability + risk register + 21+ policies + internal audit report + management review pack. Total timeline: 10 to 20 weeks depending on starting maturity. We are not an accredited certification body; the formal certification audit is conducted by the buyer-selected accredited body (BSI, TUV, DNV, BV, Intertek, etc), and we prepare the buyer for it.
What is the difference between internal audit prep and being an external auditor?
Cybersecify is an audit-prep firm (also called an audit-readiness consultancy), not a certifying or auditing body. The distinction matters legally and contractually. External auditors who issue the SOC 2 report (a licensed CPA firm) cannot also prepare the buyer for the audit they will conduct (independence requirement under AICPA AT-C Section 105). Similarly, accredited certification bodies that issue the ISO 27001 certificate (BSI, TUV, DNV, etc, accredited by NABCB in India, UKAS in the UK or ANAB in the US) cannot prepare the buyer for the certification audit (independence requirement under ISO/IEC 17021). Cybersecify operates as the audit-prep partner: gap analysis, policy drafting, control implementation, evidence collection, internal audit, and a dry run against the auditor's questions. The buyer then engages an independent external auditor for the actual certification or attestation. Most SaaS startups need both: Cybersecify for readiness, an external auditor for the report. Buyers commonly ask us to recommend external auditors; we maintain a working list of CPA firms and accredited certification bodies our buyers have worked with successfully.
Do you cover RBI and SEBI cyber audits for Indian fintech?
Yes for RBI and SEBI cyber framework readiness; partial for the formal regulatory audit. Indian fintech entities have multiple overlapping cyber compliance obligations. The RBI Master Direction on Cyber Security in the Banking Sector + the RBI Master Direction on IT Framework for the NBFC Sector specify a board-approved cyber policy + cyber crisis management plan + threat intelligence capability + vulnerability assessment cadence + incident reporting within 6 hours under CERT-In Rule 14. The SEBI Cybersecurity and Cyber Resilience Framework specifies similar controls for SEBI-regulated entities. Cybersecify audit-prep maps your controls against the relevant Master Direction or Framework, drafts the board-approval-ready cyber policy pack, sets up the incident-response playbook to satisfy the 6-hour CERT-In rule, and supports the readiness side. Formal RBI inspection or SEBI audit is conducted by the regulator or by RBI-empanelled auditors. We are not RBI-empanelled and not CERT-In-empanelled. We prepare the buyer for the readiness review and partner with empanelled firms when formal empanelled audit work is required.
How long does an audit-prep engagement take and what does it cost?
Cybersecify audit-prep engagements are scoped per framework and per starting maturity. DPDP Act audit-prep: 2 to 6 weeks, INR 1,50,000 to INR 4,00,000 depending on data-handling complexity (single product vs multi-product, single geography vs multi-region, B2C vs B2B). SOC 2 Type 1 audit-prep: 8 to 12 weeks, INR 4,00,000 to INR 8,00,000 depending on starting maturity (cold start vs already-some-controls). SOC 2 Type 2 audit-prep: 16 to 24 weeks (a Type 2 report covers an observation window, typically 6 to 12 months), INR 6,00,000 to INR 12,00,000. ISO 27001:2022 audit-prep: 10 to 20 weeks, INR 4,00,000 to INR 10,00,000. Combined SOC 2 + ISO 27001 (the overlap between mapped controls reduces total cost): scoped per buyer, typically INR 8,00,000 to INR 15,00,000. International pricing on request. All engagements include 1 free re-assessment within 30 days of report delivery. Audit-prep work is delivered founder-led; for technical control implementation that exceeds the engagement scope, Security Retainer hours can be allocated.
What does a sample audit-prep deliverable look like?
A Cybersecify audit-prep engagement delivers a documentation pack the buyer presents to the external auditor. Sample contents for a SOC 2 Type 1 prep engagement: (1) ISMS scope statement and system description (the SOC 2 Section III narrative), 8 to 15 pages. (2) Trust Services Criteria matrix mapping each CC criterion + AC criterion + PI criterion + C criterion + P criterion to the control implementing it, the evidence demonstrating it, the control owner, and the testing frequency, typically 40 to 80 rows. (3) Risk register with risk ID + risk description + impact + likelihood + treatment + control reference, typically 30 to 60 rows. (4) Policy and procedure pack covering 18 to 22 documents (Information Security Policy, Access Control Policy, Acceptable Use, Vendor Risk, Incident Response, Business Continuity, Backup, Change Management, Data Classification, Encryption, Logging and Monitoring, Vulnerability Management, Secure Development, HR Security, Physical Security, Privacy, Risk Management, Disposal). (5) Internal audit report + management review minutes. (6) Audit-prep dry-run report listing the auditor questions and prepared responses. We can share sanitized samples on request.
Do you handle audit-prep for combined SOC 2, ISO 27001, and DPDP simultaneously?
Yes. Combined audit-prep is the most cost-effective approach when the buyer needs all three (typical for an Indian SaaS exporting to enterprise: DPDP for India + SOC 2 for US customers + ISO 27001 for EU and global customers). Cybersecify approach: build the unified control library once (the 90+ controls covering SOC 2 Trust Services Criteria + ISO 27001 Annex A + DPDP technical and organizational measures share roughly 70% overlap), document each control once with framework cross-references in its metadata, then build the framework-specific narratives (SOC 2 Section III, ISO 27001 Statement of Applicability, DPDP compliance position document) referencing the unified library. Sequencing: ISO 27001 first (broadest control coverage builds the foundation) → SOC 2 layered on (adds AICPA-specific testing and the Section III narrative) → DPDP layered on (adds India-specific data-handling documentation). Combined engagement: 16 to 30 weeks, INR 10,00,000 to INR 20,00,000 depending on starting maturity and scope breadth. Significant cost saving vs running three sequential engagements.
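The unified-library approach above is easiest to see in code. The following is an added example, not Cybersecify's own library or tooling: each control is recorded once with its framework cross-references as metadata, and the per-framework matrix, the readiness scorecard (using the grading scale from the SOC 2 gap report) and the gap list are all derived from that single record set. The five sample controls and their crosswalk references (SOC 2 CC criteria, ISO 27001:2022 Annex A controls, DPDP sections) are constructed for illustration and are not a complete or authoritative mapping.

```python
"""Unified control library with per-framework readiness views.

Added example, not Cybersecify's own library: each control is recorded once
and carries its framework cross-references as metadata, so the SOC 2,
ISO 27001 and DPDP views are derived from one source instead of being
maintained three times. The crosswalk references are illustrative assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Grading scale from the gap-report phase, worst first.
STATUSES = (
    "Not Implemented",
    "Partially Implemented",
    "Implemented but Under-evidenced",
    "Implemented + Evidenced",
)


@dataclass
class Control:
    control_id: str
    title: str
    owner: str
    status: str
    evidence: list[str] = field(default_factory=list)
    # framework name -> criteria / clauses / sections this control satisfies
    refs: dict[str, list[str]] = field(default_factory=dict)


# Constructed sample library (five controls); mappings are illustrative.
LIBRARY = [
    Control("UC-01", "Role-based access to production", "Engineering",
            "Implemented + Evidenced", ["iam-policy-export.json"],
            {"SOC2": ["CC6.1", "CC6.3"], "ISO27001": ["A.5.15", "A.8.2"],
             "DPDP": ["S.8(5)"]}),
    Control("UC-02", "Encryption of personal data at rest", "Engineering",
            "Implemented but Under-evidenced", [],
            {"SOC2": ["CC6.1"], "ISO27001": ["A.8.24"], "DPDP": ["S.8(5)"]}),
    Control("UC-03", "Incident response and breach notification", "Security",
            "Partially Implemented", ["ir-playbook-draft.md"],
            {"SOC2": ["CC7.3", "CC7.4"], "ISO27001": ["A.5.24", "A.5.26"],
             "DPDP": ["S.8(6)"]}),
    Control("UC-04", "Consent capture and withdrawal flow", "Product",
            "Not Implemented", [], {"DPDP": ["S.6"]}),
    Control("UC-05", "Supplier security review", "Legal",
            "Implemented + Evidenced", ["vendor-register.xlsx"],
            {"SOC2": ["CC9.2"], "ISO27001": ["A.5.19"]}),
]


def validate(library: list[Control]) -> list[str]:
    """Consistency checks an auditor would catch: an unknown status, or a
    control graded 'Implemented + Evidenced' with no evidence on file."""
    issues = []
    for c in library:
        if c.status not in STATUSES:
            issues.append(f"{c.control_id}: unknown status {c.status!r}")
        if c.status == "Implemented + Evidenced" and not c.evidence:
            issues.append(f"{c.control_id}: graded evidenced but no evidence listed")
    return issues


def in_scope(library: list[Control], framework: str) -> list[Control]:
    return [c for c in library if framework in c.refs]


def framework_view(library: list[Control], framework: str) -> dict[str, list[str]]:
    """Criterion -> control IDs: the rows of the framework-specific matrix."""
    view: dict[str, list[str]] = {}
    for c in in_scope(library, framework):
        for ref in c.refs[framework]:
            view.setdefault(ref, []).append(c.control_id)
    return view


def scorecard(library: list[Control], framework: str) -> dict[str, int]:
    """Number of in-scope controls per status (the readiness scorecard)."""
    counts = Counter(c.status for c in in_scope(library, framework))
    return {s: counts.get(s, 0) for s in STATUSES}


def gaps(library: list[Control], framework: str) -> list[str]:
    """Control IDs still needing remediation, worst status first."""
    todo = [c for c in in_scope(library, framework)
            if c.status != "Implemented + Evidenced"]
    todo.sort(key=lambda c: STATUSES.index(c.status))
    return [c.control_id for c in todo]


def overlap(library: list[Control], frameworks: list[str]) -> float:
    """Share of the library that serves every listed framework at once."""
    shared = [c for c in library if all(f in c.refs for f in frameworks)]
    return len(shared) / len(library)


if __name__ == "__main__":
    for problem in validate(LIBRARY):
        print("library issue:", problem)
    for fw in ("ISO27001", "SOC2", "DPDP"):
        print(fw, scorecard(LIBRARY, fw), "gaps:", gaps(LIBRARY, fw))
    print("shared across all three:", overlap(LIBRARY, ["SOC2", "ISO27001", "DPDP"]))
```

The `validate` check is the part worth keeping in a real library: a control that is graded as evidenced but has nothing attached is exactly the row an external auditor turns into a finding, so it should fail before the matrix is exported rather than during fieldwork.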
Related Articles
Not ready for a full engagement yet?
Two other ways to start: free self-serve scan, or monthly retainer for ongoing support.
OpenEASD
Open source external attack surface scanner. Run it yourself against your domain. No signup, no data leaves your network.
Security Retainer
10 hours founder-led consulting per month + 1 external attack surface scan + 1 Brand Protection scan monthly. Extra hours at flat INR 2,500/hour.
Ready to discuss audit & compliance?
Scoped per engagement. Talk directly to both founders.