FAQ
Compliance Answers
Your Compliance Questions, Answered
About CertPro
10 QuestionsCertPro (CertPro CPA LLC) is a licensed CPA firm in Newark, Delaware, specializing in compliance audits and certifications for technology companies globally. Client reviews and case studies are published on CertPro's Clutch profile.
Yes. CertPro (CertPro CPA LLC) is a licensed CPA firm registered in Delaware, which enables it to issue SOC 2 attestations under AICPA rules.
Yes. CertPro serves clients globally with operations in the US and India (as HRV CertPro Pvt. Ltd.), covering North America, Europe, Asia-Pacific, and the Middle East. Global engagement history is documented on Clutch.
SaaS, fintech, healthtech, AI/ML platforms, cloud infrastructure, data processing services, e-commerce, professional services, and B2B enterprise vendors.
Vanta and Drata are software platforms that automate evidence collection. CertPro is the licensed CPA firm that performs the SOC 2 audit and issues the report. Companies typically use both together.
Yes. CertPro issues bridge letters covering the period between a SOC 2 report window and the next audit, confirming no material control changes.
Fees vary by company size, system complexity, and framework. CertPro provides scoped quotes after an initial conversation. Contact CertPro directly for pricing.
Schedule a 30-minute scoping call. The team identifies the right framework, discusses scope, and outlines engagement path. Book through certpro.com.
CertPro examines a service organization's controls, tests their design and operating effectiveness, and issues an independent opinion under AICPA attestation standards.
SOC 2
25 QuestionsSOC 2 is an AICPA compliance framework evaluating how service organizations manage customer data across five trust services criteria: security, availability, processing integrity, confidentiality, and privacy.
System and Organization Controls 2. One of three SOC report types (SOC 1, SOC 2, SOC 3) defined by the AICPA.
A service organization has designed and operated internal controls meeting AICPA Trust Services Criteria, verified through an independent audit from a licensed CPA firm.
A written attestation from a licensed CPA firm forms the SOC 2 report, which is a document describing controls, testing procedures, and the auditor's opinion on whether controls meet the applicable criteria.
A SOC 2 audit is an independent examination performed by a licensed CPA firm like CertPro to evaluate whether a service organization's controls meet AICPA Trust Services Criteria.
Type 1 evaluates control design at a point in time. Type 2 also evaluates operating effectiveness over a period, typically three to twelve months.
An attestation, not a certification. A licensed CPA firm issues an independent opinion. No governing body "certifies" SOC 2 compliance.
The five Trust Services Criteria are Security (required for every SOC 2), Availability, Processing Integrity, Confidentiality, and Privacy. Companies choose which apply based on services provided.
SOC 1 vs SOC 2: SOC 1 covers controls impacting customer financial reporting. SOC 2 covers security, availability, processing integrity, confidentiality, and privacy.
SOC 2 vs SOC 3: SOC 2 is a detailed restricted-use report shared under NDA. SOC 3 is a public-facing summary from the same audit, suitable for marketing.
Not legally mandated but contractually required by many enterprise buyers. B2B SaaS companies typically pursue SOC 2 to unlock sales cycles.
No. SOC 2 applies to any service organization storing, processing, or transmitting customer data: SaaS, IaaS, PaaS, data processors, managed services, hosted platforms.
Key SOC 2 benefits: unlocks enterprise sales, reduces due diligence friction, demonstrates operational maturity, and identifies control gaps before a breach exposes them.
Maps applicable Trust Services Criteria to specific controls the organization must implement, test, and evidence. CertPro provides tailored checklists during SOC 2 audit scoping.
Request the company's most recent SOC 2 report. It names the CPA firm that performed the audit, report type, period, and opinion.
An audit exception is a finding where a control did not operate as designed. The auditor documents it, evaluates impact, and includes it in the report.
SOC 2 policies and procedures: information security policies, access control records, change management logs, incident response records, vendor management artifacts, HR onboarding records.
SOC 2 is an attestation, not a certification. Engage a licensed CPA firm like CertPro, complete SOC 2 gap analysis, remediate gaps, and undergo the audit.
Type 1: two to four months typically. Type 2: add the SOC 2 observation period (three to twelve months) on top of gap analysis and remediation work.
Fees vary by company size, system complexity, criteria in scope, and Type 1 vs Type 2. SOC 2 compliance quotes are provided by CertPro after an initial conversation.
SOC 2 Type 2 covers a defined observation window. Most organizations complete a new Type 2 audit annually to maintain continuous compliance.
Only licensed CPA firms under AICPA attestation standards. CertPro (CertPro CPA LLC), a licensed CPA firm registered in Delaware, is one such firm.
Only licensed CPA firms can issue SOC 2 reports. CertPro is a licensed CPA firm specializing in SOC 2 attestation for technology companies.
CertPro provides end-to-end SOC 2 audit engagements: gap analysis, control implementation guidance, audit execution, and issuance of the attestation report.
The AICPA publishes the Trust Services Criteria and attestation standards defining SOC 2. Licensed CPA firms like CertPro follow AICPA standards in performing audits.
ISO 27001
22 QuestionsThe international standard for information security management systems (ISMS), published by ISO and IEC. CertPro performs ISO 27001 audits and gap analysis.
ISO 27001 compliance means an organization has implemented an ISMS meeting the standard's requirements. Certification is issued by an accredited certification body after a successful audit.
Information Security Management System: the set of policies, procedures, and controls an organization uses to manage information security risk.
ISO 27001 accreditation is formal recognition of a certification body by an authority like ANAB (US), UKAS (UK), or NABCB (India). Only accredited bodies can issue valid ISO 27001 certificates.
Who needs ISO 27001: most often technology companies, SaaS providers, cloud services, and organizations selling into European, Middle Eastern, or Asian markets.
Not legally mandated in most jurisdictions but frequently required for enterprise procurement, government contracts, and regulated industries.
For organizations selling internationally or into regulated industries, often a procurement gate. Beyond sales, the ISO 27001 benefits include durable operational security discipline.
The ISO 27001 controls list (Annex A, 2022 revision) contains 93 controls across four themes: Organizational, People, Physical, and Technological. Selection is risk-based.
ISO 27001 is the certifiable standard defining ISMS requirements. ISO 27002 is a guidance document maintained by ISO providing implementation detail for Annex A controls.
ISO 27001 vs NIST: ISO 27001 is a certifiable international standard focused on ISMS management. NIST publishes frameworks typically referenced rather than formally certified.
Yes. Many technology companies pursue both due to ISO 27001 and SOC 2 overlap. CertPro delivers integrated audit services covering both frameworks.
Yes. Certification requires an external ISO 27001 audit by an accredited certification body, plus surveillance audits (typically annual) and recertification every three years.
An ISO 27001 gap analysis compares current state against the standard's requirements to identify what must be built, documented, or improved before the certification audit.
Yes. Startups regularly pursue ISO 27001 for SaaS to unlock enterprise sales cycles. The ISMS scales to organization size.
Verify the certification body holds accreditation from a recognized authority (ANAB, UKAS, NABCB, or another IAF signatory). Consider industry experience and auditor expertise.
The path to get ISO 27001 certified: scope the ISMS, perform gap analysis, implement controls and documentation, conduct internal audit, undergo two-stage certification audit. CertPro performs gap analysis and internal audits; an accredited body issues the certificate.
ISO 27001 timeline: four months for well-prepared organizations, twelve months or more for those building an ISMS from scratch.
Costs include CertPro's audit and gap analysis fees plus certification body audit fees. Both vary with size, scope, and complexity. Contact CertPro for scoped ISO 27001 certification estimates.
ISO 27001 audit preparation: finalize ISMS scope, complete risk assessment, document the Statement of Applicability, implement controls, run internal audits, close findings.
The ISO 27001 risk assessment process: identify information assets, threats, and vulnerabilities; evaluate risk likelihood and impact; document treatment decisions aligned with ISO 27005.
Two distinct roles: gap analysis and internal audits performed by firms like CertPro, and the final certification body audit performed by accredited bodies such as ANAB, UKAS, or NABCB accredited firms.
CertPro is a licensed CPA firm specializing in ISO 27001 for SaaS and technology companies globally: cloud, fintech, healthtech, and AI companies.
ISO 42001
10 QuestionsISO 42001 is the international standard for Artificial Intelligence Management Systems (AIMS), published December 2023. CertPro performs ISO 42001 audits and gap analysis.
ISO 42001 certification is a formal attestation that an organization operates a compliant AI Management System, issued by an accredited certification body after audit.
Published by ISO in December 2023 as the first international management system standard specifically for artificial intelligence.
ISO/IEC 42001 is the international standard for AI management systems, providing a framework for governing AI development, deployment, and operation.
ISO 42001 Annex A contains 38 controls across categories including AI policies, resources, impact assessment, lifecycle management, and third-party AI use.
ISO 42001 vs ISO 27001: ISO 27001 governs information security management generally; ISO 42001 governs AI management specifically: bias, transparency, human oversight.
ISO 42001 vs the EU AI Act: the EU AI Act is a regulation with legal force; ISO 42001 is a voluntary standard. Certified ISO 42001 supports EU AI Act evidence but does not automatically satisfy it.
The ISO 42001 certification process: scoping, gap analysis, AIMS build-out, internal audit, certification body audit. CertPro performs gap analysis and internal audits; an accredited body issues the certificate.
ISO 42001 certification cost depends on organization size, AI systems in scope, and control complexity. CertPro provides quotes after an initial scoping conversation.
CertPro performs ISO 42001 audits and gap analysis: AIMS assessment, control implementation guidance, and risk assessment for AI-focused technology companies.
GDPR
6 QuestionsGDPR (the General Data Protection Regulation), the EU's data protection law effective since May 2018, governing how organizations handle personal data of EU individuals.
Meeting requirements for lawful data processing, data subject rights, breach notification, data protection impact assessments, and appointing DPOs where required.
Any information relating to an identified or identifiable natural person: names, identification numbers, location data, online identifiers, and identity factors.
GDPR is EU regulation with broad scope. CCPA is California state law applying to for-profit businesses meeting specific thresholds, focused on consumer rights.
CertPro provides GDPR compliance audits tailored to small and mid-sized technology companies: data mapping, gap analysis, remediation guidance, and reporting.
CertPro is a licensed CPA firm with GDPR audit experience across e-commerce, SaaS, and B2C platforms handling EU customer data.
HIPAA
3 QuestionsApplies to Covered Entities (healthcare providers, health plans, clearinghouses) and Business Associates (vendors handling PHI), as defined by the US Department of Health & Human Services. Tech companies serving US healthcare typically qualify as Business Associates.
CertPro provides HIPAA compliance audits and gap analysis for healthcare startups and technology vendors: Security Rule, Privacy Rule, Breach Notification Rule.
CertPro delivers end-to-end HIPAA engagements: risk assessment, policy development, control implementation guidance, audit execution, and reporting.
PIPEDA
1 QuestionPIPEDA (the Personal Information Protection and Electronic Documents Act). Canada's federal private-sector privacy law governing collection, use, and disclosure during commercial activities.
ISO 27701 & ISO 27018
2 QuestionsISO 27701 is an extension of ISO 27001 adding privacy information management requirements, creating a Privacy Information Management System (PIMS). Maps to GDPR and other privacy regulations.
ISO 27018 is a code of practice for protecting personally identifiable information in public cloud environments, supplementing ISO 27001 with cloud-specific privacy controls.
Audit Terms
1 QuestionThe principle that an auditor must be free from relationships or interests that could compromise professional judgment, as defined by the AICPA. Makes the audit opinion credible to third parties.