Data Security Drives Growth: AktivoLabs and the Path to Compliance
About the Client
AktivoLabs is a company dedicated to empowering individuals with personalized insights into their health and well-being. Their innovative product helps users make informed choices about their lifestyle through objective measurement and data analysis. As AktivoLabs strives to be a leader in the digital wellness space, building trust and security around user data is paramount.
THE DRIVE FOR COMPLIANCE:
AktivoLabs recognized the importance of adhering to industry regulations and best practices for data protection. Their pursuit of compliance had two key drivers:
- Vendor Requirements: To work with certain partners and expand their market reach, AktivoLabs needed to demonstrate compliance with specific standards.
- Legal Requirements: Certain regulations, like HIPAA, mandate robust data security practices for organizations handling protected health information (PHI).
PARTNERING WITH CERTPRO FOR COMPLIANCE SUCCESS:
AktivoLabs engaged CertPro to conduct independent assessment and audit activities against applicable requirements. CertPro conducted audit and assessment engagements across the following frameworks:
- SOC 2 Type 1: An independent examination of controls relevant to the Trust Services Criteria at a point in time.
- HIPAA: HIPAA has no formal certification program, so compliance was evaluated through the documented safeguards and the assessments conducted by CertPro.
CERTPRO’S METHODOLOGY: A COLLABORATIVE APPROACH
CertPro’s engagements followed a structured, evidence-based approach aligned with applicable regulatory and audit requirements.
Phase 1: Scope Confirmation and Documentation Review
Auditors reviewed policies, procedures, plans, and supporting documentation relevant to in-scope systems and processes. The review focused on evaluating control design and documentation completeness against applicable requirements.
For HIPAA, safeguards were evaluated against the HIPAA Security Rule.
For SOC 2, controls were assessed against the Trust Services Criteria for the defined system scope.
Phase 2: Evidence Access and Evaluation
Auditors accessed the organization’s compliance automation platform and supporting repositories to review control evidence. This included policies, access records, system configurations, logs, and operational documentation.
Evidence was evaluated for consistency, completeness, and alignment with documented controls. Traceability between documented controls and operational execution was verified during this phase.
Phase 3: Control Testing and Assessment
Auditors conducted assessment procedures through inquiry, inspection, and observation.
For HIPAA, the assessment evaluated administrative, physical, and technical safeguards against applicable Security Rule requirements.
For SOC 2 Type 1, controls were examined as of a defined point in time to determine whether they were suitably designed to meet the applicable Trust Services Criteria.
Observations were documented based on control deviations, missing evidence, or inconsistencies identified during testing.
Phase 4: Reporting and Attestation
Assessment and audit reports were prepared summarizing scope, procedures performed, evidence evaluated, and conclusions.
The HIPAA engagement resulted in a formal assessment report based on the safeguards reviewed.
The SOC 2 Type 1 examination resulted in a report issued by a licensed CPA firm based on the procedures performed.
All conclusions were based solely on objective evidence obtained during the engagement.
AUDIT OUTCOMES:
The audit and assessment engagements resulted in documented evaluation of AktivoLabs’ controls against applicable requirements.
A HIPAA Security Rule assessment was completed, with findings documented based on administrative, physical, and technical safeguards.
A SOC 2 Type 1 examination was conducted, and a report was issued by a licensed CPA firm based on controls in place at a defined point in time.
The results reflect control design and implementation based on evidence evaluated during the engagements.