Every Framework.
One Audit Partner.

Type I is a point-in-time report — it says your controls were suitably designed as of a specific date. Type II covers an observation period (typically 6–12 months) and tests whether those controls actually operated effectively throughout. Enterprise customers almost always require Type II. Type I is useful as a milestone on the way to Type II, or when a customer specifically requests it for an initial vendor onboarding.

CertPro issues the report directly. We are a licensed CPA LLC enrolled in the AICPA Peer Review program, which means we can issue SOC 2 attestation reports under SSAE 18 — the same standard used by Deloitte, PwC, and KPMG. You do not need a separate CPA firm. Our reports are accepted by the same enterprise procurement teams that accept Big 4 reports.

Security (Common Criteria) is mandatory — all SOC 2 reports include it. Availability, Confidentiality, Processing Integrity, and Privacy are optional, chosen based on your service commitments and what your customers are asking for in security questionnaires. We review your customer agreements and security questionnaire responses during scoping to determine the right criteria — you don't have to guess.

Scope covers the systems, infrastructure, people, and third-party services that directly support delivery of your service commitments. Typically: your production application and database, cloud infrastructure (AWS, GCP, Azure), CI/CD pipeline, identity and access management, and key subservice organizations. We define scope precisely during the scoping phase — too broad wastes audit effort; too narrow creates gaps your customers will raise in questionnaires.

SOC 2 Type II reports cover a defined period — typically 12 months. Enterprise customers expect an annual report with no gap in coverage. You'll need a new Type II audit each year. Annual renewals are faster and less expensive than the initial audit because your controls, evidence collection, and audit processes are already established. CertPro offers annual renewal engagements on fixed-fee terms.

Your SOC 2 report typically replaces or shortens the security questionnaire process with customers. Many enterprise procurement teams accept a SOC 2 Type II report in lieu of a completed vendor questionnaire. For questionnaires that still require completion, your SOC 2 report provides pre-validated answers for the majority of security controls — significantly reducing the time your team spends on individual customer security reviews.

Legally voluntary in most jurisdictions — but contractually required by an increasing number of enterprise buyers, particularly in the EU, UK, Saudi Arabia, UAE, and APAC. It appears as a mandatory requirement in government procurement tenders, financial sector vendor due diligence frameworks, and large enterprise supplier policies. For companies doing business outside North America, it is functionally necessary to compete for enterprise contracts.

Our ISO 27001 gap analysis reviews your current controls, policies, and processes against all 93 Annex A controls in ISO 27001:2022 and the mandatory clauses (4–10). Each control is assessed as fully implemented, partially implemented, or not implemented. You receive a gap report with severity ratings, remediation effort estimates, responsible owner suggestions, and our 80% pre-built policy and procedure kit covering the most common gaps.

Three years. Annual surveillance audits in years one and two verify your ISMS continues to operate effectively. A full recertification audit is required in year three. Surveillance audits are significantly lighter than the initial certification — they focus on a subset of controls and any non-conformities from the previous cycle. CertPro handles all stages: initial certification, surveillance, and recertification.

ISO 42001:2023 is the first international standard for AI Management Systems — covering how AI is developed, deployed, and governed responsibly. It's most immediately relevant for companies selling AI-powered products to enterprise customers, regulated industries using AI in decision-making, and companies subject to the EU AI Act. Early certification is a genuine differentiator today; in 2–3 years it will likely become a contractual requirement in the same way ISO 27001 has.

ISO 27701 is a privacy extension to ISO 27001, adding a Privacy Information Management System (PIMS). It maps directly to GDPR obligations for both controllers and processors — data subject rights, consent management, cross-border transfer mechanisms, and accountability records. You need it when enterprise customers or EU data protection authorities require documented evidence of a structured privacy governance program.

Yes — and it's more efficient. Both standards share the majority of their control requirements around access management, incident response, asset management, risk assessment, and supplier security. We structure combined engagements so that gap analysis, remediation, and evidence collection serve both audits simultaneously. Clients typically save 35–50% of total effort compared to sequential separate engagements.

Yes. GDPR has explicit extraterritorial scope. It applies to any organization that processes personal data of EU residents — regardless of where the organization is headquartered or where servers are located. If you have EU customers, users, employees, or even website analytics from EU visitors, GDPR obligations apply. Maximum penalties are €20 million or 4% of global annual turnover.

There is no government-issued HIPAA certification — the HHS does not issue certificates. What exists is a HIPAA compliance assessment: an independent audit of your administrative safeguards, physical safeguards, and technical safeguards. CertPro issues a formal assessment report documenting your control environment — this is what healthcare organizations require before signing a Business Associate Agreement with you.

A Business Associate Agreement (BAA) is a contract required by HIPAA between a covered entity and any vendor that creates, receives, maintains, or transmits Protected Health Information on their behalf. If you provide SaaS, cloud storage, analytics, IT services, or any other service where you could potentially access PHI, you are a business associate and must sign BAAs.

A Data Protection Impact Assessment (DPIA) is required under GDPR Article 35 when processing is "likely to result in a high risk" to individuals' rights and freedoms. Mandatory scenarios include: large-scale processing of special category data, systematic profiling, monitoring of publicly accessible areas, and use of new technologies. DPIAs must be completed before the processing begins.

Yes — CCPA applies based on whose data you process, not where you're located. It applies to for-profit businesses that: have annual gross revenues over $25M, process the personal data of 100,000+ California consumers or households annually, or derive 50%+ of revenue from selling consumers' personal data. Fines are $2,500 per unintentional violation and $7,500 per intentional violation.

Yes. GDPR and CCPA share significant overlap in data inventory requirements, privacy notice obligations, data subject/consumer rights, and breach notification. We conduct combined privacy assessments that address both simultaneously. Findings are mapped to each regulation's specific requirements. If you're also pursuing ISO 27701, we align the assessment to that standard at the same time — one assessment covering three frameworks.

Four phases with fixed deliverables at each stage. (1) Scoping: we review your systems, define the audit boundary, assign a dedicated CPA and lead auditor, and issue a written project plan with milestone dates. (2) Gap Analysis: control-by-control review against your target standard. (3) Remediation: we provide pre-built policy templates, review your implementations, and confirm readiness before the formal audit. (4) Formal Audit: evidence collection, testing, and issuance of your attestation report or certificate.

Fixed-fee, project-based pricing — not hourly billing. Your fee is set before the engagement starts and does not change unless scope changes. We provide a detailed written quote after the scoping call based on framework, audit scope, organization size, and complexity. No surprise invoices. Most clients find our pricing 40–60% below comparable Big 4 or regional CPA firm engagements, with no difference in report format, credibility, or AICPA/IAF compliance.

4-hour response guaranteed during business hours. Our team operates across Newark, DE (USA) and Bangalore, India, giving near-round-the-clock coverage across US and European time zones. Every client gets a named CPA, a named lead auditor, and a dedicated communication channel.

Because we run a thorough gap analysis and remediation phase before the formal audit, the large majority of our clients pass on the first attempt — with 80%+ of gaps closed before audit day. In cases where non-conformities are identified during the audit, we work through the corrective action process with you at no additional advisory cost.

Annual surveillance audits, recertification engagements, scope expansion for new products or geographies, and advisory when standards are revised. We also assist with security questionnaire responses that reference your certification scope. Ongoing support is available on a retainer or per-engagement basis.