Multi-Standard Audit, Compliance, and AI Governance Alignment – SOC 2, ISO/IEC 27001, ISO/IEC 42001

About Client

UMU LLC is an AI-powered performance learning platform used by global enterprises to improve workforce productivity, sales outcomes, and leadership capability. The platform combines cloud infrastructure, analytics, and artificial intelligence to deliver personalized learning paths and performance insights.

UMU’s operating model depends on continuous processing of enterprise, employee, and performance data. In parallel, the platform relies on AI-driven systems that influence learning recommendations and insights and support decision-making. As customer adoption grew, these factors increased the need for scrutiny around information security, auditability, and responsible use of AI.

With an expanding enterprise customer base, trust became an unavoidable condition for UMU: independent audits, formal governance, and provable controls became key requirements for the business.

THE BUSINESS NEED FOR COMPLIANCE

As UMU grew its business, customers and procurement teams started to ask for formal assurance about security, availability, privacy, confidentiality, and data management processes. At the same time, emerging expectations around AI governance required UMU to exhibit control and structure across the AI model lifecycle, risk assessment, and accountability.

The compliance initiative was driven by the following business objectives:

  • Provide independent audit assurance over relevant trust service criteria.
  • Establish a formal and scalable Information Security Management System (ISMS).
  • Introduce structured governance for AI systems and AI-related risks.
  • Meet enterprise customer expectations for recognized audit and compliance frameworks.

To meet these goals, UMU initiated a coordinated compliance and assurance program covering SOC 2, ISO/IEC 27001, and ISO/IEC 42001. Additional assessments and regulatory requirements included ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018, GDPR, and HIPAA.

The intent was to create a single and provable control environment that could withstand independent audits across multiple standards.

MAIN CHALLENGES FACED IN THE MULTI-STANDARD COMPLIANCE PROCESS

UMU faced a familiar but complex problem: multiple frameworks, each with its own audit lens, applied to a single operating environment.

The following were the main challenges faced during the process:

  • To align control evidence across SOC 2, ISO/IEC 27001, and ISO/IEC 42001 without duplication or contradiction.
  • To maintain coherence and uniformity between written policies and actual practices across cloud infrastructure, security operations, and AI workflows.
  • To define AI governance controls that addressed lifecycle management, risk ownership, and accountability in line with ISO/IEC 42001.
  • To consolidate audit evidence from different teams into a format suitable for independent audits and assessments.

Without a plan and structure, these challenges would have resulted in fragmented audits, repeated evidence requests, and inconsistent conclusions.

Therefore, UMU engaged CertPro to conduct audit and assessment activities across the applicable frameworks.

CERTPRO’S STANDARD AND QUALITY AUDIT APPROACH

CertPro approached the engagement from an audit perspective first. The audit engagements followed a structured, evidence-based approach aligned with applicable framework requirements.

Phase 1: Scope Definition and Audit Boundaries

The audit scope, system boundaries, and applicable control requirements were defined based on the systems and processes in scope for each framework.

This included:

  • Identifying the systems, services, and processes that fall under the scope of SOC 2 assurance.
  • Defining information assets, supporting functions, and governance boundaries under ISO/IEC 27001.
  • Documenting AI systems, data flows, and model lifecycle activities under ISO/IEC 42001.

Clear scoping reduced ambiguity early. It also prevented scope rework during audit preparation and assessments.

Phase 2: Evidence Management Through Automation

UMU leveraged a compliance automation platform to manage policies, controls, and evidence across standards. Auditors accessed the evidence repository used by the organization to review policies, controls, and supporting documentation.

Within the platform, the audit procedures included the following:

  • Reviewing and validating evidence submitted by different teams.
  • Mapping controls across SOC 2, ISO/IEC 27001, ISO/IEC 42001, and supporting assessments.
  • Evaluating whether shared evidence met the requirements of each applicable framework.

This approach reduced manual effort and improved traceability. More importantly, it created a single source of truth that auditors could follow for verifying evidence without confusion.

Phase 3: Control Mapping and Audit Validation

CertPro’s credentialed auditors reviewed controls and supporting documentation.

The review covered:

  • SOC 2 controls related to security, availability, confidentiality, privacy, and processing integrity.
  • ISMS governance, risk treatment processes, and Annex A controls under ISO/IEC 27001.
  • AI governance, risk management, oversight, and Annex A controls under ISO/IEC 42001.

Special attention was given to shared controls. Evidence reuse was permitted only where intent, operation, and outcomes were uniform across standards. This process reduced audit risk and avoided conflicting interpretations.

Phase 4: Gap Analysis and Remediation Direction

After control validation, CertPro performed a structured gap analysis across all applicable standards.

The outcome of this phase included:

  • Confirmation of effective controls and areas of strength.
  • Clear identification of gaps, inconsistencies, and audit exposure points.
  • Documentation of observations for identified gaps and control deviations against applicable requirements.

Observations reflected areas of nonconformity and control gaps based on evidence reviewed. The assessment focused on evaluating control design and operating effectiveness based on available evidence.

Phase 5: Audit and Assessment Reporting

Once gaps were addressed, CertPro compiled audit and assessment reports, consolidating findings across the applicable standards.

Certification decisions and issuance of certificates were performed by the accredited certification body, and assessment reports were issued based on the procedures performed. Audit and assessment reports documented scope, procedures performed, evidence evaluated, and conclusions.

This method helped UMU to treat compliance as an ongoing and continuous process.

SUCCESSFUL OUTCOMES DELIVERED TO THE CLIENT

The audit engagements resulted in the following outcomes. The combination of a compliance automation platform and structured audit methodology allowed UMU to manage multiple standards without operational overload.

Key outcomes included:

  • Audit readiness for SOC 2 assurance.
  • Evaluation of the Information Security Management System against ISO/IEC 27001 requirements.
  • Evaluation of AI governance controls against ISO/IEC 42001 requirements.
  • Centralized and consistent evidence aligned across frameworks.
  • Independent audit results provided evidence of control implementation against applicable requirements.
  • Demonstrated compliance through assessment reports and certifications for ISO/IEC 27701, ISO/IEC 27017, ISO/IEC 27018, GDPR, and HIPAA, along with a SOC 3 report.

The audit results reflect control implementation based on evidence evaluated during the engagement.

CLOSING THOUGHTS

For UMU LLC, compliance was about building a foundation that enterprise customers could trust.

CertPro conducted audit and assessment procedures across multiple frameworks based on a defined scope and applicable requirements. The engagement provided independent evaluation of controls across multiple frameworks based on evidence reviewed.

Summary of results for UMU:

  • Achieved SOC 2, ISO/IEC 27001, and ISO/IEC 42001 through a unified security and AI governance approach.
  • Strengthened enterprise trust and audit credibility with independent assurance across security and AI governance controls.
  • Established a scalable, audit-ready control framework aligned with daily security, cloud, and AI operations.
  • The collaboration improved AI risk visibility and governance maturity, and positioned UMU for enterprise growth and regulatory readiness.
