Our cybersecurity compliance expert
Some may not be aware, but your experience during an information security audit such as SOC 2, ISO 27001, PCI, HITRUST, and CMMC can be significantly influenced by the following:
Some standards make the rigor more consistent, but SOC2 and ISO 27001 give the auditor/certification body much more leeway. Not all auditors will require the same amount/type of evidence to conclude on a control/requirement being met.
-Auditor Sample Size Methodology:
Standards typically allow auditors to determine the sample size for testing controls based on their own internally developed methodology. This methodology could cause you to have to provide more samples from one firm to the another.
Your auditor may not understand your technology, especially when it comes to the cloud, and this could provide barriers for you when it comes to showing them that you are meeting a control/requirement using a modern tech stack or process.
-Auditor's Interpretation of the Standards
The standards are not straightforward. Some audit firm's will take a more conservative approach to the standards while others are more pragmatic about them. The more conservative approach could cause you some headache.
-Audit Firm's Quality Control Process:
The audit firm's quality control process is supposed to ensure the audit firm follows the standards for each audit they perform. The QC process can be slow and onerous, causing you to answer questions well after the audit was completed.
-Audit Firm Size
The larger firms tend to have much more red tape for you to follow than the newer, smaller firms. Yes, you will have the brand name tied to your report, but the red tape may not be worth the benefit.
This is why we all hear about such wildly inconsistent experiences when it comes to an information security audit.
My advice: Talk to someone you trust who underwent an audit with a firm you are evaluating and ask for specific examples of how they tested controls, how much evidence they had to provide, how long the audit took from fieldwork to report issuance, and what they didn't like about the firm's approach/methodology/people.