Why Static OT Systems Need Proactive Penetration Testing
Operational technology (OT) systems are designed for longevity and redundancy. They power defense manufacturing and critical infrastructure, sometimes running unchanged for decades. But while your OT systems stay the same, the cyber threats aimed at them are always evolving and becoming more sophisticated. This creates a dangerous contradiction: the systems you trust for their stability are facing modern threats they were never built to withstand.
Many manufacturers stick to the “if it isn’t broken, don’t fix it” mentality, avoiding upgrades because they disrupt production or risk valuable equipment. But as your production environment remains static, attackers continually innovate, searching out new vulnerabilities and weak spots. In fact, manufacturing was one of the most targeted sectors, with CrowdStrike reporting a staggering 300% surge in cyberattacks in 2025.
This post explores the growing vulnerability of static OT environments. We will break down why traditional airgaps fail, how threats move laterally through your network, and why combining CMMC compliance with proactive penetration testing is the ultimate defense strategy for manufacturers.
The hidden risk in industrial security
The gap between long equipment lifecycles and fast-changing cyber threats is a major risk in industrial security. When you buy industrial machinery, you expect it to last for decades. But cyber threats change every few days or weeks.
Many industrial environments run legacy, unpatched, or entirely unsupported systems. You cannot easily upgrade these machines without halting production lines or causing operational disruptions. Sometimes, the update path hits a brick wall because modern operating systems lack driver support for your legacy equipment.
Consequently, defense manufacturers find themselves trapped. You must keep production moving to meet strict contract deadlines, but you are relying on systems that cannot defend against modern nation-state adversaries. Attackers from China, Russia, and Iran actively target these unpatched vulnerabilities to halt production or steal controlled unclassified information (CUI).
Why the airgap myth is failing
Historically, manufacturers relied on the “airgap” to protect their factory floors. The theory was simple: if the OT network does not connect to the internet, hackers cannot reach it.
Unfortunately, these physical separations erode over time. Remote access tools, vendor maintenance connections, and IT/OT integrations slowly bridge the gap between your corporate network and your factory floor. A technician might plug in a USB drive to run a diagnostic, or a vendor might request remote access to troubleshoot a malfunctioning sensor. Every new connection creates unseen exposure that attackers actively scan for and exploit.
Once an attacker breaches the IT network through a phishing email or compromised credential, the threat of lateral movement becomes very real. Flat networks allow adversaries to jump from a standard corporate laptop straight into the production systems. Because legacy OT systems lack modern security controls, the attacker faces almost no resistance once they cross that boundary and can often remain undetected.
Why CMMC compliance demands penetration testing
Defense manufacturers already invest serious time and money into compliance frameworks like the Cybersecurity Maturity Model Certification (CMMC). CMMC provides a vital foundation. It defines exactly where your sensitive data lives, how your systems connect, and which controls keep your environment safe.
However, compliance alone does not guarantee security. CMMC certification shows your controls are in place, but it doesn’t guarantee they’ll hold up against real-world attacks. This is where penetration testing becomes essential. Think of it as a stress test for your entire operation. A penetration test cuts through the theory and validates whether the controls you just spent months certifying can actually stop a real-world adversary in their tracks. It reveals how an attacker might chain together small misconfigurations to access your most critical manufacturing equipment.
Bridging the gap: CMMC and penetration testing
Too often, defense manufacturers treat compliance and security as totally separate projects. They use different vendors, different timelines, and different scoping exercises. This results in duplicated effort, fragmented reporting, and remediation advice that ignores your compliance framework.
When your CMMC assessor and your penetration tester understand your business context, everything becomes more efficient. CMMC already does the heavy lifting of defining your system boundaries and control implementations. When you build your penetration test on that exact same foundation, the findings transition from theoretical vulnerabilities to operational reality.
For organizations pursuing CMMC Level 2, penetration testing serves as the most rigorous way to validate your certified controls. It gives your Affirming Official real, objective evidence to stand behind during annual attestations. For those pursuing CMMC Level 3, annual penetration testing is an explicit mandate.
Building a cohesive defense strategy
When you bring penetration testing and CMMC compliance together, you get a holistic approach to securing your OT environment. CMMC sets the standard for how sensitive systems and data must be managed, while penetration testing proves that your controls actually work against real threats.
This powerful combination ensures you are not just checking boxes for certification — you’re identifying and fixing the gaps before adversaries can exploit them. For defense manufacturers, integrating these two practices means stronger, more reliable protection for core operations, compliance-ready evidence for assessors, and confidence that both cyber and regulatory risks are being addressed proactively.
Secure your OT environment
Your OT systems may need to stay static, but your security strategy must remain dynamic. Relying on eroded airgaps and outdated operating systems leaves your production floor exposed to devastating supply chain disruptions and contract penalties.
Do not wait for an adversary to test your defenses. By combining CMMC compliance with targeted, manufacturing-specific penetration testing, you can secure your environment and protect your most critical assets.
Take control of your industrial security posture. Reach out to the A-LIGN team today to schedule a penetration test that maps directly to your CMMC controls, and give your organization the confidence it needs to withstand modern cyber threats.
What the EU AI Act Enforcement Delay Actually Means for Your Organization
The European Commission, Council, and Parliament have all signaled support for pushing the EU AI Act’s high-risk enforcement deadline to December 2027. For many organizations, that news has prompted a pause on compliance planning, but that response could become costly.
For many organizations, this extension feels like a break. In reality, treating this delay as permission to pause your compliance planning is a strategic error. The shift is not an extension for businesses. It is a warning about the complexities of the regulatory landscape.
Here is what organizations need to understand about the delay, what the current timeline looks like, and what steps to take now to stay ahead of enforcement.
Why the deadline was extended — and why it matters
The extension was not a concession to industry but rather an acknowledgment that the regulatory infrastructure is not yet ready. National competent authorities remain partially designated, and accredited bodies capable of conducting conformity assessments are still in short supply. The ecosystem required for companies to demonstrate compliance simply does not yet exist at scale.
However, the core obligations under the EU AI Act remain unchanged. The regulatory direction is consistent — the only difference is the extended timeline. Organizations that view this extra runway as justification to slow their compliance efforts are assuming substantial operational risk, which may become unmanageable as enforcement nears and assessor availability tightens by late 2026.
The technical file required under Article 11 is not a checklist you can complete at the last minute. It is a robust body of documentation, demonstrating your system’s design decisions, training data governance, and fundamental rights impact assessments. Organizations that begin this process now will accumulate credible evidence over time, while those who wait until mid-2027 will find themselves scrambling to assemble it under significant pressure.
Current EU AI Act timeline
The current timeline includes several key milestones:
- August 2, 2026: Current legal deadline for Annex III (high-risk) systems
- December 2, 2027: Proposed deadline backstop for standalone high-risk systems
- August 2, 2028: Proposed extended deadline for product-embedded systems
It is critical to note that the Digital Omnibus proposal has not been formally adopted. The Digital Omnibus is a broad legislative package proposed by the European Commission that aims to align various digital rules and officially adjust timelines for directives like the EU AI Act. Because these negotiations and trilogues between the Parliament and Council have not concluded, August 2, 2026, remains the legally binding deadline for Annex III systems today.
Any executive who treats the 2027 date as settled law is operating on legislative optimism rather than legal fact. The prudent posture is to plan as though the extended deadlines will hold, while aggressively preparing as if they might not.
What organizations should do now
The period between now and enforcement is your implementation runway. Organizations that invest this time in building robust governance infrastructure will be best equipped for 2027 — while those who delay and scramble to create documentation at the last minute will fall behind.
Build and maintain an AI system inventory
Begin with a comprehensive AI system inventory. Any organization operating in or serving European markets must have a documented and organized list of all AI systems in use.
You should map this inventory to the Act’s risk tiers and clearly define whether your organization is acting as a provider, deployer, or both. When a market surveillance authority requests details about your AI systems and their compliance obligations, you must have a documented, readily available answer. Delaying this foundational work only increases risk — no extension will compensate for a lack of visibility into your own technology.
Implement an ISO 42001 AI Management System
Implementing an ISO 42001 AI Management System (AIMS) is one of the most impactful steps your compliance team can take right now. By establishing this system early, you build reliable, auditable evidence over time, setting your organization up for lasting compliance success.
An AIMS that has been operating for two years or more before enforcement creates a much stronger foundation for compliance than one assembled last-minute. Its governance framework, risk management routines, and documentation practices closely align with the EU AI Act’s requirements, and the resulting audit trail becomes more robust as your organization matures.
Address your Article 11 technical documentation gaps
Conduct a thorough gap analysis of your current technical documentation to ensure alignment with Article 11 requirements. Under the EU AI Act, Article 11 mandates that providers of high-risk AI systems must draft and maintain comprehensive technical documentation before placing their systems on the market. This requirement ensures you clearly document how your system works, its architectural design, and your data training and testing methods to prove it complies with the law.
This assessment is especially critical for high-risk systems. Gather comprehensive system design documentation, maintain records on training data governance, and ensure accuracy and robustness testing artifacts are in place. Conduct fundamental rights impact assessments as part of your process. These critical documents result from mature governance practices that must be established well before any regulatory deadline.
Identify your conformity assessment pathway
Identify which of your high-risk systems require third-party conformity assessment and which can proceed via self-assessment. Make this determination early in your compliance process.
Start building relationships with accredited assessment bodies as soon as possible. The pool of qualified assessors is limited, and demand will surge as enforcement draws near. Engaging an assessor early helps ensure you won’t be left waiting when capacity constraints arise.
Common mistakes to avoid
Organizations preparing for EU AI Act compliance often encounter common pitfalls — steps that seem productive on the surface but actually introduce hidden risks and gaps.
Treating ISO 42001 as a substitute for EU AI Act conformity
ISO 42001 certification shows your organization has a strong AIMS in place. While it does not replace full EU AI Act conformity, establishing this framework early can position your organization well as you build toward complete compliance.
Certification alone does not result in a compliant technical file, fulfill the conformity assessment requirements under Article 43, or substitute for the system-specific risk management documentation required by Article 9. These elements are interconnected but represent distinct layers of your compliance architecture. Treating them as interchangeable can lead to critical gaps that become apparent during regulatory scrutiny.
Scoping your AI Management System too narrowly
It can be tempting to define your AIMS scope too narrowly in hopes of minimizing audit demands, but this approach is a significant governance misstep.
A scope statement that leaves out your highest-risk systems carries real consequences. When you exclude critical systems from your AIMS scope, those systems lose the benefits of governance protections, documented evidence, and ongoing improvement that the standard provides. Scope your AIMS thoughtfully and comprehensively, then commit to building the operational maturity needed to support and sustain that scope.
The business case for acting now
Beyond mitigating regulatory fines, investing in AI governance infrastructure now presents a strong commercial advantage.
Enterprise customers in regulated industries are already weighing AI governance maturity in their vendor selection processes. Achieving ISO 42001 certification sends a clear, credible signal to the market — demonstrating your organization’s commitment to AI risk management long before enforcement deadlines loom. This certification can set you apart from competitors, helping to build trust with customers and partners and positioning your business as a leader in responsible AI.
For organizations already running ISO 27001 or ISO 27701 management systems, expanding to include AI governance offers significant efficiencies. You can leverage existing audit cycles, documentation infrastructure, and risk management frameworks — meaning the additional effort and cost to implement ISO 42001 is far lower than building a separate system. Integrating your approach not only saves resources but also creates stronger, more effective governance across the business.
Getting started
The enforcement deadline is a trailing sign of regulatory progress, not an indicator of how prepared your organization should be. The organizations best positioned in December 2027 will be those that start building their compliance programs now — not those who wait until the last minute to act.
A-LIGN supports organizations at every stage of AI governance maturity — from conducting initial system inventories and ISO 42001 readiness assessments to achieving full certification and preparing for EU AI Act compliance. If you’re ready to turn compliance obligations into a competitive edge, connect with our team today.
Guide to Audit Harmonization
Compliance teams today face a burgeoning portfolio of assessments and frameworks to manage, leaving them strapped for time and unable to think strategically about their approach to compliance.
According to the 2026 Compliance Benchmark Report, one in four organizations cite managing multiple concurrent audits as their primary challenge. This challenge transcends industry, with 97% of organizations conducting two or more audits per year, while 72% of enterprises conduct four or more audits each year.
Cultivating a high-quality compliance program isn’t a one-time process; it’s an ongoing operation. Audit harmonization can help teams drive efficiencies and meet the high expectations that executives, customers, and other stakeholders have of final reports and the audit experience. This approach identifies commonalities between frameworks to reduce duplicative work and save your organization time and money in the process.
Read on to learn:
- The benefits of audit harmonization
- A guide to audit harmonization
- Real-world examples of audit harmonization
Download our Guide to Audit Harmonization to follow along.
What is audit harmonization?
Audit harmonization is a white-glove approach to simplifying the audit process that is designed for organizations conducting three or more audits per year. This process includes one-on-one time with professionals who can identify overlaps and streamline even the most complex compliance strategies.
Benefits of audit harmonization
The 2026 Compliance Benchmark Report found that 99% of organizations believe that consolidating audits could save them time, and they would be right.
A-LIGN’s audit harmonization process synchronizes efforts across frameworks to:
Align business and compliance objectives
We create a compliance strategy with a custom solution to your compliance hurdles that drives efficiency and business outcomes. We lead interim strategic workshops for continual improvement and evolution of your compliance program.
Simplify transition and consolidation
Our customized transition process ensures a seamless migration. We identify overlapping requirements, requests, and subject‑matter interviews.
Provide a seamless, white‑glove audit experience
A dedicated team with a central point of contact provides tailored guidance and consistent resourcing to build a deep understanding of your business.
Who can execute audit harmonization?
Audit harmonization can be achieved with an experienced, trusted audit partner that can educate your organization about what the process looks like, identify areas for improvement, and streamline the audit process.
Defining a successful audit harmonization process
There are three key elements to a successful audit harmonization engagement:
- People: The people you enlist to complete your audit harmonization process should be experienced professionals that have a track record of success. Beyond this, however, these people should work well with your organization. The communication style and frequency should align with your goals.
- Process: A well-defined process out of the gate will lead to stronger outcomes from your audit harmonization process. This element is strongly tied to the audit partner you choose to work with, so be sure to enlist the help of an experienced firm.
- Technology: Technology helps auditors work smarter to give you a high-quality final report in a quicker timeframe and with more assurance.
What do these look like in practice? There are five key steps to harmonizing audits through people, process and technology:
- Preparation
- Planning
- Fieldwork
- Report
- Post-audit touchpoint
Each of these steps is driven by people and technology to ensure you have a successful audit harmonization engagement.

How to get started with audit harmonization
Not sure how to get started? According to the Compliance Benchmark Report, 27% of organizations are in the same position. But choosing the right partner to educate and guide you through the process can ensure your organization is set up for success. Download our Guide to Audit Harmonization for more.
Taking the time to find the right partner to execute this process is essential. We recommend looking for the following qualities in a potential auditor:
- Breadth and depth of services: It’s important to pick a provider that can grow with you as your compliance strategy evolves. This will help your team achieve your goals sooner with less repeated effort.
- Tech-enabled: Although technology used to be the future of compliance, it’s now the standard. Choose a partner that is enabled by an in-house audit management platform or integrated with a GRC/readiness tool.
- Clear audit process: The right audit partner should be able to give you a clear timeline and scoping, streamline the process, and align with the communication frequency and style of your team.
SAS improves audit harmonization and efficiency with A-LIGN
SAS is a global leader in data and AI, delivering and operating mission‑critical software solutions for major industries across the globe. SAS aims to drive its Governance, Risk and Compliance (GRC) program through automation, technology, and rigorous metrics, ensuring they can meet new certification and assurance demands without sacrificing speed or quality.
To streamline its compliance efforts and enhance operational efficiency, SAS actively participates in A-LIGN’s audit harmonization program. This initiative helps SAS consolidate over 10 certifications and attestations into a unified, cohesive process.
The challenge
To maintain trust and security across such a vast operation, SAS relies on its GRC-A team (Governance, Risk, Compliance, and Audit) to manage a complex landscape of public sector and commercial compliance requirements.
While the program’s primary mandates include risk reduction and strict adherence to internal controls, an overarching goal of the GRC-A program is to drive operational efficiency in their processes.
As SAS expanded its certification and assurance engagements, the GRC-A team looked to increase its auditing intake and capabilities.
SAS required a focused, long-term strategy that examined compliance obligations across a multi-year horizon.
“There’s no way that we could do all of our assurance engagements if we did them contiguously. There’s just not enough time in the year – A-LIGN harmonized our audit efforts, greatly saving our team valuable time and resources.”
-Cathy Smith, Senior Director of GRC-A
Why A-LIGN
SAS selected A-LIGN as its audit provider based on a shared long-term strategic vision and a commitment to growing together as assurance needs evolved. From the beginning of the relationship, A-LIGN demonstrated an understanding that SAS’ audit and compliance requirements would expand over time and positioned itself as a strategic partner rather than a transactional service provider.
Rather than focusing solely on immediate audit needs, A-LIGN engaged SAS in forward-looking discussions about business growth, evolving risk profiles, and anticipated assurance demands over the coming years. This approach established a foundation of trust and alignment, enabling the relationship to mature as the scope, complexity, and volume of assurance engagements increased.
As SAS’s assurance program grew, audit harmonization developed as a strategic response to managing multiple frameworks more effectively. A-LIGN’s ability to consolidate and align compliance efforts through its audit harmonization program allowed SAS to increase efficiency, reduce redundancy, and maintain consistency across engagements. By providing an integrated, tailored compliance framework for organizations managing three or more standards, A-LIGN supported SAS in developing a more scalable, sustainable, and mature compliance program aligned with long-term business objectives.
Additionally, SAS found A-LIGN’s A-SCEND audit management platform would play an essential part in streamlining and managing complex, multi-month engagements.
The results
A-LIGN’s audit harmonization methodology helped SAS streamline multiple audits, including, but not limited to, SOC, ISO, FISMA, FedRAMP, and penetration testing engagements, by conducting them simultaneously. This approach maximized efficiency, transforming a traditionally year-long process into streamlined windows that reduced both time and cost, delivering significant gains for SAS’ GRC-A team.
Audit harmonization also improved collaboration between the GRC-A team and the internal IT organization. Instead of conducting multiple audits, the process was consolidated into single interviews or evidence pulls, minimizing disruptions and respecting the IT team’s time.
The A-SCEND platform further enhanced efficiency as it is designed to support organizations operating across multiple compliance frameworks by mapping evidence once and reusing it across audits (e.g., SOC 2, ISO 27001, FedRAMP). This significantly reduced duplicative requests and enabled a harmonized audit experience as assurance programs scale.
Additionally, A-SCEND’s AI capabilities helped SAS identify if existing evidence met new audit requirements or if prior evidence remained valid, reducing redundant work and increasing overall productivity.
As the global compliance landscape evolves, SAS is confident in its strategy, where meticulous planning, advanced technology, and strategic partnerships clear the path for sustainable growth.
Why A-LIGN
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs.
Our more than 400 global auditors have completed more than 36,00 audits and have more than 20 years of experience providing the best quality audit experience and final reports, exemplified through A-LIGN’s 96% customer satisfaction rating.
A-LIGN’s white-glove audit harmonization process ensures that your organization can get back to work instead of completing duplicative work. Our industry-leading audit management software, A-SCEND, powers our best-in-class audit experience.
With A-LIGN, you can achieve your compliance goals with confidence and earn a report that your buyers can trust, with support from technology that streamlines the process. Ready to learn more? Contact us today.
FedRAMP 20x: What It Is, How It Differs from Rev. 5, and Where It Stands Today
Traditional FedRAMP pathways have long been criticized for being slow, manual, and documentation-heavy. Even if you had the time, money, and effort to go through the authorization process, the larger question always loomed: “Can I find a Federal Agency ‘Sponsor’ to partner with me through the Authority to Operate (ATO) process?”
Enter FedRAMP 20x — a new assessment and authorization path being developed in collaboration with industry and government. Its main goal? Rapidly increase the size of the FedRAMP Marketplace for agencies to be able to use the best Cloud Service Offerings (CSOs) commercially available, while maintaining protection over unclassified information.
In this post, we’ll explain what FedRAMP 20x is, how it differs from the existing Rev. 5 model, and where the program stands today — including the official phase structure and timelines.
What Is FedRAMP 20x?
FedRAMP 20x is an initiative by the GSA to build new FedRAMP authorization paths, streamline processes through automation, and encourage government-wide adoption of commercial cloud services. Instead of the traditional document-centric process, 20x leans into machine-readable evidence and automation, which has shown significantly shorter time to authorization in the pilot compared to legacy pathways.
Not only does it reimagine the documentation process, but it flips the entire security review process on its head. Instead of reviewing via the control-by-control narrative approach, it has developed “Key Security Indicators” (KSIs), which are a set of security capabilities that focus on measurable outcomes instead of prescriptive processes.
It’s important to note that the 20x program is currently being developed, as it’s going through its pilot phases with the goal of becoming publicly available Q3 of 2026.
How the legacy FedRAMP pathway operates
The traditional FedRAMP authorization model is rooted in National Institute of Standards and Technology SP 800-53 Rev. 5 controls and emphasizes thorough documentation, manual review, and compliance reporting.
Key characteristics of the Rev. 5 pathway include:
- Extensive System Security Plan (SSP) documentation
- Manual narrative evidence review
- Agency partner or “sponsorship”
- Iterative PMO review cycles
These aspects build high assurance but often at the expense of speed and cost.
FedRAMP 20x vs Rev. 5: Key differences
FedRAMP 20x is not a “shortcut” — it’s a different pathway that prioritizes automation over narrative descriptions and manual reviewer interpretation. Here’s a quick look at how the legacy process works compared to 20x:
FedRAMP 20x phases and status
FedRAMP 20x is being delivered in phases, each with specific goals and pilots. Official documentation notes that timelines are estimated and subject to change based on real-world feedback.
Phase 1 – FedRAMP 20x Low pilot (completed)
Tested the first version of the 20x approach with Low impact authorizations, introducing machine-readable evidence and alternative validation methods.
A-LIGN participated as a 3PAO assessor of 20x Low systems as well as getting their own audit management software, A-SCEND, 20x Low Authorized.
Phase 2 – FedRAMP 20x Moderate pilot (active / current)
Participation was limited and not open to the general public; 13 selected CSPs from the Phase 1 20x Low pilot are working with FedRAMP and assessors to test the approach. That approach focuses on Moderate impact systems using automation and Key Security Indicators (KSIs).
The goals of Phase 2 are to:
- Test how CSPs can effectively meet automated validation requirements for initial and ongoing FedRAMP Authorization
- Test how these automated capabilities can be effectively assessed by third parties
- Understand how providers and assessors can work together to deliver innovative evidence of the ongoing security decisions within a cloud service
This is active and estimated to operate through Q2 of 2026.
What’s next (estimated goals)
While the published timeline from FedRAMP outlines estimated goals, they’ve also introduced a new naming convention for certification classes. The terms “Low,” “Moderate,” and “High” are being replaced with the following:
- Class A: Replaces FedRAMP Ready
- Class B: Replaces Low
- Class C: Replaces Moderate
- Class D: Replaces High
Additionally, there will now be a single certification name called FedRAMP Certified, as the “FedRAMP Validated” naming convention has been dropped.
Here’s what will come next after the current Phase 2 pilot ends:
Phase 3 – Wide-scale adoption of Class B and Class C
This is the phase in which Class B and Class C authorizations will become publicly available. Before that can happen, FedRAMP will formalize all Class B and Class C requirements based on the outcomes of Phase 1 and Phase 2.
This is estimated to happen in Q3-Q4 of 2026.
Phase 4 – Class D pilot
While the Class B and Class C authorizations continue, the pilot program for Class D authorizations will begin. This is targeted at hyperscale IaaS and PaaS providers, according to FedRAMP.
Note: During this phase, all Rev. 5 Authorized providers will be required to transition to machine-readable authorization data for both initial and continuing authorization.
This is estimated to happen in Q1-Q2 of 2027.
Phase 5 – End of life for new Rev. 5 authorizations
FedRAMP will stop accepting new Rev. 5-based agency authorizations at the end of this phase. FedRAMP will also provide a clear path and timeline for ensuring all legacy Rev. 5 Authorized CSOs can transition to a 20x-based authorization. The deadlines for transitioning are not defined but are stated as “likely to include multi-year deadlines.”
This phase is estimated to happen in Q3-Q4 of 2027.
Note: FedRAMP emphasizes that these timelines are goals and may shift as the program learns from pilot feedback.
What this means for cloud providers
Early planners: Understand that 20x is not fully baked, but the direction is clear and will be publicly available soon. Automation and machine-readable evidence are becoming central, even if you are planning for a Rev. 5 Authorization.
Mid-Rev. 5 authorizing CSPs: Don’t assume you can pivot lanes mid-process without analysis, but be sure to build awareness of 20x and how it may impact future offerings.
Already authorized providers: Monitor how reauthorization and continuous monitoring under 20x pilots evolve. Plan for a transition to machine-readable authorization data.
Across the board, treating 20x as “something to keep an eye on” is no longer sufficient — it should be part of your compliance roadmap for 2026 and beyond.
Strategic takeaway
FedRAMP 20x represents a generational shift in federal cloud authorization — one rooted in automation, standardization, and scalable evidence models. It’s still in pilot, but its goals are ambitious:
- Lower administrative friction
- Support faster adoption of secure cloud tech
- Enable more providers to participate in the federal market
Planning now will save a tactical scramble later.
What CISOs Actually Look for in Audit Reports
Rick Orloff, a Fortune 1000 CISO and Strategic Advisor at A-LIGN, leverages over 20 years of experience at companies like Apple and eBay to guide enterprise security and audit strategies.
If you’ve ever spent weeks preparing a SOC 2 or ISO audit report only to wonder whether anyone actually reads it — the answer is yes. But probably not in the way you think.
Experienced security leaders have a very deliberate, efficient approach to reviewing these reports. They’re not reading every word. They’re pattern-matching for risk. Here’s what that actually looks like.
Step 1: Scope — before anything else
The very first thing an experienced CISO looks at is the scope. Why? Because a clean report means nothing if it doesn’t cover the services and systems that actually matter to the business relationship. A vendor can produce a beautifully audited report that excludes the exact infrastructure handling the most sensitive data — and that gap must be identified.
The key question being asked is: Does this audit actually cover what the organization is exposed to?
A common red flag: sensitive data, like Personally Identifiable Information (PII) or HIPAA-covered information, being processed by a system, while critical components like identity and access management are left out of scope. That’s not necessarily a dealbreaker, but it demands an explanation. What’s the reason for the exclusion? What’s the residual risk?
Scope gaps don’t have to kill a deal. But they do have to be understood.
Step 2: Findings — context is everything
Here’s something that surprises a lot of vendors: findings don’t automatically spell trouble. Experienced security leaders evaluate findings with a sense of what is reasonable.
For example, a large company with 15 years of infrastructure history is going to have technical debt that includes end-of-life operating systems, legacy configurations, and so on. A finding around that isn’t shocking. What matters is whether the auditor has flagged it repeatedly, and more importantly, what the vendor does about it.
The finding itself is almost secondary. The management response is where the real signal lives. A good management response:
- Acknowledges the finding clearly
- Doesn’t read like it was trying to minimize liability
- Outlines specific, actionable mitigating controls or a remediation plan
If management’s response is reasonable and the plan is credible, many reviewers will stop right there, and the report passes.
Step 3: The management response — where deals are won or lost
The management response is often the deciding factor in whether a report builds trust or raises concerns. Consider two scenarios for the same finding — say, insufficient log retention for sensitive data:
Scenario A:
“We didn’t have the logs for 45 days. Here’s our plan to address it.”
This response demonstrates accountability and a clear path forward.
Scenario B:
“Log retention isn’t something we prioritize.”
This response doesn’t just raise a technical concern — it signals a cultural one. It tells the reviewer that the organization either doesn’t understand the risk or doesn’t care about it.
When it goes sideways: How CISOs decide to walk away
What happens when a vendor pushes back on a serious concern? The decision to escalate or walk away often comes down to two factors: who gave the problematic response, and how unique the vendor is.
If the dismissive answer came from the CISO themselves — someone who should know better — most experienced security leaders will end the conversation. There’s no escalation path when the top of the security organization has already signed off on a flawed position.
But if the response came from a senior manager or director, and the vendor offers something genuinely differentiated, it may be worth escalating to higher-level leadership. This allows for a clearer understanding of whether the organization’s security leadership supports the position or is open to course-correcting.
The key test: does the senior leader double down, or do they acknowledge the concern and commit to action? One answer keeps the conversation alive. The other ends it.
The takeaway for vendors
If you’re preparing for an audit or getting ready to share a report with a prospective partner or customer, here’s what actually moves the needle:
- Be deliberate about scope. If something is out of scope, know why — and be ready to explain it clearly.
- Don’t fear findings — own them. They’re expected, especially in mature organizations.
- Invest in your management response. This is your opportunity to demonstrate maturity, accountability, and a credible path forward. A thoughtful response can neutralize almost any finding. A dismissive one can end the relationship entirely.
- Culture shows. How your team talks about risk, findings, and remediation tells reviewers everything they need to know about whether your security program is real or performative.
The auditors have already done their job. When a CISO picks up that report, the question they’re really asking is: Do these people take security seriously? Make sure your report and your responses answer that clearly.
A SOC 2 report is a third-party validation that attests to an organization’s ability to protect data and information. It’s widely accepted across industries and provides a singular asset that can be used in the due diligence process with multiple prospects and customers — replacing the need to undergo a custom cybersecurity audit with each new customer.
To obtain a SOC 2 report, a company must submit to an audit whereby assessors evaluate the internal controls used to secure information, along with the systems, technology, and staff roles within the organization. Although some organizations claim they can complete the SOC 2 audit process in as little as two weeks, experienced CPAs consistently note that this timeframe is unrealistic for a thorough, high‑quality assessment. A SOC 2 audit involves multiple phases, each requiring coordination, documentation, and testing that varies based on organizational size and complexity.
In this blog, we’ll review each step of the SOC 2 audit process and explain how long each aspect of the audit process takes. This piece is meant to serve as a general guideline, as audit timelines can vary significantly based on the size of a company and the complexity of its environment and services.
Readiness phase: Find the right partner and define scope
Estimated timeline: varies (often several weeks)
The readiness phase of a SOC 2 audit focuses on selecting an audit partner, defining scope, identifying potential gaps, and ensuring controls are appropriately designed before formal testing begins. It’s important to note that SOC 2 attestation standards are set by the AICPA, and reports can only be issued by an external auditor from a licensed CPA firm — like A-LIGN. Once you engage with a partner, there will be some preliminary discussions to define the scope of the project and sign a contract.
If this is your first time pursuing a SOC 2 report, many organizations complete a SOC 2 readiness assessment during this phase to identify control gaps before the formal audit begins. Addressing deficiencies early can help reduce delays later in the audit lifecycle.
Once you’re ready to officially proceed, contracts will be signed and the official engagement will begin. At that point you will be introduced to your SOC audit team. At A-LIGN, SOC 2 audit teams typically consist of a senior manager, manager, and auditor.
Senior managers and managers act as primary points of contact during preliminary discussions. Auditors take over as the point person when it’s time for walkthroughs, testing, and evidence review. All three of these roles work together throughout the entire audit to ensure you are supported and informed every step of the way. By leveraging the A-SCEND audit management platform, clients are able to have direct access to the audit team to flag, ask questions, and submit evidence. The tool will help companies stay organized throughout the audit process and have a clear understanding of what is required.
Evidence collection: Information requests and documentation
Estimated timeline: 2–3 business days to issue requests; ongoing throughout testing
During the evidence collection phase, auditors issue an information request list (IRL) that outlines the documentation and artifacts required to support each control. The IRL serves as a structured guide for organizations to submit policies, system configurations, logs, screenshots, and other supporting evidence. This phase often runs in parallel with auditor walkthroughs and testing, and may include follow‑up requests if additional clarification or documentation is needed.
Timelines during evidence collection can vary depending on the organization’s readiness, the availability of internal control owners, and how quickly documentation can be gathered and submitted. Many experts recommend using audit management software to help reduce time and make the process more efficient. At A-LIGN, we use A-SCEND to streamline the process in one easy-to-use dashboard, facilitate real-time collaboration between auditors and clients, and utilize existing audit evidence for multiple frameworks.
Through A-SCEND, once the evidence is collected it is transformed into readable reports that are automatically mapped to the corresponding evidence requests from the IRL. This process reduces the amount of effort, time and resources required for providing evidence.
Audit window: Walkthroughs and control testing
Estimated timeline: 2-6 weeks
The audit window is the period when auditors perform walkthroughs, interview control owners, and test controls against the SOC 2 Trust Services Criteria. During this phase, auditors validate submitted evidence, assess whether controls are designed appropriately, and confirm operating effectiveness where applicable. The goal of this phase is to gain an in-depth understanding of your organization’s controls, processes, and procedures related to people and technology. The length of the audit window can vary depending on audit scope, organizational readiness, and the availability of internal stakeholders to support walkthroughs and follow‑up questions.
SOC 2 report issuance
Estimated timeline: 3 weeks
The final stage of the SOC 2 timeline is report issuance, when testing concludes and the auditor delivers the finalized SOC 2 report. A SOC 2 report comes in two parts:
- Draft: You’ll receive a draft report within three weeks of completing the fieldwork, sometimes earlier depending on deadlines and the complexity of the scope. During this draft report phase, you’ll have the opportunity to review the assertion, opinion, system description, and testing of the controls. If necessary, you can provide feedback or ask questions of the audit team. Once the draft report is approved internally, you’ll sign a management representation letter and notify your SOC 2 team that they can proceed with the final report.
- Final report: One to two weeks after the draft has been approved, you’ll receive a final report with any updates or clarifications requested in the draft phase.
Common SOC 2 audit delays
Common factors (and causes) that can extend a SOC 2 timeline include:
- Incomplete readiness – Controls or policies are not fully implemented before testing begins
- Delayed evidence submission – Internal teams are slow to respond to information requests
- Scope changes mid‑audit – Adding systems or Trust Services Criteria increases testing requirements
- Control exceptions – Identified gaps require remediation and re‑testing before report issuance
Proactive preparation, clear internal ownership, and early scoping decisions can help reduce these delays and keep the audit moving efficiently.
Partner with A-LIGN to begin your SOC 2 audit
A-LIGN is the #1 issuer of SOC 2 audits in the world. We have completed over 17,500 SOC 2 assessments and can confidently say that a proper SOC 2 audit takes at least eight weeks to complete. In planning for your SOC 2, beware of the “14-day audit” promise; this is likely referring only to the audit readiness timeline. At A-LIGN we provide the tools and expertise to help you during every step of the SOC 2 audit journey.
Ready to pursue a SOC 2 audit for your business? Speak to an expert at A-LIGN to get started.
10 Behaviors That Undermine CMMC Assessment Quality
One of the loudest themes we hear from Organizations Seeking Certification (OSCs) is not about the difficulty of CMMC. It is about the inconsistency in assessment quality. A high‑quality assessor brings clarity, confidence, and a defensible outcome. A low‑quality assessor introduces confusion, rework, and risk that lingers long after the final report. The difference between a good and a poor assessment is not toughness; it is preparation, precision, and integrity.
Key behaviors that compromise quality
The behaviors below are not minor irritations. They are signals of deeper quality issues that can derail readiness, waste time, and erode trust.
1. Ignoring the evidence and searching for what is not there
Quality begins with evaluating the implementation as presented. When assessors overlook valid artifacts and chase hypothetical gaps, objectivity slips and scope drifts. The result is frustration for the client and findings that do not hold up. Skilled assessors focus on what the requirement actually asks for and how the OSC meets it.
2. Injecting personal preferences into determination statements
Determination statements are not a platform for opinion. When preferences creep in, outcomes become uneven and difficult to defend. Consistency requires alignment to the model and to the requirement language. Quality assessors leave personal bias at the door and let the evidence lead.
3. Making findings without clear, verifiable evidence
A finding must rest on facts that can be demonstrated and reproduced. Unsupported assertions create churn, delay remediation, and damage credibility. Strong assessors tie every conclusion to specific, relevant evidence. Precision protects both the OSC and the integrity of the assessment.
4. Reviewing artifacts for the first time during the assessment
Preparation is not a courtesy — it is the work. Opening policies or screenshots for the first time on a live call signals a lack of respect for the client’s time. It also raises doubt about the quality of the outcome. Prepared assessors arrive informed, organized, and ready to engage.
5. Requesting items that were already provided
Lost evidence and repeated requests are not signs of rigor. They are signs of disorganization that cause unnecessary rework across teams. Clean evidence management creates momentum and reduces risk. Quality assessors track submissions carefully and verify before asking again.
6. Asking questions that do not map to a requirement
Curiosity is valuable; misalignment is costly. Questions that do not trace to a control create noise and invite scope creep. Clear mapping keeps the process fair, focused, and efficient. High‑quality assessors anchor every inquiry to the model and to the intended outcome.
7. Confusing aggressiveness with thoroughness
Thorough does not mean adversarial. Aggressive posturing wastes energy and erodes collaboration. Quality shows up as calm, consistent, and exacting. The best assessors are firm, fair, and always professional.
8. Operating without the technical depth the work demands
CMMC requires practical understanding of systems, networks, and operational realities. Without technical fluency, determinations wobble and remediation guidance misses the mark. Strong assessors invest in ongoing learning and field experience. Expertise is the foundation of consistency.
9. Treating the assessment as a position of power
Authority is not the point; accountability is. When ego enters the room, trust exits. The assessment should feel collaborative, structured, and transparent. Quality assessors earn influence through clarity and respect.
10. Losing sight of the mission: Quality and consistency
CMMC exists to protect the Defense Industrial Base and the mission it serves. When that purpose fades, the process becomes a checkbox exercise. The goal is a result that is accurate, repeatable, and defensible. Quality assessors never forget why the work matters.
Bonus: Focusing only on the micro and missing the security reality of the macro
CMMC assessments happen inside a much larger security framework. When assessors zoom in too tightly on a single implementation detail, they risk missing the full context of how controls work together to manage risk. A perceived gap at the micro level is often mitigated by hardened images, strict access controls, approved software baselines, or layered defenses that form a compliant and secure environment. Quality assessors step back far enough to understand how the technical, administrative, and operational controls reinforce one another. They evaluate the whole picture, not isolated pixels when validating determination statements.
Why this matters now
Across our conversations with OSCs and the insights reflected in A‑LIGN’s 2026 Compliance Benchmark Report, one theme stands out. Assessor consistency is a top factor in mission readiness, team confidence, and the overall cost of compliance. Quality is not softness — it is structure, evidence, and alignment to the model.
What good looks like
A high-quality CMMC assessment starts with preparation before the first call. Every question is clearly mapped to a requirement. Evidence is carefully tracked and verified. Determinations are grounded in facts and written for defensibility. A firm, fair, and mission-focused posture ensures trust is built and results stand up to scrutiny.
Would you like to learn more about our approach to CMMC assessments? Get in touch today.
What is SOC 2? Definition, Requirements, and How the Audit Works
A System and Organization Controls (SOC) 2 report is an independent attestation that evaluates the effectiveness of a company’s controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 has become the baseline of doing business in the United States, especially for organizations that process, store, or transmit data for their clients or partners.
What does that mean for your business, and how should you prepare? In this post, we cover everything you need to know about SOC 2.
What is SOC 2?
A SOC 2 audit is the industry standard for service organizations — especially SaaS companies, data centers, and managed service providers (MSPs) — that need to prove they are protecting customer and partner data. A SOC 2 audit examines your organization’s security posture based on the requirements within the SOC 2 framework, known as the Trust Services Criteria (TSC). Providing an independent, reliable source of assurance, a SOC 2 report is often considered a cost of doing business because it establishes trust, drives revenue, and unlocks new opportunities.
Why is SOC 2 compliance important?
A SOC 2 report is the best way to demonstrate to your customers and partners that your organization will protect their data. SOC 2 helps instill trust among clients who rely on these service providers for critical business operations while also promoting an ongoing culture of compliance within the organization itself. This framework is a baseline expectation for a strong security program and competitiveness in the market.
Oftentimes, a SOC 2 report is an acceptable alternative to the time-consuming, 500-question security survey.
What are the key benefits of SOC 2 compliance?
SOC 2 positions your business for growth. By meeting this industry standard, organizations can confidently expand into new markets, secure larger deals, and build a foundation for long-term success.
Organizations who complete a SOC 2 assessment will benefit from the following:
- Accelerate sales cycles
- Unlock larger deals
- Build customer trust
- Mitigate security risks
- Strengthen brand and market position
Learn more about the advantages of SOC 2 compliance in our blog, How SOC 2 Powers Business Expansion.
How can a SOC 2 report help small businesses scale?
Startups or small businesses will need a SOC 2 report to go upmarket and close large deals. Below are some benefits you will notice after earning a SOC 2 report:
- Development of strong policies and procedures
- Increased credibility with investors and partners
- A strong competitive advantage
- Saved time, money and resources on a potential data breach
Who uses a SOC 2?
While SOC 2 applies to almost any organization, it’s particularly important to data centers, software-as-a-service (SaaS) companies, and managed service providers (MSPs). Service organizations that process, store, or transmit data for their clients or partners will benefit from a SOC 2 report.
Who can perform a SOC audit?
Only licensed CPA firms, performing the engagement under AICPA attestation standards, can complete a SOC 2 audit and issue the report. We recommend choosing a partner that has its own audit management platform that can drive efficiencies during your audit cycle, helping your team work smarter, not harder.
What is the AICPA and why does it matter in SOC 2?
The AICPA is the governing body of the SOC framework and established the TSC. When you complete the SOC 2 attestation and receive your final report, your organization can download and display the logo issued by the AICPA.
What are the SOC 2 Trust Service Criteria?
SOC 2 assesses your security posture using the Trust Services Criteria (TSC). Each criterion focuses on a different area of data protection, allowing organizations to tailor the audit scope to their business model, customer needs, and compliance goals:
- Security: Composed of 9 control families (the common criteria) ranging from organization and management to risk assessment, logical security, and change management. This criterion is required in every SOC 2 report.
- Availability: Addresses controls related to the availability and redundancy of services needed to meet client SLAs. The Availability criterion is a great add-on for most organizations.
- Processing integrity: Addresses controls related to accurate processing of customer data without corruption or unauthorized alteration. Processing Integrity is largely specific to an organization’s services and is not applicable to every organization.
- Confidentiality: Addresses controls related to the protection of data deemed confidential between an organization and its client. This extends to any data deemed confidential. The Confidentiality criterion is a great add-on for most organizations.
- Privacy: Addresses controls related to the protection of Personally Identifiable Information (PII), meaning anything that can be tied to an individual. Privacy is large and cumbersome, and only applicable to organizations that store, process, or transmit PII.
What are the top policies and procedures needed for a SOC 2 audit?
To start preparing for your SOC 2 examination, begin with the 12 policies listed below as they are the most important to establish when undergoing your audit and will make the biggest impact on your security posture.
- Information Security Policy
- Access Control Policy
- Password Policy
- Change Management Policy
- Risk Assessment and Mitigation Policy
- Incident Response Policy
- Logging and Monitoring Policy
- Vendor Management Policy
- Data Classification Policy
- Acceptable Use Policy
- Information, Software and System Policy
- Business Continuity and Disaster Recovery Policy
What are SOC 2 controls?
SOC 2 controls are a collection of policies, procedures, and directives dictating the operation of an organization’s systems, ensuring the security, availability, processing integrity, confidentiality, and privacy of both company and customer data. These guidelines aid organizations in managing and safeguarding sensitive information, fostering the implementation of robust security measures and mitigating the likelihood of data breaches and ensuring adherence to regulatory mandates.
How to start a SOC 2 audit
Preparing for your SOC 2 audit will help you avoid lengthy delays or unexpected costs. Prior to beginning your SOC 2 audit, we suggest you follow the guidelines below:
- Undergo a SOC 2 readiness assessment to identify control gaps that may exist and remediate any issues
- Decide which TSCs to include in your audit that best align with your customer’s needs
- Choose a compliance automation software tool to save time and cost. Pro tip: select a licensed CPA firm that also offers compliance automation software for an all-in-one solution and a seamless audit process that doesn’t require you to switch vendors mid-audit.
During the initial stage of the audit process, it’s important that your organization follow the below guidelines:
- Review recent changes in organizational activity (personnel, service offerings, tools, etc.)
- Create a timeline and delegate tasks (compliance automation software will make this activity much less time consuming)
- Review any prior audits to remediate any past findings
- Organize data and gather evidence ahead of fieldwork (preferably with automated evidence collection)
- Review requests and ask any questions (pro tip: it’s important to choose an experienced auditing firm that’s able to answer questions throughout the entire audit process)
What is compliance automation software?
If you’re looking for SOC 2 software, compliance automation software may be the best solution. Compliance automation software allows users to consolidate all audit information into a single system to gauge readiness, collect evidence, manage requests, and continually monitor your security posture.
When selecting a compliance automation software it is recommended that you look for one that offers:
- Automated readiness assessments
- Automated evidence collection
- Policy templates
- Auditor assistance when needed
- Cloud integrations
- Project dashboard
- Consolidated audit requests
- Continuous monitoring
It’s important to note that compliance automation software only takes you so far in the audit process and an experienced auditor is still needed to conduct the SOC 2 examination and provide a final report.
What’s the timeline of the SOC 2 audit process?
SOC 2 timelines vary based on the company size, number of locations, complexity of the environment, and the number of TSCs selected. Listed below is each step of the SOC 2 audit process and general guidelines for the amount of time they may take:
Step 1: Find the right partner and team
A SOC 2 must be completed by a licensed CPA firm. If you choose to utilize compliance automation software, it’s recommended that you select an auditing firm that also offers this software solution for a more seamless audit.
Step 2: Information requests: Estimated timeline: 2-3 Business Days
Your audit team will generate an Information Request List (IRL) for your organization. The information in this list is based on the scope, the chosen TSC, and other factors such as cloud hosting services, locations, and company size.
Step 3: Readiness assessment: Estimated timeline: Varies based on scope
If it’s your first audit, we recommend completing a SOC 2 Readiness Assessment to find any gaps and remediate any issues prior to beginning your audit.
Step 4: Evidence collection for a SOC 2 audit: Estimated timeline: Varies
The time it takes to collect evidence will vary based on the scope of the audit and the tools used to collect the evidence. Experts recommend using compliance software tools, like A-SCEND, to greatly expedite the process with automated evidence collection.
Step 5: Fieldwork: Estimated timeline: 2-6 Weeks
This phase includes walkthroughs of your environment to gain an understanding of your organization’s controls, processes and procedures. The time it takes to complete this phase will vary based on your scope, locations, TSCs, and more but generally, most clients complete in two to six weeks.
Step 6: The SOC 2 report: Estimated timeline: 3 Weeks
The audit team will provide a SOC 2 report for your company that comes in two parts. Part one is a draft within three weeks of completing the fieldwork in which you’ll have the opportunity to question and comment. Part two is a final report two weeks after the draft has been approved with the inclusion of the updates and clarifications requested in the draft phase.
What’s the difference between SOC 2 Type 1 and Type 2?
When determining what type of SOC 2 assessment to undergo, you have two options resulting in two different reports: a SOC 2 Type 1 audit and a SOC 2 Type 2 audit. There are two main differences between them. The first is the period over which the controls are evaluated. A SOC 2 Type 1 audit looks at controls at a single point in time. A SOC 2 Type 2 audit looks at controls over a review period, usually between 3 and 12 months.
The second is what the report attests to. A Type 1 report attests to the design and implementation of controls as of the report date; a Type 2 report also attests to their operating effectiveness throughout the review period. A Type 2 therefore provides a greater level of trust to a customer or partner, as the report gives more detail and visibility into whether the organization’s security controls actually worked over time.
What’s the difference between SOC 1 and SOC 2?
The difference between SOC 1 and SOC 2 is that a SOC 1 audit addresses internal controls over financial reporting. A SOC 2 audit focuses more broadly on information and IT security. The SOC 2 audits are structured across five categories called the Trust Services Criteria and are relevant to an organization’s operations and compliance.
What is a SOC 3 report?
To be issued a SOC 3 report, you must have first earned a SOC 2 report. A SOC 3 report is a public-facing version of the SOC 2 report intended for distribution and/or publication without the need for a non-disclosure agreement (NDA). A SOC 3 report is a SOC 2 report that has been scrubbed of any sensitive data and provides less technical information making it appropriate to share on your website or use as a sales tool to win new business.
What’s the difference between SOC 2 and ISO 27001?
Both a SOC 2 report and ISO/IEC 27001 certification are extremely attractive to prospective customers. Below are the major differences:
Certification vs. attestation: ISO 27001 is a certification issued by an accredited ISO certification body and includes an IAF (International Accreditation Forum) seal. SOC 2 is an attestation report provided by a third-party assessor such as a CPA firm.
ISMS vs. Trust Services Criteria: ISO 27001 is a pass/fail audit focused on the development and maintenance of an Information Security Management System (ISMS). SOC 2 is structured around the five TSCs and includes an auditor’s opinion of the controls in place for each chosen TSC. A final SOC 2 report is much more detailed than the one-page letter that you receive with an ISO 27001 certification.
Global reach: ISO 27001 is an international standard recognized throughout the world, while SOC 2 is primarily U.S.-based. That said, SOC 2 is becoming increasingly accepted by global organizations, particularly those doing business in the U.S.
Renewal timelines: SOC 2 reports are valid for 12 months and require annual renewal. ISO 27001 certifications are valid for three years, with annual surveillance audits.
ISAE 3000 and SOC 2
The International Framework for Assurance Engagements (ISAE) 3000 is a framework introduced by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting body that is widely recognized in Europe. An ISAE 3000 report can be integrated with a SOC 2 report, and is typically requested by international clients.
Key differences:
- SOC 2 is the most recognized standard in the U.S., while ISAE 3000 is an international standard.
- If an organization in the U.S. needs to demonstrate its commitment to information security and privacy, it may choose a SOC 2 report. If it needs to demonstrate compliance with international standards, it may opt to include an ISAE 3000 report as well without adding extra work.
- A-LIGN is equipped to issue SOC 2 reports with ISAE 3000 integration, allowing organizations to meet both standards and expand their international reach.
Can you fail a SOC 2 examination?
No, you cannot “fail” a SOC 2 audit. It’s your auditor’s job during the examination to provide opinions on your organization within the final report. If the controls within the report were not designed properly and/or did not operate effectively, this may lead to a “qualified” opinion. This indicates that one of the SOC 2 criteria had testing exceptions that were significant enough to preclude one or more criteria from being achieved. Audit reports are crucial because they speak to the integrity of your executive management team and affect investors and stakeholders.
What should I do with my final report?
While you’re not able to publicly share your SOC 2 report unless under NDA with a prospective customer, there are ways you can utilize your SOC 2 assessment achievement for marketing and sales purposes.
- Announce earning your SOC 2 report with a press release on the wire and on your website. Then, share on your social media platforms!
- Showcase the AICPA badge you earned on your website, email footers, signature lines and more.
- Send a short email to customers announcing your SOC 2 report.
- Write a blog post about earning your SOC 2 report and how this effort further demonstrates that you take your customers’ data security seriously.
- Teach your sales team how to speak about SOC 2 and the benefits it provides to customers.
If you would like a public-facing report to share, consider purchasing a SOC 3 report.
What is the history of SOC 2?
In 2010, the AICPA (American Institute of Certified Public Accountants) introduced SOC 1 and SOC 2 to address the growing need for companies to validate their cybersecurity posture.
What are a few helpful SOC 2 resources?
- Everything You Need to Know: SOC 2 Examination
- SOC 2 Checklist: Preparing for a SOC 2 Audit
- SOC 1 vs SOC 2: What’s The Difference?
- SOC 2 Framework: What You Need to Know
- A Guide to SOC 2 Reporting: What Is a SOC 2 Report?
- What are the SOC 2 Trust Services Criteria?
- SOC 2 Compliance Requirements: An Overview
- SOC 2 Controls: Everything You Need to Know
What’s an example of SOC 2 in the real world?
Below are several customer testimonials in which the organization earned a SOC 2 report to drive revenue, build customer trust and better their security posture.
- Menlo Security reduces evidence collection time by 60% with consolidated audit approach
- Obsidian Security scales compliance program with A-LIGN and Drata
- Orbital leads the way in the European fintech & crypto market with SOC 2 compliance
- Boomi showcases cybersecurity dedication with 10+ compliance certifications and attestations
- Network Coverage sets standard in CMMC & multi-framework compliance for MSPs
- Anthology’s commitment to compliance elevates edtech standards
- Inriver reduces time spent on compliance by 45% with A-LIGN & Drata
- SOC 2 Certified Companies: Real Success Stories & Insights
SOC 2 FAQs
SOC 2 not only helps companies demonstrate their commitment to security and trust, but also supports business growth, customer confidence, and regulatory expectations. Below, we answer some of the most common questions organizations ask when deciding whether SOC 2 is right for them.
Is SOC 2 required by law?
No, SOC 2 compliance is not a legal requirement. It is a voluntary attestation report. That said, many enterprise customers require SOC 2 contractually as part of their vendor risk management and due diligence process.
How long is a SOC 2 report valid?
When you earn your final SOC 2 report, it’s generally valid for 12 months. Therefore, a SOC 2 audit should be conducted annually as an internal benchmark to assess your security posture year-over-year.
How much does a SOC 2 audit cost?
The cost of a SOC 2 audit typically ranges from $20,000 to $150,000 or more, depending on factors like company size, system complexity, audit scope, and whether the organization is pursuing a SOC 2 Type 1 or Type 2 report. First-time audits often require additional preparation and remediation, which can impact overall cost.
How long does a SOC 2 audit take?
The timeline for a SOC 2 audit varies based on the company size, number of locations, complexity of the environment, and the number of TSCs selected. A Type 1 audit evaluates your systems at a specific moment and usually takes two to four weeks to complete. A Type 2 audit requires your auditor to observe your controls operating effectively over a specific period, which normally spans six to 12 months.
Can startups get SOC 2?
Startups of all sizes can achieve SOC 2. Many early-stage companies pursue SOC 2 to meet customer expectations, shorten sales cycles, and demonstrate trust as they scale.
You can find more common SOC 2 questions here.
Ready to start your SOC 2 audit?
If you’re ready to take the next step, contact A-LIGN today to begin your journey to SOC 2 compliance. The A-LIGN difference is:
- 17.5k+ SOC assessments completed
- #1 SOC 2 issuer in the world
- 200+ SOC auditors globally
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
Identifying and Managing Your Organization’s AI Risk Level
As organizations adopt more AI tools, they’re also adopting the risks that come with using those tools. Understanding the risks your organization is taking with AI is key to developing a comprehensive AI governance strategy.
If you’re beginning to worry about the ways your organization is mitigating AI risk, your concern isn’t unfounded. According to the 2026 Compliance Benchmark Report, 72% of organizations are concerned about AI’s effect on compliance requirements, highlighting just how complex the regulatory landscape has become.
Customers are emerging as a driving factor for concern over AI risk, too. Four out of five organizations now face direct inquiries from customers about their AI risk management practices, according to the 2026 Compliance Benchmark Report. This shows that your stakeholders want to know that the tools you use are safe, ethical, and secure.
Read on to explore how to identify your organization’s level of risk and strategies for mitigating it, whether you’re just beginning your AI governance journey or have a comprehensive plan.
Identifying AI risk in your organization
The first step to developing an AI governance strategy is identifying your level of risk. This involves understanding how AI intertwines with your organization and where the risk is coming from. This could include things like misuse, inadequate oversight, and third-party vulnerabilities.
Each of these gaps can have serious consequences for your organization. Even organizations that do not use AI tooling face AI-powered cyberattacks that are making breaches more likely, and the impact can go beyond financial loss to damage your reputation. Once customer trust is broken, it’s almost impossible to mend. Being realistic about the risks that exist beyond your environment will empower your organization to work smarter.
Benefits of mitigating AI risk
Mitigating AI risk not only has a positive impact on your internal security culture, it can also instill a sense of trust in your customers and other stakeholders. Identifying your organization’s level of risk and developing a strategy for mitigating it can enable your company to:
- Document and communicate controls so customers, boards, and auditors have clear visibility into how AI risks are managed.
- Manage risk systematically through repeatable, auditable processes such as risk assessments, bias audits, and performance monitoring.
- Prepare for multiple regulatory paths by harmonizing governance across jurisdictions and regulatory regimes.
- Train and empower personnel so executives, compliance teams, and employees understand their role in responsible AI adoption.
Options for risk mitigation
There is no “one-size-fits-all” for AI governance. Companies are scrambling to find the “right” way to manage this new frontier. Several methods are emerging as standard approaches to AI risk strategy:
- ISO 42001: 60% of organizations are looking toward this specific AI management system standard.
- Integrated controls: 56% are weaving AI checks into their existing governance frameworks.
- Self-assessment: 50% are relying on internal audits and checks to gauge their exposure.
Assess your options and needs based on your industry, company size, location, and customer base. If you work in a highly regulated industry like healthcare or finance, you will need to maintain a rigorous level of compliance with AI standards to operate and remain in good standing under regulations like HIPAA or GDPR. Meanwhile, organizations using AI to brainstorm in a creative industry might have fewer regulations to comply with. It’s all about understanding your environment.
Location can also impact the level of complexity your AI governance strategy should maintain as emerging regulations mean more companies must pursue formal compliance. The 2026 Compliance Benchmark Report found that in the next 12 months, 47% of organizations expect to be impacted by the EU AI Act. If you live somewhere that could be impacted by formal regulations, get ahead of the curve.
Enlist the right partners
After you’ve decided on the approach for your organization, whether it’s an internal policy or a formal standard like ISO 42001, enlist the right partners. AI is evolving rapidly, and bringing in the right team can mean the difference between a smooth process and the financial consequences of being out of compliance with a mandatory framework.
The level of complexity of your AI governance strategy will dictate what’s right for your organization. If you’re developing an internal policy, a consultancy may do the trick. If you’re pursuing a formal certification, a trusted auditor is essential.
Why A-LIGN
A-LIGN is a strategic, trusted audit partner that can help your organization build, level up, and scale your AI governance strategy. The A-LIGN difference is:
- 6.4k+ global clients
- 36k+ audits completed
- 400+ auditors globally
If you’re ready to take the next step in your AI governance strategy, reach out to A-LIGN today.