A Guide to CMMC Level 1 Compliance
For defense contractors, Cybersecurity Maturity Model Certification (CMMC) is a requirement for securing government contracts. With three levels outlined by the Department of Defense (DoD), many organizations find themselves unsure about which level applies to them and whether they can self-assess or need a Certified Third-Party Assessor Organization (C3PAO). This guide outlines CMMC Level 1, providing clarity on its requirements and helping you determine the right level for your business.
What is CMMC?
CMMC is designed for defense contractors and subcontractors within the Defense Industrial Base (DIB) who manage Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0, finalized in December 2024, streamlines the framework into three levels of compliance, each tailored to the sensitivity of the information being handled:
- Level 1 (Foundational): Focuses on basic cybersecurity practices for organizations handling FCI. Compliance is demonstrated through annual self-assessments.
- Level 2 (Advanced): Designed for organizations managing CUI, this level aligns with the 110 practices outlined in NIST SP 800-171. CUI handlers require third-party assessments every three years.
- Level 3 (Expert): Reserved for the most sensitive programs, this level incorporates additional requirements from NIST SP 800-172 on top of CMMC Level 2 certification and mandates direct assessments by the DoD.
Who needs CMMC Level 1?
Organizations can pursue Level 1 over Level 2 certification if their DoD contracts do not require them to handle CUI. Since certification levels are strictly determined by data types rather than organization size, Level 1 is the standard for businesses or subcontractors who do not handle higher categories of DoD information but are still critical for overall supply chain security — especially those that provide goods or services that do not involve sensitive or classified defense data.
The key determinant in choosing Level 1 is the nature of the information you access: Level 1 is designed for companies that only need to meet the minimal threshold of protecting FCI. However, if your business objectives evolve, and you anticipate handling CUI or expanding into more sensitive DoD projects, you may consider preparing for Level 2 to facilitate future growth.
Ultimately, the decision to pursue Level 1 compliance or Level 2 certification depends on your current needs and long-term business goals.
Understanding CMMC Level 1
CMMC Level 1 is considered the baseline for organizations looking to work with the DoD and is referred to as the “Foundational” level. Its core objective is to ensure companies have established basic cyber hygiene practices to protect FCI — which is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It does not include information provided by the government to the public (such as on public websites) or simple transactional details like payment information.
Unlike Level 2 and above, which address CUI with advanced controls, Level 1 focuses on preventing common cyber threats like phishing, basic malware, or unauthorized access.
To meet Level 1, organizations must implement the 17 security controls outlined in Federal Acquisition Regulation (FAR) 52.204-21. The 17 requirements fall into six key domains:
- Access control: Restrict system and information access to authorized users only.
- Identification and authentication: Verify user identities before granting system access.
- Media protection: Safeguard and securely dispose of media (e.g., USB drives, hard drives) containing FCI.
- Physical protection: Restrict physical access to systems and equipment to authorized personnel.
- System and communications protection: Control and monitor communications at system boundaries.
- System and information integrity: Detect and address system vulnerabilities promptly.
Unlike higher CMMC levels, Level 1 does not require extensive documentation of processes. Instead, it focuses on the actual performance of these essential security practices. Organizations seeking Level 1 compliance are permitted to conduct an annual self-assessment, making it a more accessible and cost-effective path for businesses that handle FCI but do not manage sensitive CUI data.
When do you need a C3PAO?
It’s important to understand when the involvement of a C3PAO becomes necessary within the CMMC framework. A C3PAO is an accredited firm authorized by The Cyber AB to conduct official CMMC assessments for higher certification levels such as Level 2. For organizations pursuing Level 1 certification, the self-attestation model means hiring a C3PAO is not required. However, if your organization plans to handle CUI or bid on contracts that include CMMC Level 2 requirements, a C3PAO assessment becomes mandatory.
That said, just because a C3PAO isn’t mandatory for Level 1 doesn’t mean you can’t seek outside help. Engaging a C3PAO to independently assess your compliance with the 17 Level 1 requirements can add assurance that you’re accurately self-attesting to meeting these controls.
Getting started with CMMC Level 1
Achieving CMMC Level 1 compliance is an important milestone for organizations looking to work with the DoD. To do this, you will report your self-attestation score directly to the DoD through its Supplier Performance Risk System (SPRS). The SPRS website offers tutorials and walkthroughs to guide you through the process.
By understanding the requirements, properly conducting and reporting your self-assessment, and seeking expert guidance when needed, your business can stay compliant and position itself as a reliable partner in the defense supply chain.
Ready to begin your CMMC journey? Reach out today to learn more.
CMMC Success: Top Five Lessons from Actual Level 2 Assessments
As 2025 comes to a close, the Defense Industrial Base is entering a new phase of cybersecurity accountability. CMMC Level 2 certification is no longer theoretical or aspirational. For many organizations, it is becoming an operational reality with real contractual consequences.
As the CMMC Market Leader and a Lead Assessor for leading C3PAO A-LIGN, I’ve seen this shift firsthand through dozens of successful CMMC Level 2 assessments across a wide range of defense contractors. That concentration of activity has provided a clear and sometimes sobering view into what actually drives success, where organizations consistently struggle, and which patterns are emerging as we approach 2026.
In this blog, I’ll share real-world lessons from the assessments I have experienced so far. These are not abstract best practices. They are lessons earned from real environments, real leadership teams, and real certification outcomes.
Lesson one: Scope was treated as strategy, not documentation
In every successful assessment, scoping decisions were made deliberately and early. Leaders treated scope not as a compliance form to complete, but as an architectural and operational decision that shaped everything that followed.
Successful organizations invested the time to understand where Controlled Unclassified Information truly flowed, how responsibilities were divided between internal teams and service providers, and where separation and segmentation needed to be enforced. Those decisions were socialized across engineering, IT, security, and leadership long before assessment week began.
Organizations that struggled often approached scope as paperwork: something to rush and guess so the “real work” could start. That mindset consistently led to confusion, rework, or unexpected exposure during assessment activities.
As certification activity accelerates, assessment boundary clarity and scoping are proving to be one of the strongest predictors of readiness.
Tip: Take time to get your scope rock solid; everything flows from that foundation.
Lesson two: Documentation reflected reality, not aspiration
None of the organizations that passed had perfect documentation. What they did have was documentation that matched how their environments operated.
System Security Plans described real processes, real enforcement, clear ownership, and current system behavior. The documents were not overly polished, but they were accurate. That mattered more than volume or formatting.
When organizations encountered difficulty, it was usually because documentation described how the system should work rather than how it operated in practice. Those gaps surfaced quickly when validation began.
As we move into 2026, documentation quality will increasingly be defined by alignment with reality, not by length or complexity. I recommend following this rule:
Tip: Say what you do, do what you say.
Lesson three: Evidence was managed as an operational discipline
There is a key indicator across all my recent successful assessments: evidence of control maturity emerged as one of the clearest differentiators of readiness.
Organizations that performed well treated evidence as part of ongoing operations, not as a task reserved for assessment week. Artifacts were mapped to requirements ahead of time, validated for currency, and organized in a way that reduced ambiguity for both internal teams and assessors.
That preparation paid dividends. Assessments moved more efficiently, discussions stayed focused on substance, and friction was significantly reduced.
By contrast, evidence chaos — incomplete artifacts, unclear ownership, or last-minute assembly — remained one of the most consistent predictors of assessment difficulty.
Tip: Use your self-assessment processes to validate control evidence before your external assessment. Be familiar with what you used to validate your control performance.
Lesson four: Shared responsibility was clearly understood and documented
Cloud adoption and managed services are now the norm across the DIB, which makes shared responsibility one of the most misunderstood areas of CMMC readiness.
Successful organizations did not rely on assumptions. They documented which controls were inherited, which responsibilities remained internal, and what their service providers were accountable for delivering. More importantly, they could demonstrate those responsibilities through evidence and ongoing management.
This clarity extended to identity, boundary protection, logging, monitoring, and incident response. When shared responsibility was explicit and validated, assessments proceeded smoothly. When it was vague, gaps and confusion emerged quickly.
In 2026, organizations that proactively close the seams between vendors, platforms, and internal operations will be far better positioned for certification.
Tip: Everyone relies on someone else; that’s the nature of our connected world. Understanding those relationships is key to your CMMC success.
Lesson five: Leadership behaviors predicted success before any control was reviewed
Perhaps the most consistent insight from recent assessments had little to do with technology and everything to do with leadership.
In every successful engagement, leadership behaviors and engagement were visible from the start. Roles were clear. Teams were prepared. Discussions were calm, structured, and grounded in fact. Executives understood their environment well enough to speak confidently about scope, ownership, teams, and priorities.
CMMC Level 2 is often framed as a technical standard. In practice, it functions just as much as a leadership and governance standard. Organizations that treated CMMC as a one-time project struggled. Those that treated it as a sustained readiness discipline succeeded.
Tip: Leadership buy-in and support are perhaps the biggest and most consistent predictors of success.
Looking ahead: Modernization will shape CMMC success in 2026
Beyond these five lessons, a broader shift is becoming clear. Organizations that move faster and with less friction are modernizing how they approach compliance.
We are seeing early adoption of machine-readable documentation through OSCAL, reduced reliance on screenshots, increased use of configuration telemetry, stronger identity governance, and greater automation in evidence collection. These capabilities are not yet universal, but the trajectory is clear.
As certification activity scales, maturity and modernization will increasingly separate organizations that struggle from those that sustain readiness.
Final thought
The mission continues: CMMC success is not a milestone; it’s a mindset. As we head into 2026, CMMC readiness will belong to organizations that treat compliance as an operational discipline, embrace modernization, and lead with clarity and collaboration. Ready to begin your journey in CMMC compliance? Reach out today to learn more.
Your Guide to PCI DSS Certification
Protecting customer cardholder data is crucial for merchants that store, process, or transmit this data, and for other companies that can affect the security of this valuable information. The standards that help companies protect this data are cumbersome and prescriptive by design, so that cardholder data is properly protected; meeting them allows entities to demonstrate proper security controls to customers and banks, which builds trust.
Read on to learn about PCI DSS and how it protects valuable customer data.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the only accepted standard enforced and run by the payment industry itself. It consists of a set of policies and procedures intended for organizations that handle, or affect the security of, credit, debit, and card-branded cash card transactions, to ensure the protection of cardholders’ personal information.
What is PCI SSC?
The PCI Security Standards Council develops and implements security standards for PCI DSS and other certifications. This group aims to drive education, awareness, and implementation of effective frameworks by its stakeholders.
What are the principles of PCI DSS?
There are 12 principal PCI DSS requirements that roll into six principles:
Build and maintain a secure network and systems
- Install and maintain network security controls
- Apply secure configurations to all system components
Protect account data
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
Implement strong access control measures
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain an information security policy
- Support information security with organizational policies and programs
These processes help protect cardholder data from bad actors and ensure that companies with this information have done their best to shield their environment from potential attacks.
Why is PCI DSS important?
Earning a PCI DSS Report on Compliance (RoC) certification demonstrates your organization’s commitment to payment card data security and identifies the level of validation you have achieved. Fines for failing to maintain PCI DSS compliance can range from $5,000 to $100,000 per month depending on the size of the company and the scope of noncompliance. Additionally, fines and penalties are even greater for organizations that experience a security incident.
Who should get a PCI DSS certification?
PCI DSS was developed for companies that store, process, or transmit sensitive credit card data. PCI DSS can also apply to companies that provide services to organizations that maintain their own Card Data Environments (CDE). If you affect the security of a CDE or your client’s CDE, then you can be brought into scope for a PCI DSS assessment.
The most common recipients of PCI DSS include:
- Retailers
- Ecommerce platforms
- Payment processors
- Payment BPO providers (e.g. Call Centers)
Who needs a Report on Compliance?
Your organization’s level of complexity and transaction volume will determine the level of validation you will need to comply with, according to the card brands’ validation requirements. There are four merchant levels and two service provider levels:
- Level 1: Merchants that process over 6 million transactions per year, and service providers that handle over 300,000 individual transactions per year.
- Level 2: Merchants that process between 1 million and 6 million transactions per year, and service providers that handle under 300,000 individual transactions per year.
- Level 3: E-commerce merchants that handle between 20,000 and 1 million transactions per year.
- Level 4: Merchants that handle fewer than 1 million transactions per year, and e-commerce merchants with fewer than 20,000 transactions per year.
Merchants should check with their acquirer to confirm their current merchant validation level. Levels 2, 3, and 4 are eligible to complete a Self-Assessment Questionnaire (SAQ). However, some Level 2 payment channels (e.g., e-commerce) may be required to be attested by a QSA or ISA. Meanwhile, merchants that fall into Level 1 will need to complete a RoC, which is an on-site assessment conducted by a Qualified Security Assessor (QSA) to establish PCI DSS compliance. Nothing prohibits a lower-level merchant or service provider from achieving a Level 1 RoC, and many service providers that technically meet Level 2 status conduct an annual Level 1 RoC to meet customer validation expectations.
How long does it take to complete a PCI DSS assessment?
The preparation phase can take about six to eight months for those undergoing the assessment for the first time, and around three to four months on average for a renewal assessment. The amount of time it takes to complete the assessment ultimately varies depending on the organization’s environment, its processes, its number of locations, and the size and scope of its infrastructure.
For large entities, PCI DSS is a continual process: as soon as one audit ends, they’re preparing for the next year’s. Smaller entities may have less of a lift to continually maintain those processes.
Steps to achieving PCI DSS certification
Learning the steps to earning PCI DSS certification is an essential part of the process. Being well prepared for this process can set your organization up for success.
- Understand requirements: Familiarize yourself with the requirements of PCI DSS and consider how they will impact your organization. Are there obvious gaps in your environment? Do you have an information security policy? How many transactions do you process each year? Which level of merchant does that make your organization? Learning about the PCI DSS requirements and how they show up in practice is the first step to compliance.
- Conduct a risk assessment: Conducting a formal risk assessment will inform your strategy going forward. These assessments identify vulnerabilities and their level of risk to your environment, giving your organization a baseline for your level of security, areas for improvement, and conformity to PCI DSS requirements.
- Address gaps, implement changes: Implementing changes ahead of a formal assessment will empower your organization to get on the right track for PCI DSS certification.
- Engage with a Qualified Security Assessor: Depending on your level of certification, you may be able to complete a SAQ. If your organization is a Level 1 merchant as defined above, you will need to work with a QSA to complete a formal RoC and earn your PCI Attestation of Compliance (AOC). It’s important to choose a high-quality QSA that won’t just check the box but will set your organization up for success. Check out our list of six qualities to look for in a QSA.
Getting started with PCI DSS
If you’re ready to begin your journey to PCI DSS compliance, contact A-LIGN today to get started. The A-LIGN difference is:
- 2k+ PCI assessments completed
- 96% customer satisfaction rating
- 20+ years of experience
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
Don’t Let Regulatory Uncertainty Delay Your AI Governance
Many organizations are questioning whether to act now on AI governance or wait for final clarity on enforcement dates, particularly with the EU AI Act. The proposed delays in enforcement have introduced hesitation, as organizations are uncertain about the final requirements and timelines. However, the underlying governance expectations are not going to change. Developing a quality management system (QMS) for high-risk AI is a process that requires slow and steady work. Evidence must be accumulated, roles must mature, and cross-functional routines need to be established. None of these foundational elements can be rushed in the final months before an enforcement deadline.
Although the consequences may feel distant and abstract, this blog outlines the risks of inaction and the tangible benefits of starting early.
Understanding the High-Risk AI QMS Standard
The High-Risk AI QMS Standard, part of the EU AI Act, demands structured, repeatable, and risk-based practices across the entire AI lifecycle. It requires clear documentation of decisions, complete traceability from data to model to deployment, and a controlled workflow. This controlled flow ensures that all reviews, evaluations, approvals, and monitoring activities leave a clear, auditable trail. These are fundamental management responsibilities, not simply technical add-ons. You cannot meet these rigorous expectations with last-minute documentation or a single, frantic compliance sprint. You meet them by building consistent habits, which only form when governance and engineering teams work together long before any regulation takes effect.
Why waiting is a flawed strategy
When leaders hear about a proposed regulatory delay, they often assume they have gained time. In reality, the workload remains constant. The only thing that changes is the cost and pressure of completing it.
Waiting to establish AI governance creates three predictable problems:
1. Lack of evidence for regulators and customers
Imagine a financial services firm using a credit decision model across multiple markets. A supervisor requests the model’s evaluation record, but the team can only produce a single performance chart with no version history, no justification for the dataset used, and no record of who approved its deployment. The risk officer is now facing a regulatory issue that cannot be fixed retroactively. This scenario will become common for unprepared organizations.
2. Lost revenue from procurement failures
By 2026, large buyers in regulated industries will require their vendors to provide an AI system inventory, documented controls, and a clear governance narrative. A health tech firm, for example, might be disqualified from a bid because it cannot demonstrate that its diagnostic models were developed under a controlled process. A competitor that invested in governance earlier will win those contracts.
3. Technical teams hitting a maturity wall
Engineers who have never operated under a controlled development regime need time to adjust. If you introduce process discipline and documentation requirements late, teams will likely push back. This resistance can slow down delivery at the exact moment when compliance pressure is at its peak. These failures are not hypothetical; they follow the same pattern seen in every other regulated domain. Organizations that wait inevitably end up with rushed documentation, repeated rework, and expensive remediation projects.
Delivering value before enforcement deadlines
Executives often ask about the immediate business case for investing in AI governance. The benefits arrive long before any regulatory deadline.
- Faster procurement cycles. Complete enterprise procurement questionnaires more efficiently.
- Higher investor trust. Address board-level questions about AI exposure with confidence.
- Better regulatory preparation. Be ready for questions from regulators before formal supervision begins.
- Stronger engineering discipline. Improve system reliability and reduce unplanned incidents.
- A compelling narrative. Position your company as a prepared and responsible leader, not a reactive follower.
These benefits are not tied to an enforcement date; they are directly linked to the maturity of your management system.
How ISO 42001 provides a foundation
ISO 42001 provides the essential foundation for this work, serving as a blueprint for responsible and scalable AI compliance across organizations. The standard requires organizations to define their context, roles, risks, and controls, ensuring a structured approach to AI governance. It also mandates performance measurement and a commitment to continuous improvement, enabling organizations to build trust and demonstrate ethical AI practices.
The High-Risk AI QMS Standard builds directly on this structure. Think of ISO 42001 as the scaffolding for your AI management system. The High-Risk AI QMS Standard then defines the specific operating procedures for those systems that carry the most significant risk. Together, they form a comprehensive system of control. Neither can be implemented effectively if introduced late in the game.
What your organization should do now
A strong start doesn’t require a massive, complex program. It begins with clarity and ownership.
Your 90-Day plan
First, focus on creating a solid foundation.
- Create a provisional AI system inventory. List all the AI systems currently in use or development.
- Classify AI systems by risk. Pinpoint two or three systems that are likely to qualify as high-risk under upcoming regulations.
- Assign ownership. Appoint a single, accountable executive for each of these high-risk systems.
- Implement change control. Establish a basic process for managing model updates.
- Create a minimum record set. Start documenting data decisions, evaluation choices, and deployment approvals to ensure traceability.
This initial work provides the groundwork needed to align with both ISO 42001 and the High-Risk AI QMS Standard.
Your 12-Month plan
After the first 90 days, you can expand these initial efforts into a fully functional AI management program.
- Formalize governance. Develop and approve official policies and governance charters.
- Build cross-functional workflows. Create integrated processes for risk assessment, model evaluation, and approvals involving all relevant teams.
- Train your teams. Educate engineering, product, and risk teams on documentation discipline and lifecycle control.
- Strengthen supplier oversight. Develop processes for managing third-party risks from foundation models, hosted services, and data pipelines.
- Conduct a mock assessment. Run a full internal audit against ISO 42001 and the High-Risk AI QMS Standard to identify gaps.
- Mature your processes. Use the findings from your assessment to improve monitoring, incident response, and performance measurement.
This structured approach creates a living governance environment that can be audited with confidence.
While ISO 42001 is an ideal first step toward holistic AI compliance, not every organization may feel ready to pursue a full certification. For those seeking more tailored or incremental approaches, there are options to address specific needs:
- AI Model Audit: For organizations needing focused assurance on a specific AI product, a model audit offers independent validation of its performance, testing, and system-level controls. It is a faster, more targeted attestation that demonstrates due diligence without the complexity of a full certification.
- HITRUST AI: For organizations in healthcare and other sectors handling sensitive data, HITRUST offers AI-specific assessments and certifications. These add-ons help validate that security controls and processes are tailored to protect data within an AI environment.
The leadership decision
Many organizations believe they can delay action on AI governance, but this approach will inevitably lead to rushed audits, lost deals, and unnecessary compliance costs. By starting now, leaders can distribute the workload over a manageable timeline, building competence and confidence instead of scrambling under pressure. Organizations that act early will be ready to meet regulatory standards with evidence that naturally emerges from their daily operations.
Deadlines may shift, but expectations will not. Success will belong to those who prepare steadily and proactively.
ISO 27701 Updates: What You Need to Know
ISO/IEC 27701 is now a standalone standard, no longer tied to ISO 27001. What does your organization need to know about the change? Read on to learn about key changes to the framework, a new standard for certification bodies, and the timeline for compliance with a reimagined ISO 27701.
ISO 27701:2025: Privacy management goes independent
Historically, ISO 27701 has existed as an extension of ISO 27001, previously published as ISO/IEC 27701:2019. However, the 2025 revision transforms it into a standalone standard, making privacy certification more accessible. New releases include:
- ISO/IEC 27701:2025 (Edition 2): A complete overhaul of the Privacy Information Management System (PIMS) standard
- ISO/IEC 27706:2025: Completely new guidance for certification bodies (CBs) specific to the Privacy Information Management System (PIMS) standard
Key changes to ISO 27701
Beyond the obvious change to an independent, standalone standard, there are a few key changes to the ISO 27701 standard including:
- Standalone certification: Organizations can now become compliant with ISO 27701 without needing ISO 27001
- Restructured framework: Clauses 4–10 now mirror ISO management system standards tailored for privacy
- Annex A consolidation: Controls for PII Controllers and Processors are unified into A.1, A.2, and A.3
- New Annex B: Implementation Guidance offers practical steps for applying privacy controls
- Expanded scope: Includes biometric data, health data, IoT, and AI-related privacy risks
ISO/IEC 27706:2025: Certifying the certification bodies
The standards that ISO certification bodies must abide by have also changed with ISO 27706:2025 replacing CBs’ current standard, ISO TS 27006-2:2021. Updates include:
- Full standard status: ISO 27706 is now a formal international standard
- Aligned with ISO 17021-1: Ensures consistency with global certification practices
- Annexes A, B, and C: Provide guidance for audit planning, competence requirements, and assessment methodologies
- Improved trust & transparency: Enhances credibility and global recognition of PIMS certifications
What does this mean for you?
Depending on your status as a certification body or organization earning certification, these changes mean different things.
For organizations
If you’re an organization seeking ISO 27701 certification and it’s the only standard you need, you can now pursue it independently of ISO 27001, which will reduce costs and complexity.
If your organization is already ISO 27701 certified, you’ll need to conduct a transition audit sometime over the next three years. This will ensure that your environment is compliant with the changes to the ISO 27701 standard ahead of the 2028 deadline.
For certification bodies
ISO 27706 provides a clear framework for reliable PIMS audits that your certification body can reference. CBs will need to undergo a transition audit with their accreditation bodies to ensure they are fully compliant to perform audits against the new standard. CBs should also communicate with their ISO 27701-certified clients about the transition audit process to prevent any lapses in compliance.
ISO 27701 transition timeline
Organizations will have time to make changes to their environment ahead of the October 2028 deadline for compliance. Here’s the complete timeline for implementing the new ISO 27701 standard:
- Publication date: October 14, 2025
- Transition period: Three years from publication
- Deadline for transition: October 2028
- Certification guidance: Official transition rules from accreditation bodies (e.g., IAF, ANAB, UKAS) are expected within 1-3 months post-publication
Recommendations
Don’t delay: create a plan now to ensure your organization has enough time to prepare for its transition audit. We recommend that organizations that are ISO 27701 certified take the following actions:
- Purchase the standard: Within the ISO website, companies should purchase the standard to understand all of the clauses and annex controls that have been developed for the new standard.
- Conduct a gap analysis: This will allow your team to identify any gaps between your current level of compliance and the new standard. Identifying and rectifying these gaps before your transition audit is key to avoiding penalties or lapses in compliance.
- Update your PIMS documentation and controls: Make these changes sooner rather than later so your team is fully prepared for your organization’s transition audit. Remaining gaps could become an issue as the deadline for compliance approaches.
- Perform an internal audit and management review: After implementing the necessary changes, ensure compliance with the new requirements through an internal audit and a management review as scheduled by your organization.
- Consult your certification body for specific transition procedures: Your CB should be a resource for you during this time of transition. Their auditors can help your organization plan an effective, efficient transition audit process.
Ready to learn more? Contact A-LIGN today to get started on your compliance journey.
A-LIGN Achieves Nine Years of Excellence on Seminole 100 List
A-LIGN has secured a place on the 2026 Seminole 100 for the ninth consecutive year – earning a spot on the list every year since its inception in 2017.
The annual Seminole 100 list honors the fastest-growing businesses owned or led by alumni of Florida State University. Companies are ranked based on their compound annual growth over the last three years.
“Being recognized on the Seminole 100 for the ninth consecutive year is a testament to our team’s dedication and the trust our clients place in us,” said Scott Price, CEO of A-LIGN. “As a proud Florida State alumnus, this recognition is an honor and reflects A-LIGN’s unwavering commitment to quality and innovation.”
A-LIGN’s ranking comes as the organization celebrates a banner year with a strategic investment from the private equity firm Hg. This investment underscores A-LIGN’s commitment to providing a superior, tech-enabled audit experience through its proprietary audit management platform, A-SCEND, which delivers trusted, high-quality compliance reports.
“These honorees exemplify the entrepreneurial spirit and resilience that define Florida State University,” said FSU President Richard McCullough. “Their accomplishments not only elevate their companies but also inspire the next generation of Florida State Seminoles to dream big and lead boldly.”
Honorees will be recognized in a ceremony on February 21 in Tallahassee, where the official ranked list will be unveiled.
Simplifying Multi-Framework Readiness: How Modern Teams Prepare Smarter, Not Harder
Enterprises today are juggling more compliance frameworks than ever—SOC 2, ISO 27001, HITRUST, PCI DSS, CMMC, and beyond. Each brings its own set of requirements, timelines, and evidence expectations. The result? Teams spend too much time duplicating work, managing spreadsheets, and preparing for overlapping audits that never seem to end.
But it doesn’t have to be that way. Leading organizations are embracing automation, collaboration, and continuous readiness to simplify multi-framework compliance, transforming what was once a pain point into a strategic advantage. Read on to learn insights from Drata’s Chris Weiskirch.
The multi-framework challenge
When each framework is managed separately, audit prep becomes a game of catch-up. Teams gather the same documentation multiple times, track updates manually, and scramble to meet overlapping deadlines. This reactive cycle drains resources and increases risk.
The key to breaking out of this pattern is adopting a unified, proactive approach—one where automation handles repetitive tasks, evidence collection happens continuously, and frameworks are mapped intelligently to reduce redundancy.
The shift toward continuous readiness
Modern compliance platforms are built to handle the complexity of multi-framework programs. Instead of treating each certification as a one-off event, these systems maintain a living compliance environment—automating evidence collection, monitoring control performance, and mapping once to apply across multiple frameworks.
This “map once, audit many” model reduces manual effort while improving accuracy and visibility. It enables compliance teams to focus on higher-value activities like risk management, policy optimization, and strategic scaling rather than endless document wrangling.
Collaboration as the new advantage
Automation alone isn’t enough. Collaboration is the missing link that turns readiness into success. By aligning early with trusted auditors like A-LIGN, teams can ensure their controls, documentation, and testing align with audit expectations well before fieldwork begins.
This partnership model eliminates guesswork, minimizes audit fatigue, and turns what used to be a stressful process into a predictable, repeatable rhythm. Drata’s real-time evidence collection and continuous monitoring give auditors like A-LIGN the context and clarity they need—accelerating the entire engagement.
From readiness to resilience
As organizations mature, compliance stops being an annual event and becomes an always-on function. Continuous readiness builds resilience by keeping evidence fresh, controls operational, and leadership informed—no matter how many frameworks are in play.
When readiness becomes routine, compliance evolves from a defensive exercise into a driver of trust, credibility, and growth. Reach out today if you’re ready to get started on your compliance journey.
About Chris Weiskirch
Chris leads Governance, Risk & Compliance (GRC) at Drata, leveraging his extensive experience in building and scaling enterprise security and compliance programs to help organizations make GRC a measurable, strategic driver of trust and resilience.
About Drata
Replace manual GRC efforts, reduce costs, and save time preparing for audits and maintaining compliance. Drata is the trust management platform with the mission of serving as the trust layer between great companies. We help thousands of companies streamline compliance for SOC 2, ISO 27001, HIPAA, GDPR, your own custom frameworks, and many more through continuous, automated control monitoring and evidence collection. Drata is backed by ICONIQ Growth, Alkeon, Salesforce Ventures, Notable Capital, Okta Ventures, SVCI (Silicon Valley CISO Investments), Cowboy Ventures, Leaders Fund, Basis Set Ventures, SV Angel, and many key industry leaders. Drata is based in San Diego, CA with team members across the globe.
What is AI Governance?
As organizations integrate artificial intelligence into their operations, a critical question arises: who is governing these systems? Many businesses manage AI risk reactively, addressing issues as they occur or focusing on individual tools. This fragmented approach is ineffective. It leads to inconsistent oversight, creates compliance gaps, and makes it incredibly difficult to scale AI innovation responsibly.
What organizations truly need is a comprehensive AI governance strategy. This creates a unified and repeatable framework for managing AI across the entire enterprise. This post explores why such a strategy is a strategic necessity, moving beyond one-off checks to build a stable and trustworthy AI ecosystem.
The urgent need for AI governance
The rapid adoption of AI is outpacing the development of proper oversight. This gap creates tangible risks that can impact an organization’s reputation, finances, and legal standing. Issues like algorithmic bias, customer privacy violations, and security vulnerabilities are not just theoretical problems; they are real-world challenges that businesses face today.
The statistics paint a clear picture of the current landscape:
- 63% of organizations lack any formal AI governance policies.
- More than 20% of organizations have already experienced a breach related to their AI models or applications.
These figures highlight a widespread vulnerability. Without a structured approach to governance, organizations are operating in a high-risk environment.
The market is also shifting, with analysts predicting that by 2027, 75% of AI platforms will include built-in governance and responsible AI capabilities. However, this leaves a significant gap in time. AI is a vulnerability right now, and waiting for built-in governance is not a viable solution. Organizations need to act now by proactively establishing governance frameworks to mitigate risks and ensure responsible innovation.
AI governance as a comprehensive compliance strategy
Effective AI governance moves beyond simple compliance checklists. It is a holistic framework designed to proactively manage risks, align with evolving regulations, and build deep-seated trust with stakeholders. It ensures all AI systems — whether built in-house or sourced from third-party vendors — adhere to the same high standards of security, fairness, and transparency.
By embedding governance into the entire AI lifecycle, organizations can shift from a reactive security posture to a proactive one. It provides a stable foundation upon which to build, test, and deploy AI with confidence, knowing that risks are managed from the very beginning.
This proactive approach delivers significant benefits:
- Demonstrates AI security and trustworthiness to investors, boards, and customers.
- Helps organizations get ahead of evolving regulatory requirements for AI.
- Provides third-party validation for cloud-native and platform-based AI providers.
- Establishes a proactive risk management posture rather than a reactive one.
Key components of a modern AI governance framework
A robust AI governance strategy is not a one-size-fits-all solution. It is a suite of customizable components tailored to an organization’s specific needs, infrastructure, and risk profile. These components include core frameworks and supporting tools.
Frameworks and certifications
- ISO/IEC 42001: This international standard provides requirements for establishing, implementing, and maintaining an AI Management System (AIMS). It serves as an excellent foundation for organization-wide AI governance and confirms that proper management practices are in place.
- AI Model Audit: For organizations needing focused assurance on a specific AI product, a model audit offers independent validation of its performance, testing, and system-level controls. It is a faster, more targeted attestation that demonstrates due diligence without the complexity of a full certification.
- HITRUST AI: For organizations in healthcare and other sectors handling sensitive data, HITRUST offers AI-specific assessments and certifications. These add-ons help validate that security controls and processes are tailored to protect data within an AI environment.
Supporting tools for continuous security
- AI Red Teaming: This practice involves simulating adversarial attacks to identify vulnerabilities in AI systems before malicious actors can exploit them.
- AI Insurance: As an additional layer of protection, AI insurance offers a safeguard against financial liability resulting from security incidents or performance failures.
Case study: Workday and the importance of layered AI governance
Workday, a leader in HR technology, achieved ISO 42001 certification to demonstrate its commitment to responsible AI. However, the company later faced a lawsuit alleging bias in its AI hiring tools. This situation highlights the need for layered governance strategies that go beyond foundational frameworks.
While a certification like ISO 42001 ensures a strong management system is in place, it does not guarantee that a specific AI model is free from hidden flaws. This is where continuous monitoring and outcomes-focused AI governance solutions become essential. Offensive security practices like AI Red Teaming provide ongoing, adversarial testing designed to uncover hard-to-find risks, such as algorithmic bias, before they escalate into legal challenges or cause reputational damage. AI Model Audit provides focused assurance that the AI model is producing outcomes as intended. By combining a solid framework with proactive security measures, organizations can build a more resilient and trustworthy AI program.
How to get started with AI governance
Beginning the journey toward AI governance can feel overwhelming, but it starts with a few foundational steps.
- Identify your role: Determine how your organization interacts with AI. Are you a user of AI tools, a developer building them, or a provider offering AI-powered services? Your role will shape your specific governance needs and responsibilities.
- Assess your current state: Evaluate your risks, needs, and objectives. Understand which teams are using AI and what existing frameworks (like ISO 27001) could be extended to cover AI.
- Choose the right starting point: You do not have to do everything at once. Select a solution that matches your maturity and goals. An AI Model Audit can provide quick, system-level validation for a key product, while ISO 42001 is ideal for establishing organization-wide governance. For those already in the HITRUST ecosystem, HITRUST AI is a logical next step.
Build trust, enable innovation
AI governance is no longer an optional extra; it is a fundamental pillar of modern business strategy. By moving away from reactive, disjointed, ad-hoc fixes and embracing a comprehensive governance framework, organizations can effectively manage risk, ensure compliance, and build the trust necessary to innovate with confidence.
SOC 2 Buyer’s Guide
SOC 2 is the most popular cybersecurity audit, and for good reason. This framework is the foundation for many organizations’ compliance strategies and is now an expectation to do business with customers in many industries.
Read on to learn why SOC 2 is so popular and how your organization can begin its compliance journey with a SOC 2 attestation. Follow along and download the guide here. In this guide, we will:
- Define SOC 2 and its criteria
- Explain the examination process
- Share best practices for choosing a quality audit partner
- Spotlight real-world SOC 2 success stories
- Give you a list of questions to evaluate potential audit partners
Defining SOC 2
What is SOC 2?
A SOC 2 (System and Organization Controls) report is an independent attestation that evaluates the effectiveness of a company’s controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. The security of your environment is assessed against the requirements within a SOC 2 examination, known as the Trust Services Criteria (TSC):
- Security (required)
- Availability (optional)
- Processing Integrity (optional)
- Confidentiality (optional)
- Privacy (optional)
Who needs SOC 2?
Service organizations that process, store, or transmit data for their clients or partners need a SOC 2 attestation. While SOC 2 applies to almost any organization, it’s particularly important to data centers, software-as-a-service companies, and managed service providers.
Who can perform a SOC 2 audit?
Only licensed CPA firms that are accredited by the American Institute of Certified Public Accountants can complete a SOC 2 audit.
What are the SOC 2 Trust Services Criteria?
SOC 2 consists of five TSCs. To determine which TSCs are best for your organization, it’s important to understand what type of data you store, process, and/or transmit.
- Security: Consists of 9 control families ranging from organization and management to risk assessment, logical security, and change management. This criterion is required in every SOC 2 report.
- Availability: Addresses controls related to availability and redundancy of services to meet client SLAs. The Availability Criteria is a great add-on for most organizations.
- Processing Integrity: Addresses controls related to accurate processing of customer data without corruption or unauthorized alteration. Processing Integrity is largely specific to an organization’s services and not often applicable to all organizations.
- Confidentiality: Addresses controls related to protection of data deemed confidential between an organization and its client. This extends to any data deemed confidential. The Confidentiality Criteria is a great add-on for most organizations.
- Privacy: Addresses controls related to the protection of Personally Identifiable Information (PII). This is anything that can be tied to an individual. Privacy is large and cumbersome, and only applicable to organizations that store, process, or transmit PII.
The examination process
The SOC 2 examination process is a well-defined, six-step audit cycle. The steps are:
- Readiness assessment (optional)
- Scoping
- Audit planning
- Audit testing and review of evidence
- Closing meeting and draft report preparation
- Issuance of the final report
Understanding the steps is an essential part of preparing for your SOC 2 examination.
Building a partner team
Before beginning your audit, you may enlist the help of tools or partners that can help you maximize efficiency, accelerate outcomes, and drive continuous growth for your SOC 2 attestation. Governance, risk and compliance (GRC) software solutions frequently work in tandem with your auditor, especially if the auditor is tech-enabled with an audit management platform. This partnership typically shows up in four steps:
- Laying the foundation: GRC tools can help you prepare for your SOC 2 audit by automating evidence collection in addition to managing policies and procedures related to your audit.
- Accelerating with intelligence: This is where your audit partner begins their work. Choosing a tech-enabled auditor means that they can generate request lists, match evidence, and deduplicate requests across frameworks if you are conducting multiple audits, all powered by AI.
- Realizing results: This stage will include your audit partner conducting assessments, reviewing evidence, and delivering your final report.
- Proving compliance at scale: After you’ve earned your attestation, it’s time to show it off to the world. GRC tools can help you showcase and provide automated, secure access to accreditations to potential buyers, saving your team time and effort on manual approvals and questionnaires.
In addition to these steps, GRC tools provide continuous monitoring, which keeps your team in the loop on potential issues and areas for improvement long after you’ve completed your first attestation.
The readiness assessment
Readiness assessments are an optional way for your organization to understand the current state of your compliance before entering an audit cycle. These assessments can give your team the confidence to prepare for your SOC 2 examination. Your audit partner may take one of two approaches with these assessments:
- Traditional approach: Your auditor will perform a formal Readiness Assessment that simulates a Type 1 or Type 2 audit and results in a report with recommendations from the auditor. This option is recommended for companies that don’t have many formal procedures or have never been through an audit before.
- Belay approach: This hybrid two-step approach has a smaller high-level gap assessment of key controls prior to the Type 1 SOC 2 examination. This approach saves time and costs and is designed for more mature organizations with formally established and implemented procedures who still have concerns or questions about their readiness for a SOC 2 audit.
Scoping
During the scoping phase, your auditor team will work with your organization to better understand the scope of services as well as to identify and evaluate the controls in place specific to the scope of services. The auditors will also work with your organization to further explain the SOC 2 framework and TSCs.
Audit planning
Once your organization has engaged an auditor for a SOC 2 examination, you will be introduced to the audit management team to begin the planning phase of your audit. An official kickoff call will be scheduled to discuss the timing of the audit, share key planning information, and provide an Information Request List (IRL) relevant to the defined scope. Your organization should review each of the requests within the IRL to ensure you understand what is being requested, then begin to gather and provide the requested evidence to the auditors. As the dedicated audit testing date nears, the audit team will set up regular touchpoints with you to answer questions and encourage your organization to upload as much evidence as possible to an audit management platform like A-SCEND or your GRC tool of choice prior to the start of testing.
Testing and reviewing of evidence
At this stage, the assigned auditor actively reviews all evidence and completes the required testing, which is either performed remotely, onsite or a combination of both (depending on scope). It is essential that a majority of evidence is uploaded before this phase begins. During the testing and review of evidence phase, the auditor performs the following tasks:
- Explains testing approach based on the SOC 2 requirements
- Confirms the key processes and procedures observed relevant to the scope of services and provides feedback on the system description
- Holds meetings with process owners to understand the controls in place and operation
- Reviews evidence to corroborate management’s controls and completes testing of those controls utilizing the evidence that has been provided in the planning phase
- Asks clarifying questions relating to the evidence provided and processes observed
- Requests additional evidence needed in support of testing the scope of services
- Identifies and proactively communicates potential findings identified in the testing
- Proactively communicates the status of testing and roadblocks encountered
Closing meeting and draft report
Step four begins once all evidence has been provided, reviewed, and accepted by the auditor. Your auditor then performs various rounds of quality review, involving multiple levels of audit management, and prepares a draft version of the report. When the draft report is delivered, it is accompanied by a management representation letter that must be signed by an appropriate member of the organization and returned to your audit team. Management will have an opportunity to review the draft report prior to final issuance.
The final report
Once you have reviewed and returned the signed management letter and draft report with your comments and suggested updates, the auditor works to finalize the report, which includes addressing any comments left by your organization. Once all comments are addressed and updates applied, the report is finalized and delivered to your organization electronically (a hard copy can also be requested). For more about these steps, download our SOC 2 Buyer’s Guide.
Selecting a quality audit partner
Choosing the right auditor can make all the difference during your examination process. Quality auditors will drive efficiencies for your team and instill confidence in customers that your SOC 2 attestation is reputable and meets a high standard.
There are many ways to define what makes up a quality audit partner. Here are a few considerations to keep in mind when evaluating potential auditors.
Experience and credentials
A potential partner’s experience and credentials are among the first things you should evaluate when choosing an auditor. Look for partners that have been in business for a long time and have a track record of success. In addition to reputation, technical credentials are important. Is this auditor accredited with the AICPA? Only independently licensed CPAs can issue SOC 2 attestation reports.
Report quality
Not all reports are created equal. High-quality audit reports won’t just confirm your compliance; they will highlight areas for improvement and risk mitigation strategies that are specific to your organization’s security posture. The AICPA has developed a downloadable checklist to guide management during their review of a SOC 2 to evaluate the sufficiency and quality of the report.
Tech-enabled services
Choosing an auditor that embraces technology isn’t a preference anymore; it’s essential. Auditors that perform all audit tasks manually will take longer to finish your audit and may be less accurate. We recommend partnering with an auditor that uses their own audit management platform to streamline the process. Additionally, you should enlist the help of an audit partner that integrates with your existing compliance and trust management software.
Audit process
It’s essential to understand the process that your chosen audit partner will use to complete your SOC 2 examination. Be sure to ask any potential partners about the timeline, scoping, audit cycle synchronization, and team communication before moving forward.
Case study: Obsidian Security
Obsidian Security is a market leader in comprehensive SaaS security, specializing in threat management integration, third-party risk, security posture and configuration, and compliance.
Obsidian’s path toward creating a robust security program started when the team only had 15 employees and a tight budget. Although they were a small team, Obsidian secured business from multinational, highly regulated customers with complex security needs.
The company reached a point of inflection where they needed to scale their compliance program and meet the growing demands of their enterprise customers. With their sights set on obtaining a SOC 2 report, Obsidian looked for an audit partner to help them meet their compliance goals.
Obsidian sought a high-quality report and efficient audit process, driven by a partnership focused on continual improvement. Ultimately, Obsidian chose to engage with A-LIGN and Drata for their audit and GRC requirements.
Obsidian has implemented a robust third-party risk management program, which involves thorough scrutiny of attestation reports from various companies, so their team has ample knowledge on what makes a trusted high-quality, robust audit report.
Of all the assessors’ reports, Obsidian CISO Alfredo Hickman said A-LIGN’s stands out for its well-structured and comprehensive nature, particularly in assessing performance and coverage of controls. The detailed report assures customers and prospects of proper due diligence and fosters trust with other key stakeholders.
“The value proposition of having an audit partner like A-LIGN at the strategic level and having a partner like Drata at the technical and operational level is that you can streamline the entire audit process.”
– Alfredo Hickman, CISO, Obsidian Security
Checklist: Questions to ask your audit partner
Choosing an audit partner is one of the most important steps to completing a SOC 2 attestation for your organization. This decision will impact every other step – from start to finish, your assessor will be with you through it all. This SOC 2 checklist details questions that we recommend you ask any potential assessor.
- What is your experience with SOC 2 attestations?
- Is your company accredited by the AICPA?
- How many SOC 2 attestations have you completed?
- How many SOC auditors does your team have?
- Do you have experience conducting SOC 2 attestations in my industry?
- Does your organization conduct other audits?
- Are we able to pursue multiple frameworks at the same time with your organization? How does your team handle this?
- Do you have experience identifying overlaps among multiple frameworks?
- What can I expect during the audit process?
- Does your organization use technology to enhance the audit process?
- What is your response time to questions from our team?
- How do you ensure the quality of your audits?
- How do you define quality?
- What sets your audit process apart from other audit firms?
- How much will my SOC 2 attestation cost?
- What are your rates and what do they include?
- How long does a SOC 2 attestation take with your organization?
- How long will each step of the process take?
- Do you have references and case studies from satisfied customers?
Next steps
If you’re ready to take the next step, contact A-LIGN today to begin your journey to SOC 2 compliance. The A-LIGN difference is:
- 17.5k+ SOC assessments completed
- #1 SOC 2 issuer in the world
- 200+ SOC auditors globally
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.