The ability to prove your security posture sets the stage for expansion and long-term success. That’s where SOC 2 comes in. SOC 2 compliance not only demonstrates your commitment to safeguarding customer data but also positions your business for growth. By meeting this industry standard, organizations can confidently expand into new markets, secure larger deals, and build a foundation for long-term success.
What is SOC 2?
SOC 2 is an independent attestation meant to confirm the presence and effectiveness of controls related to the security and privacy of customer data. It is designed to be flexible and relevant to a variety of businesses, from startups to global enterprises. What sets SOC 2 apart isn’t just its focus on controls; it instills confidence in your stakeholders, providing concrete evidence that your systems and policies are operating as intended.
What are the benefits of SOC 2?
Treating SOC 2 as a value driver rather than a hurdle shifts the growth equation. These are the main benefits:
Accelerate sales cycles
With SOC 2, many prospects will accept your report in place of lengthy security questionnaires, allowing you to close contracts faster.
Unlock larger deals
For many enterprise buyers, especially in regulated industries, SOC 2 is non-negotiable. Without it, you may not even be allowed to compete.
Build customer trust
A SOC 2 report provides third-party validation that your company safeguards sensitive data, which is crucial in winning over new clients and partners.
Mitigate security risks
The process of preparing for a SOC 2 audit helps organizations formalize security policies, identify gaps, and build operational maturity — reducing the risk of costly breaches.
Strengthen brand and market position
Promoting SOC 2 compliance demonstrates diligence and transparency, boosting your credibility and allowing you to compete with larger, established players.
Expanding into the U.S. market
SOC 2 is the most popular cybersecurity audit in the U.S. This attestation has become a baseline expectation, especially for software, SaaS, and service providers. U.S. enterprises look for SOC 2 as proof you take their data and compliance requirements seriously, often making it a prerequisite before you can onboard or even bid.
Your readiness for the U.S. market is ultimately tested by your ability to answer tough security questions, and nothing answers them faster than a clean SOC 2 report. That’s why global companies treat SOC 2 as a gateway to the U.S., knowing it will accelerate onboarding, reduce vendor scrutiny, and establish instant credibility.
Entering new industries
As you look to expand beyond your core market — whether it’s into finance, healthcare, government, or other highly regulated spaces — demonstrating that you can be trusted with sensitive and regulated data is imperative. These industries are governed by strict standards and oversight, making security and risk management a non-negotiable entry point.
SOC 2 equips you to meet these standards, not just with documentation but with third-party assurance that your control environment meets industry expectations. Financial partners value the maturity that comes with being audited to SOC 2 standards. Healthcare organizations look for your alignment with HITRUST and HIPAA through SOC 2’s confidentiality and privacy criteria. Even in emerging sectors, SOC 2 increasingly distinguishes reliable vendors from the rest.
Accelerate SOC 2 compliance with ISO 27001
If you’ve already achieved ISO 27001, you have a solid foundation to take on SOC 2. Both operate as strong frameworks for information security, and with nearly half of the control evidence overlapping, you can harmonize your audits to save time and reduce redundancy. Leveraging similarities between the two frameworks using a tool like A-SCEND will help streamline documentation and preparation, fast-tracking your path to dual compliance. Together, SOC 2 and ISO 27001 enable organizations to expand their reach, serving clients around the globe without being geographically restricted.
Driving growth through SOC 2
SOC 2 has become a powerful business enabler, opening doors to enterprise clients, shortening sales cycles, and reducing long-term risk. As the #1 SOC 2 issuer in the world, A-LIGN’s highly experienced auditors can provide your organization with guidance, tools, and a premium quality audit for your SOC 2 attestation.
Ready to get started on your path to SOC 2 certification? Reach out today to learn more.
CMMC 2026: Seizing the Initiative to Sustain Trust
In military doctrine, seizing the initiative means more than moving first: it means dictating the tempo, creating pressure, and forcing your adversary to respond to you. Victory is often found not in reaction, but in decisive action.
The same principle applies to cybersecurity in the Defense Industrial Base (DIB) and supply chain risk management. In 2026, as the Cybersecurity Maturity Model Certification (CMMC) Phase I matures across the ecosystem, the initiative will belong to contractors who can prove trust not just once, but continuously. Getting certified in CMMC is not the end — it’s the beginning of a three-year cycle that demands sustained readiness.
In an environment shaped by persistent adversaries and systems that support the world’s most capable military, the ability to demonstrate trust can’t be episodic. It must be repeatable, risk-informed, and actively sustained every day.
That’s the shift underway in the CMMC ecosystem and what the mission requires. Not a change in regulation, a change in mindset. From point-in-time certification to continuous assurance. From checklist compliance to readiness as a business function.
Certification is a critical milestone, not the end goal
For many defense contractors who are laser-focused on achieving CMMC certification, the path has been all-consuming: stand up controls, collect evidence, document processes, then pass the assessment. This laser focus is understandable. CMMC certification is the foundational milestone that signals eligibility to support Department of Defense (DoD) programs and establish trust.
But as more organizations achieve certification in 2026, a realization is setting in: what many thought was the goal was just the starting point. Once certified, they discover the affirmation requirements they may not have fully appreciated during the intensity of preparation. The CMMC Program and Final Rule makes this explicit: certification establishes a point-in-time posture, but maintaining contract eligibility requires ongoing accountability.
That’s where annual affirmation comes in — the newly codified requirement for senior leaders to attest that their organization remains compliant long after the assessment ends. This is not a formality, but a leadership obligation with legal weight.
Affirmation: The new trust accountability layer
Under 32 CFR § 170.22, every certified organization, prime or subcontractor, must designate an Affirming Official to enter an annual affirmation in the DoD’s Supplier Performance Risk System (SPRS). That individual, a senior leader within the Organization Seeking Assessment (OSA), must legally attest that the CMMC security requirements are not only implemented, but maintained continuously. The annual affirmation in SPRS puts that accountability on record. And in doing so, it introduces a new layer of trust validation, one that is not periodic but persistent.
When we conduct CMMC assessments at A-LIGN, we engage the OSA and Affirming Official early in the process. We want them to understand not just what’s required to achieve certification, but what’s required to maintain it across Years Two and Three.
The key point here is that while a CMMC assessment validates at a moment in time, it’s the affirmation that validates the program over time.
The window between assessments is the new risk surface
CMMC Level 2 assessments remain the benchmark for certification across the DIB, and the progress made by hundreds of organizations to date is significant and commendable. But as every defense contractor knows, posture doesn’t preserve itself.
As a Lead CMMC Assessor, I’ve returned to organizations months after certification, and what I see is a pattern. Programs were designed to survive an assessment, not operate as a sustained business function. Evidence was collected because it was required, not because it was generated continuously. Controls were statically implemented but not really embedded into daily operations. The systems change, staff turns over, controls degrade, and requirements evolve.
Across a three-year cycle, the distance between “we passed” and “we’re mission ready” can grow dangerously wide and introduce significant risk to the supply chain and mission. That’s why Year 2 and Year 3 of the certification cycle aren’t downtime — they’re critical and where assurance is sustained, posture is defended, and trust is continually validated beyond the formal assessment.
Continuous assurance: Implementation and validation
This is the practical definition of continuous assurance: The ability to verify cybersecurity readiness between assessments, not through constant reinspection, but through repeatable evidence, periodic validation, defensible reporting, and intentional governance aligned to mission and business risk.
Continuous assurance has two components:
- Implementation: the ongoing execution of security controls, embedded into daily operations, not episodic compliance activities.
- Validation: the periodic confirmation that those controls remain effective across the lifecycle, through internal reviews, testing, and governance aligned to risk.
Together, these components provide the evidence and confidence the Affirming Official needs to attest that posture holds not because someone told them it does, but because they can verify and validate it.
The DoD is already operating this way
This evolution isn’t theoretical — it’s operational. In 2024, the DoD introduced the Cybersecurity Risk Management Construct (CSRMC), a next-generation risk model for lifecycle-aligned cybersecurity that goes far beyond compliance checklists. It integrates five phases, from architecture and engineering to monitoring and operations, all centered on continuous validation, not one-time approvals. This mirrors what’s being asked of contractors under CMMC.
The DoD’s own adoption of continuous Authorization to Operate models confirms an operational reality: point-in-time validation is no longer enough. Assurance must be ongoing, and posture must match the speed of mission need. The DoD sees the defense base as an extension of itself and has the same expectation for contractors that it has for its own systems.
What comes after certification?
This is the question leading contractors are starting to ask. They’ve completed assessments and stood up governance, but now they’re facing a new challenge: How do we sustain trust — operationally, defensibly, and continuously — between certification milestones?
That’s the new frontier for serious defense vendors across the supply chain. It’s not just about passing an assessment — it’s about showing up to the next proposal, the next contract renewal, or the next security review with clear, confident evidence that posture still holds. It’s no longer just a security conversation; it’s a business imperative.
Steve Simmons Appointed President of A-LIGN
Tampa, Fla. (January 13, 2026) – A-LIGN, the leading provider in cybersecurity compliance, has appointed Steve Simmons to serve as President. Simmons, who joined A-LIGN in 2014, served as A-LIGN’s Chief Operations Officer since 2021.
“Steve has excelled at leading our business through many chapters and he is the right person to assume this new position,” said Scott Price, CEO of A-LIGN. “His strong leadership and commitment to continuous improvement will be invaluable as we enter the next stage of A-LIGN’s evolution and expand our capacity to meet the increasing global demand for our services.”
In his new role as President, Simmons will oversee a broadened scope of day-to-day operations with a focus on executing A-LIGN’s 2026 strategic priorities. This includes driving international expansion across new geographies and services and further solidifying A-LIGN’s leadership in the Cybersecurity Maturity Model Certification (CMMC) assessment market. He will be responsible for integrating elevated strategy with seamless execution to ensure A-LIGN stays ahead of the industry’s most complex cybersecurity compliance needs.
At the core of this growth is the continued evolution of A-SCEND, A-LIGN’s proprietary audit management platform. “What excites me most is the opportunity to shape A-LIGN’s future in a rapidly evolving landscape where technology and compliance are merging,” said Simmons. “We are focused on unlocking new possibilities by leveraging A-SCEND’s AI-powered automation to not only drive growth and innovation, but to ensure world-class retention.”
This leadership appointment comes as A-LIGN has completed a banner year in 2025 with a strategic investment from Hg, which confirmed its status as a unicorn and added new board members. This new organizational structure will empower Price to focus on external strategic priorities including customers and partners, while continuing to set overall vision, and Simmons’ operational expertise provides the foundation for A-LIGN to scale its enterprise-grade audit experience through deeper GRC integrations and technology-led delivery.
“I joined A-LIGN when we were fewer than 30 employees and being part of that journey has shaped my leadership,” said Simmons. “As we look ahead, I’m excited to build on those lessons as we expand our services, enter new markets, and continue advancing our A-SCEND technology to elevate our goal of delivering a frictionless, high-quality experience that moves compliance from a point-in-time hurdle to a continuous strategic advantage for our clients.”
About A-LIGN
A-LIGN is the leading cybersecurity compliance partner, trusted by over 6,400 organizations worldwide to navigate the complexities of compliance, audit, and risk. With a tech-enabled delivery model and deep domain expertise, A-LIGN has completed more than 36,000 audits. It is the #1 issuer of SOC 2 reports and a top three FedRAMP assessor. Founded in 2009, A-LIGN delivers high-quality, efficient audits across frameworks including SOC 2, ISO 27001, FedRAMP, CMMC, ISO 42001, PCI, and HITRUST. To learn more, visit: https://www.a-lign.com.
A Guide to CMMC Level 1 Compliance
For defense contractors, Cybersecurity Maturity Model Certification (CMMC) is a requirement for securing government contracts. With three levels outlined by the Department of Defense (DoD), many organizations find themselves unsure about which level applies to them and whether they can self-assess or need a Certified Third-Party Assessor Organization (C3PAO). This guide outlines CMMC Level 1, providing clarity on its requirements and helping you determine the right level for your business.
What is CMMC?
CMMC is designed for defense contractors and subcontractors within the Defense Industrial Base (DIB) who manage Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC 2.0, finalized in December 2024, streamlines the framework into three levels of compliance, each tailored to the sensitivity of the information being handled:
- Level 1 (Foundational): Focuses on basic cybersecurity practices for organizations handling FCI. Compliance is demonstrated through annual self-assessments.
- Level 2 (Advanced): Designed for organizations managing CUI, this level aligns with the 110 practices outlined in NIST SP 800-171. CUI handlers require third-party assessments every three years.
- Level 3 (Expert): Reserved for the most sensitive programs, this level incorporates additional requirements from NIST SP 800-172 on top of CMMC Level 2 certification and mandates direct assessments by the DoD.
Who needs CMMC Level 1?
Organizations can pursue Level 1 over Level 2 certification if their DoD contracts do not require them to handle CUI. Since certification levels are strictly determined by data types rather than organization size, Level 1 is the standard for businesses or subcontractors who do not handle higher categories of DoD information but are still critical for overall supply chain security — especially those that provide goods or services that do not involve sensitive or classified defense data.
The key determinant in choosing Level 1 is the nature of the information you access: Level 1 is designed for companies that only need to meet the minimal threshold of protecting FCI. However, if your business objectives evolve, and you anticipate handling CUI or expanding into more sensitive DoD projects, you may consider preparing for Level 2 to facilitate future growth.
Ultimately, the decision to pursue Level 1 compliance or Level 2 certification depends on your current needs and long-term business goals.
Understanding CMMC Level 1
CMMC Level 1 is considered the baseline for organizations looking to work with the DoD and is referred to as the “Foundational” level. Its core objective is to ensure companies have established basic cyber hygiene practices to protect FCI — which is information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service. It does not include information provided by the government to the public (such as on public websites) or simple transactional details like payment information.
Unlike Level 2 and above, which address CUI with advanced controls, Level 1 focuses on preventing common cyber threats like phishing, basic malware, or unauthorized access.
To meet Level 1, organizations must implement the 17 security controls outlined in Federal Acquisition Regulation (FAR) 52.204-21. The 17 requirements fall into six key domains:
- Access control: Restrict system and information access to authorized users only.
- Identification and authentication: Verify user identities before granting system access.
- Media protection: Safeguard and securely dispose of media (e.g., USB drives, hard drives) containing FCI.
- Physical protection: Restrict physical access to systems and equipment to authorized personnel.
- System and communications protection: Control and monitor communications at system boundaries.
- System and information integrity: Detect and address system vulnerabilities promptly.
Unlike higher CMMC levels, Level 1 does not require extensive documentation of processes. Instead, it focuses on the actual performance of these essential security practices. Organizations seeking Level 1 compliance are permitted to conduct an annual self-assessment, making it a more accessible and cost-effective path for businesses that handle FCI but do not manage sensitive CUI data.
When do you need a C3PAO?
It’s important to understand when the involvement of a C3PAO becomes necessary within the CMMC framework. A C3PAO is an accredited firm authorized by The Cyber AB to conduct official CMMC assessments for higher certification levels such as Level 2. For organizations pursuing Level 1 certification, the self-attestation model means hiring a C3PAO is not required. However, if your organization plans to handle CUI or bid on contracts that include CMMC Level 2 requirements, a C3PAO assessment becomes mandatory.
That said, just because a C3PAO isn’t mandatory for Level 1 doesn’t mean you can’t seek outside help. Engaging a C3PAO to independently assess your compliance with the 17 Level 1 requirements can add assurance that your self-attestation to meeting these controls is accurate.
Getting started with CMMC Level 1
Achieving CMMC Level 1 compliance is an important milestone for organizations looking to work with the DoD. To do this, you will report your self-attestation score directly to the DoD through its Supplier Performance Risk System (SPRS). The SPRS website offers tutorials and walkthroughs to guide you through the process.
By understanding the requirements, properly conducting and reporting your self-assessment, and seeking expert guidance when needed, your business can stay compliant and position itself as a reliable partner in the defense supply chain.
Ready to begin your CMMC journey? Reach out today to learn more.
CMMC Success: Top Five Lessons from Actual Level 2 Assessments
As 2025 comes to a close, the Defense Industrial Base is entering a new phase of cybersecurity accountability. CMMC Level 2 certification is no longer theoretical or aspirational. For many organizations, it is becoming an operational reality with real contractual consequences.
As the CMMC Market Leader and a Lead Assessor for leading C3PAO A-LIGN, I’ve seen this shift firsthand through dozens of successful CMMC Level 2 assessments across a wide range of defense contractors. That concentration of activity has provided a clear and sometimes sobering view into what actually drives success, where organizations consistently struggle, and which patterns are emerging as we approach 2026.
In this blog, I’ll share real-world lessons from the assessments I have experienced so far. These are not abstract best practices. They are lessons earned from real environments, real leadership teams, and real certification outcomes.
Lesson one: Scope was treated as strategy, not documentation
In every successful assessment, scoping decisions were made deliberately and early. Leaders treated scope not as a compliance form to complete, but as an architectural and operational decision that shaped everything that followed.
Successful organizations invested the time to understand where Controlled Unclassified Information truly flowed, how responsibilities were divided between internal teams and service providers, and where separation and segmentation needed to be enforced. Those decisions were socialized across engineering, IT, security, and leadership long before assessment week began.
Organizations that struggled often approached scope as paperwork: something to rush and guess so the “real work” could start. That mindset consistently led to confusion, rework, or unexpected exposure during assessment activities.
As certification activity accelerates, assessment boundary clarity and scoping are proving to be one of the strongest predictors of readiness.
Tip: Take time to get your scope rock solid; everything flows from that foundation.
Lesson two: Documentation reflected reality, not aspiration
None of the organizations that passed had perfect documentation. What they did have was documentation that matched how their environments operated.
System Security Plans described real processes, real enforcement, clear ownership, and current system behavior. The documents were not overly polished, but they were accurate. That mattered more than volume or formatting.
When organizations encountered difficulty, it was usually because documentation described how the system should work rather than how it operated in practice. Those gaps surfaced quickly when validation began.
As we move into 2026, documentation quality will increasingly be defined by alignment with reality, not by length or complexity. I recommend following this rule:
Tip: Say what you do, do what you say.
Lesson three: Evidence was managed as an operational discipline
There is a key indicator across all my recent successful assessments: evidence of control maturity emerged as one of the clearest differentiators of readiness.
Organizations that performed well treated evidence as part of ongoing operations, not as a task reserved for assessment week. Artifacts were mapped to requirements ahead of time, validated for currency, and organized in a way that reduced ambiguity for both internal teams and assessors.
That preparation paid dividends. Assessments moved more efficiently, discussions stayed focused on substance, and friction was significantly reduced.
By contrast, evidence chaos — incomplete artifacts, unclear ownership, or last-minute assembly — remained one of the most consistent predictors of assessment difficulty.
Tip: Use your self-assessment processes to validate control evidence before your external assessment. Be familiar with what you used to validate your control performance.
Lesson four: Shared responsibility was clearly understood and documented
Cloud adoption and managed services are now the norm across the DIB, which makes shared responsibility one of the most misunderstood areas of CMMC readiness.
Successful organizations did not rely on assumptions. They documented which controls were inherited, which responsibilities remained internal, and what their service providers were accountable for delivering. More importantly, they could demonstrate those responsibilities through evidence and ongoing management.
This clarity extended to identity, boundary protection, logging, monitoring, and incident response. When shared responsibility was explicit and validated, assessments proceeded smoothly. When it was vague, gaps and confusion emerged quickly.
In 2026, organizations that proactively close the seams between vendors, platforms, and internal operations will be far better positioned for certification.
Tip: Everyone relies on someone else; that’s the nature of our connected world. Understanding those relationships is key to your CMMC success.
Lesson five: Leadership behaviors predicted success before any control was reviewed
Perhaps the most consistent insight from recent assessments had little to do with technology and everything to do with leadership.
In every successful engagement, leadership behaviors and engagement were visible from the start. Roles were clear. Teams were prepared. Discussions were calm, structured, and grounded in fact. Executives understood their environment well enough to speak confidently about scope, ownership, teams, and priorities.
CMMC Level 2 is often framed as a technical standard. In practice, it functions just as much as a leadership and governance standard. Organizations that treated CMMC as a one-time project struggled. Those that treated it as a sustained readiness discipline succeeded.
Tip: Leadership buy-in and support is perhaps the biggest and most consistent predictor of success.
Looking ahead: Modernization will shape CMMC success in 2026
Beyond these five lessons, a broader shift is becoming clear. Organizations that move faster and with less friction are modernizing how they approach compliance.
We are seeing early adoption of machine-readable documentation through OSCAL, reduced reliance on screenshots, increased use of configuration telemetry, stronger identity governance, and greater automation in evidence collection. These capabilities are not yet universal, but the trajectory is clear.
As certification activity scales, maturity and modernization will increasingly separate organizations that struggle from those that sustain readiness.
Final thought
The mission continues: CMMC success is not a milestone; it’s a mindset. As we head into 2026, CMMC readiness will belong to organizations that treat compliance as an operational discipline, embrace modernization, and lead with clarity and collaboration. Ready to begin your journey in CMMC compliance? Reach out today to learn more.
Your Guide to PCI DSS Certification
Protecting customer cardholder data is crucial for merchants that store, process, or transmit this data, and for other companies that can impact the security of this valuable information. The standards that help companies protect this data are cumbersome and prescriptive by design: following them ensures cardholder data is properly protected and allows entities to demonstrate sound security controls to customers and banks, which builds trust.
Read on to learn about PCI DSS and how it protects valuable customer data.
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is the only accepted standard that is run and enforced by the payment card industry itself. It consists of a set of policies and procedures for organizations that handle, or affect the security of, credit, debit, and card-branded cash card transactions, and is intended to ensure the protection of cardholders’ personal information.
What is PCI SSC?
The PCI Security Standards Council develops and implements security standards for PCI DSS and other certifications. This group aims to drive education, awareness, and implementation of effective frameworks by its stakeholders.
What are the principles of PCI DSS?
There are 12 principal PCI DSS requirements that roll into six principles:
Build and maintain a secure network and systems
- Install and maintain network security controls
- Apply secure configurations to all system components
Protect account data
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
Implement strong access control measures
- Restrict access to system components and cardholder data by business need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
Regularly monitor and test networks
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
Maintain an information security policy
- Support information security with organizational policies and programs
These processes help protect cardholder data from bad actors and ensure that companies with this information have done their best to shield their environment from potential attacks.
Why is PCI DSS important?
Earning a PCI DSS Report on Compliance (RoC) certification demonstrates your organization’s commitment to payment card data security and identifies the level of validation you have achieved. Failing to maintain PCI DSS compliance can result in fines ranging from $5,000 to $100,000 per month, depending on the size of the company and the scope of noncompliance. Additionally, fines and penalties are even greater for organizations that experience a security incident.
Who should get a PCI DSS certification?
PCI DSS was developed for companies that store, process, or transmit sensitive credit card data. PCI DSS can also apply to companies that provide services to organizations that maintain their own Card Data Environments (CDE). If you affect the security of a CDE or your client’s CDE, then you can be brought into scope for a PCI DSS assessment.
The most common recipients of PCI DSS include:
- Retailers
- Ecommerce platforms
- Payment processors
- Payment BPO providers (e.g. Call Centers)
Who needs a Report on Compliance?
Your organization’s level of complexity and transaction volume will determine the level of validation you will need to comply with according to the Card Brands’ validation requirements. There are four merchant levels and two service provider levels:
- Level 1: Merchants that process over 6 million and Service Providers handling over 300,000 individual card transactions per year.
- Level 2: Merchants that process between 1 million and 6 million and Service Providers under 300,000 individual transactions per year.
- Level 3: E-commerce merchants that handle between 20,000 and 1 million transactions per year.
- Level 4: Merchants that handle fewer than 1 million transactions per year and e-commerce merchants with less than 20,000 transactions per year.
Merchants should check with their acquirer to confirm their current merchant validation level. Levels 2, 3, and 4 are eligible to complete a Self-Assessment Questionnaire (SAQ). However, some level 2 payment channels (e.g. e-commerce) may be required to be attested by a QSA or ISA. Meanwhile, merchants that fall into Level 1 will need to complete a RoC, which is an on-site assessment conducted by a Qualified Security Assessor (QSA) to establish PCI DSS compliance. Nothing prohibits a lower-level merchant or service provider from achieving a Level 1 RoC and many Service Providers that technically meet level 2 status conduct an annual Level 1 RoC to meet customer validation expectations.
How long does it take to complete a PCI DSS assessment?
The preparation phase typically takes six to eight months for a first assessment and three to four months for a renewal. The time needed for the assessment itself varies with the organization's environment: its processes, number of locations, and the size and scope of its infrastructure.
For large entities, PCI DSS is effectively continuous: as soon as one assessment ends, preparation for the next year's begins. Smaller entities usually have less to maintain between assessments, but the requirements still apply year-round, not just at audit time.
Steps to achieving PCI DSS certification
Learning the steps to earning PCI DSS certification is an essential part of the process. Being well prepared for this process can set your organization up for success.
- Understand requirements: Familiarize yourself with the requirements of PCI DSS and consider how they will impact your organization. Are there obvious gaps in your environment? Do you have an information security policy? How many transactions do you process each year? Which level of merchant does that make your organization? Learning about the PCI DSS requirements and how they show up in practice is the first step to compliance.
- Conduct a risk assessment: Conducting a formal risk assessment will inform your strategy going forward. These assessments identify vulnerabilities and their level of risk to your environment, giving your organization a baseline for your level of security, areas for improvement, and conformity to PCI DSS requirements.
- Address gaps, implement changes: Remediating identified gaps ahead of the formal assessment puts your organization on the right track for PCI DSS certification.
- Engage with a Qualified Security Assessor: Depending on your validation level, you may be able to validate with an SAQ. If your organization is a Level 1 merchant as defined above, you will need to work with a QSA to complete a formal RoC and receive your PCI Attestation of Compliance (AOC). Choose a QSA that won't just check the box but will set your organization up for success. Check out our list of six qualities to look for in a QSA.
Getting started with PCI DSS
If you’re ready to begin your journey to PCI DSS compliance, contact A-LIGN today to get started. The A-LIGN difference is:
- 2k+ PCI assessments completed
- 96% customer satisfaction rating
- 20+ years of experience
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
Don’t Let Regulatory Uncertainty Delay Your AI Governance
Many organizations are questioning whether to act now on AI governance or wait for final clarity on enforcement dates, particularly with the EU AI Act. The proposed delays in enforcement have introduced hesitation, as organizations are uncertain about the final requirements and timelines. However, the underlying governance expectations are not going to change. Developing a quality management system (QMS) for high-risk AI is a process that requires slow and steady work. Evidence must be accumulated, roles must mature, and cross-functional routines need to be established. None of these foundational elements can be rushed in the final months before an enforcement deadline.
Although the consequences may feel distant and abstract, this blog outlines the risks of inaction and the tangible benefits of starting early.
Understanding the High-Risk AI QMS Standard
The High-Risk AI QMS Standard is the harmonised standard supporting the EU AI Act's requirement (Article 17) that providers of high-risk AI systems operate a quality management system. It demands structured, repeatable, and risk-based practices across the entire AI lifecycle: clear documentation of decisions, complete traceability from data to model to deployment, and a controlled workflow in which every review, evaluation, approval, and monitoring activity leaves an auditable trail. These are fundamental management responsibilities, not technical add-ons. You cannot meet them with last-minute documentation or a single, frantic compliance sprint; you meet them by building consistent habits, which only form when governance and engineering teams work together long before the regulation takes effect.
Why waiting is a flawed strategy
When leaders hear about a proposed regulatory delay, they often assume they have gained time. In reality, the workload remains constant. The only thing that changes is the cost and pressure of completing it.
Waiting to establish AI governance creates three predictable problems:
1. Lack of evidence for regulators and customers
Imagine a financial services firm using a credit decision model across multiple markets. A supervisor requests the model’s evaluation record, but the team can only produce a single performance chart with no version history, no justification for the dataset used, and no record of who approved its deployment. The risk officer is now facing a regulatory issue that cannot be fixed retroactively. This scenario will become common for unprepared organizations.
2. Lost revenue from procurement failures
By 2026, large buyers in regulated industries will require their vendors to provide an AI system inventory, documented controls, and a clear governance narrative. A health tech firm, for example, might be disqualified from a bid because it cannot demonstrate that its diagnostic models were developed under a controlled process. A competitor that invested in governance earlier will win those contracts.
3. Technical teams hitting a maturity wall
Engineers who have never operated under a controlled development regime need time to adjust. If you introduce process discipline and documentation requirements late, teams will likely push back. This resistance can slow down delivery at the exact moment when compliance pressure is at its peak. These failures are not hypothetical; they follow the same pattern seen in every other regulated domain. Organizations that wait inevitably end up with rushed documentation, repeated rework, and expensive remediation projects.
Delivering value before enforcement deadlines
Executives often ask about the immediate business case for investing in AI governance. The benefits arrive long before any regulatory deadline.
- Faster procurement cycles. Complete enterprise procurement questionnaires more efficiently.
- Higher investor trust. Address board-level questions about AI exposure with confidence.
- Better regulatory preparation. Be ready for questions from regulators before formal supervision begins.
- Stronger engineering discipline. Improve system reliability and reduce unplanned incidents.
- A compelling narrative. Position your company as a prepared and responsible leader, not a reactive follower.
These benefits are not tied to an enforcement date; they are directly linked to the maturity of your management system.
How ISO 42001 provides a foundation
ISO 42001 provides the essential foundation for this work, serving as a blueprint for responsible and scalable AI compliance across organizations. The standard requires organizations to define their context, roles, risks, and controls, ensuring a structured approach to AI governance. It also mandates performance measurement and a commitment to continuous improvement, enabling organizations to build trust and demonstrate ethical AI practices.
The High-Risk AI QMS Standard builds directly on this structure. Think of ISO 42001 as the scaffolding for your AI management system. The High-Risk AI QMS Standard then defines the specific operating procedures for those systems that carry the most significant risk. Together, they form a comprehensive system of control. Neither can be implemented effectively if introduced late in the game.
What your organization should do now
A strong start doesn’t require a massive, complex program. It begins with clarity and ownership.
Your 90-Day plan
First, focus on creating a solid foundation.
- Create a provisional AI system inventory. List all the AI systems currently in use or development.
- Classify AI systems by risk. Pinpoint two or three systems that are likely to qualify as high-risk under upcoming regulations.
- Assign ownership. Appoint a single, accountable executive for each of these high-risk systems.
- Implement change control. Establish a basic process for managing model updates.
- Create a minimum record set. Start documenting data decisions, evaluation choices, and deployment approvals to ensure traceability.
This initial work provides the groundwork needed to align with both ISO 42001 and the High-Risk AI QMS Standard.
Your 12-Month plan
After the first 90 days, you can expand these initial efforts into a fully functional AI management program.
- Formalize governance. Develop and approve official policies and governance charters.
- Build cross-functional workflows. Create integrated processes for risk assessment, model evaluation, and approvals involving all relevant teams.
- Train your teams. Educate engineering, product, and risk teams on documentation discipline and lifecycle control.
- Strengthen supplier oversight. Develop processes for managing third-party risks from foundation models, hosted services, and data pipelines.
- Conduct a mock assessment. Run a full internal audit against ISO 42001 and the High-Risk AI QMS Standard to identify gaps.
- Mature your processes. Use the findings from your assessment to improve monitoring, incident response, and performance measurement.
This structured approach creates a living governance environment that can be audited with confidence.
While ISO 42001 is an ideal first step toward holistic AI compliance, not every organization may feel ready to pursue a full certification. For those seeking more tailored or incremental approaches, there are options to address specific needs:
- AI Model Audit: For organizations needing focused assurance on a specific AI product, a model audit offers independent validation of its performance, testing, and system-level controls. It is a faster, more targeted attestation that demonstrates due diligence without the complexity of a full certification.
- HITRUST AI: For organizations in healthcare and other sectors handling sensitive data, HITRUST offers AI-specific assessments and certifications. These add-ons help validate that security controls and processes are tailored to protect data within an AI environment.
The leadership decision
Many organizations believe they can delay action on AI governance, but this approach will inevitably lead to rushed audits, lost deals, and unnecessary compliance costs. By starting now, leaders can distribute the workload over a manageable timeline, building competence and confidence instead of scrambling under pressure. Organizations that act early will be ready to meet regulatory standards with evidence that naturally emerges from their daily operations.
Deadlines may shift, but expectations will not. Success will belong to those who prepare steadily and proactively.
ISO 27701 Updates: What You Need to Know
ISO/IEC 27701 is now a standalone standard, no longer tied to ISO 27001. What does your organization need to know about the change? Read on to learn about key changes to the framework, a new standard for certification bodies, and the timeline for compliance with a reimagined ISO 27701.
ISO 27701:2025: Privacy management goes independent
Historically, ISO 27701 existed as an extension of ISO 27001: the first edition, ISO/IEC 27701:2019, could only be certified alongside an ISO 27001 certification. The 2025 revision transforms it into a standalone standard, making privacy certification more accessible. The new releases are:
- ISO/IEC 27701:2025 (Edition 2): A complete overhaul of the Privacy Information Management System (PIMS) standard
- ISO/IEC 27706:2025: New guidance for certification bodies (CBs) auditing against the PIMS standard
Key changes to ISO 27701
Beyond the obvious change to an independent, standalone standard, there are a few key changes to the ISO 27701 standard including:
- Standalone certification: Organizations can now become compliant with ISO 27701 without needing ISO 27001
- Restructured framework: Clauses 4–10 now follow the harmonized structure of ISO management system standards, tailored for privacy
- Annex A consolidation: Controls for PII Controllers and Processors are unified into A.1, A.2, and A.3
- New Annex B: Implementation Guidance offers practical steps for applying privacy controls
- Expanded scope: Includes biometric data, health data, IoT, and AI-related privacy risks
ISO/IEC 27706:2025: Certifying the certification bodies
The requirements that ISO certification bodies must meet have also changed, with ISO/IEC 27706:2025 replacing the CBs' current standard, ISO/IEC TS 27006-2:2021. Updates include:
- Full standard status: ISO 27706 is now a formal international standard
- Aligned with ISO/IEC 17021-1: Ensures consistency with global management system certification practices
- Annexes A, B, and C: Provide guidance for audit planning, competence requirements, and assessment methodologies
- Improved trust & transparency: Enhances credibility and global recognition of PIMS certifications
What does this mean for you?
Depending on your status as a certification body or organization earning certification, these changes mean different things.
For organizations
If you’re an organization seeking ISO 27701 certification and it’s the only standard you need, you can now pursue it independently of ISO 27001, which will reduce costs and complexity.
If your organization is already ISO 27701 certified, you’ll need to conduct a transition audit sometime over the next three years. This will ensure that your environment is compliant with the changes to the ISO 27701 standard ahead of the 2028 deadline.
For certification bodies
ISO 27706 gives your certification body a clear framework for reliable PIMS audits. CBs will need to undergo a transition audit with their accreditation bodies to confirm they are qualified to audit against the new standard. CBs should also communicate with their ISO 27701-certified clients about the transition audit process to prevent any lapses in certification.
ISO 27701 transition timeline
Organizations will have time to make changes to their environment ahead of the October 2028 deadline for compliance. Here’s the complete timeline for implementing the new ISO 27701 standard:
- Publication date: October 14, 2025
- Transition period: Three years from publication
- Deadline for transition: October 2028
- Certification guidance: Official transition rules from accreditation bodies (e.g., IAF, ANAB, UKAS) are expected within 1-3 months post-publication
Recommendations
Don’t delay, create a plan now to ensure your organization has enough time to prepare for its transition audit. We recommend that organizations that are ISO 27701 certified take the following actions:
- Purchase the standard: Within the ISO website, companies should purchase the standard to understand all of the clauses and annex controls that have been developed for the new standard.
- Conduct a gap analysis: This lets your team identify the differences between your current level of compliance and the new standard. Identifying and remediating these gaps before your transition audit is key to avoiding a lapse in certification.
- Update your PIMS documentation and controls: Make these changes sooner rather than later so your team is fully prepared for your organization’s transition audit. Remaining gaps could become an issue as the deadline for compliance approaches.
- Perform an internal audit and management review: After implementing the necessary changes, ensure compliance with the new requirements through an internal audit and a management review as scheduled by your organization.
- Consult your certification body for specific transition procedures: Your CB should be a resource for you during this time of transition. Their auditors can help your organization plan an effective, efficient transition audit process.
Ready to learn more? Contact A-LIGN today to get started on your compliance journey.
A-LIGN Achieves Nine Years of Excellence on Seminole 100 List
A-LIGN has secured a place on the 2026 Seminole 100 for the ninth consecutive year – earning a spot on the list every year since its inception in 2017.
The annual Seminole 100 list honors the fastest-growing businesses owned or led by alumni of Florida State University. Companies are ranked based on their compound annual growth over the last three years.
“Being recognized on the Seminole 100 for the ninth consecutive year is a testament to our team’s dedication and the trust our clients place in us,” said Scott Price, CEO of A-LIGN. “As a proud Florida State alumnus, this recognition is an honor and reflects A-LIGN’s unwavering commitment to quality and innovation.”
A-LIGN's ranking comes as the organization celebrates a banner year with a strategic investment from the private equity firm Hg. This investment underscores A-LIGN's commitment to providing a superior, tech-enabled audit experience through its proprietary audit management platform, A-SCEND, which delivers trusted, high-quality compliance reports.
“These honorees exemplify the entrepreneurial spirit and resilience that define Florida State University,” said FSU President Richard McCullough. “Their accomplishments not only elevate their companies but also inspire the next generation of Florida State Seminoles to dream big and lead boldly.”
Honorees will be recognized in a ceremony on February 21 in Tallahassee, where the official ranked list will be unveiled.

