Below are some frequently asked questions about SOC 2 and ISO 27001 reports:
Q: Does CyberGRX accept pre-existing audits or reports in lieu of completing their assessment?
A: No, CyberGRX is unable to accept pre-existing audits or reports in place of completing the assessment.
Q: Does CyberGRX accept pre-existing audits or reports for the validation portion of the assessment?
A: Yes, CyberGRX can accept pre-existing audits or reports for validation, including SOC 2 Type II and ISO 27001. However, the pre-existing audit and/or report must meet the following criteria:
- It is independently validated
- Tests and results are clearly documented
- The report is current (within the past 12 months)
- It covers the scope of the controls
- For ISO 27001, the Statement of Applicability is included
Q: How many controls can my SOC 2 or ISO 27001 report cover?
A: While viable audits or reports can potentially cover 50% to 70% of your controls, they typically do not cover the entirety of our requested controls. However, CyberGRX offers two rounds of validation so that additional evidence may be provided for controls that were not validated in the initial round.
Q: What if I do not want to provide any further evidence other than my pre-existing audits?
A: If you do not wish to provide any additional evidence, please notify your Assessment Coordinator and they can work with our Assessors to close things out and deliver your final report.
Q: What happens to the controls that are not validated by the pre-existing audits?
A: CyberGRX offers two rounds of validation so that additional evidence may be provided for controls that were not validated in the initial round. For any controls we are unable to validate in the final round due to lack of evidence, the report will read "Not Validated."