(skip this section if you have applied the methodology in steps 2 and 3 here)
First, here are some tips to help expedite certifications, including ISO 27001 and SOC 2.
I. AICPA SOC 2 Certification
When you engage an external auditor for SOC 2 Certification, know that the auditor will provide you with a set of Internal Controls when they complete the SOC 2 Type 1 report.
Preparing for SOC 2 Type 1 only requires that you list the documentation/evidence that you have in place to demonstrate that you are implementing the required controls. Evidence collection for certification will not typically begin until your auditor has created the SOC 2 Type 1 report.
Once your SOC 2 Type 1 report has been created, you can upload it in the 1Risk Platform as your set of internal controls and your PBC (provided by client) evidence list.
The 1Risk platform can then integrate with your systems or send automated notifications out to evidence owners to begin the documentation process for your certification.
Auditors are then provided access to our system to view and validate your evidence.
II. ISO/IEC 27001 Certification
Follow Step 2a and 2 or 3 above to identify your controls in-scope for ISO Certification.
Once your ISO controls have been migrated from the Control Library, ISO does not require amended internal controls to be written for certification. We DO RECOMMEND that you write internal controls; however, you may choose to do this during a surveillance audit year, once you have automation established on the 1Risk Platform.
ISO auditors will focus on the documentation you can provide to verify the implementation of each of the control requirements outlined by ISO that are in-scope for your organization.
NOTE: Remember, with ISO, you are REQUIRED to submit a SOA (Statement of Applicability) that describes why each control is in scope or NOT in scope for audit.