Gap Assessment & Internal Audit

Independent evaluation against your chosen framework with clear findings and auditor‑ready documentation. For ISO, we can conduct the assessment as a formal internal audit so it satisfies certification requirements.

Book Your Free Consultation

Who This Is For

Audit Coming Up

You have an external audit on the calendar and need an independent pre‑check to surface issues early.

Annual ISO Requirement

You must perform an internal audit (ISO 27001) and want it executed in line with ISO 19011, with proper audit artifacts.

SOC 2 | ISO 27001 | ISO 27701 | ISO 42001 | HIPAA | NIST CSF

First‑Time Certification

You’re pursuing SOC 2 or ISO 27001 for the first time and want a reality check before investing in implementation.

What You Get

Focused on evaluation and evidence. We identify gaps and provide auditor‑ready documentation. Remediation guidance and implementation support are available separately under Readiness Projects.

Findings & Evidence

  • Findings register listing each gap vs. requirement/control

  • Evidence references (where we looked, what we sampled)

  • Severity/priority tagging for triage

Management Briefing

  • Executive‑level summary of current posture

  • Top findings & risks by theme

  • Suggested next steps (high‑level only)

Audit Artifacts

  • For ISO: internal audit plan, program, scope, and report (ISO 19011 aligned)

  • Interview notes and sampling methodology

  • Nonconformity statements (where applicable)

Audit‑Ready Packaging

  • Clean document set ready for your external auditor

  • Indexing/labels that map to framework requirements

  • Optional: brief handoff call with your auditor

How It Works

1) Kickoff

  • Confirm framework & scope (systems, teams)

  • Access to policies, evidence sources, tools

  • Schedule interviews & sampling windows

2) Evidence Review

  • Document & system sampling

  • Stakeholder interviews

  • Control walkthroughs

3) Findings & Report

  • Findings register compiled & validated

  • ISO internal audit report (if applicable)

  • Management summary prepared

4) Handoff

  • Report delivery & walkthrough

  • Auditor‑ready package provided

  • Optional liaison call with your auditor

5) Optional Next Step: Readiness & Implementation

(for clients who want help beyond the audit)

  • Translate findings into a prioritized remediation plan

  • Draft/update policies & procedures

  • Control design & workflow alignment

  • Project management support

6) Ongoing Support: Compliance as a Service (CaaS)

(for clients who want full continuous coverage)

  • Year-round internal audit & monitoring

  • Risk assessments & vendor risk management

  • Control testing & evidence collection

  • Liaison with auditors for external certification

Typical Timeline

Small Scope

1–2 weeks (single product/team, limited systems)

Standard Scope

3–4 weeks (typical mid‑size, 2–3 systems & teams)

Complex Scope

5–8 weeks (multi‑region, regulated data, many systems)

Outcomes You Can Expect

Clarity

Precise picture of where you meet requirements — and where you don’t.

Efficiency

Skip wasted cycles. Focus remediation on the true gaps before your external audit.

Audit Confidence

ISO clients walk away with formal internal audit documentation that external auditors accept.

FAQ

Do you provide remediation guidance?

Within this engagement we deliver findings and high‑level next steps only. Detailed remediation planning and implementation support are available separately under Readiness Projects.

Can this replace the ISO internal audit requirement?

Yes. If you’re pursuing ISO 27001/27701/42001, we can conduct the work as a formal internal audit (aligned to ISO 19011) so you meet the annual requirement and get a gap view at the same time.

Will you manage our readiness/implementation?

That’s a separate engagement. Many clients start here, then extend into a Readiness Project for remediation and certification prep.

Which frameworks do you cover?

SOC 2, ISO 27001, ISO 27701, ISO 42001, HIPAA, and NIST CSF are the most common. Ask us about others.

Can you speak with our external auditor?

Yes. We can join a brief handoff call to ensure context and evidence mapping land cleanly with your auditor.

What access do you need?

Policy documents, system screenshots/exports, and brief interviews with owners for in‑scope controls. We’ll align this during kickoff.

Ready to schedule your assessment?

Book a consultation to confirm scope and dates. If you’re on ISO, we’ll structure it as your formal internal audit.
