Managed security and compliance (ISO 27001, SOC 2, etc.)

1. From SOC 2 Type 1 Readiness to SOC 2 Type 2 Advisory Assessment

Client background

A technology company approached H-X Technologies with a clear business objective: to make its security, availability, and privacy controls understandable, structured, and demonstrable to enterprise customers, partners, and future independent auditors.

The client operated several systems supporting service delivery and needed a practical SOC 2 roadmap that would not remain a paper exercise. The goal was to build a control environment that could be shown to stakeholders, supported by real evidence, and later used as a foundation for a formal CPA-led SOC 2 attestation engagement.

Challenge

Before the project started, the client had already implemented many security practices, but they were not yet organized into a SOC 2-style control system. Policies, technical controls, operational processes, and evidence collection had to be aligned with selected Trust Services Criteria.

The main challenge was not only to prepare documentation. The client needed to demonstrate that controls were designed, implemented, and consistently operated over time. This required a transition from a Type 1-style readiness phase, focused on control design and implementation, to a Type 2-style assessment, focused on evidence of control operation during an observation period.

H-X approach

H-X structured the project in several stages.

Stage 1 — SOC 2 Type 1 readiness and control implementation

At the first stage, H-X helped the client define the SOC 2 scope, select relevant Trust Services Categories, and map the existing control environment to the applicable criteria. The agreed scope focused on Security, Availability, and Privacy.

H-X reviewed and helped structure core processes, including information security risk management, HR security, access management, change management, incident management, vendor management, and backup management.

The work included building a practical control framework, preparing policies and procedures, clarifying ownership of controls, and defining what evidence had to be retained. Particular attention was given to areas that usually create difficulties during SOC 2 preparation: access control, change management, incident response, monitoring, vendor oversight, business continuity, and privacy governance.

This phase gave the client a clear Type 1-style baseline: what controls existed, how they were designed, who was responsible for them, and what needed to be improved before a longer observation period.

Stage 2 — Stabilization and evidence collection

After the initial implementation phase, the client entered a longer operating period. During approximately six months, the focus shifted from documentation to execution.

H-X helped the client understand what evidence should be collected and retained: risk assessment records, access-related evidence, change approvals, incident handling records, monitoring outputs, vendor management evidence, backup and continuity documentation, privacy governance records, and other artifacts needed to demonstrate control operation.

This period was essential because SOC 2 Type 2 is not only about having policies. It is about proving that the organization follows them consistently.

Stage 3 — SOC 2 Type 2 Non-CPA Advisory Assessment

After the observation period, H-X performed an independent non-CPA advisory assessment of selected controls across three in-scope systems supporting the client’s service delivery.

The assessment covered Security, Availability, and Privacy criteria. H-X reviewed the maturity, design, implementation, and available evidence of the client’s controls. The work also included a domain-level view of governance and risk management, logical access and identity management, system operations and monitoring, change management / SDLC, risk mitigation / vendor management, availability, and privacy.

Results

The assessment confirmed that the client had achieved a strong level of readiness across most assessed areas.

The following strengths were identified:

  • comprehensive information security policy framework;
  • formalized risk management process;
  • established incident management process;
  • mature change management practices;
  • penetration testing program;
  • centralized endpoint management through Microsoft Intune;
  • security monitoring and logging capabilities;
  • documented business continuity and disaster recovery planning;
  • defined privacy governance practices;
  • strong documentation maturity across assessed domains.

Most assessed domains were rated as ready. The only partially ready domain was logical access and identity management, due to one important gap: the absence of retained evidence for periodic user access reviews.

H-X classified this issue as a medium-risk finding. The risk was that inappropriate or excessive access could remain undetected and that the client could face difficulties demonstrating effective control operation during a future independent CPA attestation.

Remediation roadmap

H-X recommended that management formalize and consistently operate periodic user access reviews. This includes defining review frequency, assigning responsible reviewers, documenting review results, approving required access changes, and retaining evidence for future assessments.
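As an added illustration (not part of the H-X engagement or its deliverables), the Python script below shows what a periodic user access review with retained evidence can look like in practice: it joins a constructed identity-provider account export to a constructed HR roster, flags the cases a reviewer must act on (a leaver whose account is still enabled, an account with no HR owner, stale logins, privileged roles), requires an explicit keep/revoke decision for every account, and writes an evidence record carrying a SHA-256 digest that a later assessor can recompute. The roster entries, usernames, roles, review date and record format are all assumptions made for the example.

```python
"""Periodic user access review with a retained evidence record.

Added example, not part of the H-X case study. All roster entries, account
exports and names below are constructed sample data. The evidence record
format is an assumption: one reasonable shape for the artifact an assessor
asks for (who reviewed which accounts, when, and what was decided).
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

STALE_LOGIN_DAYS = 90                          # assumed review threshold
PRIVILEGED_ROLES = {"global_admin", "db_admin"}  # assumed privileged roles

# Constructed HR roster export: employee_id -> status and line manager.
HR_ROSTER = {
    "E100": {"name": "Alice", "status": "active", "manager": "M1"},
    "E101": {"name": "Bob", "status": "terminated", "manager": "M1"},
    "E102": {"name": "Chloe", "status": "active", "manager": "M2"},
}

# Constructed identity-provider account export.
IDP_ACCOUNTS = [
    {"user": "alice", "employee_id": "E100", "enabled": True,
     "roles": ["developer"], "last_login": "2024-05-28T09:12:00Z"},
    {"user": "bob", "employee_id": "E101", "enabled": True,
     "roles": ["developer", "db_admin"], "last_login": "2024-03-01T08:00:00Z"},
    {"user": "chloe", "employee_id": "E102", "enabled": True,
     "roles": ["global_admin"], "last_login": "2024-01-10T10:00:00Z"},
    {"user": "svc-backup", "employee_id": None, "enabled": True,
     "roles": ["backup_operator"], "last_login": "2024-05-30T02:00:00Z"},
]

# Assumed date on which the review is performed.
REVIEW_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_review(accounts, roster, now: datetime) -> list[dict]:
    """Join IdP accounts to the HR roster and attach the flags a reviewer must act on."""
    items = []
    for acc in accounts:
        person = roster.get(acc["employee_id"]) if acc["employee_id"] else None
        flags = []
        if person is None:
            flags.append("no_hr_match")            # service or orphaned account
        elif person["status"] != "active" and acc["enabled"]:
            flags.append("leaver_still_enabled")   # the classic access-review finding
        if now - _parse(acc["last_login"]) > timedelta(days=STALE_LOGIN_DAYS):
            flags.append("stale_login")
        if PRIVILEGED_ROLES & set(acc["roles"]):
            flags.append("privileged")
        items.append({"user": acc["user"], "employee_id": acc["employee_id"],
                      "roles": sorted(acc["roles"]), "flags": flags,
                      "owner": person["manager"] if person else "unassigned"})
    return items


def flagged_users(items) -> set:
    """Accounts that cannot be approved silently."""
    return {i["user"] for i in items if i["flags"]}


def _digest(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def record_decisions(items, reviewer: str, decisions: dict, period: str,
                     now: datetime) -> dict:
    """Produce the retained evidence record. Every account needs an explicit decision."""
    missing = [i["user"] for i in items if i["user"] not in decisions]
    if missing:
        raise ValueError(f"no decision recorded for: {missing}")
    body = {
        "review_period": period,
        "reviewed_at": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "reviewer": reviewer,
        "entries": [{**i, "decision": decisions[i["user"]]} for i in items],
    }
    body["sha256"] = _digest(body)
    return body


def verify_record(record: dict) -> bool:
    """Recompute the digest so a later assessor can confirm the record was not edited."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record["sha256"]


def run_example() -> dict:
    """Build the review over the sample data and record the reviewer's decisions."""
    review = build_review(IDP_ACCOUNTS, HR_ROSTER, REVIEW_DATE)
    decisions = {"alice": "keep", "bob": "revoke", "chloe": "keep", "svc-backup": "keep"}
    return record_decisions(review, "M1", decisions, "2024-Q2", REVIEW_DATE)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The record is evidence, not the control: the control is a named reviewer doing this every period and acting on the revocations. Retaining each period's record (with ticket references for the changes made) is what closes the gap described above, and the digest lets an assessor check that the record was not altered after the observation period.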

This gave the client a focused and realistic next step: instead of rebuilding the entire security program, management could remediate a specific control gap and continue strengthening the evidence base.

Business value

The project helped the client move from fragmented security practices to a structured, SOC 2-aligned control environment.

The client received:

  • a practical control framework aligned with selected SOC 2 Trust Services Criteria;
  • a Type 1-style readiness baseline;
  • a six-month evidence collection and control operation path;
  • an independent Type 2-style advisory assessment;
  • a clear understanding of strengths and remaining gaps;
  • a roadmap for preparing for a future CPA-led SOC 2 Type 2 attestation.

Important clarification

The final deliverable was a non-CPA advisory assessment. It was not a SOC 2 attestation report, audit opinion, or assurance engagement. However, it provided management and stakeholders with a structured, independent view of the client’s readiness and helped prepare the organization for a potential formal CPA assessment.

Partner with us to create your next success story.

2. Case study: GDPR support for a regional security services provider with video analytics (European Union)

Client. A company with about 50 employees that develops intelligent video analytics systems (motion detection, face recognition) for shopping malls, business centers, and residential complexes in several countries.

The challenge. The company had entered EU markets but had no unified system for processing personal data. Part of the data was processed by subcontractors, and camera footage could capture third parties who had not been informed that they were being recorded.

Solution. Our company provided consulting at the CISO/DPO level with a focus on:

  • Conducting a Privacy Impact Assessment (a Data Protection Impact Assessment, DPIA, under GDPR Art. 35) for the video analytics components; face recognition processes biometric data and involves systematic monitoring of publicly accessible areas, so a DPIA is mandatory rather than optional.
  • Allocating roles and responsibilities between controllers and processors (including contractors).
  • Developing and localizing the Privacy Notice and on-site information signs in line with the language requirements of each EU country.
  • Drafting Data Processing Agreements (DPAs) for partners and video analytics providers.
  • Formalizing procedures for handling data subject access requests (DSARs) for video footage.
  • Technical verification: encryption of archives, access logging, and storage (retention) periods.
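As an added example (not the client's system and not code from the engagement), the Python below implements two of the three technical checks just listed: a storage-period check that computes which archives are due for deletion under a per-country retention policy, honouring a legal hold for footage preserved for an incident or a pending DSAR, and a hash-chained access log so that every read of an archive is attributable and later editing or deletion of log entries is detectable. The site names, retention days and access events are constructed, and the retention values are placeholders: real periods come from the DPIA and national guidance. Archive encryption is not shown because the standard library has no AES.

```python
"""Retention enforcement and tamper-evident access logging for video archives.

Added example, not part of the H-X case study. Sites, retention periods and
access events are constructed sample data. RETENTION_DAYS_BY_COUNTRY is an
illustrative assumption: real storage periods must come from the DPIA and
the national guidance for each country.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed storage periods (days) for footage not tied to an incident. Constructed values.
RETENTION_DAYS_BY_COUNTRY = {"DE": 3, "AT": 3, "PL": 30}

# Constructed archive index, as a storage backend would list it.
ARCHIVES = [
    {"id": "mall-berlin-cam3-20240601", "country": "DE",
     "recorded_at": "2024-06-01T00:00:00Z", "legal_hold": False},
    {"id": "mall-berlin-cam3-20240604", "country": "DE",
     "recorded_at": "2024-06-04T00:00:00Z", "legal_hold": False},
    {"id": "office-vienna-cam1-20240520", "country": "AT",
     "recorded_at": "2024-05-20T00:00:00Z", "legal_hold": True},
    {"id": "res-warsaw-cam7-20240510", "country": "PL",
     "recorded_at": "2024-05-10T00:00:00Z", "legal_hold": False},
]

# Assumed time at which the retention job runs.
NOW = datetime(2024, 6, 6, 12, 0, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def due_for_deletion(archives, policy: dict, now: datetime) -> list[str]:
    """Return ids of archives past their storage period, unless under legal hold.

    A country with no configured period is an error, not an indefinite retention:
    silently keeping footage is the failure mode this check exists to prevent.
    """
    due = []
    for a in archives:
        if a["country"] not in policy:
            raise KeyError(f"no retention period configured for {a['country']}")
        if a["legal_hold"]:
            continue  # preserved for an incident or a DSAR in progress
        if now - _parse(a["recorded_at"]) > timedelta(days=policy[a["country"]]):
            due.append(a["id"])
    return due


class AccessLog:
    """Append-only, hash-chained log of who opened which archive and why.

    Each entry commits to the previous entry's hash, so editing or removing an
    entry invalidates every hash after it.
    """
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def append(self, actor: str, archive_id: str, purpose: str, at: datetime) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "at": at.strftime("%Y-%m-%dT%H:%M:%SZ"),
                 "actor": actor, "archive_id": archive_id, "purpose": purpose,
                 "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Walk the chain from genesis; any edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accesses_to(self, archive_id: str) -> list[dict]:
        """Everything that was done with one archive, e.g. to answer a DSAR."""
        return [e for e in self.entries if e["archive_id"] == archive_id]


if __name__ == "__main__":
    print("due for deletion:", due_for_deletion(ARCHIVES, RETENTION_DAYS_BY_COUNTRY, NOW))
    log = AccessLog()
    log.append("dpo", "office-vienna-cam1-20240520", "DSAR-2024-017", NOW)
    log.append("security", "office-vienna-cam1-20240520", "incident INC-42", NOW)
    print("log intact:", log.verify())
```

In a deployment the retention job would run on a schedule and the log would be written to storage the camera operators cannot modify; the chain only detects tampering, it does not prevent it, so the verifier should run from a separate system.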

Result. The company avoided inspections by supervisory authorities in the countries where the face recognition system was implemented, gained a stable legal position and templates for scaling the system to new locations, and adopted a lightweight support model with an external DPO.


3. Consultation on climate risks and development of a resilience strategy for an IT company

Industry: Information technologies and services

Country: Uzbekistan

Project Description:

A large IT system integrator in Uzbekistan approached us for consulting on climate risks and for the development of a resilience strategy for its IT infrastructure. Our experts analyzed the current climate and climate-change risks and prepared an action plan to minimize them and to implement the resilience strategy.

The project included the following key steps:

  1. Analyzing current climate risks. Conducting a detailed analysis of current and potential climate risks that may affect the company's operations.
  2. Developing a resilience strategy. Creation of a resilience strategy that includes measures to reduce the impact of climate change on the company's business processes, as well as measures to ensure business continuity and disaster recovery.
  3. Recommendations for implementing measures. Preparation of recommendations and instructions for implementing the proposed measures to improve IT infrastructure resilience.

Results:

  • The company gained a clear understanding of climate risks and possible consequences for its business.
  • A resilience strategy aimed at the long-term protection of the company's business processes was developed and approved.
  • Implementation of the proposed measures allowed the company to significantly improve its resilience to climate change, which in turn strengthened its position in the market.

Project Features:

This project stood out because it included a detailed analysis of specific climate risks for IT companies, which allowed us to develop effective and targeted measures to minimize them. Our experts used advanced methodologies and tools to assess risks and develop strategies, which ensured high quality of work performed and client satisfaction.


4. Implementation of ISO 27001 standard for a Norwegian company

We were approached by a Norwegian company that develops extensions for Microsoft Office products and services, asking for help in complying with the international security standard ISO 27001. The company's customers were concerned about security: how safely personal data is stored by the extensions, what data is stored, and so on. To meet growing customer demand for the security of its solutions, the company decided to implement ISO 27001.

When selecting a supplier, the company approached several ISO 27001 implementers and, after thorough negotiations, chose us on the basis of the price-to-quality ratio. We gave an informative presentation and held several calls explaining our competitive advantages and our systematic approach.

We conducted a gap analysis at the client's head office (Oslo, Norway), checking every control of ISO 27001 and identifying the gaps. The gaps existed because the company is small and many of its processes, in IT and other areas (operational processes, physical security, etc.), had not yet reached the level the standard requires.

Next, we developed an implementation plan and began the implementation. During this phase we developed several dozen information security policies and processes. For instance, we adjusted the hiring and termination process so that the IT department now learns promptly about hires and departures and can create accounts with the minimum necessary privileges and disable or delete them on time. New employees now receive basic information security training on joining and role-specific training later on.

Information security requirements were also introduced into projects: security issues are now considered during project planning, a risk analysis is carried out, and the other requirements of ISO 27001 are met.

In most companies, analyzing interactions with third parties is a separate, large piece of work. Here it was minimized, since only Microsoft products and online services are used for all purposes, and Microsoft holds a full set of security certifications and attestations, including ISO 27001, VDA ISA, SOC 2, etc. A supplier's certification covers only the supplier's side of the shared responsibility model, so the client's own tenant configuration, access settings and data handling still have to be assessed on the client's side.

The new documents were approved smoothly, without unnecessary formalities or bureaucracy. Then, the employees received training, and the policies began to work.

After implementation was complete, we proceeded to select an independent certification auditor. Here we ran into difficulties caused by the very slow response of the auditors, perhaps due to quarantine or seasonal peaks. We waited several months for a response from one auditor and never heard back from the second. We therefore engaged a third audit company, the representative office of a German certification body accredited by DAkkS.

As a result, the client successfully passed an independent audit and received an official ISO 27001 certificate.


5. Implementation of ISO 27001 and ENX TISAX® in a company that develops automotive systems

We were contacted by a representative of the German automotive industry who urgently needed certified compliance with ISO 27001 and the ENX Trusted Information Security Assessment Exchange (ENX TISAX®). High competition in the automotive systems market (security, piloting, navigation, entertainment systems, etc.) forces leading car manufacturers and their contractors (Volkswagen-Audi Group, Porsche, Daimler AG, BMW, Bosch, etc.) to rush new products to market while maintaining the same high levels of quality, safety and security, so our client was highly motivated.

Before that, the client had tried to fill in the ENX TISAX® compliance forms themselves, but a lack of the necessary competencies did not allow them even to start the implementation properly.

ENX TISAX® compliance, although based on ISO 27001 (through the VDA ISA catalogue), has its specifics. For example, unlike an ISO 27001 audit, which can take several days, an ENX TISAX® auditor spends only one day at the customer's office, after which about 3 months are spent collecting the evidence for each security process. The ENX TISAX® audit reporting process implies a high degree of automation using modern GRC (Governance, Risk management, and Compliance) systems.

During the first 3 months after signing the contract, we thoroughly studied the client's business processes and developed about 50 documents required for compliance with ISO 27001 and ENX TISAX®. For the implementation and audit reporting we used the Redmine and Goriscon systems.

It took 6 months of intense collaboration between our consultants and the client's employees from the start of the project until the day the ENX TISAX® compliance label was received. We conducted several training sessions, performed a series of server and application security assessments, strengthened network security and system life cycle security, and implemented risk management, security key performance indicators (KPIs), and change and incident management processes.

Implemented processes, operations and security systems must be maintained continuously or they lose effectiveness. Our client therefore ordered our ‘Remote Information Security Manager’ service. We continue to conduct regular training sessions, monitor information security events, respond to security incidents, perform quarterly vulnerability scans, audit software source code, report to the customer's auditors and clients, and so on. In short, we fully perform the functions of an information security manager.

Improved security was not the only thing our customer got from this project. During asset management and the technical vulnerability assessment, we discovered ineffective use of systems, such as redundant access and configuration errors that reduced network performance. As a side effect of the project, the customer optimized some of its IT operations.

Achieving the official compliance status with ISO 27001 and ENX TISAX® allowed our client to get new, long-term contracts from one of the giants of the German automotive industry.

Learn more about VDA ISA and ENX TISAX®.


6. Implementation of ISO 27001 in a medical software company

A small software company was required by its customers to be certified against ISO 27001. Moreover, the certification body had to be accredited by UKAS, the UK national accreditation body, whose accreditation is recognized internationally.

Previously, the company had taken only superficial measures and carried out occasional information security work, limited to server and workstation protection. We immediately began work on the scope analysis and an outline plan for the initial audit and gap analysis, and did this for the client free of charge. That showed the company that we were competent in such challenges and could build realistic plans, so they signed a contract with us for an audit, gap analysis, and development of an implementation plan. We completed this work in 3 weeks, and the customer was once again convinced that our experience and speed exceeded their expectations.

The customer then signed an agreement with us for the implementation of ISO 27001. Within six months we developed all the controls required by the standard, described them in 18 policies and procedures, implemented several security management registers, and trained staff. Particular attention was paid to the secure software development life cycle.

Then came the choice of an independent auditor. We recommended one of the largest German audit firms to our client, contacted the auditor ourselves, and prepared them in advance for our client's certification. The client and the auditors signed an agreement for audit and certification.

During the audit, we defended our client and the information security management system we had built. The auditors made minor comments, as they usually do; we addressed them, made the corrections, and 2 weeks later our client received an official ISO 27001 certificate.

To support the implemented system and renew the certificate annually, the company subscribed to our ‘Virtual CISO’ service.

Our client was pleased with our competency in security process management and asked whether we could also provide IT security services. The company ordered application security services from us: source code security analysis and penetration testing of its software products.

The company obtained the certificate confirming its ISO 27001 compliance and that it had passed the security assessment. It published the certificate on its website and used it in marketing materials. By advertising its new status, the company gained a significant competitive advantage, which increased orders and sales.

Learn more about ISO 27001.
