Table of Contents
- Does the ProcessUnity Global Risk Exchange accept pre-existing audits or reports in lieu of completing their assessment?
- Does the ProcessUnity Global Risk Exchange accept pre-existing audits or reports for the validation portion of the assessment?
- How many controls can my SOC2 or ISO cover?
- What if I do not want to provide any further evidence other than my pre-existing audits?
- What happens to the controls that are not validated by the pre-existing audits?
Does the ProcessUnity Global Risk Exchange accept pre-existing audits or reports in lieu of completing their assessment?
No, the Exchange is unable to accept pre-existing audits or reports in lieu of completing the assessment.
Does the ProcessUnity Global Risk Exchange accept pre-existing audits or reports for the validation portion of the assessment?
Yes, the Exchange can accept pre-existing audits or reports for validation, including the SOC2 Type II and ISO 27001. However, the pre-existing audit and/or report must meet the following criteria:
- It is independently validated
- Tests and results are clearly documented
- The report is current (within the past 12 months)
- It covers the scope of the controls
- The Statement of Applicability is included for the ISO
How many controls can my SOC2 or ISO cover?
While viable audits or reports can potentially cover 50% - 70% of your controls, they typically do not cover the entirety of our requested controls. However, ProcessUnity Global Risk Exchange offers two rounds of validation so that additional evidence may be provided for controls which were not validated in the initial round.
What if I do not want to provide any further evidence other than my pre-existing audits?
If you do not wish to provide any additional evidence, please notify our exchange support team at ExchangeSupport@processunity.com and they can work with our Assessors to close things out and deliver your final report.
What happens to the controls that are not validated by the pre-existing audits?
The Exchange offers two rounds of validation so that additional evidence may be provided for controls which were not validated in the initial round. For any controls we are unable to validate in the final round due to lack of evidence, the report will read “Not Validated.”