The IT Plan

Audits & Assessments

Know where you stand.
Then prove it.

Customers, investors, and regulators all eventually ask the same question: can you show us? Our assessments produce the answer — a clear current-state picture, a prioritized remediation roadmap, and the documentation that audits and diligence reviews ask for first.

Full audit or pre-audit readiness.


SOC 2

Readiness assessment, gap analysis, and remediation for Type I and Type II. We work alongside automation platforms (Vanta, Drata, and peers), not instead of them — they collect evidence; we make the judgment calls and close the gaps.

HIPAA

Security Risk Analysis, gap assessment, policies, training, and a designated Security & Privacy Officer when you need a name on the line. HIPAA Officer service →

PCI-DSS · ISO 27001 · GDPR · CCPA

Scoping, readiness, and remediation, matched to what your customers and markets actually require — not the maximal interpretation.

Full audit · $7.5k – $18k, scope-dependent

Deliverables, not a lecture.


  • Risk & remediation tracker — every finding, prioritized, owned, and dated.
  • Policy set — written and mapped to the framework, maintained as your environment changes.
  • Data flow diagrams — where sensitive data lives and moves, on paper.
  • Training decks & records — delivered to your team, logged for the auditor.
  • Cybersecurity insurance guidance — what your posture supports, and what the application will ask.

See samples of real deliverables in the gallery on the home page.

Assess. Remediate. Maintain.


Assess

Interviews, platform review, and evidence collection against the framework; typically two to four weeks.

Remediate

The roadmap, executed: by your team, by ours, or both. This is where an assessment either becomes compliance or becomes shelf-ware.

Maintain

Controls drift. Ongoing engagements keep evidence current, training delivered, and the next audit boring.

100% audit pass rate. Zero breaches.


Fifteen years of early-stage IT and security across healthcare, fintech, media, and wellness — every client audit passed, no reportable breaches across the client base.

Frequently asked


Do we need a readiness assessment before a SOC 2 audit?

It's optional but usually economical: readiness runs a fraction of the cost of a failed or stalled audit. If your practices are genuinely mature, readiness is quick and confirms it; if they're not, better to learn from us than from the auditor.

How long does SOC 2 take for a startup?

Readiness and remediation typically run one to three months depending on gap size; a Type II observation window adds three to twelve months. The calendar is driven mostly by how fast findings get remediated — which is why we offer the hands to do it.

We use Vanta or Drata — why would we need you?

The platform tells you what's failing; it doesn't decide scope, write judgment-dependent policies, remediate findings, or sit in the auditor interview. We do those parts, using your platform's evidence stream.

Which framework should we pursue first?

The one your revenue is waiting on. Enterprise SaaS buyers ask for SOC 2; anything touching PHI means HIPAA; card data means PCI-DSS. If nothing is blocking revenue yet, a risk assessment tells you what's worth doing at your stage — and what isn't yet.

What does the $7.5k–$18k range depend on?

Framework, company size, platform count, and whether we're assessing an environment we already run (faster) or one we're seeing for the first time.

Let's see if we're a match.


30-minute discovery call. We'll come prepared with a few questions.