Audit-Ready.
Risk-Informed.

SOC 2 reports test a service organisation's controls against five Trust Services Criteria — Security (mandatory), Availability, Processing Integrity, Confidentiality and Privacy. AxVeil readiness work begins with the AICPA TSC mapping (currently the 2017 criteria with 2022 points of focus), then walks each common-criteria control (CC1 governance through CC9 risk mitigation) into your existing tooling: identity provider, MDM, EDR, SIEM, ticketing, code-review and change-management systems.

Type 1 is a point-in-time design opinion; Type 2 covers a 6–12 month observation window and requires continuous evidence. We build the evidence-collection plumbing so that quarterly access reviews, change tickets, vulnerability scans and incident records flow into a single reviewable folder rather than being reconstructed under deadline pressure. The formal attestation is signed by a licensed CPA firm — we work alongside one you nominate, or introduce one we have collaborated with.

Reference: aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc.

ISO 27001:2022 is the international standard for an Information Security Management System. The 2022 revision restructured Annex A from 114 controls in 14 domains to 93 controls grouped into four themes (organisational, people, physical, technological) and introduced 11 new controls including A.5.7 (threat intelligence), A.5.23 (information security for use of cloud services), A.8.9 (configuration management) and A.8.28 (secure coding).

Our ISO work delivers the Statement of Applicability, risk-treatment plan, ISMS scope statement, mandatory documented procedures (Clauses 4–10) and the evidence pack a Stage 1 / Stage 2 certification audit will request. Where you are transitioning from the 2013 version we map every existing control across to its 2022 successor and identify the genuinely new obligations rather than restating what you already have.

Reference: iso.org/standard/27001.

PCI DSS v4.0 superseded v3.2.1 in March 2024, with the future-dated requirements becoming mandatory on 31 March 2025. Notable changes include 6.4.3 (inventory and authorisation of payment-page scripts), 8.3.6 (minimum 12-character passwords or strong MFA), 11.4.7 (segmentation testing on a 12-month cycle for service providers, 24-month for merchants), 11.6.1 (change-and-tamper detection on payment pages) and the requirement for targeted risk analyses across multiple requirement families.

AxVeil delivers SAQ readiness for merchants, ROC readiness for service providers, segmentation testing, ASV-equivalent quarterly external scans and the annual internal penetration test the standard requires. Where a QSA is engaged we coordinate directly during fieldwork.

Reference: pcisecuritystandards.org/document_library.

The HIPAA Security Rule (45 CFR Part 164 Subpart C) prescribes administrative, physical and technical safeguards for electronic protected health information. AxVeil maps your stack against the addressable and required implementation specifications, conducts the Security Risk Analysis the rule mandates (and which OCR settlement actions consistently cite as the missing artefact), and produces the policies and procedures expected of covered entities and business associates.

We pair the documentation work with technical-control testing — access control, audit logging, integrity, transmission security, encryption — and a Breach Notification Rule incident-response playbook tuned to the 60-day notification window.

Reference: hhs.gov/hipaa/for-professionals/security.

The General Data Protection Regulation governs the processing of personal data of EU and EEA data subjects regardless of where the processor is based. Our GDPR work covers Article 30 records of processing, lawful-basis analysis, Data Protection Impact Assessments under Article 35, Data Processing Agreements with sub-processors, the Article 33 / 34 breach-notification mechanics (72-hour supervisory authority window) and Article 32 security-of-processing obligations.

We do not give legal advice — we partner with privacy counsel of your choice for the legal-interpretation work, and deliver the technical and operational artefacts that counsel and your supervisory authority will ask to see.

Reference: gdpr-info.eu.

The DPDP Act received presidential assent in August 2023 and the operative DPDP Rules followed in 2025. The Act introduces data fiduciary / data principal terminology, consent-manager architecture, cross-border transfer controls, the Data Protection Board of India, Significant Data Fiduciary obligations, and material penalties (up to INR 250 crore per breach).

AxVeil delivers a personal-data inventory, a consent-architecture review, a cross-border transfer-mechanism mapping, a breach-notification playbook tuned to the Act's timelines, and the technical controls (encryption, access control, retention) that the rules expect. Where you also process EU personal data we map controls dual-track so one evidence pack serves both regimes.

Reference: meity.gov.in/data-protection-framework.

The Reserve Bank of India has published a layered direction set covering cyber security: the 2016 cyber-security framework master circular for scheduled commercial banks, the 2023 IT-governance master direction (DoS.CO.CSITEG/SEC.7/31.01.015/2023-24), and the 2024 cyber-resilience and digital-payment-security controls direction for non-bank payment-system operators. Each carries prescriptive obligations: annual VAPT, board-level cyber-security committee reporting, baseline cyber-security and resilience controls, and incident-reporting timelines.

Our work pairs gap-analysis and policy uplift with the annual VAPT and the board-format reporting the RBI inspection team will request. Aligned with the CERT-In 2022 directions on six-hour incident reporting, the cyber-incident response procedures we hand back are written to the timeline the regulator expects.

Reference: rbi.org.in/Scripts/NotificationUser.aspx.