Introducing ISO 42001 - an update to the AssuranceLab GRC City

Mental health awareness in the workplace

"Mental Health awareness in the workplace has been a topic gaining more and more exposure over the past few years and something that I feel passionate...

The power of using compliance metadata

By Paul Wenham, Cofounder and Co-CEO

Collaboration vs competition in an ever-changing compliance landscape

By Paul Wenham, Cofounder and Co-CEO

I CAN’T BELIEVE IT’S NOT ISO 27001?!

Common myths, misunderstandings and misconceptions of the ISO 27001 standard

The Rise of Environmental, Social and Governance Reporting

In this article, we break down the ESG basics and highlight what this looks like in practice for businesses of all sizes.

The journey towards 50 incredible team members

This year we celebrated a huge milestone - hiring our 50th team member.

Bridging the Gap Across the Trust Triangle

By Paul Wenham, Cofounder and Co-CEO

Life as a manager is just a day at the zoo!

Michael Precious, Manager Team Orca In the middle of April, Sydney Harbour witnessed a very rare sight – a pod of Orcas! No, they weren’t actual Orcas,...

Navigating the Three-Sided Path to Trust and Compliance

By Paul Wenham, Cofounder and Co-CEO

World Book and Copywriting Day 2024

To celebrate World Book and Copywriting Day 2024, we asked the team to share what they are currently reading and what they love about it! This could be...

Maintaining company culture in a remote work environment

A positive company culture is important in any workplace and aids in the well-being of employees and the business. It is unique to each company but is...

Fundamentals of change management: The change review and approval process

Gowtham Ravi, Consultant In this part of our change management blog series, we look at the change review and approval process. These are essential...

Welcome to AssuranceLab’s GRC City, let me show you ISO and its surrounding suburbs!

Michael Precious, Manager and Certified ISO 27001:2022 Lead Auditor

Meet Bradley Steinbach, our People and Culture Manager

Meet Bradley, our People and Culture Manager here at AssuranceLab. With an impressive career working in tech startups (even placing a few of our team...

Fundamentals of Change Management

Gowtham Ravi, Consultant The change management process is a critical part of the knowledge and processes in completing a SOC 2 audit. It encompasses...

Talking with Ducks: Embracing AssuranceLab's Values

Picture this: It's just another day at AssuranceLab - Slack huddles, focus time blocks, calendars with check-ins, client commitments and hard work. Mat...

Effective Risk Management Process

Risk management is a structured and planned approach to identifying, evaluating, prioritising, and mitigating any risks that could threaten the goals...

The Cycle of Trust: From Public Concerns to Industry Adoption

By Paul Wenham, Cofounder and Co-CEO

Embracing Growth and Leading the Way: Our Unforgettable Offsite

Our offsite in Cronulla, Sydney, was an incredible way to finish a year of growth and success for our expanding team! Months of planning culminated in...

Effective Vendor Management Process

Third-party vendors have a critical role in improving an organisation's operational efficiency and capabilities. Organisations can focus on their core...

The Future of Trust: How Compliance Paves the Path Forward

By Paul Wenham, Cofounder and Co-CEO

3 Ways to Improve Employee Engagement

By Janine Davison, Head of People & Culture

Effectively managing incidents

A security incident can be defined as an occurrence that actually or imminently jeopardises, without lawful authority, the confidentiality, integrity,...

Unlocking Trust through Compliance Metadata

In this post, we introduce Pillar: a trailblazing solution that uses Compliance Metadata to strengthen the 'Trust Triangle' and revolutionize the way...

Protecting assets from vulnerabilities

In today's digital world, the security of your organisation's digital assets is critical. An effective vulnerability management program is an essential...

19 book & podcast recommendations from a team that’s always learning something new

We recently celebrated the milestone of crossing 30 team members (now 31) happily working away from six countries, so we circulated a quick survey to...

How to prepare for ISO 27001 Stage 2 audit after completing Stage 1

The ISO 27001 certification process is divided into two stages: Stage 1 audit and Stage 2 audit. Following the completion of the Stage 1 audit, the...

Meet Mat Camp, Pillar’s new Head of Product

In our continued pursuit to trailblaze in the audit world, we’ve recently onboarded a seasoned B2B product leader as part of Team Pillar; to power the...

Some audits are just bearable, here are 7 ways we make them lovable

We had some feedback from a client recently saying, “...at times we forgot an audit was even happening!” If that’s not the goal in modern audit service...

Our growing list of supported compliance accreditations

Essential Steps and Requirements for SOC 2 Compliance

SOC 2 reports are independent assessments conducted by certified public accounting firms or other qualified auditors. These reports provide a level of...

Hear from our team on some recent audit engagements for trailblazing clients

At AssuranceLab, we love helping our visionary clients achieve their compliance goals, and celebrating their wins with them!

Our alliance with Drata

The audit and compliance ecosystem has become a jungle of varying compliance platform and audit firm alliances. Our alliance with Drata unlocks great...

The three parts to a compliance program

We see vastly different parts making up the compliance programs in our clients, but they ALL include three key components.

The story behind continuous audit: Why we're doing it

Continuous audit has been talked about for over 10 years. From the start of my career, I remember it talked about as a concept, that made a lot of...

Access reviews simplified

Access reviews shouldn't take hundreds of thousands of hours. If they do, it's time to look at a better risk-based approach.

Our SOC 2 and what it means

In November 2022, we released our SOC 2 Type I report to demonstrate our commitment to securing our clients sensitive information assets.

The overlap of APRA and global standards

When you're a licensed financial service provider in Australia, or even just selling your software/services to those providers, APRA regulations come...

The timeline, the steps, and what’s involved for compliance

When planning for your compliance goals, you'll want to understand the timeline, steps, and actual activities before diving right in.

Comparing SOC 2 and ISO 27001 in practice

The two most common globally recognised, cross-industry, information security standards, are SOC 2 and ISO 27001. Despite about 80% overlap in what...

The Compliance Pandemic

As the COVID-19 pandemic captured the headlines; another, less visible pandemic was playing out. The compliance pandemic.

How we're different: Our 10 value props

Our software and audit services combination has been iterated and refined over the last four years. There's 10 key value differentiators in our...

SOC 1: Defining the Objectives

SOC 1 is a standard that can be confusing; why would the company get to define its own criteria, or “control objectives”, for achieving the SOC 1...

Our ESG Framework for Reporting

There are lots of ESG standards out there, so why did we create our own?

10 Compliance Standards to Consider

You might start out by asking; which compliance standard is best for us? But once you explore the realm of standards, it's common to land on more than...

Cutting Through the Complexity of ISO27001

Often considered the preeminent information security standard, ISO27001 is becoming an increasingly popular certification. Upon first look, it is a...

What to expect in the ACCC accreditation process?

Many of our clients push hard and fast to achieve compliance, complete their audit, and submit their CDR application to the ACCC to get accredited....

A practical guide to endpoint device controls and BYOD

Bring-your-own-device is a common policy for startups. You may want to save costs, reduce waste/duplication, and/or give their people more flexibility...

When is the right time to implement a HRIS?

A human resources information system (HRIS) can be a huge boost to startups and compliance programs. But when is the right time to implement one?

What’s the difference between security, privacy and confidentiality?

Data security, privacy and confidentiality have always co-existed as important topics in their own right and as related concepts. The average person...

Five easy steps to implement polices that fit

Documenting policies has always been a major pain point of companies working towards compliance. It can be a lot of work!

The Definitive Guide to GDPR

If you’ve customers or users in Europe, you probably know of GDPR. It’s that thing, that’s significant, with potential fines, and that your enterprise...

Audit ready in minutes: here’s how agile audits work

Preparing for audits and compliance with standards like SOC 2 and ISO 27001, used to be an activity that took several months. That could be shortened...

Blending standards: why it's the new and better way

There’s a lot of overlap between compliance standards, and often multiple are needed. So blending them together makes a lot of sense! How does that...

Generic vs. tailored audits: what’s the difference?

Generic audits, also referred to as bundled audits, platform-trained auditors, out-of-the-box or pre-built control sets, are an approach to audits...

HIPAA Compliance three ways

HIPAA is a healthcare data protection regulation; that’s mandatory to comply with and has optional attestations to satisfy enterprise customers.

CSA STAR: What you need to know

Cloud Security Alliance covers modern cloud security practices to address a broad set of expectations and requirements of your enterprise customers.

SOC 2 + Options

SOC 2 + is growing in popularity to combine a commonly accepted information security standard with other specific requirements.

Software for Compliance

What's the best way to leverage software for your compliance? This is the hot topic that's shaping the compliance industry.

Becoming a Certified B-Corp

We’ve had a few questions about our B-Corp certification; why do it? How does it work? What does it actually involve? 🙋‍♀️

Is unrestricted CDR accreditation the best path? 5 reasons it might be

There are now five ways to use Consumer Data Right data; unrestricted, sponsored, operating as a representative or trusted advisor, or using CDR...

The Latest Updates to the Consumer Data Right Rules (Version 3)

There are now five access models for CDR data, after previously only the unrestricted accreditation model.

The boundary of your CDR Data Environment

Defining the boundary of your CDR Data Environment is an important early step in your pursuit of CDR accreditation. Why?

The five reasons startups go for security certifications

Security and compliance qualifications, like SOC 2 and ISO 27001, demonstrate that you apply good practices in your business.

Practical tips from six successful compliance projects

Our clients have worked through the daunting and challenging task of achieving compliance with global security standards like SOC 2 and ISO 27001.

Best Practices: Business Continuity & Disaster Recovery

Business continuity planning (BCP) and disaster recovery (DR) are all about preparing for and responding to major adverse events.

Google CDR Security

Google's Cloud Platform and Workspace provide a comprehensive suite of products, settings, and user guides for achieving the CDR accreditation.

Managing Controls: Continuous

Continuous controls are systematic or design functions that once implemented, continuously apply in practice.

InfoSec Automation: The Definitive Guide

The topical focus in InfoSec compliance and assurance standards, is automation. How do you implement your control practices in a systematic way that...

Auditor selection checklist: 10 things to consider

When selecting an audit provider there’s 10 important things to consider that aren’t obvious to those that haven't been through audits before.

Managing Controls: Periodic

Periodic controls are the meetings, reviews and other activities that are performed at regular intervals.

Managing Controls: Event-Based

Event-based controls are performed in conjunction with ad-hoc events that occur; new employees, incidents, and change releases, for example.

Straight to SOC 2 Type 2

While we recommend a Type 1 prior to Type 2, we've conceded straight to Type 2 is a growing preference. Our focus has shifted to how we can enable it!

How to Align Your SOC 2 to the CDR

The SOC 2 Plus CDR approach to accreditation requires a few tweaks from the standard SOC 2 reporting approach.

Why SOC 2 for CDR Accreditation?

There are three (3) major benefits to achieving accreditation through the more established SOC 2 reporting standard.

'Process-Light' SOC 2

As the leading provider of SOC 2 reports to small-mid size cloud services businesses in Asia-Pacific, we get a lot of questions about how to achieve...

The five reasons clients choose AssuranceLab

AssuranceLab has set a new standard in SOC 2 information security compliance. Through innovation, relentless focus on our clients experience, and...

Our story

Over the last three years, AssuranceLab has become the leading provider of SOC 2 in Australia and New Zealand. Like our startup business clients, our...

The four functions of security and compliance software

A game-changer in the information security and compliance industry has been the rise of software automation.

The five drivers of information security 'compliance' in 2021

Information security compliance had a big year in 2020. When the pandemic lock downs came into effect, it put remote working practices to the test. The...

Best Practices: templates or self-created policies, procedures & plans?

We see a lot of customers ask about policy templates to solve the various requirements of Infosec. It makes sense; why start from scratch or re-invent...

Best Practices: Change Communications

When changes are made to your system, it's important to consider and communicate any InfoSec related implications.

Why Issue a SOC 3 Report?

SOC 3 is often overlooked; caused by common misconceptions. What is it and why would you issue SOC 3?

Best practices: Governance

Governance ensures your company operates effectively in alignment to your objectives.

Best practices: Management Meetings

What should management meetings cover? What if you don’t have a Board of Directors?

Best practices: Software Development

The software development cycle is all about making sure changes to your system(s) are high quality, appropriate, and protect the system integrity and...

Best Practices: Customer Communications

Customer communications may sound like an obvious and simple concept; but it's not. It often breaks down in practice.

SOC 2: The 5 Trust Services Categories

The SOC 2 audit, which can help demonstrate an organisation's commitment to protecting customer data, provides a level of flexibility that is unique...

SOC 2: Solving compliance with one standard

There’s a reason we almost always recommend SOC 2 as the solution to your compliance requirements.

Best Practices: Acceptable Use Policy

Security is only as effective as the weakest link in the chain. The Acceptable Use Policy strengthens those links across the organisation.

Best practices: Confidentiality

We all know confidentiality as the simple concept of keeping sensitive information, secret. That is, limiting who has access to it to a small number of...

Best practices: Vendor Risk Management

Vendor risk management is one of those areas you can go right down the rabbit hole and lose sight of why you’re doing it in the first place!

SOC 1, SOC 2, or ASAE 3150 for CDR Accreditation?

The CDR accreditation requires an independently audited SOC report to demonstrate the minimum set of information security controls.

ISO 27001 Stamped Inadequate for Open Banking

In a major blow to ISO 27001, the Consumer Data Right for Open Banking has ruled it insufficient for the infosec accreditation requirements.

Best Practices: User Access Controls

User access controls are a group of administration practices that restricts access to the systems, to only those that require access.

Best Practices: Perimeter Security

Perimeter security is about preventing unauthorised access, by securing the boundaries of the system.

Compliance 4.0: What's in store?

Compliance in Industry 4.0 will be defined by integration and expert process automation. We explore what that looks like.

Best Practices: Policies

Defined policies are an enabler to autonomy with clear direction and boundaries for teams and individuals to follow.

Best Practices: The Code of Conduct

The Code of Conduct can be a "compliance" tool, or an enabler of company culture. It sets the expectations of employee behaviour.