Thank You for Choosing BARR Advisory

We are excited to work with you. Let’s get started.

Get to Know BARR

At BARR, we empower organizations to create trust. We help protect the world’s data, people, and information networks through a human-first approach to cybersecurity and compliance.

Learn more about what makes BARR unique and how we help strengthen security, ensure compliance, and grow business.

Our Values

We’re relentless in our pursuit to add more value for our clients.

We build relationships based on respect, accountability, and trust.

We value diversity of people and ideas.

Simple is powerful. We focus on what’s essential.

Our clients’ challenges are our challenges and, as thought leaders, we innovate to provide the best solutions.

100% Client Satisfaction Guaranteed

We have 100% confidence in our people, processes, and expertise, so your satisfaction is guaranteed.

What Sets BARR Apart?

We Care

As your security partner, we take the time to listen and understand so you can achieve lasting cyber resilience.

We Keep It Simple

We take the complexity out of compliance without compromising quality.

We’re Approachable

Our expertise is matched only by our accessibility.

Engagement Processes, Best Practices, and Resources

SOC Examinations

What You Provide

During the SOC examination kickoff phase, BARR will work with your team to collect a number of items that will help us during your assessment.

  • Complete your system description. The system description provides an overview of your company’s operations and control environment for the in-scope system.
  • Review control wording. Controls are documented processes in your environment, relevant to your in-scope system, that help achieve your in-scope trust services criteria. BARR will provide you with template controls to test during the engagement. It is important that you review the controls and modify them to reflect your current control environment.
  • Provide information requests. BARR will request documentation through our tool, taskBARR. Information requests must be submitted within predetermined timeframes that will be established by the engagement team.

What BARR Provides

We are committed to guiding you through this process by providing unparalleled support.

  • During the engagement kickoff meeting and in the weeks that follow, we will provide the support and knowledge you need to complete your engagement. 
  • We will review information requests as they come in and hold walkthrough meetings with you to gain an understanding of your control environment and ensure we obtain the correct documentation to evidence your compliance with applicable trust services criteria. Any issues we identify will be reported to you immediately and we will work with you to identify possible solutions. 
  • At the conclusion of our fieldwork, we will issue a draft report or certification for your team to review and provide feedback. 

Readiness Assessments

If this is your first audit, or you’d like an analysis of the potential challenges that might arise when implementing new processes, the readiness assessment is right for you. 

While optional, the readiness assessment ensures that your examination will go as smoothly as possible. Through this period, you’ll engage in three specific meetings with your lead and correct gaps prior to starting the audit period.

Examination Engagement

While we cater our services to meet your specific needs, here’s a condensed timeline on what to expect from your engagement team: 

  • Plan: A kickoff call is scheduled with you to confirm we are on the same page with the scope, timelines, deliverables, and personnel needed for the assessment.
  • Assess: Walkthrough duration is dependent on your environment complexity and size; however, four hours is the typical time commitment.
  • Report: BARR will provide a draft report no later than 30 days after the period ends. 
  • Celebrate & Optimize: BARR will provide a promotional package and schedule a debrief to review improvement opportunities for your security program, rate the engagement, and plan your next engagements.

For more information, see each step of our SOC 2 Engagement Process.

SOC Reports

Once your audit is complete, you’re ready to receive your report. BARR provides reports for SOC 1, 2, 3, and SOC for Cybersecurity. For each report, you can choose a Type 1 or Type 2.

  • Type 1 reports may be performed right away if your organization has its controls in place and documented. These reports offer a point-in-time assessment, testing the design of your controls as of a specific date.
  • Type 2 reports are generally audited over a 3- to 12-month period. These reports reflect your organization’s operating effectiveness over the course of a review period and provide a more detailed assessment of your controls.

Promotional Package

Once you complete your SOC examination, BARR will provide you with a promotional package that you can share with your customers, partners, and other company stakeholders. This reassures them their data is safe with you and differentiates your organization from the rest.

HITRUST Certification

Our HITRUST team works with healthcare organizations through a five-step engagement process, starting with an optional readiness period. Through the readiness period, you have the opportunity to assess any potential challenges that might arise from implementing new processes. See what to expect:

Readiness Period

  • Once a client signs the Engagement Letter, the engagement lead will set up an internal and external engagement kickoff meeting. 
  • Following the kickoff meeting, the engagement lead will provide the client with the HITRUST Questionnaire.
  • The client will provide the engagement lead with the completed questionnaire. This will indicate exactly which controls are not implemented (instant gap), which controls are implemented, and which controls are not applicable.

Following the readiness period, BARR will work with your team to complete the certification process.

Remediation

  • The engagement lead and team will test each control following the HITRUST illustrative procedures, identifying any additional control gaps as they arise.
  • Once the testing is complete, the engagement lead will provide the client with a full Excel workbook that will identify clear remediation tasks for the client to complete before the validation assessment begins. 
  • After the gap report is provided to the client and the internal and external debriefs are complete, the engagement lead will continually work with the client to ensure accurate and complete remediation of each gap. 

Implementation Period

  • Controls must be implemented 90 days prior to the assessment.

Validation Assessment

  • The engagement lead will set up an internal and external engagement kickoff meeting. 
  • As the client provides the requested evidence, the engagement lead and team will test each control following the illustrative procedures. 
  • Once testing is complete, the testing will undergo manager review, and the engagement lead will complete the administrative documentation.

For more information, see each step of our HITRUST Engagement Process.

Quality Assurance Review + Report

The HITRUST Quality Assurance Review is the final phase toward HITRUST certification. During this phase, the HITRUST Assurance and Compliance teams will both check the validated assessment and determine whether the organization has met the requirements to achieve certification.

After the final report is posted, your engagement lead will set up a time for an internal and external debrief. It is important to note that the e1 and i1 validation reports are only valid for one calendar year from the date of submission, while the r2 repeats every two years with an interim period in between.

Consulting

The cybersecurity consulting team helps our clients establish security programs that are flexible and adaptive to the needs of their business stakeholders. This includes a common structure to safeguard information assets and to streamline business deals by addressing customers’ security demands. Our approach includes the phases, activities, and deliverables below:

Gap Assessment

We believe in determining the why before proposing the how, and that careful planning and thorough identification of gaps are imperative to achieving your security objectives.

During the gap assessment phase, which typically takes 1-2 months to complete, BARR: 

  1. Determines the scope of your organization;
  2. Assesses your organization against a given framework or standard; and
  3. Provides you with a list of specific gaps and recommendations to prioritize and remediate.

After you complete an initial gap assessment, the BARR team will work with you to remediate any gaps. Our goal in this second phase is to take the client from a posture with gaps to at least a level of compliance with the given framework(s) or standard(s).

This includes establishing a security committee, ensuring that all gaps and recommendations progress toward remediation and that all deliverables are finalized, and defining a sustainable plan for a short- and long-term information security program. For more information, see our consulting engagement process.

Security Roadmap: We work with you to create a successful roadmap toward remediation, turning what were gaps in our clients’ security programs into competitive advantages.

Continuous Management: With the continuous support of a virtual CISO, we provide a valuable strategic asset. We weave security and compliance into the DNA of our clients’ organizations, differentiating them from their competition.

ISO 27001 and 27701

ISO 27001 is an internationally recognized standard for managing the security of your services, with your organization’s conformance certified through a third-party auditor.

Internal Audit

The ISO 27001 internal audit is a prerequisite to stage 1 of the certification process, where either your organization or a third-party firm will assess the effectiveness of your information security management system (ISMS) program against clause 9.2 of the ISO 27001 standard. Benefits of the internal audit include:

  • Validating your ISMS before undertaking the ISO audit
  • Demonstrating your organization’s commitment to improvement
  • Encouraging continuous security management

Stage 1: Your engagement lead will work with you to review and confirm documentation requirements and discuss next steps.

Stage 2: BARR will conduct a walkthrough of clauses 4-10 and Annex A controls, review nonconformities, and develop and execute a corrective action plan.

For more information, see each step of our ISO 27001 Engagement Process.

ISO Certification

BARR currently offers certification for ISO 27001 and 27701 standards. The initial certificate issued is valid for three years from the issuance date. At least annually, surveillance audits are conducted to help ensure a certified organization is able to maintain its compliance according to the standard. These audits include limited testing and an onsite review to determine the impact of any significant changes since the original certification.

PCI DSS

BARR experts will guide you through every step of the PCI DSS process. The following steps can be helpful to prepare for your engagement:

  • Understand your CDE segmentation: Understanding the segmentation of your cardholder data environment (CDE) is often referred to as “requirement zero.” To do this, it’s helpful to maintain current network diagrams that reflect how cardholder data is transmitted, processed, and stored. This will help limit your scope prior to your engagement.
  • Understand your requirements: Are you a service provider or a merchant? Protect yourself from last-minute surprises by recognizing any specific requirements that may apply to your organization.
  • Know your transaction amount: Organizations are assessed based on the number of transactions handled annually. Prepare for your audit by having these numbers readily accessible.

While we cater our services to meet your specific needs, here’s what to expect from your engagement team:

Plan: The planning phase of PCI DSS compliance helps BARR and your organization set expectations for your PCI engagement.

Assess: At least three months prior to your PCI compliance report date, BARR will hold a kickoff meeting to finalize the engagement plans and ensure you’re as prepared as possible. Your organization will then respond to evidence requests that are customized to your unique CDE through BARR’s audit portal, and your engagement team will conduct the testing and gathering process—including policy reviews, system evidence reviews, interviews, and observations.

Report: Depending on your organization’s transaction amounts and customer requests, you can choose to perform a self-assessment questionnaire (SAQ) or a report of compliance (RoC). If you choose to perform an RoC, BARR will draft the report along with an attestation of compliance (AoC), which will be submitted to the appropriate entities for official attestation.

Debrief: Once your report is issued and your audit is archived, BARR will debrief with your organization, communicating process improvement opportunities (PIOs), action items for continuous management, and a pre-plan for your next engagement.

Your organization can complete an SAQ on your own, or you can have a QSA like BARR assist you with the process.

As your trusted partner and a certified QSA, BARR serves as an official reviewer of RoCs and AoCs, and will give you the opportunity to review them prior to receiving your final deliverable.

Our reporting services include:

  • PCI DSS RoCs and AoCs
  • QSA-assisted SAQs and AoCs

Contact Us

Have questions? Schedule a call to speak with a member of the BARR team.