Supporting Service · Audit & Compliance
Compliance readiness scoped specifically for the OT and ICS portion of your audit. We translate generic control language into the operational technology context, prepare evidence packages auditors actually accept, and represent your OT scope through the audit cycle.
Engagement length: 6–16 weeks
Frameworks covered: 7+
Audit liaison: Included
Region: Oregon · WA · ID
Frameworks we cover
Trust Service Criteria interpreted for OT assets. CC6 (logical access) for industrial systems. CC7 (system monitoring) for plant-floor telemetry. CC8 (change management) for OT change windows.
Requirement 9 physical access. Requirement 1 segmentation between the cardholder data environment and OT/BMS networks. Documentation that satisfies QSA review.
62443-3-3 System Security Requirements (SR) and Security Levels (SL). 62443-4-2 Component Security Requirements (CR). Zone-and-conduit documentation. SL target attestation.
Guide to Operational Technology Security. Control mapping for OT-specific implementations. Cross-walk to NIST 800-53 for federal-adjacent operators.
SD-02C and SD-01C readiness for pipeline operators. Architecture diagrams, network segmentation evidence, vulnerability management cadence, incident-reporting procedures.
EPA cybersecurity guidance for community water systems. SCADA exposure review, vendor remote access controls, and incident reporting procedure documentation.
For US operators with EU parents, customers, or supply chain exposure. Documentation packages that satisfy parent-company or EU-customer audit requests.
Underwriter questionnaire response packages. Evidence specifically tuned to what insurers ask about OT exposure. Renewal-cycle support.
For DOD-supply-chain manufacturers, the OT portion of a CMMC Level 2/3 environment. CUI flow review for OT-adjacent data, and segmentation evidence.
What you get
Deliverable 01: Every relevant framework control mapped to your specific OT environment with implementation status, evidence reference, and gap remediation plan.
Deliverable 02: Diagrams, screenshots, configuration exports, and policy excerpts organized by control. Suitable for direct insertion into your audit evidence repository.
Deliverable 03: We attend the OT portion of your audit walkthroughs as subject-matter expert, defending control narratives and fielding auditor questions in real time.
Deliverable 04: For OT-specific situations where the strict letter of a control is impractical, pre-documented compensating control narratives that hold up under audit.
Frequently asked
SOC 2 (Trust Service Criteria for OT scope), PCI DSS (physical and OT-adjacent requirements), IEC 62443 (3-3 System Security Requirements and 4-2 Component Security Requirements), NIST SP 800-82 Rev. 3, TSA Pipeline Security Directives, EPA water-utility guidance, and NIS2 readiness for US subsidiaries of EU parents.
IT compliance frameworks treat operational technology assets the same as IT assets — and most auditors do not have hands-on OT experience. Our compliance readiness work translates control language into the OT context, identifies which controls actually map to industrial assets, and prepares evidence packages your auditor will accept the first time.
Yes. We act as your subject-matter expert during SOC 2 audits when OT scope is in play — joining auditor walkthroughs, defending the OT control narrative, and pre-emptively documenting compensating controls for OT-specific situations like patching cycles, change windows, and vendor remote access.
NIS2 directly affects EU-based entities, but US subsidiaries of EU parents and US suppliers to EU customers are increasingly being asked to demonstrate NIS2-compatible OT security postures. We help US operators understand the obligations flowing through their EU exposure and prepare the documentation needed to satisfy parent-company or customer audit requests.
A scoped readiness engagement is typically 6 to 12 weeks. SOC 2 OT scope readiness runs around 8 weeks; full IEC 62443 SL target documentation can run 10 to 16 weeks depending on facility complexity.