Most compliance firms keep this deliberately vague. We don't. Here is exactly what ThreeShield's CISSP/CISA team can attest to directly, what we deliver through licensed independent partners, and why we structure it this way. If you've wondered whether a compliance firm is being honest about its authority, this page is the answer you haven't been able to get from anyone else.
The following assessments and compliance programs are signed and attested by ThreeShield's CISSP/CISA certified team. We do not need an external licensed partner for these. The credentials involved are ISACA's CISA (Certified Information Systems Auditor), (ISC)²'s CISSP (Certified Information Systems Security Professional), and where noted, ISACA's CCP (Certified in Cyber Privacy).
| Framework / Assessment | Scope of Work | Our Authority |
|---|---|---|
| HIPAA Security & Privacy Rule | Security Risk Assessments, policy development, BAA review, Breach Notification readiness | Direct — CISSP/CISA |
| PIPEDA / Bill C-27 (CPPA) | Privacy program assessment, breach notification, consent framework design | Direct — CISSP/CISA/CCP |
| Alberta Health Information Act (HIA) | Safeguard assessment, PIA support, OIPC submission support | Direct — CISSP/CISA |
| Alberta PIPA | Privacy compliance assessment, breach notification program | Direct — CISSP/CISA/CCP |
| BC PIPA | BC private-sector privacy compliance | Direct — CISSP/CISA/CCP |
| Quebec Law 25 | Automated decision-making disclosures, privacy officer designation, consent | Direct — CISSP/CISA/CCP |
| PCI DSS — Level 2, 3, 4 Merchants | SAQ-based compliance for merchants under 6M Visa/MC transactions annually. All SAQ types: A, A-EP, B, B-IP, C, C-VT, D | Direct — former ISA background |
| NIST CSF 2.0 | Framework assessment, profile development, gap analysis | Direct — CISSP/CISA |
| CIS Controls v8.1 | IG1/IG2/IG3 implementation assessment, Lavawall® automation | Direct — CISSP/CISA |
| Cyber Insurance Readiness | Questionnaire completion, control gap assessment, ThreeShield attestation letter | Direct — CISSP/CISA |
| Vulnerability Assessment | Grey-box assessments including ISACA independent auditor methodology | Direct — CISSP/CISA |
| Secure Code Review | OWASP, ASVS, requirements review, PCI DSS Req. 6 | Direct — CISSP/CISA |
| CMMC Level 1 Self-Attestation Support | 17 practices, self-attestation preparation, evidence package | Direct — CISSP/CISA |
| Bill C-8 / CCSPA Readiness | Critical infrastructure cybersecurity program development | Direct — CISSP/CISA |
| NERC CIP Advisory | Bulk Electric System cybersecurity advisory (not registered ERO enforcement) | Direct — CISSP/CISA |
| Expert Witness | Certified as an Expert Witness in Information Security in the Court of King's Bench of Alberta | Certified — Court of King's Bench AB |
ThreeShield delivers all readiness work: gap analysis, control design, evidence automation via Lavawall®, policy development, remediation, staff training, and audit preparation. The final attestation opinion — the SOC 2 report, the ISO 27001 certificate, the CMMC assessment, the PCI Level 1 ROC — is issued by an independent licensed partner. One contract. One price. One project manager. Two signatures.
| Framework | Division of Work | Partner Type |
|---|---|---|
| SOC 2 Type I & Type II | ThreeShield delivers: readiness assessment, Trust Services Criteria gap analysis, evidence automation via Lavawall®, control design, policy library, staff training, auditor coordination. The CPA firm performs the examination and issues the attestation opinion. | Licensed CPA Firm |
| ISO 27001:2022 | ThreeShield delivers: ISMS design, Annex A control implementation, risk register, evidence via Lavawall®, policy library, internal audit preparation. The accredited certification body performs Stage 1 and Stage 2 audits and issues the ISO 27001 certificate. | Accredited Certification Body |
| CMMC Level 2 & Level 3 | ThreeShield delivers: SPRS gap assessment, SSP development, POA&M management, remediation, evidence preparation. The formal triennial assessment is performed by a DoD-authorized C3PAO (Certified Third-Party Assessment Organization). ThreeShield supports Level 1 self-attestation directly. | C3PAO (DoD-Authorized) |
| PCI DSS Level 1 — Report on Compliance | Merchants with 6M+ Visa/MC transactions annually require a QSA. ThreeShield delivers readiness work and refers to vetted QSA partners for the formal ROC. We can coordinate the full engagement. | Qualified Security Assessor (QSA) |
ThreeShield's assessments are signed by credentialed professionals, not just reviewed by them. These are the credentials behind every engagement.
Certified Information Systems Security Professional — (ISC)². The gold standard general cybersecurity credential. Required for signing ThreeShield's HIPAA, NIST CSF, CIS Controls, and vulnerability assessment deliverables.
Certified Information Systems Auditor — ISACA. The primary audit credential for information systems. Enables ThreeShield to issue ISACA-methodology independent auditor reports on controls and compliance programs.
Certified in Cyber Privacy — ISACA. Privacy-specific credential covering GDPR, PIPEDA, PIPA, HIA, and Quebec Law 25 assessments.
Internal Security Assessor — former designation (no longer held). ThreeShield's principal has direct PCI DSS assessment experience from this former credential, directly informing current SAQ work for Level 2/3/4 merchants.
Certified as an Expert Witness in the area of Information Security in the Court of King's Bench of Alberta. Qualified to provide expert testimony on cybersecurity matters in Alberta courts.
Experience auditing Alberta Health Services, Government of Alberta, and Fortune 50 organizations (NASA, Pratt & Whitney, Sikorsky, UTC) including ITAR-classified military environments.
Every major compliance platform — Drata, Vanta, Secureframe, Tugboat Logic — uses the same integrated partner model for SOC 2: they automate the evidence collection, and a CPA firm issues the attestation. The difference is that they don't explain this clearly. The result is confused buyers who don't know what they're buying, and disputes later about who delivers what.
The integrated model exists for a very good reason: the independence requirement. A SOC 2 attestation opinion issued by the same firm that designed the controls is not credible to an enterprise buyer, who will recognize the conflict of interest. The opinion has to come from an independent CPA firm to be worth anything. The same logic applies to ISO 27001 (certification body), CMMC (C3PAO), and PCI Level 1 ROC (QSA).
ThreeShield states this plainly because our clients are sophisticated enough to ask, and because vague claims about what a firm can "deliver" are a liability risk for everyone.
Compliance engagements involve real liability. You should know exactly who is attesting what before you sign a contract. ThreeShield is glad to walk through any of this in detail on a call.