Healthcare Assessments | HDS Certification
By:
Robert Tylka
September 22nd, 2025
Effective May 16, 2024, Version 2 of the Health Data Host (HDS) Referential went into force with a two-year transition period. This means if you are currently HDS certified, you’ll have to transition to the new version before May 16, 2026. This transition brings many positive changes, including a clarification of the applicable hosting activities, removal of distinction between physical hosting and IT managed services providers, removal of references to controls within the ISO 20000-1 and ISO 27018 standards, requirement for data localization within the European Economic Area (EEA), and more. However, we have noticed particular challenges that companies pursuing HDS certification tend to struggle with. In this article, we’ll break down those trends faced by organizations within the new HDS framework so that you can focus on those areas that may take more time for implementation or remediation in your own compliance journey.
By:
Josh Tomkiel
September 17th, 2025
TL;DR Schellman’s core value of "quality above all" means understanding your business and comprehending why you need any given compliance service. In the case of penetration tests, it's not just about counting how many vulnerabilities we find. Good pen testing gives you risk ratings that fit your actual setup, shows we understand your specific business and technology, keeps communication clear throughout the project, and provides advice you can actually use. We focus on being your security partner and helping you understand real business risk instead of just checking compliance boxes.
By:
Sully Perella
September 16th, 2025
The S&P study on Generative AI asserts that, “The percentage of companies abandoning the majority of their AI initiatives before they reach production has surged from 17% to 42% year over year, with organizations on average reporting that 46% of projects are scrapped between proof of concept and broad adoption.”
By:
Ryan Mackie
September 15th, 2025
The EU Cyber Resilience Act (CRA) sets a new regulatory benchmark for product cybersecurity, impacting manufacturers, importers, and distributors worldwide. In this article, we’ll explain the Act’s scope, key requirements, and timeline to help your organization understand what’s changing and how to prepare with a readiness assessment.
Artificial Intelligence | ISO 42001
By:
Mike Somody
September 8th, 2025
Organizations are under increasing pressure to secure and govern their AI systems responsibly. Fortunately, industry frameworks are stepping in to help, including the Cloud Security Alliance (CSA) Artificial Intelligence Controls Matrix (AICM), which maps to the ISO 42001 standard for AI management systems. Together, these frameworks provide a powerful roadmap for aligning AI governance with established security and compliance practices.
By:
Mike Finkel
September 3rd, 2025
As a penetration tester, few things are more frustrating than firing up Burp Suite, configuring your proxy, and then watching Java applications completely ignore your interception attempts. While web browsers play nice with proxy certificates, Java applications seem determined to make your life difficult.
By:
Schellman
August 28th, 2025
TAMPA, Fla. – August 27, 2025 – Schellman, a leading provider of attestation and compliance services and a top 50 CPA firm, is proud to announce that Marci Womack, Managing Director in Schellman's Federal Practice overseeing the emerging Cybersecurity Maturity Model Certification (CMMC) assessment program, has been appointed to Cyber AB’s inaugural CMMC Third-Party Assessment Organizations (C3PAOs) Advisory Council.
By:
Chad Goubeaux
August 27th, 2025
If you’re considering a SOC 2 audit, be it due to a customer request or to strengthen your security posture, you may already understand that this examination will include an evaluation of your product or service on a more operational and security-oriented level. You may even already grasp that during a SOC 2, your scope will be evaluated against a set of trust services criteria (TSC) that provide the backbone of the assessment. But what are the trust services categories, the criteria that make up each category, and which ones will you actually need for your SOC 2 audit? At Schellman, we have over two decades of experience in SOC 2 examinations, and we want to help you navigate what can be a complex process. Read on to discover what inclusion of each category will mean for your SOC 2 examination. From there, we’ll give you some guidelines for your internal conversations when making your choice. Afterwards, you’ll be that much closer to pinning down what you need from your upcoming SOC 2 report.