How to Leverage Your Current Compliance Program for CCPA Cybersecurity Audits
Compliance and Certification | Privacy Assessments
Published: May 28, 2026
The California Consumer Privacy Act (CCPA) has fundamentally reshaped how organizations approach data protection, but the recent cybersecurity audit regulation has added a new layer of complexity to compliance obligations. For many companies, this represents both a challenge and an opportunity to build a unified compliance strategy that addresses multiple regulations, standards, and frameworks simultaneously.
You likely already understand the CCPA’s core privacy requirements if your organization operates in California or serves California residents, but the cybersecurity audit provisions introduce a compliance dimension that extends beyond privacy into operational security.
While the audit may, at first glance, be seen as yet another checkbox to mark, what makes it particularly valuable is that the requirements don't exist in isolation. They share remarkable overlap with established security frameworks like NIST Cybersecurity Framework, ISO 27001, SOC 2, and others.
The real power lies in mapping these requirements strategically. Rather than treating the CCPA audit mandate as just another separate compliance task, forward-thinking organizations are recognizing it as a catalyst for building a cohesive security and compliance program. By understanding how the CCPA audit requirements align with broader security standards, your organization can create processes and controls that satisfy multiple regulatory demands simultaneously to reduce duplication, streamline audits, and ultimately build stronger security practices.
In this blog post, Emily Heintz, Privacy Technical Fellow, outlines the CCPA cybersecurity audit regulation and examines how its requirements map to other major frameworks and standards, so that organizations can get maximum value from a single, unified effort.
California's Privacy Laws Explained: CCPA, CPRA, and CalPrivacy
The CCPA represented a watershed moment in American privacy legislation as the first comprehensive state-level privacy law in the United States, which became the standard for privacy compliance. The law, which went into effect January 1, 2020, granted California residents rights over their personal information, and initiated a shift in the balance of power between American consumers and corporations.
In 2020, the CCPA was amended by the California Privacy Rights Act (CPRA), which expanded and refined the law, including the creation of a dedicated enforcement agency, the California Privacy Protection Agency or CalPrivacy.
CalPrivacy, which has been operational since 2023, is tasked with developing regulations that interpret and operationalize the CCPA, investigating consumer complaints, bringing enforcement actions against violators, and providing guidance to help businesses understand their obligations.
Notably, CalPrivacy has the authority to issue civil penalties of up to $2,663 per violation or $7,988 per intentional violation*. The cybersecurity audit regulation was approved by CalPrivacy on July 24, 2025, as part of its mandate to interpret the law, and the regulation became effective January 1, 2026.
*Please note: this amount is adjusted every other year to reflect increases in the Consumer Price Index. You can monitor those updates here.
The Cybersecurity Audit Requirements
The cybersecurity audit regulation mandates that businesses whose processing poses a “significant risk” to consumers must assess and document their security posture, creating accountability for the systems and practices that protect personal information.
Significant risk is defined as:
- The business derives 50% or more of its annual revenue from selling or sharing consumers’ personal information; OR
- The business had annual gross revenue of more than $26,625,000* in the preceding calendar year, and:
  - Processed the personal information of 250,000 or more consumers or households in the preceding calendar year; OR
  - Processed the sensitive personal information of 50,000 consumers in the preceding calendar year
*Please note: this amount is adjusted every other year to reflect increases in the Consumer Price Index. You can monitor those updates here.
The regulation is not prescriptive; it is intended to allow for interpretation based on the business’s size, complexity, and the nature and scope of its processing activities, and to leave room for continual improvement to keep pace with emerging technology and its associated threats.
There are 18 components and subcomponents in-scope of the audit, including but not limited to:
- Access and authentication, including multi-factor authentication that is resistant to phishing attacks and restrictions for privileged accounts;
- Personal information, hardware, and software inventories;
- Secure configurations, including software updates, securing on-prem and cloud-based environments, masking, patch management, and change management;
- Vulnerability scans, penetration tests, and vulnerability disclosure and reporting;
- Audit log management;
- Secure development and coding best practices;
- Retention and disposal of personal information;
- Cybersecurity awareness, education, and training; and
- Incident response
The timeline for completing the audit depends on the business’s revenue, as outlined below:
| Revenue Criteria | Cybersecurity Audit Deadline |
|---|---|
| Annual gross revenue for 2026 was more than $100 million as of January 1, 2027. The audit is required to cover the period of January 1, 2027, through January 1, 2028. | April 1, 2028 |
| Annual gross revenue for 2027 was between $50 million and $100 million as of January 1, 2028. The audit is required to cover the period of January 1, 2028, through January 1, 2029. | April 1, 2029 |
| Annual gross revenue for 2028 was less than $50 million as of January 1, 2029. The audit is required to cover the period of January 1, 2029, through January 1, 2030. | April 1, 2030 |
| The processing of personal information poses a significant risk as of January 1 of the preceding year. The audit is required to cover January 1 of the current year, through January 1 of the following year. The report must be completed by April 1 of the following year. | Thereafter |
How the Cybersecurity Audit Requirements Map to Other Compliance Frameworks
As mentioned, the cybersecurity audit requirements do not exist in a vacuum, and many readers may feel relieved after reviewing the required controls above and realizing the extent of their overlap with existing frameworks.
To assist organizations that may be strategizing how to satisfy the new obligation while juggling their other compliance objectives, Schellman has provided an analysis of how the CCPA requirements map to SOC 2 criteria, NIST CSF 2.0, and ISO 27001:2022, below:
[Mapping table: “CCPA Cybersecurity Component” against SOC 2, NIST CSF 2.0, and ISO 27001:2022; only these entries survived extraction: centralized storage; retention; monitoring; shredding; erasing; otherwise modifying the personal information in those records to make it unreadable or undecipherable.]
Moving Forward with Your CCPA Cybersecurity Audit
Understanding the CCPA cybersecurity audit requirements and mapping them to your organization's existing security framework is one thing. Implementing a unified compliance strategy is another. The complexity lies not just in understanding the regulations, but in translating them into concrete security practices, audit procedures, and documentation processes that work for your specific organization, industry, and risk profile.
This is where expertise matters. Navigating the intersection of CCPA compliance, cybersecurity best practices, and alignment with multiple frameworks requires specialized knowledge and experience. That's where Schellman comes in. Our team can help you conduct comprehensive readiness assessments that evaluate your existing security controls against CCPA audit requirements, identifying gaps and opportunities for improvement before official audits begin.
Organizations interested in conducting a readiness assessment against the regulation can contact us today for more information on how Schellman can assist in navigating their complex security and privacy regulatory environment.
In the meantime, check out additional privacy compliance insights in these helpful resources:
- The CCPA Now Requires Annual Cybersecurity Audits
- What You Need to Know About the CPRA
- What is NIST CSF 2.0? (and How Schellman Can Help with Your Assessment)
- SOC 2 and ISO 27001 Combined Audit: The Benefits of Using a Single Assessor
- Do You Need a Readiness Assessment?
- Global Privacy Trends and Best Practices for Compliance in 2026
About Emily Heintz
Emily Heintz is a technical fellow with Schellman based in New Orleans, Louisiana. She currently manages privacy assessments and certifications across the full suite of offerings, including CBPR / PRP, ISO 27701, EU Cloud Code of Conduct, and Microsoft SSPA. Prior to joining Schellman in 2020, Emily worked as a Project Manager on the U.S. Privacy team at a Fortune 50 retailer focusing on designing controls to comply with the CCPA and conducting privacy reviews of emerging technology solutions. She also has experience implementing a privacy impact assessment and artificial intelligence impact assessment process at a Future 50 recognized company. She is an active member of the International Association of Privacy Professionals (IAPP), is a Fellow of Information Privacy (FIP), holding both the CIPP/US and CIPM certifications, and has obtained her CISSP.