How to Prepare for CCPA Cybersecurity Audits
In July 2025, the California Privacy Protection Agency (CPPA) finalized regulations pertaining to risk assessments, automated decision making, and cyber audits. As we’ve previously outlined, the cybersecurity audits will be required to assess how a business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure. The CCPA cybersecurity audit requirements represent a significant addition to the law that will require businesses to commit time and resources.
This article will detail the new requirements and explain how to prepare for CCPA cybersecurity audits.
Timelines and Applicability
Businesses must comply with the audit requirements if they meet one of the following criteria:
- The business made 50% or more of its annual revenue the prior year from selling or sharing (as defined by the CCPA) consumer personal information.
- The business made over $28 million in annual gross revenue last year AND
  - Collects, uses, discloses, retains, or otherwise processes the personal information of 250,000 or more consumers, OR
  - Collects, uses, discloses, retains, or otherwise processes the sensitive personal information of 50,000 or more consumers.
When your business needs to start conducting cybersecurity audits depends on the size of the organization. Here are the timing requirements:
- April 1, 2028, if the business’s annual gross revenue for 2026 was more than $100,000,000. The audit would cover the period from January 1, 2027, through January 1, 2028.
- April 1, 2029, if the business’s annual gross revenue for 2027 was between $50,000,000 and $100,000,000. The audit would cover the period from January 1, 2028, through January 1, 2029.
- April 1, 2030, if the business’s annual gross revenue for 2028 was less than $50,000,000. The audit period would be from January 1, 2029, through January 1, 2030.
If the 2028 date is applicable, we recommend conducting an audit in early 2026 to understand and remediate gaps that would be discovered and reported during the 2027-2028 audit timeframe.
The Scope of CCPA Cybersecurity Audits
To meet CCPA requirements, the audit must assess the following components of a business’s cybersecurity program:
- Authentication, including multi-factor authentication and password requirements
- Encryption of personal information at rest and in transit
- Account management and access controls, including the restriction of access to personal information based on what access is needed to perform job duties
- Hardware and software inventories and approval processes
- Hardware and software configuration and updates, both on-premises and cloud-based
- Vulnerability scans and penetration testing
- Audit-log management
- Network monitoring and defense
- Antivirus and antimalware protections
- Cybersecurity awareness and training
- Code reviews and testing
- Vendor oversight
- Incident response and recovery plans
Also in the requirements are actions typically associated with a privacy audit, including:
- Personal information inventories
- Data flow maps identifying where personal information is stored, and how it can be accessed
- How personal information is tagged and how those tags are used to control the use and disclosure of personal information
- Proper disposal of personal information
The cybersecurity audit report must describe the business’s information system, along with:
- The policies, procedures, and practices that the cybersecurity audit assessed
- The criteria used for the cybersecurity audit
- The specific evidence examined to make decisions and assessments, such as documents, sampling and testing performed, and interviews conducted
- The status of any gaps or weaknesses identified in the audit and how they will be resolved
Organizations can use audits performed for other purposes or frameworks, such as NIST CSF, if they meet all of the CCPA requirements. Businesses must submit a written certification of audit completion to the CPPA no later than April 1st following each year the requirement applies to them. The certification must be completed by a member of the business’s executive team who is directly responsible for the audit and is knowledgeable about the cybersecurity program.
Internal vs External Audits
Under the CCPA, the auditor(s) can be within the organization or an outside service provider, as long as they are qualified and use industry-accepted standards. However, the auditor must be able to exercise objective and impartial judgment and not be influenced by the business being audited. If a business uses an internal auditor, a member of the executive team must conduct the employee review and determine compensation.
The benefits of an external auditor include greater independence and an audit free of bias. An assessment performed by an external auditor will likely be regarded as more rigorous in the marketplace.
An internal audit may come at a lower financial cost, but organizations that go this route are missing an opportunity to have a fresh set of eyes assess their cybersecurity program.
How to Get Started
Here are practical steps organizations can take now to prepare for the upcoming CCPA cybersecurity audit requirements:
Determine if the Audit Requirements Apply to Your Business
Assess whether your data-processing activities fall into the categories deemed “significant risk” (the sale/sharing of data for cross-context behavioral advertising, using sensitive personal information, etc.).
Establish an Independent Audit Function
If you plan to use an internal auditor, confirm they meet the rule’s independence requirements, including:
- No operational cybersecurity responsibilities
- Reports to an executive outside the security chain
- Compensation and performance review are determined by an executive team member
If you lack this structure, begin building it now, or consider engaging an external auditor.
Perform an Internal Gap Assessment
Conduct a “pre-audit” aligned to the CCPA’s required control areas detailed above. Document which controls are in place, what’s missing, and where evidence is weak or inconsistent.
Organize Evidence Now
The CCPA cybersecurity audit requires proof, not just statements. Begin collecting and organizing logs, policies, procedures, diagrams, asset inventories, vendor records, incident reports, training records, and testing artifacts so they can be easily provided to an auditor.
Update Policies and Procedures
Ensure policies are comprehensive, reflect current practices, and cover all required domains. Many organizations discover that their written policies don’t align with their day-to-day operations, which auditors will flag immediately.
Remediate Known Security Gaps
Design and implement security controls to fix the vulnerabilities identified in the gap assessment.
Align Processes with Recognized Audit Standards
The rules expect auditors to follow established standards, such as those published by ISACA or AICPA. Align your documentation and testing approach to these frameworks.
Strengthen Vendor and Third-Party Security Oversight
Service provider risk management needs to be included in the audit. Ensure contract clauses, assessment processes, and monitoring mechanisms are in place and documented.
Prepare Executive Leadership
The final step in the audit process requires a senior executive to certify completion and accuracy. Leadership should understand:
- The scope and rigor of the audit
- Risks of poorly documented or non-compliant practices
- Their role in governance and accountability
Conduct a Mock Audit
Running a rehearsal, either internally or with an external assessor, helps identify documentation gaps, unclear responsibilities, and weak evidence before the formal audit begins.
How We Can Help
CompliancePoint has proven expertise in both privacy and cybersecurity. We specialize in conducting Cybersecurity Risk Assessments that will meet CCPA requirements and identify vulnerabilities in your existing security program that could put personal information at risk. Reach out to us at connect@compliancepoint.com to learn more about our services.
CCPA Cyber Audits Podcast
To learn more, watch our CCPA Cybersecurity Audits Podcast episode below.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.
