
Frequently asked questions.
-
MHM offers specialized audit services in cybersecurity and privacy compliance. Our service offerings include:
SOC attestations (SOC 1, SOC 2, SOC 3)
ISO certifications (ISO 27001, ISO 27701, ISO 42001)
Internal controls assessments
Privacy assessments (e.g. GDPR, HIPAA)
Audits based on NIST and other frameworks
Other audits and certifications tailored to your compliance needs
We tailor each engagement to your organization’s risk profile, maturity, and tools—delivering senior‑expert attention, efficiency, integrity, and practical, actionable outcomes.
-
MHM is based in Canada, but we serve clients across North America and globally.
-
A SOC 2 audit evaluates the controls around your organization’s data security, availability, processing integrity, confidentiality, and privacy. If you handle customer data, especially in SaaS or cloud environments, a SOC 2 report can enhance trust and meet contractual or regulatory requirements.
-
It depends on your services and customer requirements, but many organizations benefit from doing both. SOC 1 focuses on controls that impact financial reporting, while SOC 2 evaluates security, availability, confidentiality, and privacy controls.
When both are relevant, completing them together is the most efficient approach. At MHM, we coordinate evidence collection and testing across both reports, reducing duplicate requests and minimizing disruption for your team. The result is a streamlined process, faster delivery, and a comprehensive set of reports your customers can rely on.
-
SOC 2 is an attestation report based on the Trust Services Criteria, developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how effectively a service organization manages customer data, focusing on controls related to security, availability, processing integrity, confidentiality, and privacy.
ISO 27001, on the other hand, is a globally recognized certification standard for establishing, implementing, and maintaining an Information Security Management System (ISMS). It provides a structured, risk-based approach to information security and requires ongoing audits to maintain certification.
Depending on your market, regulatory requirements, and customer expectations, one or both may be appropriate for demonstrating your commitment to information security.
-
SOC 2 and ISO 27001 are complementary. SOC 2 demonstrates your controls meet the AICPA Trust Services Criteria, while ISO 27001 certifies you have a formal Information Security Management System (ISMS) in place.
At MHM, we specialize in delivering them together, efficiently and seamlessly:
One set of evidence, two reports: Many controls overlap, so we collect evidence once and apply it to both frameworks, saving you time and effort.
One audit team from start to finish: Most firms use separate teams for SOC 2 and ISO 27001. We don’t. You work with the same experts throughout, which means faster onboarding, fewer duplicate questions and consistent, actionable findings.
Our approach not only reduces disruption but also delivers a stronger outcome. Completing both together builds trust across markets. SOC 2 is well-known in North America, while ISO 27001 has global recognition. Together, they show that you’ve reached a higher level of security maturity, with robust controls and a management system built for continuous improvement.
-
Pricing depends on the scope, size of your organization, complexity, and the type of audit. We offer transparent, fixed-fee and time-based pricing models with no hidden fees.
-
Our availability varies depending on the time of year and the type of engagement. We recommend reaching out at least 4–6 weeks in advance to reserve your preferred start date. For SOC 2 or ISO 27001 engagements, we can often begin with a readiness assessment within 2–3 weeks of engagement confirmation.
-
Your engagement will be led by a dedicated Lead Auditor and supported by a consistent team of experienced, senior-level professionals. At MHM, we do not use junior staff on our audits. Every team member assigned to your engagement has substantial expertise and is selected based on their experience in your industry and the specific compliance requirements of your business.
-
MHM is accredited and authorized by several key governing bodies to deliver comprehensive audit and compliance services, including SOC 2 and ISO 27001 certification audits. Our accreditations and affiliations ensure that our clients receive audit services that meet the highest international standards:
Standards Council of Canada (SCC):
MHM is an SCC-accredited certification body authorized to perform certification audits for ISO standards such as ISO/IEC 27001 (Information Security Management Systems), ISO/IEC 27701 (Privacy Information Management Systems), and other related management system standards, fully compliant with international requirements.
Provincial Chartered Professional Accountants (CPA) Regulatory Bodies:
MHM is a licensed CPA firm in Canada, authorized by provincial CPA regulatory bodies to perform attestation engagements, including SOC 2 audits. As these engagements fall under the scope of the Canadian Auditing Standards (CAS), only licensed CPA firms can issue valid SOC 2 reports in compliance with AICPA and CAS requirements.
-
Yes. MHM is accredited by the Standards Council of Canada (SCC), which is a member of the International Accreditation Forum (IAF). This means that all certifications we issue, such as ISO 27001, ISO 27701, and others, are internationally recognized and accepted by organizations and regulators worldwide that participate in the IAF Multilateral Recognition Arrangement (MLA).
Our ISO 27001 certifications carry the same global weight as those issued by certification bodies accredited in the U.S., Europe, or other regions — making them fully valid and credible outside of Canada.
Ready to experience the MHM difference? Our team is here to provide the tailored audit solutions your business deserves. Contact us today to schedule a consultation with our experts and take the first step toward securing and optimizing your business.