Look At that the auditor is independent from the vendor. Independence policies prohibit auditors from building the controls they audit or having monetary interests in the corporate they’re analyzing. That’s a conflict of fascination you wish to stay clear of. Manage info and Assemble proof forward of fieldwork (if possible https://calvant.com/blog/iso-27001-vs-soc-2-comparison-differences-benefits