California Cybersecurity Audit: What to Build Before 2028

California's CPPA cybersecurity audit rule took effect January 1, 2026. Covered businesses must run an annual cybersecurity audit against 18 control areas, document the results, and certify completion to the state. The first certifications are due April 1, 2028 for businesses over $100M in revenue. The program to pass it has to be built now.
Most of the coverage of California's new cybersecurity audit rule has been written by law firms, for general counsel. It explains what the regulation says. It rarely explains what a business in Los Angeles has to build — the actual documents, controls, and evidence an auditor will ask to see. That gap is the problem, because the deadline that matters is not the certification date. It is the date the controls have to already be running.
What is the CPPA cybersecurity audit rule?
The CPPA cybersecurity audit rule is a California regulation, codified at Cal. Code Regs. tit. 11, §§ 7120–7124, that requires covered businesses to conduct an annual cybersecurity audit and certify completion to the California Privacy Protection Agency (CPPA). It took effect January 1, 2026 and is the first rule of its kind among U.S. state privacy laws.
The rule grew out of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) of 2020. As Ropes & Gray noted in its January 2026 analysis, the framework is poised to change how companies evaluate, document, and validate the effectiveness of their security programs. For years, California required “reasonable security” without defining it — leaving the standard to be settled after a breach, in enforcement actions. The audit rule changes that by naming a specific set of controls a program is measured against.
Does the California cybersecurity audit rule apply to my business?
The audit rule applies to a business that is already covered by the CCPA and whose data processing presents a “significant risk” to consumer security. In practice that means a CCPA-covered business that processed the personal information of 250,000 or more consumers or households, or the sensitive personal information of 50,000 or more consumers, in the prior year — or that derives 50% or more of its revenue from selling or sharing personal information, regardless of size.
Deadlines are staggered by revenue. Per the CPPA's own announcement and confirmed across multiple law-firm analyses, the first certifications are due on these dates:
| Annual gross revenue | First audit period | Certification due |
| --- | --- | --- |
| Over $100 million | Jan 1, 2027 – Jan 1, 2028 | April 1, 2028 |
| $50M – $100M | Jan 1, 2028 – Jan 1, 2029 | April 1, 2029 |
| Under $50 million | Jan 1, 2029 – Jan 1, 2030 | April 1, 2030 |
The later deadline for smaller businesses is not a reason to wait. The underlying obligation to maintain reasonable security is enforceable now. The CPPA and the California Attorney General can demand a business's risk-assessment documentation at any time, with a 30-day deadline to produce it under §7157(e), and audit records must be retained for five years. The CPPA's enforcement division described its posture as “a new era of privacy enforcement” at its September 2025 board meeting. Penalties run up to $7,988 per intentional violation, and regulators can treat each affected consumer and each day of non-compliance as a separate violation.
What does the audit actually evaluate? The 18 control areas
The audit evaluates a business's cybersecurity program against 18 enumerated control components specified in §7123. The auditor decides which apply given the company's size and operations, then tests implementation and effectiveness through document review, sampling, and interviews — not management's own say-so. The 18 components fall into five functional areas.
• Authentication and access controls — phishing-resistant MFA, strong password standards, least-privilege access, privileged account management, and physical access restrictions.
• Data protection — encryption at rest and in transit, a personal-information inventory and data-flow map, hardware and software asset inventories, and data retention and secure disposal.
• Infrastructure security — secure configuration for cloud and on-prem systems, network segmentation, firewall and port controls, anti-malware, and patch and change management.
• Detection and response — centralized log management and monitoring, intrusion detection, data loss prevention, vulnerability scanning and penetration testing, and a tested incident response plan.
• Organizational controls — security training for all personnel, secure development practices, third-party and vendor oversight, and business continuity and disaster recovery planning.
The readiness build list: what to assemble before your deadline
Readiness comes down to three stacks of work: foundation documents, technical controls with evidence, and governance. An auditor asks for all three. The reason to start 12 to 18 months ahead of a certification date is that several of these — log retention, training records, a tested IR plan — only count if they have a track record behind them. You cannot manufacture six months of audit logs the week before the audit.
Foundation documents
• A personal-information inventory and data-flow map — what data you hold, where it lives, who it goes to. Nearly everything else references this.
• Written information security, acceptable-use, access-control, data-classification, and data-retention policies.
• A documented risk assessment of your processing activities — separately required under the companion CCPA risk-assessment rule, and demandable on 30 days' notice.
• An incident response plan, plus evidence it has been tested (a tabletop exercise with dated notes counts).
• A business continuity and disaster recovery plan.
Technical controls and evidence
• Phishing-resistant MFA enforced across all accounts, with configuration evidence and exception logs.
• Encryption at rest and in transit, documented by system.
• Centralized logging and monitoring with a defined retention window — start the clock early, because the auditor samples history.
• Vulnerability scanning and at least one penetration test, with the remediation tracked to closure.
• Asset inventories (hardware and software) kept current, not a one-time snapshot.
Governance and oversight
• A named executive responsible for the program — the certification is signed under penalty of perjury by a member of executive management.
• A third-party and vendor oversight process: contracts, security reviews, and a record of who has access to what.
• Security awareness training for all staff, with completion records by name and date.
• A remediation plan format ready to go — the audit report must specifically identify gaps and assign timelines, and document fixes to prior-cycle findings.
There is one piece of good news for businesses that already run a framework. Section 7123(f) states that an audit conducted under NIST Cybersecurity Framework 2.0 would likely meet the CPPA's requirements, provided the rule's specific obligations are satisfied. The CPPA's own impact analysis estimated that businesses with an existing framework audit — NIST CSF 2.0, SOC 2 Type II, ISO 27001, or CIS Controls v8 — achieve roughly a 30% reduction in first-year compliance costs. If you have a SOC 2 program, you are not starting from zero; you are mapping your existing controls to the 18 areas and filling the gaps.
Why independence matters in choosing an auditor
The rule permits both internal and external auditors, but it holds them to a strict independence standard — and that standard is where many programs trip. An internal auditor can only report to leaders who do not run the security program, and cannot have designed or operated the controls they are evaluating. The auditor must sign an independence certification, and the executive attestation includes a statement that no attempt was made to influence the auditor's findings.
This is where the conflict in a typical managed-services arrangement surfaces. A provider that built and operates your controls cannot independently audit them, and a firm that earns margin on the security tools it recommended has an interest in the answer. The cleanest readiness path keeps the advisory and the operational layers separate from the start — so that when the audit comes, the people who built the program are not the people grading it.
How a vCISO runs CCPA audit readiness
A vCISO (virtual Chief Information Security Officer) runs audit readiness as a structured 12-to-18-month program rather than a last-minute scramble. The work is gap assessment against the 18 control areas, building the missing policies and evidence trails, standing up the controls that need a track record, managing remediation week over week, and preparing the executive who signs the certification to do so credibly.
At Purple Shield Security, that readiness work is deliberately advisory-only and independent of any tool or managed-service provider we would recommend along the way — which is the same independence the audit rule itself demands of the auditor. The point is to get the program audit-ready, then let a qualified independent auditor grade it without a conflict of interest sitting in the room.
Frequently asked questions
Does the audit rule apply to a company with under 50 employees?
Employee count is not the test; data volume and revenue are. A small-headcount business can still be covered if it processes the personal information of 250,000+ consumers, the sensitive personal information of 50,000+ consumers, or derives 50%+ of its revenue from selling or sharing personal data. Many lean, data-heavy LA tech and adtech firms are in scope despite small teams.
My certification isn't due until 2030. Why start now?
Because the audit looks backward over a full year, and several controls — log retention, training records, a tested incident response plan — only count if they have history behind them. The reasonable-security obligation is also enforceable today, independent of your certification date, and regulators can demand risk-assessment documentation on 30 days' notice.
Will our existing SOC 2 or NIST program satisfy the audit?
Largely, with mapping and supplementation. Section 7123(f) notes a NIST CSF 2.0 audit would likely meet the requirements if the rule's specific obligations are covered. The CPPA estimated roughly a 30% first-year cost reduction for businesses with an existing framework audit. You still need to map your controls to the 18 areas and close any gaps the framework leaves open.
Can the company that manages our IT also do the audit?
Not if it designed or operates the controls being evaluated — that breaks the independence standard the rule requires. A provider that built your program cannot independently grade it, and the executive attestation specifically covers non-interference with the auditor. Keeping advisory, operations, and audit separate avoids the conflict.
Where to start
If your business processes California consumer data at the volumes that trigger this rule, the first step is a clear read on whether and when it applies, followed by a gap assessment against the 18 control areas. That tells you what to build and how long it will take. If you want help mapping your current controls to the rule and building a readiness plan that holds up to an independent audit, Purple Shield Security's risk assessment and compliance readiness services are built for exactly that — independent of any product or provider we'd recommend along the way.
By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM
Published By: Purple Shield Security
Published: June 1, 2026
Last updated: June 1, 2026