Drummond Group

What is the difference between a certification and a compliance audit?

A certification is a formal determination, issued by an authorized certification body, that a product, system, or process meets a defined (often mandated) standard. Drummond holds authorizations to issue formal certifications for programs including ONC Health IT, DEA EPCS, DEA CSOS, PCI DSS (as a Qualified Security Assessor), ISO 27001, GS1 GDSN, and others.When permitted, Drummond will provide Drummond Certified® recognition, that is widely accepted as a trusted validation of compliance. A compliance audit or assessment is an independent evaluation of whether your practices conform to a regul

How long does a compliance assessment typically take?

Timeline varies by framework and scope. A NIST CSF 2.0 risk assessment typically runs four to eight weeks from kickoff to final report. A PCI DSS Report on Compliance (RoC) for a Level 1 merchant or service provider typically requires eight to twelve weeks. HIPAA gap assessments generally run four to six weeks. Penetration testing engagements range from one week for a focused scope to several weeks for a complex environment. ONC Health IT certification timelines depend on criteria scope and product readiness. Specific timeline estimates are confirmed during the initial scoping conversation. Co

What happens after Drummond identifies a compliance gap?

Drummond delivers a findings report with specific, prioritized remediation recommendations. You are responsible for implementation of those recommendations (or fixes). Drummond does not configure systems, write policies, or perform technical remediation. That separation is deliberate: a firm that assesses gaps, tells you what to fix, implements the fixes on your behalf, and then grades its own remediation effort has a conflict of interest. After you complete remediation, you can engage Drummond for a separate follow-on validation to independently verify that the fixes were implemented correctl

What credentials and authorizations does Drummond hold?

Drummond holds independent authorizations from the regulatory and standards bodies that govern each framework it assesses. Drummond is an ONC-Authorized Testing Laboratory (ONC-ATL) and ONC-Authorized Certification Body (ONC-ACB) for ONC Health IT certification. Our ONC-ACB operates under accreditation through the ANAB/ANSI program (Accreditation ID# 1045). Drummond is a Qualified Security Assessor (QSA) for PCI DSS. Drummond is ANAB-accredited for ISO 27001 certification. Drummond is a DEA-approved third-party auditor for EPCS and CSOS. Drummond is approved by GS1 as a testing and certificati

Does Drummond work with organizations outside the Health IT Industry?

Yes. Drummond serves organizations across healthcare, financial services, retail, technology, pharmaceutical, and supply chain industries. While Drummond is well known for ONC Health IT and EPCS testing and certification programs, the same independent assessment model applies across PCI DSS, NIST risk assessments, penetration testing, SOC 2, ISO 27001, FTC Safeguards, AS2/AS4 and FHIR interoperability, and more. If your compliance obligation involves formal third-party testing, certification, or a compliance audit, Drummond likely has an applicable service. Explore our services.