
CCPA Article 9 Cybersecurity Audit Services

Independent Audit & Advisory for California’s First Mandatory Cybersecurity Audit Regulation

Organizations with more than $100M in annual revenue now face a new regulatory reality: the California Privacy Protection Agency (CPPA) has finalized Article 9, the first mandatory cybersecurity audit requirement under the CCPA. Beginning January 1, 2027, businesses must undergo an annual audit across 18 defined control domains, with a §7124 certification signed by a named executive under penalty of perjury.

FTI Technology delivers both advisory and independent audit-of-record services designed to help organizations achieve defensible compliance — before the first audit window opens.

Our Services

  • Path 1: Article 9 Gap Assessment & Remediation Advisory
    For organizations preparing for an existing auditor relationship or needing program alignment before the audit period begins.

  • Path 2: Article 9 Audit of Record
    For organizations seeking a qualified, independent assessor to conduct the formal Article 9 audit.
