Trusted to Test. Authorized to Certify.

Drummond is a compliance, risk, & security testing & certification body with 25+ years of experience across 20+ frameworks.

Impartial Assessments Since 1999

When a regulator, customer, or auditor asks for proof, your assessment partner’s name matters.

Drummond has provided impartial third-party compliance testing and certification since 1999 as an independent body with one job: verify that your systems, software, or processes are secure and meet the standards they claim.

We test, validate, and certify—while you implement our remediation recommendations. Drummond remains impartial and your outcomes are defensible. That independence is why the organizations that need it most have trusted Drummond for over 25 years.

Who We Work With

Healthcare & Health IT
Financial Services
Retail & Ecommerce
Technology & SaaS
Pharma & Life Sciences
Manufacturing & Supply Chain

One Relationship. Compliance and Security Support.

Most organizations managing multiple compliance requirements are doing it with multiple vendors. That means repeating your infrastructure story, paying for overlapping scope discovery, and managing timelines that do not align. If you already work with Drummond for one framework, we know your environment. Extending to a second—or a fifth—doesn’t mean you have to start from scratch.

If you already work with Drummond for testing and certification, the relationship does not have to stop there. Drummond serves 20+ frameworks across compliance, risk, and security.

Insights and Guidance

Practical compliance resources, from insightful articles and assessment checklists to framework guides, for every industry we serve.

Trusted Experts in Compliance, Security, and Standards Assessments

For over 25 years, Drummond has been a trusted partner, helping organizations like yours meet industry standards, achieve regulatory compliance, and strengthen their cybersecurity defenses. Our history of delivering reliable certification and validation services has made us a recognized leader across multiple industries.

Our team of dedicated experts offers impartial, third-party assessments, tailored advisory services, and cybersecurity threat identification to ensure your business remains secure, competitive, and fully compliant with evolving requirements. 

Celebrate 25 Years of Trusted Expertise with Drummond

Trust is hard to come by. Every business needs to build and protect its hard-won market trust. Drummond’s 25-year legacy is built on a foundation of unwavering impartiality, expertise, and promotion of standards that drive secure and interoperable digital transformation. That’s why industry leaders, software developers, conformance professionals, and business owners turn to Drummond.

The Drummond Certified and Validated seals are more than symbols indicating that your products, services, or business have met rigorous compliance, security, or standards requirements—they are a testament to your unwavering commitment to providing innovative and secure solutions and services your customers can rely on.

The market trusts Drummond. What will you say when your customer asks, “Is It Drummond Certified®?”

Why Organizations Trust Drummond

Expertise That Comes From 27 Years: Drummond was founded in 1999. In that time, compliance frameworks have been written, rewritten, and replaced entirely. We have seen what works, what fails, and what catches organizations off guard. That kind of perspective takes decades to earn.

Impartial by Design: Drummond does not implement the controls it assesses and never will. That means the findings reflect reality—not a financial interest in what comes next. If you want verification that your remediation was done correctly, bring us back. We grade your fixes, not ours.

One Vendor Across Your Compliance Stack: Managing compliance across multiple frameworks with multiple vendors means repeating your infrastructure story every time you start an engagement. Drummond holds the credentials and authorizations to assess across 25+ frameworks.

Senior Expertise From Day One: Drummond specializes in compliance and security testing, validation, and certification. Every engagement is led by a senior assessor or proctor who knows your framework deeply and is committed to your engagement from start to finish.

Frequently Asked Questions

A certification is a formal determination, issued by an authorized certification body, that a product, system, or process meets a defined (often mandated) standard. Drummond holds authorizations to issue formal certifications for programs including ONC Health IT, DEA EPCS, DEA CSOS, PCI DSS (as a Qualified Security Assessor), ISO 27001, GS1 GDSN, and others.

When permitted, Drummond will provide Drummond Certified® recognition, which is widely accepted as a trusted validation of compliance.

A compliance audit or assessment is an independent evaluation of whether your practices conform to a regulatory or industry framework, resulting in a findings report rather than a certificate. This can include mandated programs that do not specify or authorize organizations as certification bodies (e.g., HIPAA).

Our compliance audit-based services include HIPAA, NIST, SOC 2, FTC Safeguards, and FDA 21 CFR Part 11. When appropriate, Drummond can provide Drummond Validated™ recognition, which is an impartial third-party validation of your assessment.

Timelines vary by framework and scope. A NIST CSF 2.0 risk assessment typically runs four to eight weeks from kickoff to final report. A PCI DSS Report on Compliance (RoC) for a Level 1 merchant or service provider typically requires eight to twelve weeks. HIPAA gap assessments generally run four to six weeks. Penetration testing engagements range from one week for a focused scope to several weeks for a complex environment. ONC Health IT certification timelines depend on criteria scope and product readiness. Specific timeline estimates are confirmed during the initial scoping conversation. Contact Drummond to discuss your requirements.

Drummond delivers a findings report with specific, prioritized remediation recommendations. You are responsible for implementation of those recommendations (or fixes). Drummond does not configure systems, write policies, or perform technical remediation. That separation is deliberate: a firm that assesses gaps, tells you what to fix, implements the fixes on your behalf, and then grades its own remediation effort has a conflict of interest. After you complete remediation, you can engage Drummond for a separate follow-on validation to independently verify that the fixes were implemented correctly. This applies to most cybersecurity and audit services. It does not apply to formal certification programs (e.g., ONC Health IT, EPCS, PCI DSS, ISO 27001) where the certification process itself governs how deficiencies and retesting are handled.

Drummond holds independent authorizations from the regulatory and standards bodies that govern each framework it assesses. Drummond is an ONC-Authorized Testing Laboratory (ONC-ATL) and ONC-Authorized Certification Body (ONC-ACB) for ONC Health IT certification. Our ONC-ACB operates under accreditation through the ANAB/ANSI program (Accreditation ID# 1045). Drummond is a Qualified Security Assessor (QSA) for PCI DSS. Drummond is ANAB-accredited for ISO 27001 certification. Drummond is a DEA-approved third-party auditor for EPCS and CSOS. Drummond is approved by GS1 as a testing and certification provider for GDSN. For cybersecurity assessment services (e.g., NIST, SOC 2, HIPAA, penetration testing, and others), our assessment team credentials include CISSP, CISM, CISA, and OSCP, depending on the service. Full credential details are available on request.

Yes. Drummond serves organizations across healthcare, financial services, retail, technology, pharmaceutical, and supply chain industries. While Drummond is well known for ONC Health IT and EPCS testing and certification programs, the same independent assessment model applies across PCI DSS, NIST risk assessments, penetration testing, SOC 2, ISO 27001, FTC Safeguards, AS2/AS4 and FHIR interoperability, and more. If your compliance obligation involves formal third-party testing, certification, or a compliance audit, Drummond likely has an applicable service. Explore our services.

MARKET STUDY SURVEY

FHIR Interoperability Testing

Share your experience with FHIR interoperability testing to help identify common challenges, practices, and emerging trends.