Michelle Strickler

Michelle Strickler
Strike Graph
Michelle has been with Strike Graph even before it became Strike Graph and is currently responsible for all framework development within the Strike Graph product. With nearly 20 years of IT compliance experience, Michelle advocates a risk-based approach to data security and data privacy decisions and has deep subject matter expertise in building, operating, and auditing IT compliance programs. She has assisted organizations of different sizes in various industries, from Fortune 100 social media conglomerates to venture-backed start-ups, in various aspects of their GRC journies. Her framework expertise includes SOX (ICFRs and ITGCs), SOC 1, SOC 2, GDPR, CCPA, ISO 27001, CIS, and NIST CSF/800-53/800-171. Michelle is Certified in Risk and Information Systems Control’s (CRISC) and has a Masters in Accounting(MAcc). In a past life, she was a Certified Internal Auditor (CIA) and Certified Information Systems Auditor (CISA), Director of Internal Audit, and ran a consulting practice coaching organizations on GRC initiatives. On the weekends you can find her cheering on the Seattle Seawolves Rugby team, volunteering for Girl Scouts, or lost in a forest.
Connect on LinkedIn

Resources from Michelle Strickler

Navigating GDPR: How to protect data subject rights
BLOG

Navigating GDPR: How to protect data subject rights

Find out how to navigate GDPR and protect your data subject rights with Strike Graph's easy-to-follow guide. It's all about staying compliant and building trust, the smart way!
April 18, 2024
GDPR, ISO 27701, SOC 2, Security compliance, Designing security programs
Decoding the HIPAA Omnibus Rule: A guide for HealthTech professionals
BLOG

Decoding the HIPAA Omnibus Rule: A guide for HealthTech professionals

Navigate the complexities of the HIPAA Omnibus Rule with insights on achieving and proving compliance, crucial for HealthTech professionals looking to safeguard patient information.
March 25, 2024
HIPAA, HIPAA, Security compliance, Measuring/certifying security programs, Boosting revenue
The key to understanding SOC reports
BLOG

The key to understanding SOC reports

Everything you need to know about SOC 1, SOC 2, and SOC 3 reports, including what’s in them and the benefits they can offer your business.
March 14, 2024
SOC 1, SOC 2, SOC 3, SOC 2, Security compliance, SOC 3, Measuring/certifying security programs, SOC 1
Should I get GDPR and ISO 27701 at the same time? Yes!
BLOG

Should I get GDPR and ISO 27701 at the same time? Yes!

Independently, GDPR and ISO 27701 can feel like heavy lifts — tackling GDPR and ISO 27701 together saves you both time and resources.
January 29, 2024
GDPR, ISO 27701, Security compliance, Designing security programs
12 SOC 2 controls that support CPRA compliance
BLOG

12 SOC 2 controls that support CPRA compliance

Reduce redundancy while ensuring comprehensive coverage — among other perks. Learn how you can best leverage the framework overlap between SOC 2 and CPRA.
October 20, 2023
CPRA, SOC 2, Security compliance, Designing security programs
Prep for FedRAMP compliance using NIST 800-53
BLOG

Prep for FedRAMP compliance using NIST 800-53

Building towards FedRAMP compliance? Become NIST 800-53 compliant first and you’ll be well on your way.
October 18, 2023
FedRAMP, NIST 800-53, Security compliance, Measuring/certifying security programs, Company news
Everything you need to know about SOC 1
BLOG

Everything you need to know about SOC 1

The ins and outs of SOC 1: What it is, why it’s important, who it’s for, the types of reports (including SOC 1 Type 1, SOC 1 Type 2, and SOC 1 Type 3) and more.
October 16, 2023
SOC 1, Security compliance, Designing security programs
Has the Data Protection Act of 1988 been repealed?
BLOG

Has the Data Protection Act of 1988 been repealed?

Learn about the status of the Data Protection Act of 1988 and the updates it has undergone in recent years.
July 04, 2023
GDPR, Security compliance, Designing security programs
Is the Data Protection Act of 1988 still in force?
BLOG

Is the Data Protection Act of 1988 still in force?

Learn about the Data Protection Act of 1988, how it has changed over time, and where it intersects with GDPR.
June 30, 2023
GDPR, Security compliance, Designing security programs
What is FedRAMP and how can you get FedRAMP authorized?
BLOG

What is FedRAMP and how can you get FedRAMP authorized?

FedRAMP is an important standardized approach that agencies can use to assess the use of federal data — read on to learn what that means and why it matters
June 28, 2023
FedRAMP, NIST 800-53, Security compliance, Measuring/certifying security programs
TISAX requirements
BLOG

TISAX requirements

What are the TISAX requirements? What are the labels, and how are they different? Let’s take a deep dive.
June 06, 2023
TISAX, Security compliance, Designing security programs
How do I transition from ISO 27001: 2013 to ISO 27001: 2022?
BLOG

How do I transition from ISO 27001: 2013 to ISO 27001: 2022?

Learn when you need to transition from ISO 27001: 2013 to ISO 27001: 2022, what’s changing, and what’s staying the same.
April 24, 2023
Security compliance, Operating security programs
Who needs CMMC certification?
BLOG

Who needs CMMC certification?

Understanding all the ins and outs of CMMC can be difficult, but we’re here to help. Here’s who needs CMMC certification and how to achieve it.
March 21, 2023
CMMC, NIST 800-171, Security compliance, Designing security programs
How do I conduct a vendor risk assessment?
BLOG

How do I conduct a vendor risk assessment?

Learn the six stages of conducting a vendor risk assessment and know what types of risk you should be checking for with potential partners.
March 21, 2023
Measuring/certifying security programs, Risk management
What are the 6 stages of risk management?
BLOG

What are the 6 stages of risk management?

Ready to ensure a strong security posture? Start with risk management. In this post we explain the 6 stages of risk management and how you can prepare for each.
March 18, 2023
Designing security programs, Risk management
How do I become SOC 2 Type 2 compliant?
BLOG

How do I become SOC 2 Type 2 compliant?

Does your organization need to become SOC 2 Type 2 compliant? Here’s how to know, and how to get there if you do.
February 23, 2023
SOC 2, Security compliance, Measuring/certifying security programs
The difference between SOC 1 and SOC 2
BLOG

The difference between SOC 1 and SOC 2

What’s the difference between a SOC 1 and SOC 2? What about a SOC 1 Type 1 and Type 2 and a SOC 2 Type 1 and Type 2? In this post, we break it all down.
February 21, 2023
SOC 1, SOC 2, Security compliance, Designing security programs
What was the data protection act of 1988?
BLOG

What was the data protection act of 1988?

Learn about the history of the data protection act of 1988 and its evolution into the GDPR.
February 16, 2023
GDPR, Security compliance
Who must comply with SOC 2 requirements
BLOG

Who must comply with SOC 2 requirements

Learn about who needs to comply with SOC 2 requirements, and all the benefits of achieving compliance.
February 13, 2023
SOC 2, SOC 2, Security compliance, Designing security programs
What is the purpose of compliance risk management?
BLOG

What is the purpose of compliance risk management?

If your company doesn’t have a compliance risk management plan, you could be facing a loss of reputation, revenue, valuation, and business opportunities.
December 20, 2022
Security compliance, Risk management
What are the NIST SP 800-171 controls?
BLOG

What are the NIST SP 800-171 controls?

Get all the details on the NIST SP 800-171 controls and how they apply to your organization.
November 23, 2022
NIST 800-171, Security compliance, Operating security programs
What is an information security policy, and do you need one?
BLOG

What is an information security policy, and do you need one?

Creating a strong information security policy can help your organization prevent data breaches, and more. Discover what your policy should include.
November 22, 2022
Security compliance, Designing security programs
A cheatsheet for common GDPR terms
BLOG

A cheatsheet for common GDPR terms

There are a lot of GDPR terms, and it can be difficult to keep them all straight. Hopefully this cheatsheet will help you on your journey to GDPR compliance.
November 16, 2022
GDPR, Security compliance, Designing security programs
What are the 7 types of risk to your business?
BLOG

What are the 7 types of risk to your business?

While no company is risk-free, you can mitigate many kinds of risk with proper understanding and an action plan. Learn how!
October 31, 2022
Designing security programs, Risk management
What is required for GDPR compliance?
BLOG

What is required for GDPR compliance?

What exactly is required of your organization in order to achieve — and maintain — GDPR compliance? Let’s take a look.
October 25, 2022
GDPR, Security compliance, Measuring/certifying security programs
How many controls are there in ISO 27701?
BLOG

How many controls are there in ISO 27701?

Check out our overview of ISO 27701 controls for your answer, including what controls are, how they work, and how they improve your data security posture.
October 19, 2022
ISO 27701, Security compliance, Designing security programs
What is a vendor risk assessment questionnaire?
BLOG

What is a vendor risk assessment questionnaire?

A vendor risk assessment questionnaire helps organizations identify their partners’ potential weaknesses that could result in a breach.
October 18, 2022
Measuring/certifying security programs, Risk management
What are the 8 GDPR rights?
BLOG

What are the 8 GDPR rights?

The GDPR establishes eight rights for individuals on the internet. Read about these rights and your organization's responsibilities to protect them.
September 28, 2022
GDPR, Security compliance, Designing security programs
What are the exceptions to CCPA?
BLOG

What are the exceptions to CCPA?

Find out if your company or any of the information you handle is exempt from the CCPA.
September 26, 2022
CPRA, Security compliance, Designing security programs
Unstructured data and its impact on SOC 2 compliance
BLOG

Unstructured data and its impact on SOC 2 compliance

A SOC 2 report ensures that service providers are securely managing your unstructured data to defend your organization’s security and privacy.
September 15, 2022
SOC 2, Security compliance, Risk management
Who needs to comply with the CCPA?
BLOG

Who needs to comply with the CCPA?

To ensure your business is CCPA compliant, you need to know what CCPA is, who needs to comply, and what happens if you don’t.
September 07, 2022
CPRA, Security compliance, Designing security programs
ISO 27001 controls
BLOG

ISO 27001 controls

ISO 27001 certification proves you can protect sensitive information. Read on to learn more about ISO 27001 controls and how to implement them.
August 30, 2022
ISO 27001, Security compliance, Operating security programs
The HIPAA Privacy Rule: Is your organization a covered entity?
BLOG

The HIPAA Privacy Rule: Is your organization a covered entity?

Learn who the HIPAA Privacy Rule applies to, which information it protects, and how your organization can reach compliance.
August 23, 2022
HIPAA, Security compliance, Designing security programs
What is TPRM or third-party risk management?
BLOG

What is TPRM or third-party risk management?

TPRM stands for third-party risk management. Learn about the benefits and challenges of implementing TPRM controls for your organization.
July 26, 2022
Designing security programs, Risk management
What is summary health information?
BLOG

What is summary health information?

Learn how HIPAA defines summary health information, the Privacy Rule, PHI, and more — and how they apply to your business.
July 25, 2022
HIPAA, Security compliance, Designing security programs
What is compliance risk?
BLOG

What is compliance risk?

Learn about compliance risk and the strategies and frameworks used to manage it.
July 23, 2022
Security compliance, Designing security programs, Risk management
What are the 7 GDPR principles?
BLOG

What are the 7 GDPR principles?

Let's take a look at all 7 principles of GDPR and what they mean for you and your business. Learn more.
June 24, 2022
GDPR, Security compliance, Designing security programs
The 12 PCI DSS requirements: an in-depth look
BLOG

The 12 PCI DSS requirements: an in-depth look

Let's go a bit more in-depth and explore the 12 PCI DSS requirements, as well as how they apply to your business.
June 08, 2022
PCI DSS, Security compliance, Designing security programs
Need a quick guide to GDPR? Start here.
BLOG

Need a quick guide to GDPR? Start here.

Regardless of where you’re located, if your business collects and/or manipulates the personal data of EU residents, then you need to comply with GDPR.
May 27, 2022
GDPR, Security compliance, Designing security programs
CCPA / CPRA compliance: What you need to know
BLOG

CCPA / CPRA compliance: What you need to know

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and became effective on January 1, 2020. Here's what you need to know.
May 04, 2022
CPRA, Security compliance, Designing security programs
ISO 27701 basics
BLOG

ISO 27701 basics

Learn more about what ISO 27701 is, why it’s important, and how Strike Graph can help your organization achieve certification.
April 07, 2022
ISO 27701, Security compliance, Designing security programs
How much time does it take to prepare for a SOC 2 audit?
BLOG

How much time does it take to prepare for a SOC 2 audit?

How much time do common SOC 2 preparation tasks take and which departments need to be looped in? Realistic answers from Strike Graph.
August 10, 2021
SOC 2, Security compliance, Measuring/certifying security programs
Skipping a Type 1 on your SOC 2 journey? Think again!
BLOG

Skipping a Type 1 on your SOC 2 journey? Think again!

Skipping a type 1 SOC 2 and heading straight into a type 2 is called a running start. It is risky!
June 09, 2021
SOC 2
How to select a SOC 2 auditor
BLOG

How to select a SOC 2 auditor

Selecting a SOC 2 doesn't have to be fear inducing. Knowing what to ask an auditor and how to interpret their responses will set you up for success.
May 25, 2021
SOC 2
Top 9 cybersecurity measures for remote teams
BLOG

Top 9 cybersecurity measures for remote teams

Working remote is here to stay. Organizations can implement new security controls or beef up existing controls to address this reality.
May 18, 2021
IT security
What are SOC 2 Complementary User Entity Controls (CUEC)?
BLOG

What are SOC 2 Complementary User Entity Controls (CUEC)?

Learn the difference between Complementary User Entity Controls (CUECs) and Complimentary Subservice Organization Controls.
March 26, 2021
SOC 2, Security compliance, Operating security programs
How much does a SOC2 certification and audit cost?
BLOG

How much does a SOC2 certification and audit cost?

The cost of SOC 2 audit and certification is dependent on a number of factors. These include company size, current capabilities, and more. Learn the total cost of SOC 2 certification.
March 01, 2021
SOC 2
SOC 2 System Description series: how to describe your System Boundaries
BLOG

SOC 2 System Description series: how to describe your System Boundaries

Defining your System Boundaries within the System Description can be a nerve-wracking endeavor. With a bit of guidance it does not have to be.
February 11, 2021
SOC 2, Security compliance, Measuring/certifying security programs
How SOC 2 auditors test
BLOG

How SOC 2 auditors test

SOC 2 audits can be nerve wracking events. If you know the basics of how auditors approach testing, you will be prepared and have a bit of an advantage.
February 05, 2021
SOC 2, Security compliance, Measuring/certifying security programs
You got your SOC 2! Now what?
BLOG

You got your SOC 2! Now what?

You have your SOC 2 report in hand, your customers are happy, now what happens? Detailed tips on how to brag about it and how to not let it go stale.
January 26, 2021
SOC 2, Security compliance
SOC 2 controls and a remote workforce in 2021
BLOG

SOC 2 controls and a remote workforce in 2021

Assessing risks and threats to your network during the pandemic will helps you identify the appropriate controls to integrate into your security program.
January 20, 2021
SOC 2
How long does it take to get a SOC 2 Type 1? And how long does it last?
BLOG

How long does it take to get a SOC 2 Type 1? And how long does it last?

Your customer is requiring you to get a SOC 2. Depending on the urgency, you have a few options, from a methodical approach to a 'running' start. Learn more.
January 14, 2021
SOC 2, Security compliance, Measuring/certifying security programs
SOC 2 Trust Services Criteria: how to choose
BLOG

SOC 2 Trust Services Criteria: how to choose

Learn about the five SOC 2 Trust Services Criteria and tips to determine which ones will be right for your organization to include in your SOC 2 report.
January 06, 2021
SOC 2, Security compliance, Designing security programs
What is a control?
BLOG

What is a control?

What the heck is a control? This post provides examples and guidance on how to create a solid, audit ready control.
December 30, 2020
Security compliance, Operating security programs
5 things founders should know about SOC 2
BLOG

5 things founders should know about SOC 2

We share a list of what we wish we knew, as Founders of startups, before starting on our SOC 2 Journey - and it is not writing policies.
December 21, 2020
SOC 2
SOC 2 System Description series: adding additional TSCs
BLOG

SOC 2 System Description series: adding additional TSCs

Step-by-step advice for weaving Privacy and the other TSCs into a System Description.
December 14, 2020
SOC 2, Security compliance, Measuring/certifying security programs
Load More items
See all resources

Keep up to date with Strike Graph.

The security landscape is ever changing. Sign up for our newsletter to make sure you stay abreast of the latest regulations and requirements.

foot-dark-shade
Strike Graph offers an easy, flexible security compliance solution that scales efficiently with your business needs — from SOC 2 to ISO 27001 to GDPR and beyond.

© 2025 Strike Graph, Inc. All Rights Reserved • Privacy PolicyTerms of ServiceEU AI Act

SOC_NonCPAA
Achieved-SG-badge_hipaa