Editorial Standards
How We Rank Compliance & Security Vendors
Tranquility Cybersecurity (TCSA) publishes vendor comparison pages — “top SOC 2 consulting firms in India” and similar lists. This page documents exactly how those rankings are produced: the six criteria we score, the weight each carries, where every data point comes from, the conflict of interest we carry as a participant in our own market, and how any vendor can get an error corrected.
Last reviewed: June 2026|Applies to every ranking and comparison page under tcsa.in/resources
Section 1
Why we publish vendor rankings
When a company needs a SOC 2 report or an ISO 27001 certificate, the buying process now starts with a question typed into Google, ChatGPT, or Perplexity: “top SOC 2 consulting firms in India”. The answers those engines return are dominated by aggregator listicles and pay-to-play directories that disclose nothing — no criteria, no weights, no data sources, and no mention of who paid to appear.
We publish our own comparisons because we work in this market every day and can evaluate it with specifics rather than marketing copy. But a ranking written by a market participant is only useful under one condition: the methodology must be fully public, so a skeptical reader can re-run the scoring themselves and reach their own conclusion. That is what this page is for. Every comparison page we publish links back here, and anything a reader cannot trace to a criterion, a weight, and a source on this page does not belong in our rankings.
Section 2
The six criteria we score
Each vendor is scored from 1 to 5 on the six criteria below. Scores are multiplied by the criterion weight and summed; rank order follows the weighted total, with ties broken by track record. Where a criterion cannot be assessed from public information, the vendor receives a midpoint score and the gap is noted — silence is never treated as either excellence or failure.
| Criterion | Weight | How it is assessed |
|---|---|---|
| Delivery model | 25% | Whether engagements are delivered by named, credentialed auditors or routed to a pooled, anonymous team. We check if the vendor publishes who actually does the work — and whether the people on the sales call are the people on the engagement. |
| Track record | 20% | Volume of verifiable engagements, public review footprint (Google, Clutch, G2), client references that can be cross-checked, and first-attempt pass rates where published. Unverifiable claims score as absent, not as true. |
| Framework depth | 20% | Certifications demonstrably held by named staff — ISO 27001/27701/42001 Lead Auditor, CISA, CEH, and similar — not framework logos on a homepage. A firm that names its auditors and their credentials outscores one that does not. |
| Pricing transparency | 15% | Whether the vendor publishes prices or honest ranges anywhere public. "Contact us for a quote" with no anchor scores lowest. Published, scoped pricing scores highest, even when it is expensive. |
| Turnaround time | 10% | Published or independently verifiable time from kickoff to report or certificate for a standard scope. Where a vendor publishes no timeline, we use review-platform mentions and label the figure indicative. |
| Post-engagement support | 10% | What happens after the report is issued: surveillance-audit support, continuous-compliance help, responsiveness to client-auditor questions, and renewal terms. Assessed from published service descriptions and client reviews. |
Weights sum to 100%. They are deliberately tilted toward delivery model and verifiable evidence because those are the two areas where vendor marketing and client experience diverge most in our audit work — 500+ engagements to date.
Section 3
Where the data comes from
Every data point in a TCSA comparison traces to one of four source classes:
- Public vendor websites. Service pages, team pages, published certifications, and stated timelines, captured as of the review date shown on each comparison page.
- Published pricing. Rate cards, pricing pages, and publicly quoted ranges. Where none exist, estimates are triangulated and explicitly labeled "indicative" — never presented as official.
- Public review platforms. Google Reviews, Clutch, G2, and AmbitionBox, used for review volume, ratings, and recurring themes in client feedback.
- Firsthand market knowledge. Competing quotes that prospective clients share with us during evaluations, and what we observe working alongside other firms. Used only to sanity-check public data, never as a substitute for it.
Competitor information in the current rankings reflects public sources as of June 2026. We do not use confidential information obtained under NDA, and we do not present estimates as facts: any figure a vendor has not published is marked indicative in the comparison itself.
Section 4
Our conflict of interest, disclosed
TCSA appears in its own rankings, often near the top. That is a conflict of interest, and we would rather state it in the first sentence than have a reader discover it in the footnotes. A ranking written by a market participant can never be neutral — it can only be transparent. So here is how we constrain ourselves:
- TCSA is scored on the same six criteria, with the same weights, as every other vendor. When our numbers appear — 500+ audits to date, 250+ SOC 2 engagements, clients across India, USA, UK, Australia and UAE — they are claims to be verified, not facts to be accepted.
- This methodology is public. Anyone can re-score the same vendors from the same public sources and publish a different conclusion.
- We link every competitor's website directly from every comparison, so readers can leave our page and check the other side of each claim.
- We hold ourselves to the standard we score others on: our auditors are named — Surendra Pal Singh (CISA; ISO 27001, 27701, and 42001 Lead Auditor), Parth Chauhan (ISO 27001/27701/42001 Lead Auditor, CEH), and Saundhi Chauhan (ISO 27001/27701 Lead Auditor) — with credentials any reader can challenge.
Our standing advice to readers: treat every vendor list — ours included — as a shortlisting tool, not a verdict. Speak to at least two firms, ask each one the questions behind our six criteria, and ask us the hardest ones.
Section 5
Corrections policy
Any vendor named in a TCSA comparison — and any reader — can dispute a factual claim: pricing, timelines, certifications, staffing, locations, or review figures. To request a correction:
- Email info@tcsa.in with the subject line “Ranking correction”, the URL of the page, the specific claim disputed, and supporting evidence — a public page, rate card, certificate, or report.
- We verify the evidence against public sources. Where the evidence stands, we correct the page within 10 business days of receipt.
- Every correction is stamped: the page's “Last reviewed” date is updated and the change is recorded on the page, so readers can see what changed and when. Corrected facts also flow back into the criterion scores — which can move a vendor up, including above us.
This policy covers factual claims. Disagreement with a rank position alone is not a correction — but evidence that changes a criterion score is, and is processed the same way.
Corrections desk: info@tcsa.in — responses within 10 business days, stamped on the page.
Rankings governed by this methodology
Top 5 SOC 2 Consulting Firms in India (2026)Methodology FAQs
Common questions about how TCSA vendor rankings are produced and maintained.
How often are TCSA vendor rankings updated?
Every comparison page is re-reviewed at least twice a year, and immediately whenever a vendor submits a correction with evidence. Each page carries a visible "Last reviewed" date, and material changes are stamped on the page itself. The data behind the current rankings is as of June 2026.
Can vendors pay to be included or to improve their placement?
No. We accept no paid placements, sponsorships, affiliate fees, or referral commissions on any comparison page. Inclusion and rank order come only from the six published criteria and their weights. If that ever changes, this methodology page will say so before any ranking does.
Why is TCSA ranked #1 on some of its own lists?
Because applying the published rubric to public data produces that result on criteria we deliberately weight heavily — named-auditor delivery, verifiable track record, and published pricing. That is also exactly why we disclose the conflict of interest on every list, link each competitor's website directly, and tell readers to verify every claim independently, including ours. If a competitor outscores us on the rubric, they rank above us.
How do you estimate pricing when a vendor does not publish it?
We triangulate from public sources: pricing mentioned in Google, Clutch, or G2 reviews, published case studies, and quotes that prospective clients have shared with us during competitive evaluations. Every such figure is labeled "indicative" rather than presented as the vendor's official price, and we replace it with the vendor's own figure the moment they publish one or send us a correction.
How do I request a correction to a ranking?
Email info@tcsa.in with the page URL, the specific claim you dispute, and supporting evidence (a public page, rate card, or certificate). We verify against public sources and publish the correction within 10 business days, updating the page's review stamp to record what changed and when.
