What if compliance wasn't so hard?

Let’s face it: nobody really likes compliance. It looks like a daunting list of rules to follow, and in essence that is what it is. Some organization writes a framework, and then a stream of auditors asks you the same checklist questions over and over. For most people it is a time-consuming and boring task, but it doesn’t have to be that way.

What if there were a different, simpler approach? Start by agreeing on the scope, review your relevant policies and procedures, and then have conversations with your key personnel. Engage verified experts in their field so they can learn about your environment and operations without handing you spreadsheets. In a few short interviews, you can generally answer about 80% of the engagement. Inevitably, some items will require follow-up, but that doesn’t slow the reporting process. In the end, you wind up with a much less complicated experience.

Want compliance to be even easier? Did you know that our clients with multi-year contracts are prepared for changes in compliance rulesets and framework versions months before the new framework is officially released or enforceable? Our team stays in tune with upcoming changes, and when we see something coming that could affect an assessment, we bring it to your attention as soon as possible so you have a chance to make any needed adjustments before being surprised by something new during an assessment.

Multi-year agreements help you streamline compliance operations even when the rules haven’t changed. Whether you’re tackling HIPAA, ISO 27001, NIST CSF, PCI DSS, or something else, there’s a good chance we’ll have to look at over 100 controls, and depending on the people, processes, and technologies in place, an assessment can cover several hundred. Learning about all the moving pieces in an environment requires an upfront investment. Just because you do the same kind of work as your competitor doesn’t mean your environment and operations look the same, so compliance efforts will vary. With each successive assessment, however, the whole process gets easier because nobody has to learn everything from scratch.

So, if you are looking for ways to make compliance easier, here’s my best advice: hire experienced professionals who can quickly get up to speed with your organization, and then stick with them. Compliance will always be a time-consuming and expensive process, but with a team that helps you get the job done right the first time, every assessment after that goes a lot more smoothly.

Brandon Polk | QSA CISA CISM CISSP CRISC CCSP

Director of Risk & Compliance Services | Contextual Security Solutions
