Anyone who is going for or has already achieved some kind of certification will know that getting there is difficult, time- and resource-consuming, and requires buy-in and input at all levels, especially from those at the top.
It might be a legal requirement for your industry such as HIPAA or PCI/DSS. Or you might be doing it to provide assurances to current and prospective clients, like many companies going for SOC 2 or ISO 27001.
But whether you are doing it for the first time or preparing for a future audit, it’s likely that in recent weeks, various control requirements that you thought you had locked down would have been stretched to breaking point.
Even the best laid ‘Stay at home’ Disaster Recovery scenario may well not have anticipated all the knock-on effects caused by so many partner businesses, third-party suppliers and so on having to make similar drastic changes.
Let’s look at a couple of common requirements where compliance might have gone slightly out of the window:
And crucially, if you know you nailed these points, are you able to provide evidence of how they were implemented, and of how they are configured and used to protect the environment and the data?
What you can be absolutely sure of is that nothing has stopped in the world of compliance. Controls must still be adhered to. Audits must still take place. In fact, because of the likelihood of compliance controls not being adhered to, organisations such as the AICPA are pumping out information on how auditors can conduct effective remote audits.
As long as virtual meetings can still happen, you will still need to gather the information and evidence needed according to the schedule.
There are many actions that need to be taken right now, especially if an audit is just round the corner.
This would be a daunting task at the best of times. Simply arranging a meeting of internal stakeholders who work in the same building is like herding cats these days. Now add on the fact that you can’t see someone trying to hide from you behind their desk!
When so many actions and people need to be coordinated in a short time, you may need an additional level head (apart from your own, of course) to help coordinate the strategy, prepare the evidence and documentation, and bring the various stakeholders together. A good place to better understand what might be involved is checking out NIST cybersecurity requirements.
With a CISO on demand from TBG, you get the specialized talent and experience you need right now to help you through this most difficult of times. The regulatory process can be completed quickly, and of course means you’re not having to employ a new member of staff with all the time and cost that entails.
We are all in uncharted territory, but the one certainty for your business is that compliance must be maintained. Contact TBG today to discuss how a CISO on demand can navigate your business through your next audit.