Anyone who is going for or has already achieved some kind of certification will know that getting there is difficult, time- and resource-consuming and requires buy-in and input at all levels, especially from those at the top.
It might be a legal or contractual requirement for your industry, such as HIPAA or PCI DSS. Or you might be doing it to provide assurances to current and prospective clients, like the many companies going for SOC 2 or ISO 27001.
But whether you are doing it for the first time or preparing for a future audit, it’s likely that in recent weeks various control requirements you thought you had locked down have been stretched to breaking point.
Even the best laid ‘Stay at home’ Disaster Recovery scenario may well not have anticipated all the knock-on effects caused by so many partner businesses, third-party suppliers and so on having to make similar drastic changes.
Let’s look at a couple of common requirements where compliance might have gone slightly out of the window:
- You followed the ‘Stay at Home’ scenario in your Business Continuity Plan. How do the results compare with the expectations and findings from your most recent Business Continuity test? Many companies didn’t test their plans properly before signing them off, and may now find themselves in rather turbulent waters.
- You are required to ensure your firewall is correctly configured and updated. How does that requirement apply now that your remote employees’ computers sit behind a smattering of consumer-grade home firewalls, each individually configured and outside your control?
- You signed up a new cloud backup provider so users wouldn’t make insecure backups at home. Did you ensure that your vendor selection process was followed? For example, do these backup arrangements meet the requirements for security controls and compliance set out in your policies?
And crucially, if you know you nailed these points, are you able to provide evidence of how they were implemented, how they are configured, and how they are used to protect the environment and the data?
What you can be absolutely sure of is that nothing has stopped in the world of compliance. Controls must still be adhered to. Audits must still take place. In fact, precisely because controls are more likely to have slipped, organisations such as the AICPA are publishing guidance on how auditors can conduct effective remote audits.
As long as virtual meetings can still happen, you will still need to gather the information and evidence needed according to the schedule.
There are many actions that need to be taken right now, especially if an audit is just round the corner.
- Carry out a risk assessment to establish how changes you implemented affect the normal control objectives. Gather evidence and establish whether policies and procedures were fit for purpose.
- Contact your certification partner to understand both your situation and theirs and create a new action plan and schedule.
- Coordinate with internal stakeholders. Many people in IT and in senior management are doing little else but firefighting at the moment, but the audit schedule will have to be treated as a priority. Continued certification is of fundamental importance to any business that hopes to thrive in the ‘new normal’ economy.
- Communicate with external stakeholders. If clients or the law require you to continue to be certified then eyes will be upon you for the results of the audit. If there is a legitimate delay then this must be transparently communicated.
This would be a daunting task at the best of times. Simply arranging a meeting of internal stakeholders who work in the same building is like herding cats these days. Now add on the fact that you can’t see someone trying to hide from you behind their desk!
When so many actions and people need to be coordinated in a short time, you may need an additional level head (apart from your own, of course) to help coordinate the strategy, prepare the evidence and documentation, and bring the various stakeholders together. A good place to better understand what might be involved is NIST’s cybersecurity guidance and control requirements.
With a CISO on demand from TBG, you get the specialized talent and experience you need right now to help you through this most difficult of times. The regulatory process can be completed quickly, and of course means you’re not having to employ a new member of staff with all the time and cost that entails.
We are all in uncharted territory, the one certainty for your business is that compliance must be maintained. Contact TBG today to discuss how a CISO on demand can navigate your business through your next audit.