How to Lower Your Compliance Costs: Just Add Risk
Compliance is costly, time-consuming and often frustrating for one or many people in the company. It should not be. Here are simple mistakes to avoid and processes to build that will help your company climb the compliance mountain with relative ease.
B2B “I need that SOC Report and I need it now!”
If you’re selling or buying B2B these days, audit firms love you, and your company is likely looking at or already maintaining a certification for ISO 27001, AICPA SOC 2, CMMC, PCI DSS or HITRUST, and/or managing compliance with industry regulatory requirements such as FFIEC, SOX or HIPAA.
It’s always a great moment when your sales rep asks you for your SOC report, right? You know you have finally arrived!
Check out my VERY expensive…“free checklist!”
Many companies are advised, or choose, to approach implementing security standards through the lens of compliance. This is a typical compliance-guided approach:
What does the standard require my company to do?
Do I have a policy and control in place to do what is required?
How often do I need to do it?
Who is doing it (is it me)?
How can I demonstrate that it is being done?
It seems relatively simple on the surface, and a whole industry of “GRC Compliance” products is now available to help you implement your process. Many even offer a checklist, so here’s one we hope you will also find useful…
How can simple be wrong?
So, is it this simple? The answer is not only “no” but “no, and if you are doing it this way, you may be costing your company a lot of time and money.”
Why? Well, you are essentially forcing yourself to do any or all of the following:
Creating a very expensive checklist
Repeating processes year over year, generally in ‘panic mode’ to meet annual audit needs.
Implementing controls that you do not need
Adding unnecessary financial and workload burdens to your company and team
Risk as the Guiding Principle of Compliance Management
Before you hit that panic button and start building policies and controls against either the certification that your sales team needs, or your industry regulatory requirements, we encourage you to follow this process. It will save you time and money and create a continuum of compliance that is both meaningful and manageable. Our customers agree…
ASSETS: This will tell you what you need to protect.
Make an inventory of the assets that need to be in scope for compliance. If you don’t have a building, why purchase sprinklers? Don’t start with controls – start with what needs to be protected…
Rate each asset in terms of its value to the company (often referred to as an Impact Analysis)
RISK: This will help prioritize which controls to implement
Now that you know what you’re protecting, you need to decide what to protect it from. You might think of this in two layers:
How “big” is the risk if I do nothing? (This is the Inherent Risk: the likelihood of the threat with no controls in place, combined with the asset’s impact rating.)
How “big” is the risk if I do something? (This is the Residual Risk: the likelihood that remains once the chosen controls are applied, combined with the same impact rating.)
Often, the above are completed in a Risk Register. For more information on how to build a risk register, read this article.
Now you know what to protect, which assets are most important, what your biggest risks are and which assets they impact, and, therefore, what should take priority.
Armed with this information, you can now do the following:
Build policies and controls that are meaningful to your organization
Limit the scope of your compliance work to save time and money
Limit the scope of your audit to reduce the opportunity for discovering costly corrective actions
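The asset-then-risk procedure above, carried through in code as an added example (this is illustrative code written for this article, not C1Risk’s platform or anyone’s product). It assumes a 1..5 likelihood scale, a 1..5 impact rating from the impact analysis, inherent risk = likelihood × impact, residual risk = (likelihood minus what the applied controls remove) × impact, and a constructed risk appetite of 6; the assets, threats and controls are made up. The point it shows is the one in the text: only risks above appetite get a control, a single control can justify itself across several register rows, assets that never needed a control fall out of audit scope, and a risk that no available control can bring under appetite is surfaced rather than silently left off the list.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """An inventoried asset with its rating from the impact analysis."""
    name: str
    impact: int  # 1 (negligible) .. 5 (business-critical)


@dataclass(frozen=True)
class Control:
    """A candidate control: how much likelihood it removes and what it costs."""
    name: str
    likelihood_reduction: int  # points taken off the 1..5 likelihood scale
    cost: int                  # relative effort to implement and to evidence


@dataclass
class Risk:
    """One row of the risk register: a threat against an asset."""
    asset: Asset
    threat: str
    likelihood: int                                 # 1..5, with no controls in place
    candidates: list = field(default_factory=list)  # controls we could apply
    controls: list = field(default_factory=list)    # controls actually applied

    @property
    def inherent(self) -> int:
        """Inherent risk: likelihood x impact if we do nothing."""
        return self.likelihood * self.asset.impact

    @property
    def residual(self) -> int:
        """Residual risk after the applied controls (likelihood floors at 1)."""
        reduction = sum(c.likelihood_reduction for c in self.controls)
        return max(1, self.likelihood - reduction) * self.asset.impact


RISK_APPETITE = 6  # accept residual scores at or below this (constructed threshold)


def prioritised(register):
    """Register ordered by inherent risk, highest first: what to treat first."""
    return sorted(register, key=lambda r: (-r.inherent, r.asset.name, r.threat))


def control_plan(register, appetite=RISK_APPETITE):
    """Pick the cheapest candidate controls that bring each risk to or under
    appetite. Returns {control name: [(asset, threat), ...]}: what to implement
    and the register rows that justify it. Re-running it rebuilds the plan."""
    plan = {}
    for risk in prioritised(register):
        risk.controls = []
        if risk.inherent <= appetite:
            continue  # acceptable as-is: no control, no evidence, no audit time
        for ctl in sorted(risk.candidates, key=lambda c: (c.cost, c.name)):
            if risk.residual <= appetite:
                break
            risk.controls.append(ctl)
            plan.setdefault(ctl.name, []).append((risk.asset.name, risk.threat))
    return plan


def untreated(register, appetite=RISK_APPETITE):
    """Risks still above appetite after control_plan() has applied every
    candidate: these need a documented acceptance, a transfer or a new control."""
    return [r for r in register if r.residual > appetite]


def audit_scope(register):
    """Assets carrying at least one applied control: the boundary of the audit."""
    return sorted({r.asset.name for r in register if r.controls})


# Constructed sample inventory, controls and register (not real customer data).
CRM = Asset("customer CRM", impact=5)
HR = Asset("HR system", impact=4)
WEB = Asset("marketing website", impact=2)
WIKI = Asset("internal wiki", impact=1)

MFA = Control("MFA on all accounts", likelihood_reduction=2, cost=1)
SANDBOX = Control("email attachment sandboxing", likelihood_reduction=1, cost=2)
WAF = Control("WAF in front of web tier", likelihood_reduction=1, cost=2)
EDR = Control("EDR on servers", likelihood_reduction=2, cost=3)

REGISTER = [
    Risk(CRM, "credential theft", likelihood=4, candidates=[MFA, EDR]),
    Risk(CRM, "ransomware", likelihood=3, candidates=[SANDBOX, EDR]),
    Risk(HR, "insider data export", likelihood=2, candidates=[MFA]),
    Risk(WEB, "defacement", likelihood=5, candidates=[WAF]),
    Risk(WEB, "denial of service", likelihood=2, candidates=[WAF]),
    Risk(WIKI, "data leak", likelihood=3, candidates=[MFA]),
]

if __name__ == "__main__":
    for name, rows in control_plan(REGISTER).items():
        print(f"implement: {name:28s} justified by {rows}")
    print("audit scope:", audit_scope(REGISTER))
    for r in untreated(REGISTER):
        print(f"still above appetite: {r.asset.name}/{r.threat} residual={r.residual}")
```

On the sample data the two CRM risks pull in MFA, EDR and attachment sandboxing, EDR ends up justified by two register rows, the wiki and the website’s denial-of-service row get no control at all, so the wiki leaves the audit boundary, and the website defacement risk stays at residual 8 even with the WAF applied, which is exactly the row that needs a signed-off risk acceptance rather than another checklist line.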
Continuous Monitoring – Our cherry on top of your sundae
Following this process limits the amount of data under management, which saves time, but there will still be a significant amount of data to manage. Importantly, how do you keep track of it on a year-round basis?
Remember, certification and compliance are not one-off efforts. Most frameworks require annual recertification, or at least surveillance audits.
These three core automated processes can alleviate a major burden to your team:
Risk Mitigation (mitigation of findings/corrective actions)
Evidence Collection
Policy Review
Automation is simply right
If your processes for any of the above are manual in any way, you will lose time. That’s why C1Risk provides a fully integrated, automated platform to manage your regulations, assets, risks, policies, controls and issues.
Why manage any of that data in isolation?
In conclusion, security begins with good governance and rarely does one process exist in isolation, so our humble advice to you is to build a process, not push panic buttons, and use a solution that supports the full lifecycle of that process.
Related Articles:
How to advocate for your security compliance and risk management program