When you are going through implementation of SOC 2 or ISO 27001 for the first time, the immediate goal is to get the audit report or certificate in hand. That’s the goal, and everyone understands the importance of meeting the objective. For most organizations, it opens up revenue, builds customer trust, and actually improves the security culture.
You successfully made it through your first audit, so now what?
The short answer is, “keep it going.” Unfortunately, there are organizations that treat the SOC 2 or ISO 27001 audit process as the conclusion to a project rather than the foundation of a well-built cybersecurity program. They assign key individuals to implementing controls and getting the audit completed, then those people are assigned to other projects or get new priorities. The reality is that without an individual or team maintaining the controls, they will quickly begin to atrophy. This is why each control is required to have a control owner.
Manual controls tend to be the first to be forgotten. For example, is there an access review that needs to be completed? What triggers the review? If it’s a calendar reminder on a single person’s calendar, there is a high likelihood that the access review will take a lower priority on their list of tasks when the time comes around. Another risk is that the individual has left the organization, and nobody takes on the task of performing the review. The better approach is to leverage a compliance automation platform or recurring tickets that get auto assigned to the correct individual. This way, there is a record of work that needs to occur. It still depends upon somebody having the priority of getting the task completed.
What does SOC 2 or ISO 27001 communicate to customers?
When an organization completes an audit, the auditor can sign off that the company had functional controls that were suitably designed and operating effectively in the past. It’s extremely important for maintaining customer trust that you continue to operate the controls described in the SOC 2 report or mandated in the ISO 27001 framework. Each time you provide the report or certificate to a prospect or customer, you are attesting to the fact that you continue to operate the controls as described. Some customers request a bridge letter stating that the controls are currently being performed, and others make a contractual obligation to do so.
It is imperative that you invest in maintaining the program after implementation and first audit to keep your customer’s trust.
How does an organization adapt the SOC 2 or ISO 27001 program to business changes?
An organization can be likened to a living organism that is constantly changing and growing. It’s appropriate for security controls to change as the organization changes. For example, a new product or service offering may be created or acquired. Another common change is switching vendors. When the SOC 2 program does not change and adjust to business changes, this almost always leads to exceptions on the next audit. If those exceptions are egregious enough, it can lead to a qualified opinion or failed audit.
It is critical that an individual or team be assigned to constantly consider business changes in context of the security controls that an auditor will be reviewing. This requires that leadership invest in a position or service to tackle this important challenge.
What does Genius GRC do after implementing your security controls and working through the first audit?
The Genius GRC team fully understands that audits are not the destination. They are checkpoints that validate the security controls are operating effectively, and we ensure that your controls continue to operate effectively between those checkpoints. We become your compliance team and immediately respond to indicators that your controls are not operating. Additionally, we proactively gather the evidence necessary for your next audit at the time when it is necessary to do so. When changes to the business are necessary, we will modify or add the relevant controls and tests to ensure that your next audit is successful. Using a compliance management tool, you will have complete visibility into your cybersecurity program. On top of that, when you need to work through a potential security issue, respond to a customer questionnaire, or implement a technical control, our team will be there to help you through it. We will help you perform your disaster recovery tabletop, we will lead your incident response tabletop, we will perform ongoing risk assessments, and we will monitor your vendors for compliance.
Our customers have found that investing in our services has allowed them to maintain their compliance and improve their security posture. Their focus is on running the business and building revenue without worrying about their next audit. We would love to be your compliance team too! Take a look at our managed services for more details.
