14 Steps to Compliance Certification or Attestation
Ezentria ComplyWise is a comprehensive program helping small businesses (10-99 employees) and midsize enterprises (100-500 employees) achieve compliance certification or attestation for the information security standards, regulations or privacy requirements they need to attain. The Ezentria ComplyWise fourteen (14) step process ensures that the policies, procedures, and investments you make will result in a successful audit. Our consultants are experts (and trained instructors) in international security standards and have refined this process over years of implementations and audits. The Ezentria ComplyWise process was designed to be “standard independent” and can be adapted to any supported framework.
</grreplace>
<gr_replace lines="14" cat="clarify" orig="When we first">
When we first engage a new client, they typically have a specific Security Framework in mind. They have either done their own research or the framework is required by a supplier or customer. After we scope the project, we formulate a framework recommendation. Our written plan looks at what you need today and what you may need to comply with in the near future. Within the ComplyWise Portal, we can track multiple target frameworks and map the common requirements. So, while you may be targeting a SOC 2 Report, we can show you the incremental controls required to also obtain an ISO 27001 Certification.
1. Scope Requirements
There are several elements to consider when scoping the requirements of a comprehensive compliance program. When building your project scope, we will consider:
- Business Context – Internal and External Issues
- Locations, Stakeholders, and Culture
- Customer and Supplier Contracts
- Local, Federal and International Laws
- Risk Acceptance Criteria
Our Kick-off presentation will include an introduction of risk concepts and terms; a discussion of your information security management system objectives; and an initial discovery of information assets. We’ll also discuss our methodology, timeframes, responsibilities, costs, and the compliance certification or attestation audit process. Your team will leave with a solid understanding of the project, and we will leave with the information we need to develop an appropriate security strategy.
2. Choose Framework
When we first engage a new client, they typically have a specific Security Framework in mind. They have either done their own research or the framework is required by a supplier or customer. After we scope the project, we formulate a framework recommendation. Our written plan looks at what you need today, and what you may need to comply within the near future. Within the ComplyWise Portal, we can track multiple target frameworks and map the common requirements. So, while you may be targeting a SOC 2 Report, we can show you the incremental controls required to also obtain an ISO 27001 Certification.
3. Assess Risk
The risk assessment process is one of the most important parts of the ComplyWise process because it establishes the foundation for many of the subsequent steps. Our methodology uses a comprehensive risk assessment process and analyzes the identified risks with qualitative and quantitative techniques. The ComplyWise risk assessment process follows the ISO 27005 framework and includes several Ezentria-developed best practices that are tailored to your scope and risk acceptance criteria. During this step, Ezentria evaluates the “consequence” and “likelihood” of each risk to prioritize treatment. Risks with existing controls are assessed for effectiveness and vulnerabilities, and then assigned to the current owner in the ComplyWise Portal.
4. Plan Risk Treatment
As a team, we will evaluate the cost, benefit, and context of each risk treatment option for your prioritized list of risks. We’ll assign a treatment option to each risk based on several factors—understanding that not all decisions are financially driven. The risk treatment options include:
The treatment options are not mutually exclusive. Some risks may be treated with multiple options or sent back through the assessment process to be properly assigned a treatment option. Any gaps or vulnerabilities that were discovered in existing controls will also need to be assigned a treatment option. When complete, the Risk Treatment Plan is loaded into the ComplyWise Portal, where tasks, owners, and deadlines are managed.
5. Provide Visibility
Visibility of the team’s assignments, priorities, deadlines, and progress is provided via the ComplyWise Portal. Powered by Apptega, the portal displays each major element of your security framework as a dial/gauge on a management dashboard. You can manage one or more frameworks and instantly see your progress, trends, and compliance scores in real time. With one-click reports, your data is immediately available in Word, Excel, and PowerPoint. The ComplyWise Portal delivers unprecedented visibility and control of your compliance program.
6. Lower Risk
Executing your Risk Treatment Plan (RTP) will lower your risk. Most of the time spent on this step will be focused on implementing controls to remediate your risk and gaps. This includes writing policies, documenting procedures, developing plans (Incident Response, Business Continuity, and Awareness Training, etc.), and configuring new cyber security technologies. Ezentria offers several professional and managed cyber security services to help speed the procurement and implementation process of controls that require cyber security tools and resources. Time will also be spent on the policies, procedures, and authorizations to avoid, transfer, and accept the remaining risk.
7. Develop Metrics
Establishing metrics and procedures to regularly evaluate and document the performance and effectiveness of your security program is very important. Selecting the components to monitor and measure can be a little overwhelming. While everything can be measured, it doesn’t mean everything should be measured. Ezentria will help you identify a manageable number of metrics to track. The metrics we recommend will best predict the health, performance, and effectiveness of your program.
Entered as tasks in the ComplyWise Portal, the metrics are each assigned an owner and a regular cadence. Dashboards and scorecards are used to publish the organization’s metrics. As you operate the environment, your metrics will help you identify when a control or procedure needs to be improved. Your team can submit Corrective Actions to continually refine the security program.
Ezentria will also help you prepare a subset of your metrics for your executive team. The executives are normally interested in statistics that demonstrate how well your security program is aligned with the organization’s goals and established risk acceptance criteria.
8. Document Program
Documentation is often an afterthought for many internally developed compliance programs, especially in smaller organizations. Most compliance certifications require your policies and procedures to be documented, tracked for revisions, and stored in a secure, accessible location. Ezentria will document your security compliance program, and the ComplyWise Portal centralizes and classifies your documents so they are easy to find and maintain. Documenting your policies and procedures:
- Protects against “knowledge loss” when employees leave
- Acts as a playbook for new hire training and daily operations
- Settles disputes and misinterpretations
- Defines expectations, requirements, and ownership
As Corrective Actions and other improvements are made to the established processes, these documents will be updated. After you achieve certification or attestation, Ezentria Virtual CISO services can be retained to manage your internal change control process. In addition to documenting policies and controls, some common documentation items include a Statement of Applicability (SoA), a Program Manual, and various templates prepared by Ezentria.
9. Select Auditor
Every auditor is different. Knowing which auditor is best for you is part of the ComplyWise process. When it comes time to choose an auditor, we’ll provide you with a few accredited assessors that we feel will be a good fit for your project. For our clients, we prefer an auditor that is truly invested in helping you grow and improve your information security program. Having the right auditor for your industry, company size, security maturity and culture will make a big difference—especially over time, since you will have annual audits to verify the effectiveness of your compliance program.
10. Perform Internal Audit
In preparation for your official third-party audit, Ezentria will conduct an Internal Audit of your security program. Your “virtual auditor” will be an Ezentria consultant who wasn’t involved in the original system design, in order to remain impartial and objective. The goal of this “dry run” is to simulate a real audit. We’ll be testing your policies, procedures, controls, and people for conformity with the chosen framework—and the company’s risk requirements. Using the same level of scrutiny and attention to detail as a third-party auditor, the virtual auditor will analyze your system to make sure it is implemented and maintained properly. The virtual auditor will ask the team to demonstrate their knowledge, processes, and responsibilities, while collecting evidence of the system’s effectiveness to share with the Management Team.
11. Prepare Management Review
Executive involvement in your security compliance program is crucial. Ezentria helps you prepare and communicate your ComplyWise milestones, certification readiness, and outstanding items that require executive discussion or approval. The ComplyWise process can take six to twelve months and includes several Management Review sessions that address the suitability, adequacy, and effectiveness of your security compliance program. A typical session will include a review of the Project Scope, Risk Procedures, Confirmed Incidents, Corrective Action Requests, Certification Status, Metrics, Feedback, and Future Actions. The ComplyWise process teaches your team how to prepare and deliver effective Management Review sessions. After compliance certification or attestation, Ezentria’s Virtual CISO services are available if you require further assistance with preparing and executing quarterly and annual Management Reviews.
12. Achieve Certification / Attestation
During your third-party compliance certification or attestation audit, your Ezentria consultant will be onsite as your advocate (Acting Chief Information Security Officer). We’ll communicate with the auditor(s) throughout the process to ensure that they have everything they need for a 100% successful audit. Some of our audit support responsibilities include:
- Confirming the audit scope
- Answering questions and clarifying responses
- Providing documentation, policies, procedures, and evidence
- Organizing and guiding internal teams
- Understanding the auditor observations (recommendations)
Obtaining compliance certification or attestation is a great achievement, as it confirms you have the proper policies, processes, and tools in place to protect your information to the standard you selected. As your business grows and cyber incidents increase, your system will require improvements. Many of these changes will occur naturally as a result of the Corrective Action process built into your security program. However, if your business changes significantly, Ezentria can help you make the appropriate adjustments to your policies, procedures, and controls.
Each compliance certification or attestation has its own re-certification or re-attestation schedule that may include both partial and full third-party audits. Ezentria will leverage the ComplyWise process to help you prepare for these additional audits. Over time, you may also find that your organization requires additional security frameworks. The Ezentria ComplyWise Portal will automatically identify the incremental controls necessary to comply with these additional industry standards, government regulations, and privacy laws.
13. Continually Improve
- Maturity Level 0 = Incomplete – Ad Hoc and Unknown (Score 0)
- Maturity Level 1 = Initial – Unpredictable and Reactive (Score 1-20)
- Maturity Level 2 = Managed – Managed on the Project Level (Score 21-40)
- Maturity Level 3 = Defined – Proactive, rather than Reactive (Score 41-60)
- Maturity Level 4 = Quantitatively Managed – Measured and Controlled (Score 61-80)
- Maturity Level 5 = Optimizing – Stable and Flexible (Score 81-100)
Ezentria will also begin to transition the day-to-day operations and management of the Compliance Program to your internal team. For organizations with limited internal resources, Ezentria offers additional Services to extend our cybersecurity and compliance assistance. We will help to identify which functions can move to the internal team and which functions we will retain under contract.
14. Manage Compliance
Managing your compliance program involves several administrative and managerial activities. Most of the administrative tasks are built into the compliance program and managed using the ComplyWise Portal. These daily activities include identifying, tracking, treating, and mitigating new risks and corrective actions, as well as organizing Penetration Tests and Vulnerability Assessments, as required. There are also a few strategic activities that are typically completed by your CISO or people on his/her team. If you don’t have a dedicated CISO, these activities can be managed by Ezentria leveraging our Virtual CISO services. The activities may include: Security Governance, Incident Response, Change Control, preparing for Quarterly and Annual Management Reviews, Vendor Risk Management (client and supplier contract reviews), Awareness Training, Custom Reporting, and internal Security Communications.
To get started, we invite you to learn more about the Ezentria ComplyWise process and contact us for a Free Compliance Consultation. During this conversation, we’ll discuss your compliance requirements and how those requirements align with the various standards, regulations, privacy laws, and frameworks. We’ll talk about your short-term and long-term compliance requirements and the importance of building a roadmap that aligns your strategy, goals, resources, and budget.