This is a series of blog posts that turns a concept, bringing together Strategy, Process, Technology and People, into an effective approach in terms of resource usage, cost savings and timeliness, and achieves the goal of assessing once and complying with many regulations.
Let’s start with “who” is responsible for your organization’s compliance, what their nightmare is, and whose credibility is at stake. The answer is most likely the CISO / Head of Compliance and/or Audit.
Their objective is two-fold: managing cyber security risks, threats and resilience, while also communicating with and providing assurance to the board of directors, management, clients and stakeholders.
Depending on the organization’s regulatory requirements, clients’ assurance requirements and internal risk management, there may be one or many regulations/standards the organization has to abide by.
Let’s name a few:
- PCI DSS (Payment Card Industry Data Security Standard)
- HITRUST (myCSF Alliance)
- SOC Attestation
- CCPA
- GDPR
- FedRAMP
- FFIEC
- ISO
- NIST Cybersecurity Framework
Now imagine that the responsible personnel need to fulfill some, if not all, of the above regulatory and industry best-practice standards as part of the assurance program for your clients and/or for regulatory and marketing purposes.
That is one too many to deal with, but a concept is up for grabs:
“One Audit – Assess once and comply with many”
As you scale and grow, you have more vendors and more suppliers (you partner with a wider number of third-party service providers). This means that a larger amount of data is under your purview, and your legal commitment, responsibility and accountability to safeguard and protect that data from unauthorized access increases exponentially. In practice this equates to providing assurance for different regulations/standards and certifying, attesting or complying with a variety of such standards/frameworks.
At that point you wonder: how do you bring everything together?
ONE AUDIT is the answer to this mystery. Let’s see if you can make it happen…
As you embark on your One Audit journey, you need to find a partner on your road to compliance with expertise in multiple standards/regulations and a qualified, certified team that fulfills these objectives:
- Reduce costs and time spent on audits
- Meet contractual obligations and marketplace concerns through executive reports
- Proactively address risks
- Increase trust and transparency for all stakeholders
The constant demands from internal and external stakeholders to show compliance with regulatory and industry best practices can lead to audit fatigue for those managing the cyber security and compliance programs. A “One Audit” approach can help.
The ControlCase One Audit approach is built on a combination of People, Process and Technology.
The tested methodology is a two-phased approach:
Phase 1: Consolidated Pre-Assessment
Phase 2: Certification/Attestation
The ControlCase assessment framework includes an assessment approach that streamlines the audit process, with accuracy and consistency in the evaluation and reporting of implemented controls regardless of the specific standard/regulation, and that scales across multiple business processes, both in the number of processes and in the locations that may be assessed.
This gives companies the ability to address their requirements and meet them successfully and objectively. The approach provides the consistency, accuracy and scalability to add further frameworks (regulations/standards) and scope, and to meet or exceed expectations.
The One Audit approach focuses mainly on reducing audit fatigue: grouping audit requirements (collection of evidence/artifacts), grouping common controls across lines of business and locations, addressing policy deficiencies to cover all control objective requirements, and reducing time and cost.
The concept seems sound, so what are the next steps to make it a reality? Let’s discuss that in the next blog post, to be released shortly.