Typically, the process of achieving compliance with a standard includes the following steps:
- Identifying the scope
- Gap assessment
- Implementation
- Readiness review
- Internal audit
- External audit, followed by certification*
- Subsequent yearly audits

*Certification is not mandatory for certain compliance standards.
Compliance efforts are usually carried out manually, led by qualified subject matter experts (either internal audit teams or external consultants). Depending on the size of the company and the maturity of its current cybersecurity practices, the whole process may take anywhere from several months to a year. Compliance is also an ongoing process: even after certification, the organization must keep following the standard and be audited on a regular basis.
Each compliance standard has a well-defined set of information security controls, broadly categorized into three aspects:
- People-related controls cover onboarding, training, and empowering the people in an organization to carry out their roles and responsibilities securely.
- Process-related controls cover establishing, adopting, and implementing well-defined standard operating procedures for conducting business activities.
- Technology-related controls cover identifying the relevant technical tools (whether purchased or built in-house) and operating and maintaining them with appropriate secure configurations and measures, so that they deliver business value to stakeholders.
The crux of any compliance effort is to adopt tried and tested controls that ensure good cyber hygiene, and to do so optimally by following a risk-based approach.
Compliance management should not be reduced to a gap assessment against the controls.