Compliance Is Not About Paperwork

  • August 4, 2021

Companies often dread their compliance audits, and it is very common to see them rush through the work of documenting policies and processes. Rushing may get them through the audit, but it causes new problems for them afterwards. For some compliance audits, it is enough to show that you have the processes in place. Eventually, however, every audit (ISO, SOC, FedRAMP, and the rest) will require you to present evidence, such as logs, showing that your organization follows its compliance processes on a daily basis.

Many times, when we rush to solve the most urgent matter, the documentation, we forget that those documents must reflect what every team member in our organization actually does every day. If you want to succeed, you will have to dig deep. To avoid creating new issues for your organization, it is best to face the situation head-on: talk to your people, understand how they work, document everything, and then, if necessary, make the improvements needed to achieve certification.

It may be tempting to write a document for a compliance process or procedure that your organization is not yet performing or is unwilling to perform. Doing so creates both organizational debt and a people change management challenge that you may not be able to overcome. ("Change management" is also the name of an ITIL process focused on controlling IT changes, described below.) Whether your aim is to avoid organizational debt or change management challenges, it is always better to have a clear picture of the actual situation so that you understand the gaps in your compliance process. You want to spend your time working on improvements rather than writing documents that nobody can or will comply with.


Getting Compliant

When you do need to make improvements at your organization to get closer to compliance, focus on the main processes. Every compliance certification has at least some requirement linked to the processes below. They are the basics, and to some extent everyone expects to see them in your organization.


  • Incident Management Process (Including Requests, Events, and Security Incidents)

Your organization must have processes and solutions that allow your teams to detect and respond to incidents. An Incident Management Process ensures that your team can effectively respond to and address vulnerabilities and issues. A fast response reduces the impact of incidents and keeps your systems and services operating as planned. Without incident management, you may lose data and see decreases in productivity and revenue due to downtime.


  • Change Management Process

Change will happen whether you are prepared for it or not. Rules and regulations may change. Customers' needs may require a new approach. To be prepared for change, you will want to set up a method to manage it. Change Management refers to the methods and manner used to implement these changes, both internally and externally.


  • Business Continuity Plan (BCP)

A BCP is a document that captures the essence of the business: it identifies the critical business functions, their dependencies, and the acceptable recovery time for each of them.


  • Disaster Recovery Plan (DRP)

You may wish to avoid disasters, but sometimes they are out of your control. Your DRP is the set of procedures put in place to execute your organization's disaster recovery processes, so that you can recover and protect your infrastructure when a disaster does happen. A disaster can be a major occurrence, such as a flood that destroys your premises. It can also be a minor issue, such as an accidentally deleted file, that nonetheless impacts your business continuity. Overall, the DRP is a statement of the actions you and your organization should take before, during, and after a disaster.


  • Security Policy

For your organization, you will want to define what it means to be secure. This definition is your Security Policy. It should address security end to end, and it should be practical and enforceable while allowing for updates and revisions. Most of all, it should be aligned with your organizational goals.


Compliance Team

To help you stay compliant, your organization may want to consider forming a compliance team. This team keeps the processes working and evolves the tooling needed to maintain compliance. Remember, compliance is not a fixed-scope project. It is an ongoing initiative whose primary task is evolving the way your organization works.

If you have never thought about these processes before, you should do so now. Even before deciding to face a certification process of any kind, you will want to have these processes in place, in addition to putting together your compliance team. Once you have these building blocks set up, you will be ready to take on your compliance audit.


Written by: Gaston Valdes
General corrections and editing: Diego Woitasen