Dec 2, 2022
The traditional approach to information security management compliance can be complex, convoluted and time-consuming—particularly for SMEs and their owners.
Information security management compliance is governed by risk-based frameworks like ISO 27001. These frameworks comprise motherhood statements and overarching objectives like: prevent unauthorised access to systems and applications; prevent loss of data; and take a risk-based approach to managing cyber security threats and controls. The expansive nature of these motherhood statements means that they are open to interpretation. This broader context can sometimes make compliance easier, because there are fewer specific boxes to tick.
However, challenges arise when these motherhood statements are translated into implementation programs. For instance, the Payment Card Industry Data Security Standard (PCI DSS) v4.0 requires that passwords on every user account on in-scope systems be at least 12 characters long (or at least 8 where a system cannot support 12); earlier versions required at least 7. This is a very prescriptive requirement, with a clear pass or fail result.
The translation of risk-based frameworks into implementation programs is where the traditional approach to compliance falls short. Organisations run into challenges and their project scope quickly blows out. The person in charge of compliance reads a standard like ISO 27001, creating a ‘to-do list’ along the way. Based on their interpretation, this list often ends up unnecessarily long and too difficult and expensive to implement.
One of the most common issues occurs when a company drafts a Policy that features statements like: we regularly check all accounts for malicious activity. An auditor's first questions after reading this type of statement will be: how, how often, by whom, and where is the evidence? If the company cannot show records of when these checks occurred and what they found, the statement becomes a finding and the company is immediately deemed non-compliant.
Pro Tip: Are your Policies and Procedures realistic? Or are they aspirational? If you cannot abide by your own objectives, then do not commit them to paper.
Similarly, many companies download paper-based Information Security Policies from the web, perform a quick 'search and replace' on the company name, and then distribute the result to all staff, instructing them to read and abide by the long, boring, difficult to understand Policy. In reality, we know what happens. Employees never read the policy. The company has no real intention of enforcing the policy and no means to ensure conformance. And so, employees do not abide by the policy. The end result? Non-compliance, yet again.
Traditional compliance frameworks are built around one day of the year: the annual audit. Then, for the other 364 days of the year, employees are confused and companies are non-compliant.
The Solution? Integrated, Sustainable Compliance
de.iterate’s compliance solution is designed to ensure that employees understand exactly what they need to do. All our policies are written in simple, easy to understand language, and broken down into easily digestible modules.
All of our policies combined take just 70 minutes to read initially. Then, the execution of those policies requires just 30 minutes per week. Our platform ensures that new employees can easily read and understand company policies during the onboarding process, and complete quizzes to update or refresh their knowledge on an ongoing basis. Plus, it generates quarterly compliance reports from activity metadata to satisfy audit requirements.
This simplified approach to compliance is sustainable because it is integrated into everyday business operations. Compliance becomes a part of day-to-day activities, rather than a tick-box exercise completed in a rush the day before the auditor arrives.
An integrated, sustainable approach to compliance helps mitigate risk, improve operations, and is easily understood and followed by employees. Importantly, it is less confusing and more attainable, giving business owners and managers peace of mind.
Questions? Queries? Keen for further information? Contact de.iterate today.