ABOUT OUR GUIDES

Best Practices Series: AssuranceLab’s Guides

Our Best Practices Series is about finding harmony between your compliance goals and fit-for-purpose business practices: meeting the requirements of industry standards while achieving real operational benefits.

We explore why the ‘best practices’ are important, and how you can implement the right approach for your unique business, culture, and context.


PROCESS-LIGHT COMPLIANCE

Can you be agile and compliant?

As the leading provider of SOC 2 reports to SMB SaaS businesses in Asia-Pacific, we get a lot of questions about how to achieve InfoSec compliance in a ‘process-light’ or ‘fit-for-purpose’ way.

Can you achieve SOC 2 and other standards without being ‘process-heavy’ and over-burdening your business with ‘compliance’?

PART 01

Control environment

The control environment supports the broad business objectives through people, governance and management activities.

Code of Conduct

This little 'compliance' document can resolve some tricky situations, and even enable your desired culture.

Talent Management

Finding, developing and retaining talent so that your investment in people supports your business objectives.

Employee Onboarding

Starting your employees off on the right foot: aligned to your culture and objectives, with clear expectations from day one.

Policies

The policies set out the requirements of each key functional area to provide clarity and accountability.

Management Meetings

Management meetings provide the governance of your organisation. There are three layers to consider.

Governance

Governance is the structure of oversight and accountability through which management directs and monitors the organisation's people, activities and controls.

PART 02.1

Information & communication

Collecting and using the right information to effectively manage your operational practices and communicate with internal and external stakeholders.

I&C Checklist

There's a broad range of practices that lay the foundation for effective information & communication.

Customer Comms

Effective communication is essential to retaining long-term users, and it also improves security outcomes.

System Boundaries

The system boundaries identify and communicate where responsibility shifts to your customers and vendors.

PART 02.2

Risk management & internal controls

Defined processes and practices for identification, assessment and response to risks that threaten your objectives, and your controls to manage those risks.

Vendor Management

Basic processes for managing third-party providers protect your business's and your customers' interests.

Risk Management

A defined approach to your risk management transforms this intuitive practice into an enabler of your success.

Control Framework

The control framework puts formal ownership and monitoring in place to achieve effective control practices.

PART 03

System security

System security covers the technical security protections and surrounding processes to ensure access to sensitive data is limited to the right people.

Perimeter Security

Defining the boundary of your environment and protecting the information assets within it.

Access Control

Managing internal and external users of your systems so that access is limited to authorised personnel.

Acceptable Use Policy

Setting out the role of all your employees in protecting the security of your systems and your customers' data.

PART 04

Data protection

Classifying, handling and managing confidential and personal data so that it is protected, accurate and available in line with its sensitivity and the purposes for which it is used.

Confidentiality

Classifying and handling data in a way that is appropriate to the nature and sensitivity of that data.

Privacy

Recognising and responding to individuals' preferences and the sensitivity of the personal data you collect and use.

Data Management

Managing critical data to ensure it is available, accurate and appropriate to support the system objectives.

PART 05

System operations

System operations monitors and manages the systems to ensure continuity of services and effective response to adverse events.

Availability

Ensuring your service operates continuously with redundancy, backups and response plans.

Business Continuity

Planning for major adverse events that threaten the continuity of your services and operations.

Incidents

Defined processes and steps to identify, classify, respond to and resolve unplanned adverse events.

PART 06

Change management

Change management ensures the integrity of your systems through controlled software development and infrastructure configuration practices.

The Product Backlog

Managing change priorities and requirements to achieve a balance of short and long term business objectives.

Software Changes

The Software Development Lifecycle is a series of process elements to manage changes effectively.

Change Comms

Release communications ensure that the impacts of a change are understood, protecting your users' information security.
