Preparing for audits and compliance with standards like SOC 2 and ISO 27001 used to be an activity that took several months. That could be shortened to as little as one month when using expert consultants, software that offers compliance ‘shortcuts’, or an audit firm that guides you during your preparation.
The problem remains: whenever you start the audit, there’s a learning curve involved. You’ll get feedback, build an understanding of how it works, and see things in a different way. If you’re working tirelessly to implement your compliance without understanding that, then there are going to be some areas where you go too far, some where you don’t go far enough, and other surprises from the audit.
Why you should start the audit immediately
To avoid those surprises and ensure alignment with your auditor from the start, you should start the audit process immediately, before you think you’re ‘ready’ or 100% compliant. It’s like how the world moved to agile software development: with faster feedback, continuous iteration and a more collaborative approach, it’s a much smoother process with less risk.
How can you start the audit in minutes?
Let’s say there are 100 areas you need to satisfy to be compliant. Any business with live customers and employees is going to have at least 30 of those ready, because they’re essential to running a business. It’s common to see at least another 30 for any business that’s been through enterprise due diligence and/or taken some time to consider its security foundations. The point is that those areas can be worked through while you are also implementing any gaps. As you learn from those areas, you’ll be more in tune with what’s required for the others. You’ll build confidence and momentum from that clear progress towards your certifications.
How do you know what ‘100 areas’ are required for the audit?
There are different ways you can do your initial compliance readiness assessment, or ‘control mapping’. The point of this is to look at what your business does and the scope of your systems and processes, and then compare that to the standard(s) and criteria you need to comply with. That can be really complicated, especially if you don’t have compliance experts in your business. Our software excels at this, and we offer it free to help businesses get started with their compliance. In a nutshell, it translates the activities of your business into data points and logically assesses those against your chosen standard(s), so you can see what’s relevant to you, where there are gaps, and what’s required for your audit.
Once that’s done, whether by our software or by other means, you can start the audit. Let’s say that identified 80 controls and 40 control gaps. You can start adding evidence for your auditors to check the 80 controls while working through the 40 control gaps. Your auditors will build a better understanding of your business the more they review, and that will improve their ability to guide you through the other items. Generally, the more that’s marked off, the more flexible it becomes to remove items from scope that may be considered less critical. Compliance is never a black-and-white exercise, so this mutual understanding, guidance, and iterative approach is so much better than the old way!
Why aren’t agile audits the standard way?
Conducting audits in an agile manner is a no-brainer. It’s more efficient for you and your auditor, reduces the timeframe to achieve compliance, and builds greater mutual understanding along the way. That means you get more value from the process and it reduces the business disruption for your team. So why isn’t everyone doing it?
There are a few necessary components to make this work in practice:
1. A modern audit firm: Unfortunately, many audit firms are stuck in the past, scheduling audits for specific dates and offering inflexible support.
2. Trust: It’s common to hear hesitation to work closely with auditors. But unlike a financial or tax audit, the goals of the company and auditor are closely aligned when it comes to compliance audits.
3. Software and supporting processes: Our agile approach works really well because we’ve developed it over four years. Our software for the readiness assessment seamlessly flows into a Kanban board to work through all the items together and in one place.
Want to try the agile way?
If you're not sure whether this agile way is right for your business, try it out with no strings attached. Our readiness software is free. You can map out your '100 items' (the number varies significantly) based on your selection of up to 12 global standards. We'll workshop the outputs with you to give you a steer in the right direction, and can give you access to the Kanban board to see first hand how it works if you want to proceed with our agile audits. Get in touch with our friendly team if you've any other questions on this newer and better way of conducting audits.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.