With all the effort you’re putting into achieving compliance, you might be tempted to hire your Assessor almost as an afterthought. After all, the Assessor just needs to ask a set of questions, check your work, and grade your final exam, right?

Actually, there’s a lot more to it than that. A good security and compliance Assessor will be communicating with you, seeking to understand your organization, and working with you to help you be as successful as possible with your security and compliance efforts. Having a good working relationship is essential.

Rather than treating your Assessor as an order fulfillment vendor, think of him or her more like a contract employee. Hire an Assessment firm based not only on their skills and experience, but also on their fit with your company. A fantastic Assessor for one client may not be fantastic for you, and you don’t want to deal with the long term frustrations of a bad Assessor hire.

What should you look for when hiring an Assessor for your organization? Start with these considerations.

Who Do People Love?

The best place to start is with people you trust. Ask your colleagues and contacts for Assessor referrals. Also ask them for any lessons learned in their own work with Assessors — what to look out for, and what questions to ask during the vetting process.

This is one of the great advantages of hiring a security and compliance consultancy. They have experience working side by side with dozens of Assessment firms. And because your consultant knows your company inside and out, they can recommend the Assessors who would fit your needs best.

Hire the Expertise You Need

This is almost too basic to mention, but it’s critical. Make sure the Assessor you’re vetting has experience with the certification you’re going up against. You don’t want to hire a PCI expert when you’re trying to achieve ISO certification.

Also, don’t just consider the certifications you need to be compliant with today. Take a fresh look at the marketplace for other certifications that are gaining steam in your industry. Is it likely that your clients will start asking you to be compliant with this or that certification at some point?

If you’re going to put in all the work to find an Assessor for your current needs, you may as well anticipate your future needs too. Find a firm that can accommodate those as well, so you don’t have to go through the effort of vetting a second Assessor down the road. It’s a lot more efficient to add on a new certification with your current provider instead of going through another search all over again.

Find a Culture Fit

When you hire employees, you want to be sure there’s a good culture fit with your organization. The same goes for any Assessment firm that you hire. You don’t want a vendor who clashes with your company’s culture or values — you want someone who understands what you’re all about.

There’s a diverse range of company cultures among Assessment firms — they aren’t all the same. Some are fluid and dynamic while others are highly structured. Some approach compliance from a black-and-white perspective while others think outside the box.

Meet the Assessors

Even when you find the Assessment firm that fits you well, the Assessors within the firm will vary from one to another. They’ll each have their own personalities, strengths, and weaknesses. It’s worthwhile to meet as many Assessors as you can while vetting the firm, so you can get a sense of the personnel you may be working with.

Large Assessment organizations are more likely to hire young Assessors straight out of college, which means they could be cutting their teeth on your engagement. Don’t hesitate to request an Assessor with experience. It will make your engagement immeasurably smoother and more efficient.

Likewise, if you get paired with an Assessor who isn’t a good fit, you can ask to be assigned to another Assessor. The sooner you make that switch, the better and the less disruptive it will be. If you’re experiencing challenges and issues, address them immediately — don’t hope they’ll blow over. Your Assessor is working for you, and there’s no reason you need to accept unsatisfactory service.

Search Far and Wide

Don’t limit your search to firms in your geographic area. You may have only a couple of local Assessors to choose from, but there are hundreds of organizations around the country. Assessors can easily work with you remotely, and they’re almost always willing to travel for the annual on-site reviews. You may save a few dollars by hiring a local firm that doesn’t need to travel, but the value of a good Assessor that’s the right fit for you is incalculable.

Don’t Throw Your Money Away

Don’t hire the cheapest firm, and don’t hire the most expensive one. There’s a reason the cheapest companies are priced at the bottom — they tend to churn clients through their system as quickly as possible so they can make more profit.

At the same time, the most expensive companies usually don’t provide the best service or results. Instead, find a highly recommended firm that you trust who is priced reasonably.

Ask About System Requirements

Some Assessment firms require you to organize all of your data in their compliance management system. Others are willing to use your system. In either case, always be sure that you have your own compliance system for organizing and managing your data and evidence — one that you own and control. You can use your Assessor’s system as well as your own, but never rely solely on their system. (CAUTION: Maintaining two systems is astronomically less efficient — and a lot more work.)

It’s possible that you will move on to another Assessor, they’ll get acquired by another company, or they’ll go out of business. If that happens, you’ll need your data back, but you won’t get it in a format that’s easy to port from one Assessor’s custom system to another. Now you’ve got data you can’t work with, and it’s essentially lost information.

TCT Portal is an exception to the rule. If your Assessment firm uses our compliance software, you aren’t left in the lurch. You can easily pick up your own license and retain all of the data and historical knowledge, and continue to leverage TCT Portal on your own or preferably with your new Assessor, with no interruption.

The Right Partner

There’s no magic formula for hiring the perfect Assessor — and there is no perfect Assessor. But these best practices will set you up for choosing a great Assessment firm for your organization. And they’ll give you a better chance at a rewarding partnership that makes compliance suck less.

Looking for a trustworthy and knowledgeable Assessor referral? Reach out to us — TCT consultants have worked with dozens of world-class Assessment firms.
