It can be challenging enough to get certified under one compliance standard, but your organization could have multiple standards you need to meet. The mere thought of having to do this multiple times can be downright demoralizing.
Fortunately, adding secondary certifications to your primary one can be easier than the first time around — if you approach it the right way. Let’s go through the best practices of adding secondary certifications to your compliance program.
Know Where You Really Stand on Compliance
Before adding secondary certifications, check the true state of your compliance. About 75 percent of the companies I’ve worked with were less compliant than they thought. They were mostly there, but they still had gaps to fill. Whoever was driving the process and validating the evidence was either not fully qualified or just gave it a basic review. They did their best but they weren’t up to the task, or they checked a box in good faith when they shouldn’t have.
Before you add on secondary certifications, take an honest look at the state of your current certifications. If you don’t have everything in place, when you try to map to other standards it will fall short. You’ll simply be creating more complex cleanup for yourself, down the road.
If you used an internal person, an IT company, or a bargain-priced auditor to assess your first certification, it’s probably wise to have another auditor or assessor take a look.
Start with the Right Certification
This is especially important if you’re adding multiple certifications. Starting with the right standard makes it much easier to add secondary ones, saving time and headaches. Here’s why.
Some certifications, like HIPAA, are more directional in nature as they are geared to serve organizations ranging from a single medical practitioner all the way up to a health system. Others, like PCI, are extremely prescriptive and detailed about what you need to do. If you start with a prescriptive standard, it will be a lot easier to map to more directional standards than the other way around.
For example, PCI’s firewall requirements are very detailed. Get those right, and you won’t have to worry about meeting HIPAA’s more flexible requirements. But if you start with HIPAA, you may find that you haven’t met PCI’s standard. You’ll have to completely redo the firewall requirements all over again.
Document Like Crazy
Ensure that your primary certification has evidence for every line item, under every requirement. This is a critical part of adding secondary certifications. Otherwise, you’re building a house on a shaky foundation.
When you have evidence at the line item level — with explanations, documentation, screen shots, and policy documents — then you can clearly prove out that your primary standard is mapping against secondary standards.
Don’t Skip the Details
Make sure you read the fine details of what you’re mapping, and where. Verify that you’re providing the coverage you think you’re providing. It’s easy to skim through a requirement and think you know what it calls for. You check the box and move on without digging into the details, because your brain is starting to go numb from all the minutiae.
Take antivirus, for example. I’ve seen organizations say, “Yeah, yeah, yeah… we have antivirus software,” and they move on. But they don’t take the time to read all of the requirements for their antivirus. They haven’t asked if their antivirus is:
- Deployed everywhere it’s supposed to be
- Configured in this certain way
- Receiving updates every day
- Performing scans on a regular schedule
- Logging in the right place and saving the logs for the specified period of time
Get your attention to detail down to line item level. Once you’ve got that knowledge on the first certification, now you understand exactly what you have, and you can easily assess how it measures up to the secondary certification.
Hiring the right C3PAO is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with TCT’s online guide to CMMC.
Use the Right Compliance Management Tools
Don’t rely on spreadsheets and file directories to manage all of your work and your evidence. It’s mind numbingly inefficient. Instead, it’s critical to use a robust system that can effectively manage it all. This is more and more important as you increase your compliance maturity and breadth.
It’s an incredibly onerous process to keep everything organized and coherent with network drops, share files, and spreadsheets. And while it doesn’t cost your company anything out of the gate, you will blow an enormous amount of time trying to manage your compliance efforts manually. Your company has better things to do with your people resources than to waste them.
TCT Portal was built for this. The all-in-one system conveniently stores and organizes all of your evidence in one central place. It’s always easy to find and access, and it makes project tracking a snap.
But even if you don’t use TCT’s compliance management system, use something. Just don’t rely on a manual process — it’s the single largest waste of time you could possibly add to a compliance engagement. Find a tool that can provide automation efficiencies.
Hire Smart for Mapping Certs
There are a lot of organizations out there that provide ready-to-go mappings between certifications. They’re appealing, because you expect to plug and play, and save a ton of time and effort. But in our experience, there’s a wide variation in the quality of mappings you’ll get.
Off-the-shelf approaches don’t consider your company’s particular circumstances and responsibilities. Every organization is different. You need to account for the unique issues that affect how a certification is applied to your organization and maps against other certifications based on your circumstances.
Look for companies that will help you assess the mappings to fit your organization appropriately. The downside of not doing so is believing you’re covered when you’re really not.
Make Your Secondary Certifications Less Painful
TCT is devoted to helping you get unscathed through the gauntlet of compliance. No other compliance management tool can match TCT Portal’s capabilities. We’re able to stand out from the crowd, because we aren’t a software company that built a compliance tool — we’re a compliance company that understands the needs and daily life of compliance personnel. We understand engagements from the perspective of those going through it and the assessors responsible for validating it. TCT Portal is a tool that was built specifically to address those needs.
TCT Portal is continuously improving. We engage closely with our customers to provide enhanced capabilities to meet your needs, and we’re always looking for ways to make existing functionality better. That includes taking customer feedback and building it into the product.
Choose the compliance management tool that will reduce your time and effort, and eliminate your manual heavy lifting.