In the security and compliance world, every assessment firm has either their own proprietary systems or manual procedures to serve their clients. They see it as a competitive advantage, but it often means they’re in control of your compliance data. You’re hiring them, and it’s your data. Take control of it, and get in the driver’s seat.
Let’s play out a scenario that I’ve seen multiple times. Your company has decided to become PCI and HIPAA compliant and you hire an auditor. The auditor has an impressive proprietary system to handle your data, which other assessors don’t have. It sounds like a great advantage to you. As part of the engagement, you’ll need to load your compliance data into their system, which will store your evidence and manage your files.
Some time later, your company decides to add ISO 27001, but your existing assessor doesn’t audit for that standard. So you hire a second auditor, who has their own proprietary system for collecting and managing evidence. Eventually, you go for a fourth certification, which neither of your auditors supports. To no one’s surprise, your third assessment firm also has their own way of doing things.
Now you have three different auditors with their own way of collecting, storing and managing your data. None of those systems is compatible with the others—or with your own system, for that matter. Your data is out of your control and it’s scattered to the winds. When all is said and done, your team has spent valuable time facilitating the demands of the assessment firm, and the net result is that the most organized version of YOUR data doesn’t live on systems you control.
Who Owns Your Compliance Data Storage?
From your auditor’s perspective, a proprietary auditing system makes a lot of sense. The firm wants to maximize consistency across all their engagements, because it helps increase efficiency and makes them more competitive. If you’re looking at it from their perspective of efficiency, it’s a perfectly reasonable scenario. But not if you’re the client.
If you’re the client, you’re giving up control of your data. You’re the one with the evidence and the policies. You’re the one supplying the information. It’s your information, and it belongs to you. But what happens when you give that data to an assessment firm that uses their own proprietary system?
You can only access it for as long as you decide to stay with that assessment firm, and you’re still left with a problem—the fact that you need to spend time organizing your OWN data storage. Typically, the assessment happens when your people are busy, and it’s a mad flurry of loading to someone else’s system!
All of your source data is now spread out across multiple assessment firms, and it’s a mess. If you request access to your data, the auditor can probably export it and send it to you, but often it’s not in a format you use. Chances are, you’ll get a bunch of CSVs and evidence files dumped into a zip folder. It’s up to you to reformat the data and weed out the columns, worksheets and notes that the auditor added for their own internal purposes.
Most clients shrug and say to themselves, “Well, we need to do whatever the auditor says.” This is your data—take control of it. They work for you, you don’t work for them. This is your information, which you own. You should be able to manage it on the system you prefer. If your assessment firm is charging you to use their proprietary system, you’ve got to ask yourself if it’s the right fit.
Bigger Costs Than You Realize
On top of that, everything your auditor is doing in-house to save themselves time and money is actually costing you more time and money. Proprietary systems rarely use automation, and they pass inefficiencies onto the client. For example, PCI requirements 1-12 are broken out into hundreds of different elements. Some spreadsheet-based approaches require you to load your evidence into individual subfolders, one for each element! Imagine the work for your data protection policy that applies to 100 different elements.
Not only are you required to use each auditor’s custom system, siloed from the others, but keeping everything organized on your side means duplicating all your files and effort. There’s no automation to keep track of who has what, where it is or what status it’s in. You have to track everything manually on your end to navigate through this, unless you’re paying your point person to keep track of everything every day.
If an employee were negatively impacting your business like that, you’d make a change, fast.
A Better Solution
There’s a better way to give auditors the evidence and functionality they need, while maintaining access, ownership and control of your data. TCT Portal automates your compliance management and makes it easy to share information with assessors. Your data can be shared with multiple auditors, all while staying under your control.
The reason we developed TCT Portal in the first place was to help make the world of security and compliance management easier for everybody. It’s a meeting place for all of the personnel in your organization, your consultants, your service providers/vendors and your auditors. Everyone involved in the compliance and auditing process gets the access and the functionality they need.
Best yet, you don’t have to duplicate your efforts. In fact, you could cut your compliance efforts by nearly 70 percent.
How to Take Control
Need to take control of your compliance data? Here are the steps to take.
First, don’t tell your auditors they need to start using TCT Portal. That will only be a waste of time, because they’re probably committed to the system they’re already using.
Start using TCT Portal as your internal compliance management system to organize your evidence and track activities. You’ll gain tremendous functionality, capabilities and efficiencies just by implementing that alone. Now you’ve got a rock-solid repository in which everything is clearly organized and easily accessible. Better yet, the system’s automation helps you stay on track with compliance activities all year long.
Next, start looking at your third-party partners to identify where you can start building efficiencies into your process. Which external parties can you bring in? For example, you may have vendors that need to provide compliance information. You can include those vendors in that workflow within TCT Portal.
Now you can start having conversations with your assessment firm. Don’t demand anything, but let them know you’ve got a resource they can also benefit from. Tell them, “We’ve got this great tool, and you’re welcome to start leveraging it on our engagement. In fact, we prefer that you do.” If they refuse, you have a decision to make—either stick with the assessor’s arcane or proprietary system or look for another firm that’s willing to leverage TCT Portal.
A growing number of assessors already love using TCT Portal as their tool of choice, covering almost any industry standard. We’ll gladly point you to them, if you’d find the introduction helpful.
Then again, it may make sense to stay with your current auditor, who has years of relationship built with you and understands your organization. If so, you can still benefit internally from TCT Portal. You’ve got all of your compliance evidence organized to the requirement, along with the documentation, who provided it and exactly what they gave you. The automation keeps you on track for managing your compliance activities throughout the year. And when you come back to it next year, all of your evidence from the prior year is perfectly aligned at the line-item level. Your work with a second or third auditor is much easier, because you’ve got your evidence organized and mapped across standards.
Take Back Your Data!
With TCT Portal, you can stay in control of your data, in a format you can use—and in a format that’s shareable with all of your auditors. Need to regain control of your compliance data? Total Compliance Tracking can help.
Schedule a personalized demo today to see what we can do for you.