This section doesn’t provide everything you need to get compliant with one or more schemes but it should be enough to get you started.
Though we won’t ever admit it to our friends, both authors of this book are former auditors, so before we wrap up this section, here are some common mistakes we have seen in this space.
Poorly documented evidence that is impossible to replicate.
Spending hours arguing that controls are outdated and make no sense. You are probably right, but take a breather—arguing won’t change this. You need instead to show you meet them “as a minimum,” not as a target.
Poorly organized evidence without dates, times, and sources, or not mapped clearly to controls.
Compliance programs that lose momentum and don’t get finished—staying “in progress” in perpetuity.
Companies lying about compliance status or being creative with their marketing teams to imply compliance without the certification.
Compliance programs delegated to one individual in a company and not shared across a team. Remember, it’s OK to have someone be the project manager for compliance, but the evidence needs to be of a collaborative approach to meeting the controls. (Plus, if you have a single person doing it and they leave, you may find yourself back to square one.)
A poorly briefed team going into an audit, misunderstanding the nature of the questions, and using the interviews to air grievances about processes or policy rather than to demonstrate how the controls are met.
Evidence focusing on the purchase of products or tools, not the use of them.
You get the picture.
Whatever your industry and whichever standard you choose to or have to meet, make sure you understand the complexity of the task, and are prepared to get specialist help and commit people, money, and time to do it well.
Remember, compliance doesn’t mean you are secure; it means you met a set of controls and standards at a moment in time. You need to be able to show you meet those standards at any time if challenged, especially after a breach, so make sure you invest in sustainable security that exceeds compliance requirements and makes audit a breeze.