editione1.0.0
Updated October 9, 2023🚀 As explained by Laura
If you are used to building new systems and processes, often with the intention of disrupting an industry or changing the way an established industry operates, the idea of inheriting a compliance or regulatory system is disheartening.
For those who like to try new things and move fast, compliance has a reputation for being the exact opposite of how you want to run your fast-growing business. A world filled with complex (often outdated) systems of requirements and controls, supported by auditors and accompanied by the threat of large fines or inability to operate, rarely makes anyone excited.
Have no fear, though—while this may not be your happy place, it doesn’t have to be a burden.
In this chapter, we will take a quick look at what compliance is, why it matters, and how you can become liable for it. We will also examine a number of the most common compliance schemes you may encounter and give you some survival tips for getting through this in one piece.
danger Please note that audit and compliance is a very complicated process and when you reach the need for compliance, you would be wise to engage the services of specialist compliance consultants. This section is provided as an introduction, rather than a complete guide to the subject.
Before we dig into how to achieve and maintain compliance, we really need to be clear about what compliance means and why it matters.
Definition Compliance schemes are systems of controls and requirements defined by a governing or regulatory body to achieve a certain aim. In the most part, compliance schemes aim to protect something. That something might be the health and safety of people in and around your organization; the quality, reputation, and prestige of an industry; or the security of personally identifiable or financial information.
There are three main reasons why an organization will pursue compliance with a particular scheme:
Legal regulations and the law. They may be required to meet a certain compliance standard based on the laws of the country or territory in which they operate. Not meeting compliance requirements will often mean that the law has been broken and company directors will be liable. Health and safety law is a typical example of this.
Controlled industries. There may be one or more compliance standards linked to the industry in which you operate or the way you conduct business. Financial regulations are an example, when in order to operate in specific financial markets and roles, you must achieve and maintain compliance with national or international financial regulations. On a smaller scale, companies that process or take payment on credit cards are held to a smaller but no-less-important standard—the Payment Card Industry Data Security Standard (PCI DSS).
Optional compliance standards. Finally, there are optional compliance standards. These are standards that have been developed and defined by independent (often international) bodies, and aim to improve quality, consistency, and process across an industry or element of business operations. Organizations do not have to comply with these standards or work to achieve them, but there may be benefits in choosing to do so.
important Voluntary international security standards such as the ISO27000 series are often seen as a benchmark for a healthy and mature information security program. Companies may choose to achieve this compliance certification as a benchmark they can share with partners and customers. This may be used for marketing purposes or simply to speed up the customer due diligence process when selling to larger enterprises.
The following are common schemes you may encounter, with resources for further information.
Governs the safe storage and processing of credit card information. This standard applies to all companies that process and handle credit card payments.
A handy six-stage guide to PCI DSS compliance
The official PCI DSS document library, including standards
A standard development and enforced by the US government for the protection of some types of health information. Most suppliers of health systems are required to meet this standard.
Covering a wide range of operational aspects of organizations, SOC 2 specifically refers to the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
Definition ISO 27001 is the International Standard for the Management of Information Security. It covers a range of key domains from policy and standards through to disaster recovery. Certification to this standard implies that you have a well-developed and mature approach to all aspects of information security. This is an optional standard.
For most of us, compliance schemes are a natural part of growing. There are hundreds of different regulations and compliance schemes around the world, and you may find your organization is subject to a number of different schemes depending on elements of your business model and operations.
Let’s take a look at the relationship between your business operations and the compliance schemes it may need to comply with.
| Operational Detail | How Does It Relate to Compliance? |
|---|---|
| Your customers’ location | Regardless of where your company is located or registered, many compliance regimes are based around the idea that the location of your customers is more important than where you are. Often these regulations are set by the country or location in which these customers live. Examples: • Sales tax • Privacy law |
| Your company’s registered location | When registering your company, you agreed to follow the local laws and regulations of that place. These regulations often cover: • Company management • Director responsibilities • Taxation • Employment laws • Health and safety • Environmental protection |
| Your industry | From finance to health, and from food production to mining—almost all industries have some form of regulation of compliance. Sometimes this is built to protect people and keep them safe, sometimes this is about regulating markets and preventing financial incidents. Whatever your industry, it pays to know what compliance schemes apply. |
| The type and quantity of data you store | Not all data is created equal and as you will remember from our discussions on classification, the risk posed by collecting, processing, and storing some types of data can be severe. Data types with considerable compliance or regulations include: • Health and medical information • Personally identifiable data • Intellectual property |
| The way you handle payments | Whether you handle credit card payments or do national or international transfers, there are compliance schemes and regulations you need to follow. Some of these come from the banking industry, some from national governments, and some from the credit card providers themselves. Getting these wrong can be the difference between frictionless payments and a lot of headache (and fines). |
| How your company trades | Whether you are publicly or privately owned changes the way you have to operate. Once your company lists publicly, you are held to the regulations of the stock exchange in which you are trading. These regulations are enforced from your initial intention to list and all the way through your lifetime on that market. |
There are two different regimes you should be aware of when working with a compliance scheme. The first regime covers the activities needed to achieve and maintain certification, the second regime is triggered in the event of a security breach or incident. Hopefully this second kind remains something you never experience, but it’s always best to understand what you would need to do if the worst were to happen.
Let’s take a look at each regime at a high level.
Identify the scheme and level of compliance required. The first rule of compliance is to take compliance schemes one at a time. While they may all have some common themes, they each express themselves differently and it’s easy to conflate standards when you are rushed or dealing with many at once.
Decide with your executive team which standard to pursue and make sure you have time, money, and people budgeted to get it done and maintain it each year.
(Optional) Find specialist assistance to conduct a gap analysis of your current position. If this is your first compliance scheme or audit, or your team hasn’t got prior experience with the particular scheme you would like to achieve, it may be worthwhile to engage an advisory firm to help you understand how your current processes and operations compare to the controls and requirements you need to meet. While this process isn’t a formal audit, it will review your operations in enough detail to capture any remediation you need to do before attempting the full audit.
Create a prioritized plan and make improvements. If you have had a gap analysis (or have done a review yourself) you most likely have some work to do before you can get through the audit. Make a plan and get to work. Remember that you need to make measurable improvements to your processes, not just superficial gestures. Auditors are really good at spotting a fake.
Gather evidence and prepare for the audit. The time of your audit is approaching and it’s time to get ready. This involves two sets of actions.
Gathering evidence of the policy and processes you have in place to meet the compliance requirements.
Working with team members to prepare them for audit.
Remember that the more organized your evidence is, the easier it will be to audit. Rock out your spreadsheets, reference specific evidence against controls, and don’t forget to add modification and review dates to your documents as you go.
Go through the audit. In most cases, major compliance schemes will require your organization to be audited by a qualified and certified auditor. While not always the case, many organizations will use former or current chartered accountants for this role. This audit will be evidence-based and will compare the “as built and evidenced” controls and processes you have in place to meet the requirements of the scheme. For complex or large environments, they may sample your systems, only reviewing a random number of the total technology platform or team.
There are a small number of compliance schemes that allow smaller (low-risk) organizations to self-assess instead of doing an audit. This can be a great way to make compliance more accessible to smaller teams, however, remember that in the event of an incident, the full incident review and audit process will still be triggered, so it’s in your best interests to take self-assessment seriously.
Plan remediation for gaps. If the audit finds any gaps or controls that haven’t been met, the auditor will typically outline the gaps and work with you to plan remediation and reassessment within a certain time frame.
Achieve certification. When happy that the controls have been met (or the risks identified have been managed or remediated), the auditor will recommend you for certification. In some cases, this is simply the issuance of a certificate that can be shared as a credential for the company. In other cases, the auditor will assume some liability for incidents should a breach occur in this newly certified company. It’s sort of like an auditor saying, “I think this place is good and I’m willing to stake my reputation (or insurance) on it.”
Comply with reassessment as needed. You may need to repeat this certification or audit process on a regular basis (commonly annually) or when there is a significant business change.
Breach events often come in two forms. The first is a self-disclosure, where you find you have made a mistake and failed to comply with an element of the scheme. You are obligated to report this to your governing body and they may choose to respond. In the second case, the failure may have been identified by a third party and disclosed to the governing body first, in which case an investigation will typically be launched.
Identify the cause and resulting impact of the incident. Just like we discussed in our chapter on handling the unexpected, lapses in compliance or data breaches need immediate attention and investigation. Use your incident response plan to understand, identify, and isolate the cause of an incident as well as its impact (both internal and on customers or users).
Notify the regulatory authorities as required for the scheme in question. If the breach relates to a failure to protect data or information that is protected by a compliance scheme or mandated as critical by a regulatory body, this incident might be “notifiable.” Notifiable incidents are ones that must be reported to the regulatory authority so that they can investigate and determine whether further action needs to be taken.
Examples of regulatory or compliance with notification requirements:
GDPR (General Data Protection Regulation). Privacy breaches including personally identifiable information.
HIPAA. Breaches exposing or involving health information.
Financial markets. Breaches impacting the material value or operating ability of a publicly listed company.
PCI DSS. Data breaches involving credit card information.
danger This is by no means a complete list, and you should check your compliance requirements carefully to understand if and when you would need to notify a third party.
Submit to a post-incident review/audit. In many cases, notifying a regulatory or compliance authority will result in that agency conducting a moment-in-time audit of your organization and processes. The aim of this activity is to understand if you were still compliant with the controls required at the time of the incident. If you are found not to have been compliant, there may be repercussions for your organization, directors, or operations.
After this review is completed, the regulator will decide whether remediation work is required and whether your organization can continue to operate under their mandate.
This section doesn’t provide everything you need to get compliant with one or more schemes but it should be enough to get you started.
danger Though we won’t ever admit it to our friends, both authors of this book are former auditors, so before we wrap up this section, here are some common mistakes we have seen in this space.
Poorly documented evidence that is impossible to replicate.
Spending hours arguing that controls are outdated and make no sense. You are probably right, but take a breather—arguing won’t change this. You need instead to show you meet them “as a minimum,” not as a target.
Poorly organized evidence without dates, times, and sources, or not mapped clearly to controls.
Compliance programs that lose momentum and don’t get finished—staying “in progress” in perpetuity.
Companies lying about compliance status or being creative with their marketing teams to imply compliance without the certification.
Compliance programs delegated to one individual in a company and not shared across a team. Remember, it’s OK to have someone be the project manager for compliance, but the evidence needs to be of a collaborative approach to meeting the controls. (Plus, if you have a single person doing it and they leave, you may find yourself back to square one.)
Poorly briefed team before an audit, misunderstanding the nature of the questions, and using the interviews to expose issues with processes or policy.
Evidence focusing on the purchase of products or tools, not the use of them.
You get the picture.
Whatever your industry and whichever standard you choose to or have to meet, make sure you understand the complexity of the task, and are prepared to get specialist help and commit people, money, and time to do it well.
confusion Remember, compliance doesn’t mean you are secure, it means you met a set of controls and standards at a moment in time. You need to meet those standards at any time if challenged, especially after a breach—so make sure you invest in sustainable security that exceeds compliance requirements and makes audit a breeze.
🚀 As explained by Laura
While we may not focus on it very often and we certainly don’t talk about it a lot, most growing companies are trying to get somewhere very specific. For most companies, this means an IPO, an acquisition, or a sale.
It’s tempting to think that this “ending” also ends your need to focus on security. After all, all going well, your company is entering a new phase, perhaps even under new ownership.