Here’s what to think through as you prepare your organization for standards compliance.
Security standards: ISO 27001, PCI DSS, GDPR. When it comes to business and security standards, it’s easy to get lost in the alphabet soup of acronyms.
How can you discern which ones are right for your organization? Start by asking some high-level questions about what you hope to accomplish by adopting them, and how adhering to standards can help your growth, says Khushbu Pratap, a senior principal analyst at Gartner who covers risk and compliance.
“The most important questions to ask [are]: Are your customers asking for it, and do your stakeholders think a particular standard is important?” says Pratap.
Assuming the answers are yes, there are additional factors to think through before moving ahead with a compliance strategy. The seven practical tips outlined in this feature will help. Heavily regulated organizations typically have dedicated teams that work on these standards, but even they can use this list as a chance to step back and better target their standards compliance and certification efforts.
Decide Whether Compliance Is Enough
Compliance means your security system adheres to all the relevant standards and regulations. That’s all well and good, but your customers may require that your system be certified by the appropriate governing body. With certification, companies can show tangible proof of a compliance claim.
That’s why it’s important to find out whether your customers are asking for certification — and also whether your company’s stakeholders believe it’s important. If so, be aware that certification programs require buy-in from top management and extra resources for maintaining documentation and paying consultants.
In many cases, a company that takes the time to achieve a certification can avoid additional audits in the future, because most customers will trust the independently verified certificate, adds Lindsey Ullian, compliance manager at Threat Stack.
Scope the Project Carefully
Gartner’s Pratap says companies often try to take on too much when adopting standards. So start by defining the scope: determine which departments and employees the standards will cover. Pricing from a security vendor or consulting firm will also depend on that scope. Finalizing the scope early in the process can save significant time and cost over the whole initiative. Want to control costs? Tighten the scope of the standards project.