The first time I was introduced to a compliance certification, it took 18 months to get our arms around it and cross the finish line. The process was chaotic and excruciating, and we spent the bulk of the journey trying to plot our path as we went.
That’s fairly typical for organizations that take on a new certification. You haven’t seen the terrain before, so you don’t know the best route to arrive at your destination.
Fortunately, there are some best practices that can make your journey a bit smoother when you’re spinning up a new certification — or any new standard, requirement, or law for that matter. Follow these tips and you’ll avoid the common pitfalls and save time getting certified.
Know the Certification Requirements
The first thing you need to do is gain a solid understanding of what it is you’re going up against. For every certification out there, you’ll find a plethora of information — which is both a blessing and a curse.
If you Google the name of the certification, all kinds of results pop up from all kinds of experts and organizations. Some results are better than others, but if you’re new to the cert, it isn’t always obvious which is which.
Make sure to identify the documents that come from the originating certification body itself. You don’t want to inadvertently pull up somebody’s summary of the documents, only to find out too late that it doesn’t contain all the details.
Gather a list of requirements. Depending on who issued the certification, there may be other documents, which can take a wide variety of forms. Look for:
- Descriptions of the requirements themselves
- Any supplemental or additional guidance that the certification body provides — explanations, templates, examples, etc.
- Any additional guidance for Assessors — instructions about how to assess requirements, which can help you understand what your Assessor will be looking for
Assets from other experts can be helpful, but they can’t replace the source documents.
Conduct a Gap Assessment
Do a gap assessment to determine how many of the required items are already in place. Which are fully in place, partially in place, and not in place? Identify the gaps between the certification requirements and where you are today. This will give you a good sense of the work ahead of you.
From here, you can begin planning your project and assigning tasks to your team members.
Map to Existing Certifications
Many organizations maintain multiple certifications. If that’s the case for you and you’re spinning up a second or third (or fifth or tenth) certification, you’ll save a lot of time by mapping your new certification to one of your existing primary ones.
By finding mappings between certifications, you’re identifying overlaps. This allows you to work more efficiently by applying the work you’ve done on a previous certification to particular line items in your new one.
For example, the antivirus rules from PCI DSS easily satisfy the antivirus requirements of HIPAA as well. If you’re spinning up HIPAA, you don’t need to reinvent the wheel — simply apply the antivirus line items from PCI DSS to HIPAA, validate whether they cover the HIPAA requirement fully or only partially, and move on.
Identify all of your mapping opportunities from your existing suite of certifications, and you’ll dramatically cut down on your time and efforts to get your new cert completed.
Start Closing out Certification Requirements
Once you have your arms around your mappings, it’s just a matter of going through each of the line items and fulfilling their requirements. You may need to address technologies, solutions, processes, operational templates, changes to documentation, changes to training — you name it.
Make sure you have everything buttoned up, from top to bottom, to achieve the new certification. At that point, you’ll be ready for final validation steps. Depending on the certification, validation might be an internal process, or you may need to go through an external audit with an Assessor.
Trust, but Verify
As you’re fulfilling requirements and closing gaps, beware of taking shortcuts. Don’t just take someone’s word that a requirement is in place — not even from a trusted vendor.
The job of going through compliance and making sure that you have everything in place is an act of analysis as well as evidence collection. It isn’t good enough to say that you have this or that item — you need to prove it. Provide a screenshot, supply the configuration file, show an example of an alert, provide policy documentation.
Because there’s just so much stuff that you have to get through, there’s a tendency to take the easy way once in a while. You rely on a faulty memory, or you make an assumption — not because you don’t care or don’t take the process seriously, but because you’re human and you just want to get through this as quickly as possible.
I’ve seen it happen time and time again: well-meaning people believe a requirement has been completely fulfilled and they trust their memory or assumptions without verifying. In the end, it almost always comes back to bite them in the ass.
If you can’t show an Assessor the evidence itself, you must assume it doesn’t exist.
Vet Your Vendors
When you go through a new certification, you’ll usually need certain vendors, such as hosting providers, to prove that they’re in compliance with that certification as well. Request evidence to back up their claim that they’re in compliance. Usually, they’ll provide a compliance report, an Attestation of Compliance (AOC), or a responsibility matrix.
Don’t just accept the report and file it away — review it and make sure their claims actually line up with your needs. I’ve seen vendors provide AOCs that cover completely different areas than my clients needed, and the reports were effectively useless for the scope of the client engagement.
If you think your vendor has it covered, and they don’t, you’re stepping on a landmine — and frankly, you may need a new vendor! These are things you do not want to be discovering at the finish line of an Assessment with an external Assessor.
Keep up the Good Work
Don’t forget: once you’ve achieved certification, your work has just begun. When it comes to compliance, you can’t set it and forget it. Now you’ll need to maintain compliance with your certification, moving forward.
There are ongoing activities that you’ll need to stay on top of, both on a recurring basis and when certain changes occur in your organization that affect the certification.
Put a mechanism in place to ensure that you’re actively maintaining compliance on an ongoing basis. Assign specific tasks to team members, with the appropriate cadence. Keep them accountable for their assignments throughout the year, making sure the team stays on track.
Many organizations struggle to stay on top of these ongoing activities, especially if multiple certifications are involved. But if you’re using TCT Portal for your compliance engagement, the management is automated for you in Operational Mode.
Follow these best practices and you’ll avoid many of the pitfalls and time sucks that make it so painful to spin up a new certification. Even better — take your compliance engagement to the next level by tapping the veteran expertise of a compliance consultant. TCT can refer you to several rockstar consultants, or provide you with one of our own.