Until now, your organization hasn’t decided to (or needed to) become compliant with a particular certification. You may have taken some actions to protect your company, but nothing official. But things have changed — your competitors have suffered a public breach and you want to avoid that fate, or there’s now an external factor that requires you to become compliant.
I’d like to say congratulations, but you probably don’t feel very congratulatory right now. It’s damn stressful to figure out how to become compliant with any certification for the first time. Still, you’re setting your organization up for greater protection, better success, and significantly less risk — and that’s a very good thing.
But what if you don’t know what certification is the right one to get started with? You don’t have someone telling you to become compliant under HIPAA or CMMC, and maybe you’re facing analysis paralysis from all the options available to you.
Filter Down Your Certification Choices
TCT Portal currently has about 150 different compliance standards loaded. There are many more out there, and that’s a lot to wade through as you’re determining your first compliance certification. Often, you can quickly narrow down the list and eliminate all but a few compliance certifications. I recommend applying a couple of initial filters. For example:
What industry are you in?
Are there any certifications specific to your industry? If you’re in the educational space, HECVAT could be a good framework to start with. If you’re in the medical space, HIPAA would make for an appropriate choice. If you’re in manufacturing, ISO is prevalent. For finance or service industries, consider SOC 2. If you process credit cards, PCI DSS is required.
Look at your peers and see what compliance certifications they hold. Usually you can find them listed on their websites.
Check your contracts
Many companies have contracts with clients that have references to maintaining some kind of compliance standard. For example, a customer agreement might state that you will operate in a PCI DSS compliant manner or in an ISO 27001 compliant way.
You could have these kinds of agreements with current customers and not even realize it. Before you commit to following a particular compliance standard, review your existing legal contracts and look for any agreements that call out specific frameworks.
Do You Need a Directional Standard or a Prescriptive One?
If that first set of filters doesn’t make your decision for you, consider the type of approach that your first compliance certification should take. In other words, does it make more sense to comply with a prescriptive standard, or a directional one?
The more prescriptive (or specific) a certification is, the more rigid its requirements. You don’t have as much freedom to determine how you want to fulfill the requirements, because you have to fulfill the requirements that the chosen framework prescribes.
Prescriptive standards may sound like they’re more difficult, but ironically they can provide an easier path to becoming compliant.
When you start with a highly directional certification, you’re working under a framework that gives you an end goal to move towards, but no map to get there. You have the direction, but the route is up to you.
Directional certifications give you plenty of choices regarding how you will implement the requirements, but that means you have to be able to judge whether the implementation decisions you make are good ones.
Prescriptive standards may be stricter in their requirements, but they also provide more clarity that you’re well protected.
An example of a prescriptive compliance standard is the Payment Card Industry Data Security Standard (PCI DSS). Some examples of directional standards include SOC 2, HIPAA, NIST CSF 2.0, ISO 27001, GDPR and CCPA.
Some of these standards are more directional than others. As an example, where HIPAA will effectively say that authentication needs to be performed in a secure manner, the PCI DSS will provide literally dozens of specific elements to implement surrounding secure authentication. Instead of hoping you do a good job under HIPAA, you have a roadmap under the PCI DSS.
Choosing Your First Compliance Certification
All things being equal, I have a strong preference for the first certification to become compliant with. I often make this recommendation to clients, and I’ve found that this certification sets them up for greater security and compliance success — immediately, and well into the future.
Based on my experience, it’s best for most companies to start their compliance journey with PCI DSS. This is assuming, of course, that you don’t have other certifications you need to immediately comply with.
By leveraging PCI, you’ll make it easier to go up against less prescriptive standards you may need in the future. PCI makes nearly every other security standard easier to leverage, enabling your organization to more readily map the PCI requirements to the controls of your additional target certifications. That allows you to substantially optimize your compliance program.
The PCI DSS is a standard intended for companies that process credit card payments. But it’s easily adaptable to any organization, and the robustness of this framework is well worth it. Essentially, you can apply “credit card data” in PCI to any sensitive data that your organization handles. Because credit card data is sensitive data, the analogy is a perfect fit.
Some Thoughts About Implementation
If you discover that you need to comply with multiple certifications, it’ll be tempting to get a quick win and knock out the easiest one first, then move onto the next certification. I would advise against that option.
It’s a lot easier, in the long run, to get to know all of those certifications and to implement them simultaneously. If you tackle one framework at a time, you’ll find yourself redoing previous work from the first standard to get it lined up with the next one.
When you first get started with a new compliance framework, the people in your organization will feel like they’re trying to eat an elephant. It’s an overwhelming experience. For that reason, I strongly recommend that your company does not try to go it alone. Rely on the experience and guidance of an experienced compliance Consultant.
Some companies decide to simply rely on their Assessor for answers as they start their first compliance certification — and you can, in principle. But a Consultant allows for much more honest communication. Because they’re on your side, it’s safe to tell them about things that aren’t currently in compliance, or to ask about potential objections that the Assessor might have. Better yet, your Consultant can help you dramatically streamline your overall compliance program by helping with compliance mappings, assisting with solution options and coordinating with the Assessor.
Compliance with Confidence
In the end, what matters most is that your organization has a security and compliance program in place that’s effective in reducing cybersecurity risks. The early decisions you make about your compliance program and approach will go a long way toward determining how much of a challenge your organization will face on the chosen compliance path.
If you’re engaging with a solid compliance Consultant, they’ll provide the sanity check you need in making your compliance certification decision and be very helpful with the running of your security and compliance program.
TCT personnel have been actively helping organizations navigate their security and compliance engagements for almost two decades. In total, we have thousands of hours of security and compliance management experience we would be glad to leverage for the benefit of your engagement.
Choosing which security and compliance standard(s) make sense for your organization becomes much easier, and in TCT you’ll have a partner that’s in it for the long run, allowing you to focus on your core competencies.