Congratulations, You're Compliant: Charting Your Path Ahead
Navigating the labyrinth of compliance requirements is no small feat, so congratulations if you've recently achieved compliance with a particular standard or regulation! However, the journey continues. Achieving compliance is not a one-time event but a continuous review, adjustment, and improvement cycle. So, what comes next after you've achieved compliance?
In this blog post, I’ll point out seven things that you can do to capitalize on your compliance achievement. I’ll also discuss how you can use the benefits, resources, and tools of a CIS SecureSuite Membership as a toolbox to help you along the way.
1. Celebrate Your Achievement
First and foremost, take a moment to appreciate your team's hard work and dedication. Compliance isn't achieved in isolation; it's a team effort involving collaboration across your organization. Celebrating this achievement fosters a positive organizational culture and motivates your team for the next phase of the journey.
2. Communicate Your Success
Compliance isn't just an internal affair. It matters to your stakeholders, too. Your customers, partners, and investors want assurance that you're committed to good governance, and achieving compliance provides that assurance. Communicate your success to your stakeholders, and frame it in terms of what the standard actually attests to, whether that is quality, security, or privacy, so the claim matches the scope of what you achieved.
Quick Tip: One of the ways you can communicate success is to create a Trust and Security Center on your website. Its purpose is to illustrate your certifications and FAQs so that everyone – stakeholders, customers, and external visitors alike – can view your compliance and privacy achievements.
3. Monitor Continuous Compliance
Achieving compliance is one thing; maintaining it is another. Environments change, both physically and technologically, and any change, from a newly provisioned server to a configuration file edited during an outage, can alter the level of compliance you've achieved. Compliance therefore has to be an ongoing effort.
Regular monitoring is how you confirm that you still meet the requirements. This means recurring audits, control reviews, and reporting that show your controls remain in place and remain effective, rather than a single point-in-time assessment.
That’s the philosophy behind the pro version of our CIS Configuration Assessment Tool (CIS-CAT Pro). Included in a CIS SecureSuite Membership, CIS-CAT Pro comes with two components, an Assessor and a Dashboard, that support automated scans of your systems’ settings against the secure recommendations of the CIS Benchmarks. The Dashboard graphically displays your scan results over time, so you can see the effect of your hardening efforts on each system, spot drift as soon as a scan shows a drop in conformance, and plan what you still need to do to meet your security requirements.
A screenshot of CIS-CAT Pro showing conformance to a CIS Benchmark over the span of a year.
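To make the monitoring idea concrete, here is a small added example of the kind of check an automated configuration assessor performs. It is illustration written for this post, not CIS-CAT Pro's code, and the four expectations are hypothetical hardening settings written in the style of benchmark recommendations rather than text from any CIS Benchmark. The two sshd_config samples are constructed. It parses the effective global settings the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, an absent keyword means the OpenSSH default applies), scores conformance, and compares two scans so that drift shows up as a list of checks whose state changed.

```python
import re

# Hypothetical expectations in the style of benchmark recommendations.
# Illustrative assumptions for this example, not quoted from any CIS Benchmark.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# OpenSSH's documented defaults for those keywords. An absent line is not
# "unknown": the default applies, and the default may already fail the check.
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}

# keyword, then either whitespace or '=', then the value
KEYVAL = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.+?)\s*$")


def parse_sshd_config(text):
    """Return the effective global settings as {lowercased keyword: value}.

    sshd keywords are case-insensitive, and when a keyword is repeated the
    FIRST occurrence wins, so a "fix" appended at the bottom of the file
    changes nothing. Parsing stops at the first Match block because settings
    inside it apply only conditionally and need separate evaluation.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEYVAL.match(stripped)
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if key == "match":
            break
        settings.setdefault(key, value)  # keep the first occurrence only
    return settings


def assess(settings):
    """Evaluate every expectation; returns {check: {expected, actual, passed}}."""
    results = {}
    for check, expected in EXPECTED.items():
        actual = settings.get(check.lower(), DEFAULTS[check])
        results[check] = {
            "expected": expected,
            "actual": actual,
            "passed": actual.lower() == expected.lower(),
        }
    return results


def conformance_score(results):
    """Percentage of checks passing: the number a dashboard plots over time."""
    passed = sum(1 for r in results.values() if r["passed"])
    return round(100.0 * passed / len(results), 1)


def drift(previous, current):
    """Checks whose pass/fail state changed between two scans, sorted by name."""
    changed = []
    for check in sorted(current):
        before = previous.get(check, {}).get("passed")
        after = current[check]["passed"]
        if before != after:
            changed.append((check, before, after))
    return changed


# Constructed samples: the file as it looked at audit time, and the same file
# after an operator enabled password logins and dropped the MaxAuthTries line.
BASELINE_CONFIG = """
# constructed sample, not taken from a real host
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""

DRIFTED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
# appended later; sshd ignores it because the first occurrence above wins
PasswordAuthentication no
"""

if __name__ == "__main__":
    baseline = assess(parse_sshd_config(BASELINE_CONFIG))
    current = assess(parse_sshd_config(DRIFTED_CONFIG))
    print("baseline score:", conformance_score(baseline))
    print("current score: ", conformance_score(current))
    for check, before, after in drift(baseline, current):
        print(f"drift: {check} passed={before} -> passed={after}")
```

Two details are worth keeping when you build or buy this kind of check: treat a missing setting as "default applies" rather than "not applicable", because the default is what an attacker meets, and evaluate the configuration the way the daemon does, or a later duplicate line will make the file look fixed while the service still accepts passwords.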
4. Plan for the Next Audit
While celebrating your current achievement, remember that the next audit is just around the corner. Begin planning for it early, considering any changes in your business operations or the regulatory environment that could affect your compliance status. Be proactive in identifying and addressing potential issues before your next audit. Also, review the evidence requests from your last audit and identify any gaps they exposed that your current control set still doesn't cover.
5. Identify Opportunities for Improvement
Even though you've achieved compliance, there are likely still areas where you can improve. Use the insights gained from your compliance process to identify these areas and develop a plan to address them. This could involve enhancing your controls, improving your processes, or investing in modern technologies to increase efficiency and effectiveness.
This is another area where a CIS SecureSuite Membership can help. Specifically, the pro version of our CIS Controls Self Assessment Tool (CIS CSAT Pro) helps you track your implementation of the CIS Critical Security Controls (CIS Controls). You can use CIS CSAT Pro to plan your progress through the Controls' Implementation Groups (IGs) by reviewing which individual CIS Safeguards you’ve already implemented and deciding which remaining ones to prioritize to strengthen your cyber defenses.
6. Expand Your Compliance Program
Once you've achieved compliance with one standard or regulation, consider whether there are other areas where you should seek to achieve compliance. Expanding your compliance program can further strengthen your governance and risk management practices and provide additional assurance to your stakeholders.
Once again, a CIS SecureSuite Membership can assist you with this step. Both CIS CSAT Pro and CIS-CAT Pro are designed to streamline your implementation of the CIS Controls and CIS Benchmarks. These security best practices map to numerous standards and regulations, so the same control evidence can serve several frameworks instead of being collected separately for each. By implementing the Controls and Benchmarks once, you save time and money when complying with multiple standards and regulations.
7. Foster a Culture of Compliance
Finally, continue to foster a culture of compliance within your organization. Compliance isn't just the responsibility of a single department or team – it should be embedded in the culture of your entire organization. Regular training, communication, and reinforcement can help to embed compliance into your organizational DNA. Toward this end, you can use newsletters, lunch and learns, and continuous training. Ongoing education will help you to create a security-first mindset and security-minded culture. By contrast, if you conduct training just once a year, your employees will quickly forget the importance of security and compliance until next year’s training.
An Ongoing Commitment to Compliance
Achieving compliance is a significant milestone, but it's not the journey's end. By taking these steps after achieving compliance, you can ensure that your organization continues to benefit from your compliance efforts, maintaining a robust and effective governance and risk management program that stands up to scrutiny and delivers value for your stakeholders. Remember, compliance isn't just a box to be checked – it's an ongoing commitment to quality, security, and integrity.
In the next blog post, I’ll talk about how you can start building a continuous audit program.
About the Author
Chief Information Security Officer
Sean Atkinson is Chief Information Security Officer of CIS. He uses his broad cybersecurity expertise to direct strategy, operations, and policy to protect CIS’s enterprise of information assets. His job responsibilities include risk management, communications, applications, and infrastructure. Prior to CIS, he served as the Global Information Security Compliance Officer for GLOBALFOUNDRIES, serving Governance, Risk and Compliance (GRC) across the globe.
Prior to GLOBALFOUNDRIES, Atkinson led the security implementation for the New York State Statewide Financial System (SFS) from 2007 to 2014, and his last role there was Internal Control, Risk and Information Security Manager.
Atkinson was born in Brooklyn, N.Y. and lived in England for 18 years, graduating from Sheffield Hallam University in 2000. After moving back to the United States, he has pursued multiple degrees and certifications in the IT arena.
In addition to his work with CIS, Atkinson is also an adjunct professor of Computer Science at the College of Saint Rose.