A History Lesson (InfoSec Compliance Data) | Blog by anecdotes

Can I predict the future accurately?

I alone cannot. Not with all the tarot cards, tea leaves and palm readings in the world, I wouldn’t be able to predict what will happen to you, or anyone else for that matter, tomorrow when you get out of bed.

But actually, in InfoSec Compliance, there is a semi-easy way to find out what may happen in the future; it’s by looking at historical data. Seeing how you have behaved and reacted to situations in the past can help make more accurate predictions about your future. Reviewing historical compliance data lets you see how far your organizational compliance posture has evolved, so you (and perhaps more importantly, your auditor) can understand where you’re likely headed.

“History is a better guide than good intentions” – Jeane Kirkpatrick

I’m not a history teacher (there was more money to be made in InfoSec than in teaching, sorry to say), but although having to wait 6 months to a year to complete an audit is frustrating (that is the least we can say), it makes sense. Here’s why I say that: a few weeks ago, we explored the differences between SOC 2 Type 1 and SOC 2 Type 2. I’ll avoid a major recap here, but suffice it to say that the 2 types of SOC attestations are similar in many ways; both audit controls and policies, with the goal of understanding compliance posture. Yet there is a huge difference – SOC 2 Type 2 is about the value of conformance over time, and Type 1 is about the here and now. And we all know that of the two, SOC 2 Type 2 is far more valuable.

There are two reasons why looking at history is so crucial:

For current year compliance assessment

The objective of standards such as SOC 2 and ISO 27001 is to establish practices that enable an optimal compliance posture. To do this, select the most important controls for your organization. These can include controls such as event logging, monitoring, and incident management. They may also include proper change management, such as change detection, change requests, designs and approvals, security testing for changes, rollback of changes, emergency change processes, and more. Either way, once the controls are agreed with the auditor, you have to wait some time to see whether they are actually implemented and whether they keep producing the same results.

If you can demonstrate that your controls are still working as intended over that time frame, that’s a powerful demonstration that your compliance strategy is strong. That’s why it takes so long to prepare for SOC 2 Type 2, and that’s also why it’s more valuable than a Type 1 report. The history is an essential element.

To show compliance maturity over time

The other reason we care about history is to understand maturity over time; this is particularly important in ISO 27001, where improving maturity year on year is a major factor. Do you remember the first time you prepared for the ISO? It was enough that your controls consisted of having policies and procedures in place, showing management commitment and decision-making regarding security measures, and having good access management focused on the processes for onboarding and offboarding users. But we both know that while that’s great for an early-stage startup, it wouldn’t fly at Microsoft, or even at a startup with a few years of audits under its belt.

Section 10 of ISO 27001:2013 covers the continuous improvement of the Information Security Management System (ISMS). Section 10.1, Nonconformities and Corrective Actions, discusses the corrective procedures taken when your company encounters a nonconformity. Section 10.2, Continuous Improvement, discusses how your organization inspects, reviews, and then measures these procedures to ensure that improvement is always ongoing. The focus is on ensuring that your compliance posture is continually worked on and optimized, and that each year is better than the last.

“If you want to understand today, you must seek yesterday” – Pearl S. Buck

This is the advantage of having access to your compliance history; it lets you see where you’ve come from and where you’re headed. With the right tools, you can demonstrate ‘conformance over time’ and show improvement against internal and external standards.

They say that if we are not careful, history repeats itself; I say that the more careful and intentional we are in developing our compliance policies and procedures, the more we can hope that history will continue to repeat itself.
