Most businesses have to comply with multiple information security related standards and regulations. In our experience the average is 3. These can include but are not limited to PCI DSS, GDPR, ISO 2700, Sarbanes Oxley, HIPAA, Cyber Essentials, POPI and even audits by clients.
Managing these standards and regulations on an individual basis poses a number of challenges for a business:
- Repetition; most information security standards and regulations share many common control requirements, so multiple control owners end up doing essentially the same thing, and multiple independent assessments cover the same controls.
- Financial cost; multiple assessments equate to unnecessary financial and operational cost, including multiple procurement processes and vendor management costs, plus the additional cost of multiple Finance Department interactions.
- Complexity; multiple security standards and regulations can be complex and difficult to manage. For example, some standards require 7 character passwords while others require 8; staff need to be trained on multiple standards and have to deal with multiple organisations. It is also necessary to build numerous compliance tracking systems.
- Time; multiple assessments can mean less time to focus on the real work of running a business: time spent preparing each assessment, hosting each assessor, gathering evidence again and again, and remediating conflicting audit findings.
However, gaining compliance with multiple standards usually involves a number of steps, and many of those steps address control requirements that the standards share:
- External; Regulatory bodies, third parties, auditors.
- Technology; Configuration, software development, encryption, tokenisation.
- Information; Capture, manipulation, storage, destruction.
- Internal; Awareness and training, contractual issues, responsibilities, policies.
Benefits of a combined approach
The pain of multiple assessments can be relieved by taking a combined approach to compliance with multiple standards and regulations:
- Less effort; using a common framework that covers all standards in one assessment greatly reduces the effort required to comply with multiple standards and regulations.
- Less complexity; the management and design of multiple controls can be collapsed into one.
- Reduced cost; having one partner and one assessment can save a considerable amount of money.
- Saved time; reduced effort and fewer interactions with multiple standards saves a significant amount of time.
The benefits of aligning multiple standards to a common framework are clear. However, developing that framework also takes time and effort, and it is essential that the framework is capable of incorporating changes to those standards, and new standards, as they become applicable to the business.
Sysnet recently launched their Combined Assessment Model, a single assessment model that covers many standards. It enables businesses seeking compliance with multiple standards to work with one partner with fees on average 50% less than they would pay for multiple assessments.
To learn more about Sysnet’s Combined Assessment Model click here.