New Infrastructures and Functionality -Compliance Mapper, Consult2Comply’s Enterprise GRC application recently added new pre built infrastructures that make it easier and quicker to get a manageable and sustainable compliance strategy running. If there is an infrastructure you would be interested in, please let us know! 

New infrastructures included: 

•  NFPA 1600
•  FFIEC BCP
•  NERC CIP
•  BS 25999 BCM
•  Various India regulations
•  Cert Resiliency Framework 

Compliance Mapper functionality has also been updated to include: 

•  Workflow and Project management – assignments to individual 
• Resourcing and costing
•  Compliance checking  and sign off for mappings
•  Capability for audit scheduling
•  Ability to see when project activities are outstanding, pending or complete

BCM 25999 ACP Appointment -

Consult2Comply has been appointed an ACP for Business Continuity Management (BS 25999) in the US, in addition to its equivalent ACP status in the UK. Consult2Comply is now the only BSI member of the Associate Consultancy Program to carry both US and UK (Global) status for ISO 27001 Information Security Management System, ISO 20000 IT Service Management and BS 25999 Business Continuity Management. We are proud of this and it shows our commitment to support British and ISO standards that have relevance to organizations worldwide.

Before embarking on a true GRC initiative, organizations and professionals should adhere to the following rules of engagement to aid their understanding and identification of the appropriate needs required to be successful.

• Information Technology does not dictate the (GRC) compliance initiatives. IT does have a role to play, but the board and stakeholders are the groups responsible to ensure GRC is being met and conducted in the appropriate way throughout the organization.
• Develop your GRC strategy and document your intent.
•  Do not “silo” GRC; it’s an organization-wide issue. Ensure whoever needs to be involved is involved. Putting Risk in one silo and Legislation in another and Best Practices in another, and not understanding the relationships among them can be detrimental to the overall success of GRC initiatives.
•  Understand who will be asking for the budget. Business and IT are in competition for budget – business is most often seen as a contributor; IT is perceived as an overhead – business will normally win the budget battles.
• Unified control infrastructures put a spin on the real controls and potentially cost an organization more money in the long term (too many controls to worry about, and unified control infrastructures are not normally nationally or internationally recognized).
•  Set the baseline control infrastructure (e.g. ISO/IEC 27001, CobIT, NIST, and ISF) and work out across the regulations, standards and best practices. 
•  Do not stop at control infrastructures. Include everything that’s needed (e.g. Policy; Procedures; Process Maps; Training Records and so on).
•  Do not exclude Management Controls (these tend to be excluded in technology solutions that address IT rather than the business). These are extremely important when understanding responsibilities and metrics.
•  Understand the international implications of your GRC initiative (if they apply). Ensure the appropriate regulations, standards and best practices align to the laws of the land nationally and internationally and can work with your organizational requirements.
• Paper mappings (spreadsheets) or out-of-date diagrams are difficult to utilize and use; find something that can automate your requirements.
• Loose mappings do not offer compliance – ensure your mappings are not too high level. Loose mappings tend to skip the actual control and concentrate on the control objective which could mean implementing more controls than necessary. 
•  Having GRC solutions and associated people in silos is not a good practice to ensure compliance for an organization. A consolidated view is a must, due to the “knock-on” effect if something changes (a new control is implemented; a control is discontinued for whatever reason or changes in the regulation, standards and best practices dictate a major change).

The long awaited ISO/IEC 27005:2008 Information technology — Security techniques — Information security risk management has been published. As part of the overall ISO/IEC 27000 family of standards for Information Security Management Systems, it will now be used to determine compliance to ISO/IEC 27001:2005 requirements for Risk Assessment and Risk Treatment.  Previously, BS 7799-3:2006 Guidelines for information security risk management was the standard used for this process for either alignment or certification. ISO/IEC 27005:2008 has a number of significant subtle changes that the alignment or certification will now require. The standard has taken each process area and include the following criteria that was be used to check compliance.  For each process, there is now a requirement for; “Input” – this is what is being used as the input to the process. “Action” –  the establishment of what needs to be completed.“Implementation Guidance” – Purpose and effect – what needs to be done.“Output” – the expected outcome from the process All of these areas can now be measured more effectively by the auditor prior to alignment or certification, whereas before the auditor had to understand more about the risk process that the company had adopted. More information can be found at http://www.iso.org/iso/search.htm?qt=iso+27005&searchSubmit=Search&sort=rel&type=simple&published=on  Cost is CHF 154.00 (Swiss Francs)

CEO Steve Crutchley writes: I have been a consultant for over 30 years providing Business Protection, Security Management, Governance and Compliance services. Over those years I struggled to find supporting products that could help me achieve success with my clients. The tools I experienced seem to lack the required functionality and were a always a bit expensive.
 
Having struggled for many years, I decided to dedicated myself to assisting consultants worldwide by leveraging my hands on experience and collective knowledge into inexpensive and functional tools that address the issues facing consultants and organizations alike.
 
I invite you to try these applications at no cost and believe you will see the immediate value to the Risk, Compliance and Regulation industry.
 
Sincerely,
 
Steve Crutchley,
CEO, Consult2Comply

ISO38500, the international standard for the corporate governance of information technology (IT) is due for publication shortly.  The original draft number of ISO 29382 has been discarded, and the official number of the new standard is now ISO/IEC 38500. ISO 38500 draws upon a number of sources, specifically AS 8015:2005, which defines six principles (establish responsibilities, plan to best support the organization, acquire validly, ensure performance when required, ensure conformance with rules to ensure respect for human factors).  ISO/IEC 29382, Corporate Governance of Information and Communication Technology, was first published early in 2007 as a fast track candidate from the existing Australian standard AS 8015. It was officially re-named ISO/IEC 38500 in April 2008.  Other documents related to this publication are: AS 8000:2003 - Good Governance PrinciplesAS 3806:2006 – Compliance Programs

To get the blog going – I recently experienced an auditor from a large banking group – who undertook a Compliance audit at one of my clients. The auditor, I must admit, was not a bank employee but a contractor that had satisfied the bank that he was capable of performing a compliance audits. During the audit, I requested a review to ensure we were all on the same page. The auditor swaggered into my office and promptly sat himself down, as if he owned my office, and promptly started to tell us how bad we were. Listening in disbelief and utter confusion, I stopped the auditor in his tracks and asked what the issues were. To my horror, he promptly handed me a number of non conformities that had no bearing on the audit whatsoever. When questioned he said this was his scope and we were in non conformance with a number of items. In reality, he had decided to extend his scope and look at what he was interested in. When questioned about his findings, it was obvious he was making it up as he went along. For example- he stated that one side of our buildings had to have bullet proof windows because it was aligned with the multi-storey car park and a sniper could easily shoot someone in the office. I asked the auditor what he believed the cost would be to do this – he said that wasn’t his problem, we just had to do it. We also discussed other supposed non-conformities which in the end were all rescinded. I promptly decided to call an end to the meeting and requested we resume the next morning to review this particular NCR – I really wanted to find out what cost we were talking about.

I contacted the maintenance guys and asked the question about the bullet proof windows – I actually thought they were thinking I had been drinking and were jerking them around. I really needed to get a ‘gut-feel’ for the cost so I could confront an auditor with some ammunition against the NCR (please excuse the pun)!

The maintenance guys luckily had a contact and we were able to get a rough price for this type of work. Let’s say in was over $500,000 and would take approximately 2 months to get the job done.

The next day came around all too quickly, the auditor came to see me at the prescribed time and I then decided to play a game. I gave the auditor the costing and then asked to see his working papers and baseline controls that indicated we needed to have bullet proof windows. To my absolute dismay, he told me that it was his decision and that the bank would back him up regardless of working papers and controls (which he didn’t have). To be completely truthful – I really had a good idea he was just trying to prove a point and stamp his authority on my client. I decided that I would ask him to reconsider and rescind this NCR as well. To my disbelief he said no and that the NCR stood. I really didn’t know if to laugh or cry because my experience was staring to show that there were many audit bullies out there and that they are running ‘rough-shot’ over organizations with little to no auditor skill in dealing with NCRs.

 The outcome 

I decide to contact the bank, (the audit manager) to discuss this situation. What transpired was that the audit manager for this auditor was astounded that one of his team was taking a stance like this and was working outside of the audit scope. He was also astounded that the auditor had insisted that the work needed to be done and the auditor had stated the bank would back him up. In reality we had found a rogue auditor (and there are lots out there) trying to make organization do what the auditor wants with no regard for cost of NCR versus benefit. One good thing did come out of it – the auditor was promptly removed form site and promptly removed as a contractor for the bank.

 Lessons learned 

Do not be afraid to question what an auditor is telling you, there is a tendency to accept the NCRs and then run off to fix the problem – sometimes fixing the problem or so-called problem can cost more than the overall benefit and risks involved.

Before letting an auditor on site

Make sure you have an audit plan and you understand what is in the scope of the audit.

Check auditor competency – specifically – knowledge and understanding of the audit scope, and business sectors being audited. Do not be afraid to question the auditor and findings – REMEMBER – management determines and carries the risk of the business not the auditor.

I look forward to reading stories of Audit Bullies and bad auditing experiences that can be shared with the community!

The use of CAP to establish a baseline as part of the early phases of IS027001 or ISO20000 project will not only determine the current status in terms of a standard, but the subsequent reports can assist in quantifying the initial budgets and resource forecasts necessary for the next phases of a project.
Using these reports as input to management’s decision making will also prove the involvement and support of management in the key decision making processes necessary for the ultimate certification of these types of projects