For many businesses, achieving information security standards allows them to operate in new territories and do business with more companies within those territories.
For example, the American Institute of Certified Public Accountants (AICPA) standard SOC 2 is widely used in the US and Canada, while International Organisation for Standardisation (ISO) standard ISO/IEC 27001 is more popularised in the UK and Europe. If you’re working with prospects from multiple geographies, you may find that you receive enquiries about whether your business is compliant with various information security standards.
Our unique “compliance as you work” ethos is not limited to security standards. Security governance sits within the broader GRC or ESG agenda, so Hicomply also supports a range of core standards covering quality (ISO 9001), financial transaction security (PCI DSS), privacy (GDPR), health and safety (ISO 45001) and environment (ISO 14001).
Considering potential information security standards
Deciding which certification to focus on first can be a daunting process, and the decision can hinge on various factors. The standards you already have, the amount of work involved to achieve a standard or certification, the timeframe to external audit, the territory or territories that your business is currently focusing on, and the needs or requirements of any third parties such as investors, suppliers and current customers can all come into play.
The Hicomply platform is designed to help you quickly and easily achieve, maintain and manage your certifications, whether you’re looking to get certified to one standard or several.
Is it better to work one standard at a time, or multiple standards at once?
If you’re starting from scratch, our digital ISMS experts and qualified implementors, Hicomply customer success manager Laura and head of services Zoe, suggest getting your business certified to a single security standard before starting work on any others. Doing so means you can keep your workload low and your focus on a single project.
With the comprehensive onboarding offered by our customer success team (or entirely self-led digital onboarding, if you prefer this approach), you can kickstart your journey to certification and complete key tasks to get set up for success. For example, in ISO 27001, this includes tasks such as completing your asset register and risk assessments.
In addition, Hicomply automates over 90% of the work for you with automated risk assessments, a full asset library, policy and procedure generation, and the capacity to automate your evidence collection from your third-party HR, task management and ticketing apps. Getting your organisation audit-ready is faster and simpler than ever.
Using the Hicomply platform, you can achieve certification in half the average time frame – freeing up your time and resource to focus on winning new customers.
How will I know when I'm ready for my audit?
The platform’s built-in audit feature can be used at any time. You can use it at the start of your project to get an idea of your business’s security posture, to undertake a gap analysis, or to monitor your progress in preparation for an external audit. You can select all of the clauses in your chosen standard or choose to focus on a specific clause or clauses, and view the objective, control description and guidance for related controls.
The tool allows you to:
- Identify non-conformities, for example where information is missing
- Identify areas for improvement, such as policies that need to be updated or clarified
- Request further evidence to prove compliance
Is there an overlap between requirements in standards?
Within standards like ISO 9001 and ISO 27001 there are many similar requirements because these standards were developed by the same regulatory body. However, even across standards that were developed by entirely different organisations, many of the required documents, policies and procedures are alike. For example, SOC 2 and ISO 27001 share around 80% of the same controls.
This means that once you’ve achieved one standard with a set of approved documents, you can often cross-pollinate the documents into the next standard you choose to work on, cutting down on your workload for that standard and saving both time and resource. By waiting to work on your second information security standard until you’ve successfully passed the audit for your first standard, you’ll have less work to do to become compliant.
Final thought
Whether you’re considering just one standard or several, achieving information security compliance can open up access to new territories and customers for your business. It’s wise to consider which standard most suits the needs of your business, which is often the standard most appropriate for the key geographies you want to unlock.
Once you’ve successfully passed your audit and achieved that standard, any other standards you want to work on will almost certainly see a reduced workload and a shorter timeline to external audit.