Can I accurately predict the future?
Me, on my own, I cannot. Not with all the tarot cards, tea leaves, and palm readings in the world, would I be able to predict what will happen to you, or anyone else for that matter, tomorrow when you get out of bed.
But actually, in InfoSec Compliance, there’s a semi-simple way of knowing what may happen in the future; it’s by looking at historical data. Seeing how you behaved and reacted to situations in the past can help make more accurate predictions about your future. Examining historical Compliance data enables you to see how far your organizational Compliance posture has come, so that you (and perhaps more importantly, your auditor) can understand where you are likely headed.
“History is a better guide than good intentions” - Jeane Kirkpatrick
I'm no history teacher (there was more money to be made in InfoSec than teaching, sorry to say) but although the need to wait 6 month to a year to complete an audit is frustrating (to say the very least), it makes sense. Here is why I say this; A few weeks ago we explored the differences between SOC 2 Type 1 and SOC 2 Type 2. I’ll avoid a major recap here, but suffice to say that the 2 types of SOC attestations are similar in many ways; both check in on controls and policies, with the goal of understanding Compliance posture. Yet there is one massive difference -- SOC 2 Type 2 is all about the value of showing Compliance over time and Type 1 focuses on the here and now. And we all know that of the two, SOC 2 Type 2 is far more valuable.
{{banner-image}}
There are two reasons that looking at history is so crucial:
For the current year’s Compliance assessment
The goal of frameworks like SOC 2 and ISO 27001 is to establish practices that enable optimal Compliance posture. This is done by selecting the controls that matter most to your organization. These may be controls like event logging, monitoring, and incident handling. It may also include proper change management, such as detection of changes, change requests, designs and approvals, security testing for changes, rollback from changes and emergency change processes and lots more. Whatever the case, once controls are agreed upon with the auditor, you then have to wait a significant period of time to see if they are effectively implemented and to ensure you always get the same results.
If you can demonstrate that your controls always work as planned over that time period, this serves as a powerful demonstration that your Compliance strategy is solid. And this is why it takes so long to prepare for SOC 2 Type 2 and is also why it’s more valuable than a Type 1 report. It is the model for a Compliance framework in which history is a critical component.
To show Compliance maturity over time
The other reason we care about history is to understand maturity over time; this is especially important in ISO 27001, where improving maturity year-on-year is a major factor. Remember the first time you prepared for ISO? It was sufficient if your controls consisted of having policies and procedures in place and showing management commitment and decision making regarding security measures, as well as proper access management, focused on on- and off-boarding processes. But we both know that while this is great for a startup in its infancy, it wouldn't fly at say Microsoft, or even a startup with a few years worth of audits under their belt.
Section 10 of ISO 27001:2013 covers the continual advancement of the Information Security Management System assessment (ISMS). Section 10.1, Nonconformities and Corrective Actions, examines the corrective procedures taken when your company experiences a Compliance failure. Section 10.2, Continual Improvement, looks at how your organization inspects, reviews, and then measures those procedures to ensure improvement is always happening. The focus is on ensuring that your Compliance posture is always being worked on and optimized and every year is better than the last.
“If you want to understand today, you have to search yesterday” – Pearl S. Buck
This is the benefit of having access to Compliance history; it enables you to see where you've come from and where you're headed. With the right tools, such as a real-time data infrastructure you can demonstrate “Compliance over time”, to show improvement with both internal and external standards.
They say that if we aren't careful, history repeats itself; I say that the more careful and intentional we are in crafting our Compliance policies and procedures, then hopefully, with any luck, history will continue to repeat itself.