Data Security and Demonstrating Compliance
- By Stuart Barker, Guest Author
When it comes to legal and regulatory requirements for data, at the heart of all of them is the need to implement and demonstrate data security compliance. Whether it is the FCA Handbook, which is as vague as requiring 'an adequate information security management system' and references an out-of-date BS standard, or the GDPR, there is no doubt that having an information security management system makes sense.
'If it isn't written down, it doesn't exist.'
The question is how an organisation demonstrates compliance. I deal daily with companies that are, on the whole, doing the right thing, but can they demonstrate it? Not so much. The world of audit works on the principle that if it isn't written down, it doesn't exist.
If you have been through GDPR then this comes as no surprise to you. The first advice I would give is to document everything. Make sure you have documented processes and procedures in place. I know you 'do the doing', but write down what it is that you actually do. The benefits of writing it down include:
- gaining some understanding of your own organisation,
- gaining some consistency in how you operate internally,
- being able to demonstrate to a regulator or auditor, if you have a breach, that you knew what you were doing and it wasn't your fault,
- and when and if customers ask you what you do, ta-da, you can show them!
Documentation also gets you ready for a more formal method of demonstrating compliance: certification.
This is not for the faint-hearted. You need a compelling business case to get certified, because it is going to cost you a lot of money. The main options are:
- Cyber Essentials - cheap as chips, but with comparatively low value in terms of its acceptance outside the public sector.
- ISO 27001 - the standard of standards and the one most requested and referred to, but brace yourself. In the article 'How much does ISO 27001 cost', Stuart Barker - The Data Security Guy - estimates year-one ISO 27001 certification costs in the region of £8,000, with implementation costs of a similar value. For year one alone you would be budgeting at least £16,000, and this is not a one-shot deal: the certificate has to be maintained through ongoing surveillance audits and recertification in later years.
- SOC 1 / SOC 2 - more prevalent in the Americas, where ISO 27001 is less well accepted, and for this one you are going to have to get your cheque book out. We see SOC fees ranging from £18,000 to £50,000 just for the audit and attestation report. Steep, isn't it?
- Penetration testing - important if you have a technical solution, with fees in the £10,000 to £20,000 range for a small company. Bear in mind that a penetration test produces a report on the state of a system at a point in time rather than a certificate, so it complements rather than replaces the schemes above.
Whether you certify or not, make sure you have adequate documentation in place. If it isn't written down, it doesn't exist.
Author: Stuart Barker
Stuart specialises in fintech and financial services companies, with over two decades of experience delivering legal and regulatory compliance for data. He focuses on getting and keeping companies compliant for data security, which usually means ISO 27001, PCI DSS, SOC 1 and SOC 2 certification and regulations such as the FCA regulations for data security.
Stuart started, built and successfully sold a cyber security business. Now he advises companies and builds data security capability allowing them to meet the needs of their customers, the needs of their funders and the needs of the law. Usually in that order.
He is also a driver in addressing isolation, wellbeing and mental health in business, and in building emotionally intelligent people networks.
Advanced UK are proud of our association with Stuart and High Table, and together we bring security to your organisation.
⏱ 5 Second Summary
Stuart Barker of High Table is one of the foremost experts on data security in the United Kingdom, with particular expertise across the FinTech and Financial Services sectors. In this guest article, Stuart offers sound advice on how to approach ISO 27001 certification.