What Does “Compliant” Mean in IT & Business?

Compliance in business

Compliance is defined in the dictionary as “the action or fact of complying with a wish or command.” That is a very simple definition for a complicated topic, especially when you consider all the demands and regulations companies are asked to be compliant with these days. In the business and IT world, I think of compliance more as meeting the requirements of defined regulations, frameworks, or laws. Specifically, compliance covers the steps a company takes to conform to governance (all the laws and prescriptive controls that are needed in a company and for standards).

IT Compliance Standards to Be Aware Of

SOC, HIPAA, HITRUST, SOX, NIST, FedRAMP, CMMC, ISO, and PCI are just a few of the most well-known regulations/standards that businesses are expected to be compliant with. While there is overlap between some of these regulations, each one of these has a different set of requirements that must be met for businesses to be considered compliant with the standard. You can find additional compliance guidance for some of these frameworks listed below.

Compliance allows for a common language to be used between regulators and auditors in order to evaluate the effectiveness of controls in place.

For example, a SOC 2 (System and Organization Controls) engagement has five TSCs (Trust Services Criteria), one of which is required and four of which are optional, along with defined common criteria. The auditor tests these criteria and concludes on them in the report issued at the end of the engagement. This allows readers of the report to understand whether the service organization is “compliant” with the required criteria for a SOC 2 report.

Another example is the HIPAA Security Rule. A covered entity must comply with all of the standards of the Security Rule with respect to the ePHI (electronic protected health information) it creates, transmits, or maintains to be compliant with the HIPAA Security Rule. The auditor performing the HIPAA audit will test that the covered entity is compliant with the HIPAA Security Rule and issue a conclusion in the report.

Many companies do not prepare for compliance with a regulation until it is a requirement, and then they are scrambling to get the right policies, processes, and controls in place. This approach can be stressful, costly, and prone to error. Preparing early can help make sure the appropriate amount of time and effort is put into meeting the requirements to be compliant with a regulation, framework, or law.

So how does a company get started on being compliant? If a company is aware of a regulation in its industry, it is beneficial to learn more about the regulation and understand whether it applies to the organization. Starting right away will go a long way. Also, if a client asks a company whether it has a certain certification, report, or framework in place, that will most likely not be the last time the company is asked about it, so it is worth taking the time to understand what is involved. Starting early and understanding what would be required for your company will give you the time needed to do things correctly.


How Do I Get Compliant With All the Standards Out There?

Contacting a knowledgeable and experienced provider to help you through the compliance process will go a long way. Many of the standards require that the provider be certified or accredited to even perform the audit that results in the certification or report. It is beneficial to first do research to find out whether the particular standard has a requirement such as this. For example, a SOC examination has to be performed by a CPA firm, as the standard is governed by the AICPA. Another example is the CSA (Cloud Security Alliance) STAR program, which requires providers to certify with CSA; a list of certified STAR auditors is then provided on the CSA website.

Additionally, many of the standards have governing websites that provide information on the standard and compliance, and some even provide information on implementation specifications. The implementation specification is a more detailed description of the method or approach that can be used to meet the requirements of a particular standard. Below is a list with links to some of the common standards that are current in the IT industry.

Can & Should I Advertise That I Am Compliant With a Specific Standard?

If you become compliant with a specific standard, there is nothing wrong with using that to your benefit. Putting a statement on your website, in marketing materials, or in a press release stating that you are compliant with a standard, and that this compliance is audited and verified by a third party, can be very positive. Some reports, such as SOC 1 and SOC 2 reports, cannot be publicly circulated (for example, posted on your website), but adding a note that the report is available to clients upon request is recommended. If you are not sure whether you can share the report, or who you are allowed to share it with, check with the audit firm that completed the examination for guidance.


Who Should be in Charge of Compliance?

Having a designated person or department in charge of compliance is the best way to make sure that compliance is continuously monitored. While this can be an option for large organizations, it is not always feasible for small or medium-sized companies. In organizations of these sizes, a person can be designated as the point of contact for a specific compliance examination. This person is responsible for providing the required documentation and monitoring ongoing compliance with the established standard throughout the period under review. This person is generally not in a standalone compliance role, but takes on that responsibility as part of their job function.

Key Takeaways on Compliance in IT & Business

The first step in determining whether you need to be compliant with a standard or regulation is to talk to a provider that understands the requirements and has the appropriate certifications or accreditations. Using the governing body’s website to gain information about the standard, and possibly even to find a provider, is a great way to gather information.

Linford and Company assists organizations with a number of audit compliance services such as SOC 1 audits, SOC 2 audits, StateRAMP Assessments, ISO/IEC 27001:2022, PCI DSS audits, and CMMC compliance audit services. If you foresee your company needing compliance at some point in the future, whether near or far, we recommend starting as soon as possible. If you have questions about whether compliance is required, please request a consultation with one of our auditors.

This article was originally published on 10/18/2017 and was updated on 12/11/2024.