Compliance is defined in the dictionary as “the action or fact of complying with a wish or command.” That is a very simple definition for a complicated topic, especially when you consider all the demands and regulations companies are asked to be compliant with these days. In the business and IT world, I think of compliance more as meeting the requirements of defined regulations, frameworks or laws.
SOC, HIPAA, SOX, NIST and PCI are just a few of the most well-known regulations that businesses are expected to be compliant with. While there is overlap between some of these regulations, each one has a different set of requirements that must be met for a business to be considered compliant.
Compliance allows for a common language to be used between regulators and auditors in order to evaluate the effectiveness of controls in place. For example, a SOC 2 (System and Organization Controls) engagement has five (one that is required and four that are optional) TSPs (Trust Service Principles) and defined common criteria that are tested by the auditor and concluded on in the issued report at the end of the engagement. This allows the readers of the report to understand if the service organization is “compliant” with the required controls for a SOC 2.
Many companies do not prepare for compliance to a regulation until it is a requirement, and then they are scrambling to get the right policies, processes and controls in place. This approach can be stressful, costly and prone to error. Preparing early can help ensure the appropriate amount of time and effort are put into meeting the requirements to be compliant with a regulation, framework or law.
So how does a company get started on being compliant? If a company is aware of a regulation in its industry, it would be beneficial to learn more about the regulation and understand whether it applies to the organization. Starting right away will go a long way. Also, if a client asks a company whether it has a certain certification, report or framework in place, it will most likely not be the last time the company is asked about it, so it is worth taking the time to understand what is involved. Starting early and understanding what would be required of your company gives you the time needed to do things correctly.
Additionally, contacting a knowledgeable and experienced provider to help you through the compliance process will go a long way. For example, at Linford & Company, we have helped many of our clients go through initial SOC and HIPAA requirements for the first time. We offer pre-assessments as initial steps in determining where there may be gaps in controls that would preclude a service organization from having a successful or clean conclusion.
If you foresee your company needing compliance at some point in the future, whether near or far, we recommend starting as soon as possible. If you have questions about whether compliance is required, feel free to reach out to Linford & Company via our website at https://linfordco.com/contact/.