Build a Security Compliance Program | Info-Tech Research Group

Do not fill in this field

Enter no text in this field

Get Instant Access
to This Blueprint

Business Email

Full Name

Company

Phone

Job Title

Most organizations spend between 25 and 40 percent of their security budget on compliance-related activities.
Despite this growing investment in compliance, only 28% of organizations believe that government regulations help them improve cybersecurity.
The cost of complying with cybersecurity and data protection requirements has risen to the point where 58% of companies see compliance costs as barriers to entering new markets.
However, recent reports suggest that while the costs of complying are higher, the costs of non-compliance are almost three times greater.

Our Advice

Critical Insight

Test once, attest many. Having a control framework allows you to satisfy multiple compliance requirements by testing a single control.
Choose your own conformance adventure. Conformance levels allow your organization to make informed business decisions on how compliance resources will be allocated.
Put the horse before the cart. Take charge of your audit costs by preparing test scripts and evidence repositories in advance.

Impact and Result

Reduce complexity within the control environment by using a single framework to align multiple compliance regimes.
Provide senior management with a structured framework for making business decisions on allocating costs and efforts related to cybersecurity and data protection compliance obligations.
Reduces costs and efforts related to managing IT audits through planning and preparation.
This blueprint can help you comply with NIST, ISO, CMMC, SOC2, PCI, CIS, and other cybersecurity and data protection requirements.

Build a Security Compliance Program Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should manage your security compliance obligations, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

Build a Security Compliance Program – Executive Brief

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.5/10

Overall Impact

$27,209

Average $ Saved

17

Average Days Saved

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

Helmerich & Payne, Inc.

Guided Implementation

9/10

$62,999

20

Overall, a good experience. We were looking for guidance on creating a roadmap to achieve ISO 27001 certification. Bob provided us with the specific control objectives and a mapping framework, from which we able to start working on the level of effort in...

College of the Ozarks

Workshop

10/10

$23,500

50

The overall engagement was the best part of my experience. The ability to answer questions and have the ability to shift around the engagement because of those questsions as needed was extremely beneficial. No bad experience whatsoever.

Turo Inc.

Guided Implementation

9/10

$31,499

20

Cianbro Corporation

Guided Implementation

10/10

$30,999

10

Cameron is very knowledgeable. He was able to quickly and efficiently walk us through the InfoTech site related to our Cybersecurity and CMMC strategic needs. No concerns, however as CMMC is new to everyone InfoTech is in the learning curve too. Camer...

Syngenta Limited

Guided Implementation

10/10

$1,859

2

It is hard to estimate the value of what you have done until I get to the end of my implementation. I did find the Policy Template useful which I got from one of the follow up emails.

Wade Trim Associates, Inc.

Guided Implementation

9/10

$12,399

2

Load More Testimonials

Workshop: Build a Security Compliance Program

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish the Program

The Purpose

Establish the security compliance management program.

Key Benefits Achieved

Reviewing and adopting an information security control framework.
Understanding and establishing roles and responsibilities for security compliance management.
Identifying and scoping operational environments for applicable compliance obligations.

Activities

Outputs

1.1

Review the business context.

RACI matrix

1.2

Review the Info-Tech security control framework.

1.3

Establish roles and responsibilities.

1.4

Define operational environments.

Environments list and definitions

Module 2: Identify Obligations

The Purpose

Identify security and data protection compliance obligations.

Key Benefits Achieved

Identifying the security compliance obligations that apply to your organization.
Documenting obligations and obtaining direction from management on conformance levels.
Mapping compliance obligation requirements into your control framework.

Activities

Outputs

2.1

Identify relevant security and data protection compliance obligations.

List of compliance obligations

2.2

Develop conformance level recommendations.

Completed Conformance Level Approval forms

2.3

Map compliance obligations into control framework.

(Optional) Mapped compliance obligation

2.4

Develop process for operationalizing identification activities.

(Optional) Identification process diagram

Module 3: Implement Compliance Strategy

The Purpose

Understand how to build a compliance strategy.

Key Benefits Achieved

Updating security policies and other control design documents to reflect required controls.
Aligning your compliance obligations with your information security strategy.

Activities

Outputs

3.1

Review state of information security policies.

3.2

Recommend updates to policies to address control requirements.

Recommendations and plan for updates to information security policies

3.3

Review information security strategy.

3.4

Identify alignment points between compliance obligations and information security strategy.

3.5

Develop compliance exception process and forms.

Compliance exception forms

Module 4: Track and Report

The Purpose

Track the status of your compliance program.

Key Benefits Achieved

Tracking the status of your compliance obligations.
Managing exceptions to compliance requirements.
Reporting on the compliance management program to senior stakeholders.

Activities

Outputs

4.1

Define process and forms for self-attestation.

Self-attestation forms

4.2

Develop audit test scripts for selected controls.

Completed test scripts for selected controls

4.3

Review process and entity control types.

4.4

Develop self-assessment process.

Self-assessment process

4.5

Integrate compliance management with risk register.

4.6

Develop metrics and reporting process.

Reporting process
Recommended metrics

Cost-effective compliance is possible.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 5-phase advisory process. You'll receive 9 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Establish program

Call 1: Scope requirements, objectives, and your specific challenges.

Guided Implementation 2: Identify obligations

Call 1: Establish framework and roles.
Call 2: Identify operational environments.

Guided Implementation 3: Implement compliance strategy

Call 1: Identify compliance obligations and conformance levels.
Call 2: Map obligations into control framework.

Guided Implementation 4: Verify

Call 1: Review policies and strategy.
Call 2: Develop test scripts.

Guided Implementation 5: Track and report

Call 1: Track status and exceptions.
Call 2: Report on program status.

Author

Kate Wood

Search Code: 95780
Last Revised: August 23, 2022

TAGS:

Security compliance, compliance management, compliance obligations, data protection, cyber security, control framework, security audit, nist, cmmc, soc2, soc 2, iso 27001, iso 27002, iso27001, iso27002, cis top 20, top 20 controls, pci

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019