June 30, 2023

Getting SOC2 and ISO27001 ready

An extensive guide to understanding and being ready for ISO 27001 and SOC2 certifications.

This comprehensive article will cover a range of essential topics related to compliance. First, we will explore the critical importance of compliance and its significance across industries. Next, we will look at the role of Legal Ops in driving compliance efforts. We will then discuss effective project management strategies for achieving and maintaining compliance, followed by an in-depth look at the steps involved in preparing for ISO 27001 and SOC 2 certifications: gap analysis, risk assessment, policy and procedure formalization, incident response, disaster recovery planning, and employee training programs. Additionally, we will examine data governance and privacy measures within the context of the ISO 27001 and SOC 2 frameworks and the importance of auditing and monitoring for continuous compliance. Finally, we will cover the benefits of compliance automation software and conclude with a summary of the key points covered in the article.

Understanding the Importance of Compliance

By following this guide and leveraging compliance automation software, legal professionals in multinational corporations can efficiently navigate the process of obtaining SOC 2 and ISO 27001 certifications. This combination of effective guidance and automation tools ensures the security and compliance of their organizations' information assets, while also reaping the benefits of streamlined compliance processes.

Compliance is vital for multinational corporations, which must contend with complex legal landscapes, protect their reputation, mitigate risks, maintain ethical standards, and gain a competitive edge in the global marketplace. Compliance is not something you can live without, and its complexity is increased by the existence of many different frameworks.

An EY compliance risk survey revealed that 63% of companies consider it a top challenge. These frameworks form a multi-tiered system that demands substantial investments in specialized personnel and dedicated costs every year. A Coalfire analysis found that a majority of companies devote up to 40 percent of their security budgets to compliance efforts. Furthermore, nearly half of medium-to-large companies dedicate an extensive amount of time, equivalent to 20,000 man-hours per year, to ensuring compliance. Astonishingly, 58 percent of these organizations also perceive compliance as a notable obstacle when attempting to enter new markets.

For all these reasons, legal entities should opt to align themselves with internationally recognized and highly standardized frameworks. They should allocate the necessary budget to plan for compliance activities and increasingly consider adopting compliance automation software, which promises to streamline compliance processes and deliver an annual ROI of 80-85%. This strategic approach, embraced by Legal Ops professionals, ensures efficient compliance management while making the most of available resources.

Why compliance certifications for multinational corporations?

By obtaining compliance certifications, multinational corporations can enhance trust, meet regulatory requirements, mitigate risks, gain a competitive edge, and access new markets. These certifications are instrumental in demonstrating commitment to data privacy, security, and compliance, which are crucial in today's interconnected business landscape.  

Nothing new to Legal Ops departments: when engaging in negotiations with a prospect, one of the initial requests often revolves around existing certifications within the company, particularly ISO 27001 and SOC 2, or any documentation showcasing the robustness, reliability, and security of the IT infrastructure. This holds especially true for businesses operating in the SaaS or cloud service domain.  

When a company lacks certification, the following unfolds:

  • The prospect client must submit all documentation to their internal departments (Legal and Cyber), seeking their review.
  • Internal departments invest considerable time and often attempt to deflect the request, suggesting certified services or questioning if the selected provider is the sole player in the market.
  • The prospect client finds themselves justifying internal costs right from the start, in addition to the service fees being negotiated.

Therefore, the first major benefit of IT certification is customer trust.  

Moreover, by embracing compliance, companies can enhance productivity, proactively address legal concerns, and conduct a thorough evaluation of internal policies and procedures. This is because pursuing an IT compliance certification often reveals inefficiencies and counterproductive practices within organizations, and executive leaders have the opportunity to establish a corporate culture centered around compliance by leveraging IT security compliance certifications. Instead of evading regulations or taking shortcuts, employees should recognize the significance of adhering to compliance standards.

Compliance certifications should not be underestimated, especially in terms of simplifying interactions with regulatory authorities. These authorities rely on certifications as evidence of a commitment to compliance, which in turn streamlines potential audit activities. Holding certification can serve as a valuable asset when engaging with regulatory bodies, facilitating smoother communication and demonstrating a proactive approach to meeting compliance requirements and avoiding fines and penalties.

Legal Ops plays a pivotal role in leading compliance processes, even in the realm of IT frameworks such as ISO and SOC. They support the various departments in understanding the technical and legal requirements imposed by the different frameworks. In practice, it is common for the legal department to be entrusted with defining the policies that ensure compliance with the chosen framework. With their expertise, they strike the right balance between legal language and employee-friendly comprehension, tailoring the policies so that the necessary guidelines are communicated effectively. By bridging the gap between legal and operational aspects, Legal Ops facilitates the smooth implementation of compliance measures, ensuring that employees grasp their obligations while staying aligned with the organization's overall strategic goals.

Project Management Strategies for Implementing SOC 2 and ISO27001 Processes

The compliance management plan is a fundamental tool for implementing proper compliance processes within the company. This plan is a comprehensive roadmap that outlines the steps and strategies to ensure adherence to applicable regulations and standards. It encompasses various elements such as risk assessments, policy development, training programs, monitoring mechanisms, and continuous improvement initiatives.  

Here are some key tips to consider when creating your compliance management plan:

  • Conduct a thorough risk assessment: understand regulatory standards and identify potential failures in your business processes to prevent and correct them.
  • Establish corporate policies and procedures: develop top-down initiatives that align with the outcomes of your risk assessment.
  • Communicate the plan and provide training.
  • Account for routine maintenance: stay up to date on standards and conduct periodic reviews and corrections.
  • Conduct periodic audits: regular internal audits are essential to avoid irreparable mistakes and ensure ongoing compliance.

Preparing for ISO 27001 and SOC2 Certification: from zero to hero

ISO 27001 and SOC 2 Certifications: what are they?

In today's global business landscape, as noted above, customers are increasingly concerned about the impact of their vendors on their IT infrastructure and the risks posed by unreliable suppliers. The Service Organization Control (SOC) 2 report and ISO 27001 are the most relevant certifications in the international market.

But how does SOC 2 differ from ISO 27001, and can organizations use ISO 27001 to fulfill SOC 2 requirements?

ISO 27001 is an international standard establishing Information Security Management System (ISMS) requirements. Applicable globally, it defines a systematic approach to protect information and consists of 10 clauses and 93 security controls grouped into four sections. It enables organizations to align security levels with desired objectives using a risk management approach. SOC 2 consists of audit reports demonstrating conformity to defined criteria (Trust Service Criteria or TSC). It validates internal controls related to information systems involved in service provision and covers five overlapping categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. ISO 27001 provides controls that align with the Trust Service Criteria of SOC 2. By implementing ISO 27001 controls, organizations can fulfill the requirements of SOC 2 while enhancing their information security practices; this is why many legal entities are adopting both frameworks. Instead of viewing them as competing choices, organizations can recognize that an ISO 27001 ISMS provides a solid foundation for preparing SOC 2 reports.

Some industry leaders also endorse one standard over the other. The Microsoft Supplier Security and Privacy Assurance Program (SSPA) refers only to ISO 27001. This company-wide program ensures that Microsoft suppliers are adequately protected in terms of information security and privacy before they are permitted to process personal data, information assets, or Microsoft Confidential Data under Microsoft policies, thereby extending Microsoft's values to all its suppliers. In Microsoft's view, ISO 27001 is of fundamental importance because it is attested by an independent certification body, is kept up to date, reflects all the relevant applicable laws, and is a standard recognized all over the world (whereas SOC 2 is more of a US standard, now extending to Europe).

In my professional experience, I can say that 90% of companies decide to go for ISO 27001 first, and only afterwards add SOC 2 to streamline negotiations with US clients.

Gap Analysis: evaluating existing security measures and identifying gaps

Conducting a “gap analysis” is the first step for evaluating existing security measures and identifying gaps in compliance with SOC 2 and ISO 27001 standards. By assessing the current state of security controls, policies, and procedures, organizations can uncover areas of non-compliance and understand the potential risks associated with these gaps. This analysis serves as a foundation for developing remediation strategies and closing the identified gaps to achieve compliance objectives.

While assessing your information security controls, it is not solely the ISO 27001 and SOC 2 requirements that matter. Implementing appropriate best practices suitable for your organization's size and stage is equally important. Whether a large corporation or a series A startup, information security should be implemented and enforced based on your specific circumstances and growth objectives.  

The first output of a gap analysis is awareness. It must be carried out with the utmost respect for the principles of transparency and impartiality, encompassing all the most relevant processes within the company. A gap analysis is a fact-finding operation that evaluates your current security posture against industry standards and the SOC 2 framework. For ISO 27001, it assesses the key vulnerabilities, from human issues such as communication to technical problem areas like access controls. For SOC 2, it is more of a comparison of existing controls, such as those in place for data privacy, risk management, or cyber-attack mitigation, against the requirements outlined by the framework.

In my experience, the fundamental questions to address are:

Gap Analysis for ISO27001

  • What are the organization's current information security policies and procedures?
  • Are there clearly defined roles and responsibilities for information security management?
  • How is risk management currently practiced within the organization?
  • What security controls and safeguards are in place to protect information assets?
  • Are there established incident management and response processes?
  • Is there a process for monitoring, measuring, and evaluating information security performance?
  • How is employee awareness and training on information security conducted?
  • Are there appropriate physical and environmental security measures in place?
  • How are suppliers and third-party relationships managed from an information security perspective?
  • Is there a formal process for conducting regular security audits and reviews?

Gap Analysis for SOC 2

  • What type of data do you store or transfer?
  • Where does the data reside?
  • How does it flow within your organization?
  • Who has access to the data?

To conduct a gap analysis effectively, I suggest, based on my experience, using specifically designed tools that allow you to track the requirements and essential elements for compliance with the chosen frameworks. Small organizations can adopt models such as checklists distributed to the various departments, with item cards divided by specific competence. Larger organizations with complex organizational structures, typically with more than 250 employees, will certainly prefer compliance automation tools, which are discussed in the following paragraphs.

Conducting a comprehensive risk assessment  

Another crucial tool is a risk assessment to understand potential risks that could impact an organization's information security and compliance. Organizations can prioritize their efforts and allocate resources effectively by defining the scope, identifying risks, and assessing their likelihood and impact. The risk assessment outcomes inform the development of risk mitigation policies, enabling organizations to address and minimize potential risks to their information assets proactively.

The risk assessment process involves establishing scales for probability and impact, creating a matrix that relates the two, and calculating the resulting risk level. The assessment should consider the structure of the information security controls as well as system and privacy attributes. Implementing security and privacy measures requires the establishment of control objectives, which should reference the controls established by ISO 27001. The risk level is categorized based on the calculated probability and impact values, and the organization should define the risk level it considers acceptable.

The fundamental steps in conducting an information security risk assessment are identifying all information assets (e.g., physical copies, electronic files, devices, removable media) and the related threats and vulnerabilities (e.g., probability of loss of a device or data, exposure to a data breach). Risks should then be prioritized based on scores and criteria: level 1 risks must be mitigated immediately, and only afterwards should the others be approached. Risk reports and documentation of the evaluation conducted must be retained for audit purposes and to ensure that information is handled properly.

Developing policies and procedures to meet these requirements  

Effective policies and procedures provide a framework for consistent and compliant practices. It’s time to build the team to develop policies that align with the standards.  

My most recent professional experience made me realize that there are some fundamental elements to consider in this process, which is often led by Legal Ops as a center of cooperation. The first step is to ensure everyone is on board by adding team members and stakeholders to a centralized online platform, shared tool, or cloud workspace that can be accessed at any time. To facilitate effective communication, it is important to use separate discussions for each document or topic and to send notifications through email or internal chat tools so that important information reaches everyone involved. I find Slack channels specifically dedicated to compliance cooperation activities really useful.

Software designed for compliance automation is the game changer here: by automating task creation, assignment, and notifications, tasks can be assigned to the appropriate team members, promoting accountability and ensuring timely completion. These tools also provide document management with storage and version control, review and approval workflows, and logs of all the steps and actions taken by the teams. A clearly defined schedule for reviewing and updating policies ensures that they remain relevant and effective in meeting the organization's needs, without having to act on all documents at once during a single period of the year, which would result in an inefficient and unmanageable workload.

Incident Response and Disaster Recovery  

Incident response and disaster recovery are key components of a comprehensive cybersecurity and compliance strategy. By developing incident response plans, organizations can effectively detect, contain, and mitigate security incidents and minimize their impact. Additionally, a well-defined disaster recovery plan ensures the organization can quickly recover and resume operations in the event of a major disruption. All legal, cyber, and IT teams are well aware that a data breach can have catastrophic consequences for the organization, its business operations, and even its survival.

Here is a practical example of incident response plan steps:

  • First, train employees in their roles and responsibilities, conduct mock data breaches and penetration tests to evaluate your response plan, and ensure all aspects of the plan are approved and funded.
  • In the event of a suspected breach, determine whether a breach has actually occurred and gather as much information as you can about the event, documenting facts and security vulnerabilities.
  • Disconnect all affected devices and rely on redundant system backups to limit the consequences of the breach.
  • Next, focus on eliminating the root cause of the breach. This involves securely removing malware, patching systems, and applying necessary updates. Address any existing security issues meticulously to minimize data loss and mitigate liability.
  • Once the breach has been contained, proceed with the recovery phase and restore devices and data to their normal functioning state.
  • Hold an after-action meeting to analyze the breach and document lessons learned.

Employee Training and Awareness Programs: promoting a culture of security and compliance

Employee training and awareness programs are mandatory in every compliance framework but are often undervalued. Organizations should ensure employees have the knowledge and awareness to protect sensitive information and comply with requirements. These programs help establish a proactive approach towards security, encouraging employees to be vigilant, report incidents, and actively contribute to maintaining a secure work environment.

Ongoing awareness, understanding, and appropriate action are necessary to keep data safe and prevent compromises. However, inconsistent messaging often creates confusion among employees, leaving them unclear about how to protect company information. Building a strong security culture from the top down is crucial, and it requires continuous effort to help employees understand the impact of their behavior on corporate data.

Data Governance and Privacy Measures

Part of the journey throughout compliance is implementing data governance frameworks for protecting sensitive information and ensuring proper data management practices. Organizations can maintain data integrity, confidentiality, and availability by establishing clear policies and guidelines. Additionally, compliance always goes hand in hand with privacy regulations such as GDPR. By prioritizing data governance and privacy measures, organizations can safeguard sensitive information, build customer trust, and meet regulatory requirements.

Compliance frameworks such as ISO 27001 and SOC 2 provide a solid foundation for establishing robust security controls. However, integrating compliance with data governance and privacy becomes crucial for organizations aiming to manage and protect their data assets effectively. Organizations must go beyond mere compliance to ensure effective data governance and privacy. Data governance encompasses the policies, procedures, and processes that govern the collection, storage, use, and sharing of data throughout an organization. It provides a framework for organizations to manage data as a valuable asset and ensures data quality, integrity, and availability.

In the EU, technical compliance frameworks such as ISO 27001 and SOC 2 must be considered together with the GDPR, which sets strict guidelines for data protection and privacy; organizations must align their data governance practices with these regulations. By incorporating GDPR principles into the data governance program, organizations can proactively protect personal data, demonstrate accountability, and mitigate the risks associated with non-compliance.

In my business organization, we establish the scope, identify data owners, and set clear objectives aligned with business needs and regulations. The expertise of key stakeholders from various departments is crucial for implementing the program, and people from IT, cyber, accounting, and HR must be involved. Legal must create comprehensive data policies that align with regulatory requirements, including the GDPR, which includes defining clear roles and responsibilities to meet the accountability principle stated by the law.

A data governance program fits into an ongoing, continuous cycle that never ceases. As a result, it is crucial to include an evaluation and assessment phase, which may sometimes involve modifying or enhancing the program. Corrective measures should be implemented when vulnerabilities or weaknesses are identified, while adjustments may be necessary in response to regulatory changes, technological advancements, new risks, or organizational restructuring. This ensures that the data governance program remains adaptable and resilient in evolving circumstances.

Regular Audits and Compliance Monitoring

Conducting internal audits allows for objective evaluations of security controls and processes, identifying areas that require improvement. Regular compliance assessments and monitoring help identify any deviations or non-compliance, allowing timely corrective actions to be taken. Audit findings are the main tool for monitoring security controls, remediating deficiencies, and mitigating risks. Continuous compliance monitoring ensures that the organization remains aligned with industry standards and regulatory requirements, and it is mandatory under every compliance framework. By monitoring and updating security controls, organizations demonstrate a proactive approach to the compliance process.

Legal and Compliance managers identify high-risk areas related to operational aspects, considering factors such as fraud alerts, advisory opinions, audits, enforcement priorities, and contractor activities. Once these high-risk areas are discovered, a comprehensive compliance audit plan should be developed, prioritizing the areas with the highest risk levels.

To address these risks effectively, managers must develop and implement monitoring plans that follow ongoing activities and review procedures for compliance risks.

It is advisable to schedule monitoring and auditing results as part of the agenda in compliance committees at the management and board level to ensure continuous oversight. Moreover, it is highly recommended to involve independent compliance experts to assess the compliance program's effectiveness. These assessments should particularly concentrate on verifying the appropriate handling of high-risk areas.

The Benefits of Compliance Automation Software for SOC2 and ISO27001

Compliance automation software is not new to the compliance industry sector. Utilizing compliance automation software benefits organizations pursuing SOC2 and ISO27001 compliance. It simplifies and accelerates the overall compliance journey. This is possible thanks to the advanced capabilities of such software, which can effectively address the diverse legal and technical requirements of various compliance frameworks while also allowing for the integration and layering of multiple frameworks.  

Additionally, it offers time and resource efficiency by automating manual tasks, allowing personnel to focus on higher-value activities (ROI). With the ability to centralize and integrate compliance data, these tools provide real-time visibility into the organization's compliance posture, enabling proactive identification and remediation of issues. Finally, compliance automation software supports audit readiness by facilitating evidence collection and documentation, simplifying the audit process.

To determine the most suitable compliance automation software for your organization, I recommend involving key stakeholders in demo meetings from the outset. This will provide them with direct visibility into the platform's offered functionalities. Before committing to the software, one of the most frequently asked questions is how efficiently and to what extent it can replace human work, particularly in reducing reliance – and costs – on consultants. Based on my professional experience, engaging stakeholders in the demo process and addressing their concerns can greatly inform decision-making. This approach ensures that the selected software aligns with your organization's needs and can effectively streamline compliance processes while minimizing dependence on external resources.

Most compliance automation platforms thoroughly map the ISO 27001 and SOC 2 frameworks as well as other regulations. The setup process usually takes from a few hours to a few days, and a gap analysis report is generated immediately. This report helps prioritize actions using a risk-based approach. After full compliance with the chosen framework has been achieved, top market players confirm that only a 15-minute weekly check is needed to maintain continuous compliance, with a maximum of one hour for fixing activities. These platforms can be customized to suit the organization's specific characteristics, allowing certain checkpoints to be eliminated for justified reasons. They also offer automatic alerts within the platform or through email or Slack notifications.

These platforms offer APIs that integrate seamlessly with an organization's key infrastructure components such as AWS, Atlassian, Google Workspace, Workday, and more. They even provide pre-packaged remediations for vulnerabilities or errors identified during the analysis. They feature a dedicated section for legal departments, which includes a set of policies tailored to your organization's internal structure, ensuring that all the documentary evidence needed to demonstrate your compliance posture is available. Furthermore, they make HR functions more accessible by incorporating a training section for all employees.

I was particularly impressed by the internal and external auditing features provided by these platforms. The continuous access to all supporting documentation is remarkable, as it can be easily shared with auditors at any time. This eliminates the need for teams to collect the required documentation and exchange information and clarifications with auditors. In most cases, automatically generated reports or visibility access is sufficient. Additionally, some market players offer a trust center for clients to create a dedicated repository. This enables auditors to directly access the repository and verify the correct implementation of the relevant framework.

One may have concerns about the accuracy and reliability of the data stored on the platform. However, all tools maintain access logs and monitor every action taken. Profiles can be personalized, precise visibility and action authorizations can be granted, and data remains unaltered and is regularly refreshed.

When assessing the ROI (Return on Investment) of compliance automation, it is crucial to consider various factors, including time saved, cost reduction, enhanced efficiency, better resource allocation, risk mitigation, scalability, and other intangible benefits. Organizations can ascertain the software's worth by computing the financial gains and comparing them to the initial investment. Compliance automation licenses cost between 15k and 25k per year, while the cost of relying solely on consultants can be four or five times higher.

Conclusion: The Benefits of Achieving SOC2 and ISO27001 Certifications

Enhancing trust and credibility with clients and stakeholders is important to gain a strong market position and expand the customer portfolio by making one investment that benefits the entire company. Compliance with ISO 27001 and SOC 2 frameworks opens new business opportunities, as many clients and partners prioritize working with compliant organizations.

The legal department plays a fundamental role in compliance. Its expertise helps interpret and apply regulatory standards effectively. It provides guidance on legal implications, assists in risk assessment, and ensures adherence to relevant laws and regulations. Compliance is a cross-functional activity in 100% of cases, but the legal department plays a central role in building a corporate compliance program. It helps establish a collaborative network in which other teams serve as key stakeholders, with increased involvement from the IT and Cyber departments. Additionally, the legal department typically enjoys privileged communication channels with the corporate decision center and C-level managers. It has a direct reporting role to these functions, acting as a link between the compliance function and top management.

Strengthening the cybersecurity posture and mitigating risks is paramount in today's digital landscape. Organizations can proactively address potential vulnerabilities and protect sensitive data by implementing robust compliance frameworks such as ISO 27001 and SOC 2. Adopting compliance automation software streamlines processes, enhances efficiency, and ensures ongoing compliance. Compliance automation software, combined with active involvement from the legal department, enhances efficiency and effectiveness in achieving and maintaining compliance.

About the Author

Camilla Ragazzi, a guest writer at Newton, is a practical legal thinker who provides speedy, straightforward, yet solution-oriented advice. Her understanding of the dynamic nature of the tech industry, her belief in technological enhancement, and her knowledge of the legal requirements enable her to help companies build efficient and legally compliant processes. She is currently in-house legal counsel in a multinational holding group, managing and overseeing legal matters related to corporate management, including contract law, compliance, and corporate law.


June 30, 2023

How to build a culture of compliance

Extensive research to build a culture of compliance with practical advice to implement and measure it effectively.

Evidence of corporate misconduct is alarmingly prevalent, as numerous high-profile scandals show. To name a few: Parmalat in Italy concealing losses, Enron hiding debt to fabricate earnings, the Ponzi scheme of the investor Bernie Madoff, Wells Fargo's fraudulent cross-selling of accounts, Volkswagen's deceptive emission levels, Wirecard's fraudulent financial reporting, Samsung's legal violations, widespread bribery at Petrobras that damaged both the government and the economy of Brazil, and Boeing's epic compliance failures. The recent Silicon Valley Bank collapse (check out our article) is the latest addition to this long list.

Beyond making headlines, these incidents demonstrate how a corrupt culture can permeate an entire organization. While one may be inclined to read them as stories about single bad actors, they lay bare corporate failures to prevent, detect, and discipline at an institutional level.

Nearly half of all fraud cases go unreported to the public. GDPR enforcement in 2021/2022 saw landmark cases, including a record fine of €743 million. Additionally, according to EY's 2016 Global Fraud Survey, 42% of the 3,000 executives surveyed believed that unethical behaviour was justifiable to meet financial targets, and 38% of respondents stated that bribery/corrupt practices occur widely in business in their country.

These findings indicate that unethical practices continue to exist within private companies. To prevent white-collar crime, corruption, and other missteps, businesses must prioritize compliance and integrity from the top down. While compliance and legal departments work hard on these issues, it's not solely their responsibility. All members of an organization, including contractors, need to understand the importance of compliance. A proactive approach must originate from the C-suite to have a genuine impact. This article outlines why creating a compliance culture is crucial and offers practical advice on how executives can effectively implement it.

Creating a culture of compliance

Narrow down your compliance frameworks

It is extremely important to thoroughly understand the rules and regulations that apply to your industry and location. This knowledge will help you identify the specific obligations your business must fulfill for each code and create a plan to meet those requirements. Companies are often subject to multiple and overlapping regulations, which can make compliance a complex and challenging task. Therefore, it is essential to consider all relevant aspects, including but not limited to:

  • Financial compliance refers to meeting the rules and regulations of your industry, nation, and other regulatory bodies so that you fully comply with financial regulations.
  • IT and data compliance is relatively new but crucial: businesses must ensure that they comply with the rules and regulations of their industry for cybersecurity and data management.
  • Health and safety compliance involves ensuring that your physical workplace is safe and secure and following the national guidelines on safety practices, evacuation escape routes, and other related areas.
  • Legal compliance involves abiding by legally binding contracts and agreements and by bodies of law such as employment law or tax law, seeking the advice of a qualified legal professional to ensure fairness and appropriateness.
  • ESG responsibility is a set of standards that investors, consumers, and other stakeholders use to evaluate a company's social and environmental performance. Companies are expected to take proactive measures to reduce their carbon footprint, reduce waste, and use sustainable practices.

Ongoing risk assessment

A successful business must prioritize risk management, with practices to identify, own, manage, and mitigate ethics and compliance risks. Risk assessments are a compliance program's foundation and starting point and must be unique to the organization's industry, history, maturity, and marketplace. They play a crucial role in enterprise risk management, providing critical information to management and the board to avoid severe business disruption and loss.

The program establishes a shared responsibility for risk management, where leaders assume ownership for identifying and mitigating risks relevant to their areas. The compliance program must stay attuned to the most severe risks as they change over time to support this effort. Therefore, ongoing risk assessments are critical as they serve as an early warning system for current and emerging issues.

Check out an exciting conversation about risk assessment in complex industries between Nomsa Hoohlo, an anti-financial crime compliance and risk management expert, and Kudzai Chaka, a compliance risk management expert with a track record at JPMorgan and Barclays, among others.

From key risks identification to mitigation

After identifying and prioritizing risks, the usual approach involves creating policies to prevent and minimize the identified risks. Employees are given targeted training to prevent potential threats and are equipped to respond in the event of an incident. Additionally, the compliance program ensures employees can easily access the necessary information to reduce risks. Any failures, breaches, or near-misses are considered part of the organization's early warning system, and these events are continuously monitored to gain insights that could prevent future occurrences.

Mergers and Acquisitions risks

The compliance program matters beyond internal operations: it encompasses due diligence processes for vetting and integrating third-party entities. Additionally, the program includes explicit processes for the integration period following an acquisition, including testing and monitoring to confirm the timely integration of new entities. A well-structured compliance program is particularly crucial for investors interested in acquiring a business, as it gives them the necessary assurance that the company complies with regulatory standards and ethical practices. At the same time, integrating acquired businesses is necessary to ensure that the organization operates as a cohesive entity.

Governance and Compliance by Design

Governance and compliance are closely intertwined and mutually reinforcing elements within an organization. Governance refers to the overall framework of rules, practices, and processes that guide decision-making and ensure accountability at all levels. Compliance, on the other hand, pertains to the adherence to laws, regulations, and internal policies.

An effective governance structure establishes the framework for compliance by defining the responsibilities, roles, and expectations of individuals within the organization. It sets the tone for ethical behavior, risk management, and transparency. Compliance, in turn, ensures that the established governance principles and guidelines are followed.

To understand this approach better, we suggest the work of Lisa Welchman, a pioneer in this topic and author of Managing Chaos: Digital Governance by Design. In her book, she gives a set of rules for considering governance at scale, covering the substance and ownership of strategy, policies, and standards in ways that meet ethical company standards.

Examples of Governance by Design

  • Automatically applying retention policies that manage data throughout its lifecycle, including data collection, storage, use, sharing, and disposal. This ensures that data is handled in a secure and compliant manner.
  • Applying security policies that restrict the sharing of sensitive information, so that only authorized users can access it. This can include role-based access controls, multi-factor authentication, and data encryption in transit and at rest.
  • Setting up a change management process that includes a formal review and approval step for all changes to the system's design. This ensures that any changes are carefully considered and vetted before being implemented.
  • Launching business process workflows without user intervention, for example automatic invoicing and payment processing.

By including these policies in the system's design and configuration, the burden of understanding and adhering to policies no longer lies with end users. This ensures that policies are working in the background, allowing users to focus on their job while maintaining compliance with governance policies.

Implement nudges and gamification

A nudge is a way of reframing a decision that individuals ultimately need to make. It's a handy concept worth digging into with Richard Thaler and Cass Sunstein's book Nudge. Likewise, policies gamified through design, rewards, and the sharing of best practices strengthen a culture of compliance and accountability.

Some examples:

  • Opt-out decision: in a policy program aimed at improving cybersecurity, a nudge could be to use default options that prioritize security, like the highest level of security features preset, and users would need to explicitly opt-out if they prefer a lower level of security. Research has shown that automated decisions increase optimal behavior by taking advantage of individuals' inertia and tendency to stick with default options.
  • Personalization: a nudge could be to use personalized reminders, such as sending reminders of upcoming deadlines, highlighting the benefits of compliance, and providing information on the potential penalties for non-compliance.
  • Gamification-design: a company could implement a gamified campaign that educates employees about data privacy best practices, such as handling personal data securely, obtaining proper consent, and reporting data breaches. Employees could earn points or rewards for completing data privacy tasks, passing quizzes, or identifying potential data privacy risks. For example, sharing the percentage of colleagues that already accomplished a task increases a sense of urgency and positive competition.

It's crucial to thoroughly research and test nudges to ensure their effectiveness in achieving the desired policy outcomes, while considering the ethical implications and potential unintended consequences.

Adopt engaging policy

A playbook for policy creation

  • Clarify the purpose. Ensuring everyone understands the policy's purpose is essential to foster trust between you and your employees. Clearly explain the policy's necessity and its value to your company. Once the goal is established, ensure the policy's content is well-structured, dividing it into themes, procedures, and role-oriented information.
  • Avoid technical language. Policies serve as internal documents that employees must understand (simple and multilingual) to ensure that company operations are carried out consistently and competently. However, policies also have an external function in the event of controls, such as audits or potential investigations by regulatory authorities. As such, policies must be crafted with a level of legal sophistication that meets the requirements of relevant laws and regulations to ensure that the company is adequately protected and prepared for any external scrutiny.
  • Use real-life examples. Using real-life examples tailored to your company's day-to-day work, explain acceptable and unacceptable behavior in the workplace and address real risks.
  • Define the policy's scope. Clearly define which employees must comply with the policy and which need not. If any person or group is excluded, ensure the exclusion is precisely defined to avoid misunderstandings in the future. Ensure that only relevant employees are asked to read the policy.
  • Define and communicate consequences. Policies must clearly define the consequences of non-compliance for employees to be effective. Explain how employees should act if they see internal violations occurring.
  • Focus on regulatory cores. Regulatory cores are concrete instructions that describe permissible actions or obligations. They can be categorized as authorization, command, exemption, and rights.
  • Avoid restrictions. Avoid negative language and harsh restrictions. Instead, formulate policies as positive expectations, showing employees you trust them. Policies should highlight possibilities, stating what employees can do rather than what they cannot do.
  • Revise policies to meet future needs. Fast-changing regulations, especially regarding privacy and security, require policies flexible enough to address present and future needs, and a review culture to ensure that they remain relevant and effective. In this process, stakeholders' involvement ensures that the policies reflect the needs of the entire organization, not just one department or group.
  • Consistency. Different departments may use their own solutions or free services, making it difficult to manage content and enforce consistent policies. In such an environment, complexity increases as content becomes fragmented and is stored in multiple cloud repositories. To address this challenge, companies should adopt a cloud content management system, like Newton, that can work with all their applications, reducing the number of repositories and the number of places where policies must be applied. Policies must consider three key factors:
    • Data policies should limit access to personal data and clearly define its intended use.
    • Exceptions should be made for legal holds, with policies that can interrupt automated content lifecycles in case of litigation.
    • Policies should comply with newer regulations that require content deletion when no longer necessary, as keeping records for too long can be just as risky as deleting them too soon.

Simplify and categorize policies

As a rule of thumb, reducing the number of policies to fewer than 100 and moving towards a big-bucket approach helps track their effectiveness better.

It's important to note that compliance requirements can vary greatly depending on the industry, jurisdiction, and specific applicable regulations. Therefore, the policies related to reducing and categorizing compliance requirements will also vary with the circumstances. Here are some suggestions for categorizing policies, and the benefits of doing so:

  • Data retention policy: A company must reduce the amount of data it retains to only what is necessary for legal or business purposes. This can help reduce compliance requirements related to data protection and privacy regulations.
  • Employee training policy: A company may consolidate its compliance training requirements for employees by conducting one annual training session instead of requiring multiple pieces of training throughout the year. However, it is important to note that certain regulations require specific training paths, and employees must demonstrate their compliance through training certificates that are clear and pertinent to the specific topic. For example, annual GDPR training may be necessary. Therefore, while grouping the training sessions may be practical, it is still necessary to provide different training paths to ensure that all compliance requirements are met.
  • Vendor management policy: A company may reduce vendor compliance requirements by only working with vendors who have already demonstrated compliance with relevant regulations.

User-friendly and friction-free system

Effective governance and compliance require strict policies and guidelines, but also a user-friendly system that creates as little friction as possible. If the system is too complicated and slows down productivity, employees may seek out unauthorized methods, putting security and control at risk. This is a common problem: executives, doctors, engineers, and others may find the system too cumbersome and opt for a quicker solution to meet their needs, potentially with devastating consequences.

Stanford University studies have shown that almost 90% of cyber-attacks are caused by human error or behaviour. To prevent this, compliance policies must strike a balance between security and ease of use, including appropriate guardrails that keep employees within policy boundaries.

These guardrails can also send notifications if someone accidentally steps outside the policy, protecting content from leaving the system.

Strive for compliance success: communication, individual contribution, and data analysis

Compliance centrality to business strategy

Ensuring that everyone follows the rules is best achieved when leaders set a good example. Therefore, it's crucial for initiatives to come from high-level executives like the CIO (chief innovation officer), CCO (chief compliance officer), or CMO (chief marketing officer) or key figures like the head of legal or head of operations with the proper budget allocated for initiatives.

Good practice is to kick off projects with 90-minute meetings where all stakeholders are involved. If only the marketing or the IT team shows up at the round table, we know there is an issue, as Lisa Welchman has stated. Digital, by its own nature, is a set of silos, and an operational plan or external advisors can close the gap in the organization.

Foster communication

Once it is clear that compliance is essential and that everyone has a responsibility to uphold it, the company might initiate updates from senior management or the legal department, newsletters, intranet pages, confidential hotlines, or even an annual compliance week. In these channels, open communication and metrics are the baseline for evaluating policy successes and mistakes, together with audit results in priority compliance areas such as workplace safety, product safety, anti-corruption, financial controls, conflicts of interest, and so on.

The Role of the Board of Directors

The board of directors is knowledgeable about the impact of the compliance program. Accordingly, it actively monitors its implementation across the business through various leading practices, such as seeking and receiving comprehensive information about the organization's program, maintaining regular contact with the program stakeholders and their team, receiving regularly scheduled briefings on risk assessment processes and metrics, recruiting and retaining board members with a track record in compliance, and receiving periodic training tailored to their responsibilities as board members and to any particular issues of relevance.

Using surveys as a starting point for a shift in compliance culture

Gathering feedback internally and externally can provide insights into how well the governance policies are working and where improvements can be made. Anonymous feedback fosters a speak-up culture, allowing employees to feel comfortable raising issues and reporting violations without fearing retaliation. Set the right expectations: implementing and evaluating changes takes 3-6 months in small companies and 12-18 months in larger ones. Some decisions can be challenged with satisfaction scores (net promoter score or similar), where contributors, users, and departments rate and provide feedback about new policies.

However, relying solely on surveys may yield flawed results due to self-reporting and self-selection biases. Employees who have witnessed unethical behaviour may hesitate to report it, leading to skewed results representing only part of the workforce.

Furthermore, senior employees or those involved in misconduct may be less likely to participate in such surveys, contributing to biased data. Therefore, it is crucial to acknowledge the presence of bias in the collected data when interpreting metrics.

As we love bootstrapped companies, we suggest Tally (we do not have an affiliate program), which offers many templates you can customize, making this process faster and free of charge; alternatively, test out other widely known design-centered tools like Typeform. Make sure to comply with your security and storage policies.

Tracking compliance effectiveness with key KPIs

Deloitte and Compliance Week reported that just 70% of companies attempt to measure the efficiency of their compliance programs. Among those that do, only one-third feel confident or very confident about utilizing the right metrics.

Individual, Legal Department or company-wide success metrics can be established to measure the effectiveness of compliance training. However, there are better approaches than measuring success based on completion rates or training hours. While completion rates may be significant to track for other purposes, the effectiveness of the compliance program must be directly linked to a specific outcome, such as:

  • Employees' comprehension of policies and procedures
  • Acquisition of relevant skills to address anticipated scenarios, or a change in behavior
  • Percentage of employees who follow the governance policies
  • Number of active employees on company channels where discussion happens
  • Number of external contributions (a measure of adoption and engagement)
  • Effectiveness of the hotline or other compliance initiatives, measured by adoption, usage, and type of requests
  • Time and resources required to implement and enforce governance policies
  • Time taken to identify and resolve incidents related to governance compliance, which can point to guidelines that need to be updated or improved
  • Number of open compliance tasks
  • Changes in the amount of time required to perform QA
  • Risk reduction in non-compliance with regulations, data breaches, or other incidents that could harm the organization's reputation or financial stability
  • Assessments of the organization's compliance policies by independent and reliable auditors
  • Percentage of internal audits completed

Implementing SMART Employee Performance Management

Discuss how each individual can contribute to the effort, and establish and share SMART compliance objectives with the entire team. Doing so builds a culture where compliance is valued and everyone takes it seriously.

Here is an example of how to set up a SMART outcome related to data privacy:

  • Specific: Reduce the number of customer complaints related to data privacy by 50% in the next quarter.
  • Measurable: Track the number of customer complaints about data privacy and compare it to the previous quarter's data.
  • Achievable: Implement new policies and training programs to improve data privacy practices, which have been proven effective in similar organizations.
  • Relevant: Data privacy is a critical concern for our organization, and addressing customer complaints will help us maintain our reputation and avoid legal or financial consequences.
  • Time-bound: The outcome will be achieved within the next quarter, with progress updates provided monthly.

Build multivariate regression analysis

Regression models allow an investigator to examine the impact of one variable while holding the others constant. Designing appropriate regression models takes time and experience (here is an in-depth guide), but it is the most reliable way to know whether to be reassured by or concerned about shifts for:

  • Training effectiveness: a regression model can help firms understand the link between training sessions and changes in employee behaviour. By controlling for the other factors that may contribute to policy violations, it tests whether the individuals who undergo training become more or less inclined to break the rules.
  • Employee expense reports: analyzing expense data for suspicious activity patterns can flag employees who consistently submit expenses that fall just below the threshold requiring manager approval, or who always submit receipts at the maximum allowed amount.
  • Procurement: analyzing procurement data for signs of non-compliance, such as bid-rigging, price-fixing, or collusion among vendors. A regression model could identify unusual bidding patterns or suppliers that consistently win contracts even though their prices are significantly higher than those of competitors.
  • Anti-money laundering: financial institutions can analyze customer transactions for signs of money laundering. A model could flag accounts with high volumes of cash deposits or withdrawals, transactions with counterparties in high-risk jurisdictions, or unusual activity patterns that may indicate attempts to conceal the source of funds.
  • Insider trading: one way to identify potential insider trading is by analyzing trading data, looking for patterns in trades made by employees or executives before major corporate events, such as mergers or acquisitions, are announced. However, laws at the international level typically prohibit certain individuals from trading company shares when they have knowledge of forthcoming operations, and companies often have internal policies and procedures to prevent non-compliance. If executives buy shares when they are not allowed to, it is a serious breach of the law and can only be investigated by the authorities. Companies typically rely on written declarations from employees, executives, and shareholders to ensure compliance.
  • Fraud detection: analyzing data from multiple sources to detect patterns of behaviour that may indicate fraud. For example, a model could identify employees who frequently access sensitive data outside regular business hours or who consistently submit false or misleading information on expense reports or timesheets.
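As an added example that is not part of the original article, the following pure-Python regression shows the first use case above, training effectiveness, with a confounder held constant. The employee records are constructed: training was rolled out first in the high-risk department, so a naive trained-versus-untrained comparison understates the training effect, while the regression, which also controls for tenure, recovers it; the data is noise-free, so the fitted coefficients match the constructed ones exactly.

```python
"""Added example (not from the original article): estimating training
effectiveness with an ordinary-least-squares (OLS) regression in pure Python.

Each record is an employee: (trained, high_risk_dept, tenure_years, violations).
The data is constructed for illustration. Training was rolled out first in the
high-risk department, so a naive trained-vs-untrained comparison mixes the
training effect with the department effect; the regression separates them.
"""
from typing import Dict, List, Sequence, Tuple

Record = Tuple[int, int, float, float]

# Constructed records, generated without noise from
#   violations = 2.0 + 1.5*high_risk_dept - 0.8*trained + 0.1*tenure_years
EMPLOYEES: List[Record] = [
    # trained, high_risk_dept, tenure_years, violations_per_year
    (1, 1, 1.0, 2.8),
    (1, 1, 3.0, 3.0),
    (1, 1, 5.0, 3.2),
    (1, 1, 7.0, 3.4),
    (1, 0, 2.0, 1.4),
    (1, 0, 6.0, 1.8),
    (0, 1, 4.0, 3.9),
    (0, 1, 8.0, 4.3),
    (0, 0, 1.0, 2.1),
    (0, 0, 3.0, 2.3),
    (0, 0, 5.0, 2.5),
    (0, 0, 7.0, 2.7),
]

FEATURES = ("intercept", "trained", "high_risk_dept", "tenure_years")


def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]  # augmented matrix [a | b]
    for col in range(n):
        # Pick the largest remaining entry in this column as the pivot.
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("design matrix is singular (collinear predictors)")
        # Eliminate this column from every other row.
        for r in range(n):
            if r == col:
                continue
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols(x_rows: Sequence[Sequence[float]], y: Sequence[float]) -> List[float]:
    """OLS coefficients via the normal equations (X^T X) beta = X^T y."""
    k = len(x_rows[0])
    xtx = [[sum(r[i] * r[j] for r in x_rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(x_rows, y)) for i in range(k)]
    return solve_linear(xtx, xty)


def fit_violation_model(records: Sequence[Record]) -> Dict[str, float]:
    """Regress violations on training, department risk and tenure."""
    x_rows = [[1.0, float(tr), float(hr), ten] for tr, hr, ten, _ in records]
    y = [v for *_, v in records]
    return dict(zip(FEATURES, ols(x_rows, y)))


def naive_training_effect(records: Sequence[Record]) -> float:
    """Mean violations of trained minus untrained employees, ignoring confounders."""
    trained = [v for tr, _, _, v in records if tr]
    untrained = [v for tr, _, _, v in records if not tr]
    return sum(trained) / len(trained) - sum(untrained) / len(untrained)


def adjusted_training_effect(records: Sequence[Record]) -> float:
    """Training effect with department risk and tenure held constant."""
    return fit_violation_model(records)["trained"]


if __name__ == "__main__":
    print(f"naive effect of training:    {naive_training_effect(EMPLOYEES):+.3f}")
    print(f"adjusted effect of training: {adjusted_training_effect(EMPLOYEES):+.3f}")
    for name, value in fit_violation_model(EMPLOYEES).items():
        print(f"  {name:<15} {value:+.3f}")
```

On this data the naive comparison shows training cutting violations by about 0.37 per year, while the adjusted estimate is 0.8, because the trained group was over-represented in the high-risk department. With real, noisy data the coefficients also need standard errors and a check for omitted confounders before the shift is read as reassuring or concerning.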

Taking action on misconduct

The compliance program is committed to acknowledging and addressing misconduct within the organization. It conducts investigations of alleged wrongdoing in a timely, neutral, thorough, competent, and consistent manner, and ensures that appropriate consequences are applied to violators regardless of their level or organizational status. This approach complies with EU Directive 1937/2019 and the whistleblowing procedure, which is mandatory in the EU.

The program aims to learn from every substantiated case and communicate the importance of integrity to employees. The organization is transparent in disclosing issues to regulatory and government authorities and works cooperatively to address their concerns.

Considering the fast-paced digital age, the program includes well-developed systems for escalating issues, chronic crisis management, and response testing. The organization is committed to making decisions based on its values, even during crises.

Summary

Although many companies view compliance as legal, it is more related to behavioral science. Managers must experiment and test their compliance programs to achieve a genuine impact. Codes of conduct must contain policies fundamental to a company's success, and legal support must not only record reports of misconduct but also help employees navigate difficult situations before making a misstep. To effectively reduce improper behavior, firms must develop better measures of effectiveness and adopt innovative and ambitious programs. With the numerous and complicated regulations governing businesses today, relying on a one-size-fits-all metric to determine compliance program success is unrealistic. Instead, successful compliance engineering needs creativity, experimentation, and careful model design to measure outcomes effectively.

A good compliance program can be summarized as a three-part approach. Firstly, it involves implementing policies and providing training to prevent non-compliance. Secondly, it requires finding ways to stay informed about what is happening within the company, such as establishing whistleblower programs. Finally, it involves managing any wrongdoing that does occur by finding solutions internally or, if necessary, reporting to the relevant authorities. The specific course of action taken will depend on the nature and severity of the non-compliance.

Extra: Tracing the path that led to our current situation

Compliance programs began in the US in the 1970s and 1980s to respond to corporate scandals. Industry groups adopted internal policies and procedures to report and prevent misconduct, which helped to assuage legislators who had sought to regulate and penalize firms for dishonest practices. In 1991, the US Sentencing Commission amended its guidelines and offered firms reduced fines if they could demonstrate an "effective compliance program."

Other civil regulators, including the Securities and Exchange Commission, adopted this carrot-and-stick approach to compliance.

An industry quickly sprouted to provide compliance training programs, hotlines for whistleblowers, and risk assessments. Today, compliance programs are viewed as protection against worst-case scenarios, and employees are asked to sign lengthy codes of conduct and sit through training programs. However, even at firms spending millions of dollars annually on their programs, compliance often lacks substance. The DOJ (the US Department of Justice) recognized that firms might be creating all the components of compliance programs while producing hollow facades.

The DOJ, in its 2008 update to the Principles of Federal Prosecution of Business Organizations, explicitly instructs prosecutors to evaluate whether a company's compliance program is just for show or whether it has been adequately designed, put into practice, reviewed, and improved as needed. In the same year, Siemens was fined $800 million by US authorities in a case where the prosecution highlighted the deficiencies of Siemens' compliance program, which existed merely on paper.

A similar example of a program lacking effectiveness occurred in 2012, when the DOJ brought criminal charges against Singapore-based Morgan Stanley employee Garth Peterson for a real estate scheme that enriched him personally and involved bribing a Chinese government official.

Despite receiving seven compliance training sessions and 35 related reminders to avoid such conduct, Peterson engaged in illegal activity. He stated that he viewed the compliance initiatives as pro forma and that people often deleted emails or checked boxes indicating compliance without actually listening or following through on the training.

The point is that the effectiveness of policies is not measured by whether employees never commit a crime, but by whether the company is the first to become aware of a crime committed inside it and can take remedial action before responsibility extends to the company itself or, in the worst case, leads to bankruptcy or a similarly disruptive event.

Evaluating a program required considerable time and expertise, which made the task challenging for prosecutors. In response, in 2017 the DOJ publicly released a document titled "Evaluation of Corporate Compliance Programs," which included a list of questions for prosecutors to consider when assessing compliance programs.

The compliance and risk survey (2016) conducted by Deloitte and Compliance Week showed that the prevailing method for measuring training effectiveness is to track completion rates and consider the training successful if a sufficient share of employees, say 90% or 95%, complete it. However, this approach fails to take into account the quality of the training content, how relevant and beneficial it is, its actual effectiveness, and how much employees retain and apply of what they have learned.

Companies tend to use completion rates as a measure of success not because the measure has been proven effective but to fulfill regulatory requirements. For example, although some firms provide their employees with effective training on following the rules, many others mistakenly believe their training is satisfactory simply because it has been completed. One of the reasons companies continue to invest in compliance without seeing results is that they lack appropriate measures to determine the effectiveness of their compliance efforts.

As a result, many companies equate strengthening compliance with hiring more managers, purchasing more software, and creating more policies, even when those actions are redundant, wasteful, or ineffective.

To avoid a tick-box exercise, the Principles and Practices of High-Quality Ethics & Compliance Programs (E&C program) report, released by the ECI's Blue Ribbon Panel in 2016, has become a benchmark for building effective E&C programs. The report focuses on five critical principles of a high-quality program and recommends techniques for practitioners to use when building out their own. These principles provide the standard framework for the development of an E&C program, and they were endorsed by the US Department of Justice (DOJ) in its 2020 guidance for federal prosecutors on evaluating the effectiveness of corporate compliance programs, setting the standard for all E&C programs, whether or not your company operates in the United States.

*This section is a summary, with our own additions and updates, of an interesting article from Harvard Business Review written by Hui Chen, formerly the compliance expert at the U.S. Department of Justice and now an ethics and compliance consultant to government regulators and companies worldwide, and Eugene Soltes, Professor at Harvard Business School, where his research focuses on corporate misconduct. It explains why compliance programs have been, and continue to be, a tick-mark exercise and makes the reader more conscious of the suggestions for achieving best-in-class compliance programs.


About this article

Sources

Harvard Business Review (2018). Why Compliance Programs Fail—and How to Fix Them
Reangle (2020). Governance by design: Building successful design systems
Zeroheight (2022). Governance is a design system’s friend
International Compliance Association (2019). 10 ways to instill a culture of compliance
Kyung-Min Lee (2009). Application of multivariate statistics in a risk-based approach to regulatory compliance
ECI (2016). Principles and Practices of High-Quality Ethics & Compliance Programs
EY (2019). How to drive the future of compliance, with integrity in the spotlight
Department of Justice (2020). Crime & Corruption
Jeff Hancock and Tessian (2020). Psychology of Human Error
Caitlin Handron, Nitish Upadhyaya, Scott Young (2023). Five insights and actions to enhance compliance programs
R. Christner (2017). Chance encounter leads to concert by KC country pair. The Hutchinson News
Lisa Welchman (2015). Managing Chaos
Andrew Hayward and Tony Osborn (2019). The business guide to effective compliance and ethics

Images

Featured Image: Photo by ThisisEngineering RAEng on Unsplash
Featured CTA blog post: Photo by Jurica Koletić on Unsplash / Photo by Christina @ wocintechchat.com on Unsplash