Don’t treat a compliance initiative as a check-the-box activity. Instead, use it as an opportunity to get your leadership team on board with properly managing risks through the formalization of a risk management program. Compliance can mobilize your organization to start viewing risk management as an important business objective.
5 Ways to Use Compliance to Build a Risk Management Program
1) Establish a System to Govern Your Risk Management Program
Building a system to govern your program requires your team to have a common operating rhythm. Everyone should be using the same language, the same rules, and be on the same page. Both SOC 2 and ISO 27001 provide the opportunity to build this structure.
Compliance Mapping: ISO 27001 ISMS (Clauses 4-10), SOC 2 CC1 and CC3.
2) Form a Risk Council to Make Risk Decisions
Creating a risk council will ensure that the security team has a leader at the table to make decisions for the organization. The risk council will approve policies, projects, budgets, and strategies. This is the forum for security leaders to make things happen.
Compliance Mapping: ISO 27001 Clauses 5 (leadership), 6 and 8 (risk management), SOC 2 CC3
3) Perform a Risk Assessment to Get in the Mind of Top Leadership
A good risk assessment is a perfect opportunity to get in tune with what’s going on with the business because you will be able to ask leadership tough questions and align the security program with the business.
Compliance Mapping: ISO 27001 Clauses 6 and 8, SOC 2 CC3
4) Perform Regular Program Reviews to See How Things Are Going
Leaders need to know how the program is going and where additional resources or effort may be required. That means performing regular security assessments to see whether things are operating as expected and rolling those findings up to management for visibility.
Compliance Mapping: ISO 27001 Clause 9.2 (Internal Audit), SOC 2 CC3
5) Policies as Strategy
Policies are an opportunity for leaders to slow down and think through their intent. Avoid treating policies like an administrative activity. Use them as an opportunity to bridge strategy and tactics.
Compliance Mapping: ISO 27001 (all), SOC 2 (all)
Conclusion
Compliance initiatives for SOC 2 and ISO 27001 are great ways to build a risk management program for your organization. These initiatives serve to establish a system to govern your risk program, form a risk council to make risk decisions, perform a risk assessment to get in the mind of top leadership, schedule regular program reviews, and create strategies through your organization’s policies.