Automation of ISMS Compliance Assessment

by Dasaradh Kodali
October 29, 2024

All organisations establish processes and policies to serve interests such as SLAs, product quality, security and legal obligations. Organisations also take the necessary steps to ensure that the policies and processes are being followed. This is done through internal or external audits, compliance certifications or recognised standards.

In an environment where the output is a product, this can be done quite simply through automated reporting. Implementing automated compliance assessments for an operational team is a lot more difficult, because the output of the team varies.

At BizCubed, our goal was to demonstrate through a proof of concept that it is possible to develop automated assessments for operational teams to track compliance. Our focus was on our ISMS function.

BizCubed already has a robust ISMS program, which is also certified as compliant with the ISO 27001 framework. As part of this investigation, we aimed to take this program further by automating some assessments using existing data technologies, freeing up valuable time for the operational teams.

Additional benefits include real-time monitoring of the ISMS function's performance, allowing faster response and shorter cycle times. Implementing such a system contributes to stronger trust and an improved reputation, allowing organisations to outcompete in the market, and delivers on our value of customer delight.

Following the groundwork, we targeted two key controls that are critical to BizCubed's ISMS program and are also commonly implemented by other organisations: we opted to automate assessments for the Access Management and Incident Management controls. After thorough analysis, we identified the respective data sources for the actual and expected states of access and incident management. By setting up data acquisition and ETL processing using BizCubed's DEEP service, we create daily compliance assessments. Through the use of Business Intelligence services, we were able to reflect the results on live dashboards for key stakeholders.
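As an added illustration of the actual-versus-expected comparison described above (example code written for this post, not BizCubed's DEEP pipeline), the following Python assesses constructed access grants and incident records against an approved access list and a hypothetical incident-response SLA:

```python
from datetime import datetime, timedelta

# Constructed sample data. The "expected" state is the approved access list;
# the "actual" state is an export of live grants from a system (e.g. an IdP).
APPROVED_ACCESS = {("alice", "prod-db"), ("bob", "prod-db"), ("carol", "git")}
ACTUAL_ACCESS = {("alice", "prod-db"), ("carol", "git"), ("dave", "prod-db")}

# Constructed incident register; timestamps are ISO 8601, None = still open.
INCIDENTS = [
    {"id": "INC-1", "opened": "2024-10-01T09:00",
     "acknowledged": "2024-10-01T09:30", "closed": "2024-10-02T10:00"},
    {"id": "INC-2", "opened": "2024-10-03T14:00",
     "acknowledged": "2024-10-03T18:00", "closed": None},
]
ACK_SLA = timedelta(hours=1)   # hypothetical policy: acknowledge within 1 hour
CLOSE_SLA = timedelta(days=3)  # hypothetical policy: close within 3 days


def assess_access(approved, actual):
    """Compare expected vs actual grants; any unapproved grant is a finding."""
    unapproved = sorted(actual - approved)   # live grants with no approval record
    missing = sorted(approved - actual)      # approved but not provisioned
    return {"unapproved": unapproved, "missing": missing,
            "compliant": not unapproved}


def assess_incidents(incidents, now, ack_sla=ACK_SLA, close_sla=CLOSE_SLA):
    """Flag incidents that breached the acknowledgement or closure SLA."""
    ts = lambda s: datetime.fromisoformat(s) if s else None
    breaches = []
    for inc in incidents:
        opened = ts(inc["opened"])
        ack = ts(inc["acknowledged"])
        closed = ts(inc["closed"]) or now   # open incidents are measured against now
        if ack is None or ack - opened > ack_sla:
            breaches.append((inc["id"], "ack"))
        if closed - opened > close_sla:
            breaches.append((inc["id"], "close"))
    total = len(incidents)
    breached = len({inc_id for inc_id, _ in breaches})
    pct = 100.0 * (total - breached) / total if total else 100.0
    return {"breaches": breaches, "compliance_pct": pct}


def daily_assessment(now_iso):
    """One day's assessment record, as a dashboard job would emit it."""
    now = datetime.fromisoformat(now_iso)
    return {"access": assess_access(APPROVED_ACCESS, ACTUAL_ACCESS),
            "incidents": assess_incidents(INCIDENTS, now)}


if __name__ == "__main__":
    print(daily_assessment("2024-10-07T09:00"))
```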

To conclude, we built a successful proof of concept demonstrating that, through existing data engineering techniques, we are able to automate compliance assessments for operational teams. While our investigation specifically focused on BizCubed's ISMS function, it is certainly feasible to apply similar concepts in other operational areas across businesses.

Dasaradh (Dash) Kodali

Dasaradh (Dash) is a Data Engineer at BizCubed. He is interested in all things security and ISMS, and was previously the ISMS lead for BizCubed. In addition, he recently completed his thesis on Automation of ISMS Compliance Assessments. Follow him on LinkedIn.
