7 expert tips on how to effectively implement security frameworks
In the last of our 2021 webinar series ‘Compliance Best Practices’, we tackled a crucial component of any successful compliance or privacy plan: implementing security frameworks.
Joining us for this episode was Christoffer Fries, a Senior Consultant at Complyon’s implementation partner VENZO. With experience running large-scale implementation projects within both GDPR and information security, Christoffer brings a wealth of experience in risk and compliance, particularly around issues of implementation, maturity and standardisation.
In the 30-minute talk, Christoffer and Complyon CEO and Co-founder Julie Suhr focussed on the benefits of investing in your security framework, as well as discussing their top pitfalls to avoid and strategies for success. You can watch the full webinar here or keep reading for our main takeaways on how to effectively implement your security framework.
What is a security framework?
Before we delve into the main learnings and tips from our conversation with Christoffer, here is a quick recap on what a security framework is and why companies embark on implementing such frameworks.
In general, frameworks are a set of rules or questions that work to standardise a chosen area, whether information security or compliance. Within GDPR, a compliance framework can be described as:
“a structured set of guidelines that details an organization’s processes for maintaining accordance with established regulations, specifications or legislation.”
This framework should cover all business processes and procedures related to the regulatory compliance standards an organisation needs to abide by. For example, a framework could detail risk mitigations, communication protocols, roles and responsibilities, governance and post-breach responses.
Frameworks will vary from business to business, with companies required to build their own set of controls that reflect the frameworks being implemented as well as their individual maturity status.
Why do companies introduce security frameworks?
There are many different reasons why businesses embark on their implementation journey.
For some, they’re required by customers or suppliers to be certified, for example with certifications such as ISO/IEC 27001. For others, they could be part of a merger or acquisition deal where different technologies, cultures and ways of working need to be aligned to ensure efficiency and unite the organisation.
Whatever the specific motivations for implementation may be, at the core of any security framework is the aim to standardise ways of working, ensuring one way of working is used across the entire organisation.
Standardisation then leads to many business benefits from increased security, greater productivity, streamlined output and of course, enhanced compliance.
7 tips for implementing security frameworks
From handy steps to take pre-implementation to smart strategies for safeguarding the impact of your security framework, here are some of Christoffer and Julie’s top tips for successful implementation.
1. Clearly define your implementation goals
While drivers for implementing security frameworks will vary, it’s fundamental that whatever you’re looking to achieve goes beyond a certification or status.
Getting certified or achieving a goal such as ensuring your company is GDPR compliant is often the comparatively easy part. It’s more difficult to actually follow and maintain the procedures and processes that have been set in place. This maintenance requires consistent governance and evaluation. As time goes on you’ll have to handle deviations, report incidents, keep track of audit logs, and so on.
If you don’t have enough drive to maintain the systems and processes that underpin and uphold your implementation phase, it’s unlikely that you’ll be able to hold on to the certifications or compliance you once achieved.
Focusing on the long-term goal of developing the maturity of your company and the cumulative benefits that will bring allows your business to reap many more benefits than those brought by a piece of paper or certification.
2. Take high-level activity and turn it into concrete actions
Your framework is going to consist of a lot of high-level statements or objectives which, while important, need to be broken down into easy-to-understand steps for employees to follow.
For example, the statement ‘appropriate controls must be implemented to support this process’ needs to be backed up with documentation that specifically outlines exactly what actions and controls you expect an employee to take.
If your team don’t know exactly what steps to follow or who to contact in risk-based scenarios such as when a breach happens, a customer requests their data or a new supplier is onboarded, your security efforts will soon run into trouble.
Christoffer suggests adopting a method he calls “we do what we say and we say what we do”, where every statement exists alongside clearly defined activities, roles and responsibilities. Investing time into breaking down and interpreting the high-level action points of your framework minimises confusion in the long run and sets your framework up for success.
3. Communicate change in everyday language
Any documentation that needs to be read and acted on by employees needs to be written using language and scenarios that are familiar to the reader.
Unless they work in the legal or compliance department, employees will struggle to understand and connect to legal documents that are full of complex industry terminology and overarching company objectives. So if you want to engage your colleagues and motivate them to fulfil the tasks required of them, documents have to be easily understood by any member of your team, whether they work in IT or customer services.
These documents also need to reflect the reader’s everyday work. For instance, talk them through their workflows and risk scenarios such as the types of emails they’re sending or the protocol for taking calls in public spaces.
Creating relatable, easy-to-follow guidance will go a long way in helping you get the support of your colleagues and maintain the implementation of your security frameworks.
4. Shift your attention beyond the IT department
Due to the involvement of systems and technologies, many companies see the implementation process as an IT concern and responsibility. Following that line of thinking, a top-down approach to implementation is often adopted with many activities sitting between the DPO and IT department.
However, when it only takes one employee to put your company at risk or cause a data breach, you need buy-in from everyone in your organisation, and your compliance processes and efforts need to incorporate daily work and workers. Real benefits and real change happen when you ditch the department-specific approach and start involving your entire organisation in your risk and compliance efforts.
Awareness campaigns are therefore another hugely important component of successful security frameworks. Engaging, frequent and interactive, these training efforts need to be factored in when planning your implementation timelines and resources.
5. Don’t underestimate the importance of roles and responsibilities
A common problem organisations face is being unable to maintain their framework once their hired consultants have come in, fixed their problems, obtained their certifications and left.
This issue mainly arises when internal roles and responsibilities haven’t been identified and implemented from the start of the project and consultants have been unable (whether due to resources or direction) to bring employees on the compliance journey with them.
Effective implementation requires assigning these roles and responsibilities to internal teams to ensure they know how to sustain and evolve your framework. There is also the issue of accountability. If no one is responsible for upholding your new ways of working, change simply won’t happen.
These internal responsibilities should become apparent through your initial gap analysis and CMMI assessments, which need to be rigorous and ask employees the hard and potentially annoying questions.
Through this deep knowledge of a company’s maturity and ways of operating, you’re able to help management understand all the different parts of the organisation and get them thinking about what they’re doing, how they can do it better, who can help with this change and whether or not they need new hires such as a DPO or CISO.
6. Remember to work towards “continuous compliance”
One of the major points Julie and Christoffer emphasised in the webinar was the need for businesses to understand the concept of ‘continuous compliance’.
Risk and compliance are not areas where you can apply a ‘set it and see’ mentality. Frameworks that try to mitigate risk and standardise company practices must be dynamic, constantly changing to adapt to new business scenarios and environments.
Where many frameworks fall short is in failing to scope for, and treat, compliance as an ongoing process. May 18th 2018 is a good example of this, where many companies dedicated a lot of time and resources to mapping their data and becoming compliant, only to lose momentum on their compliance efforts after GDPR legislation had taken effect.
Fast forward a couple of years, and many of these businesses are working with outdated and risky processes, systems and practices because no one has been updating them.
Treating your risk and compliance journey as a never-ending, long-term process ensures you’re able to move to a proactive rather than reactive approach to safeguarding company data and processes and allows you to maintain an optimum level of protection against internal and external risk.
7. Track your activities
To be able to continuously monitor the efficacy of your framework, you need to give your employees tools that provide them with a clear overview of the data and controls relevant to their tasks, as well as functionalities to help manage roles, responsibilities and the project status.
Asking individuals to manually keep up with evolving controls, security measures and data, alongside managing various colleagues’ deadlines, soon becomes overwhelming and prone to human error. Particularly if you’re working with multiple frameworks at the same time, such as ISO 27001, ISO 27701 and CCPA, processes and scenarios quickly reveal themselves to be too complicated and complex for manual practices and Excel spreadsheets.
Integrated risk and compliance systems like Complyon automate many of the manual tasks involved with implementing and safeguarding your security framework and provide a much clearer overview of the data flows, regulations and controls relevant to your projects. Its project management module allows you to quickly assign and track roles and responsibilities, send task reminders and keep on top of task and project statuses.
If you’re interested in learning how Complyon helps organisations successfully implement security frameworks, take a look at our short demo here. The 7-minute demo focuses on how to create controls of security measures and implement multiple framework controls at the same time.
To learn more about how software can help you effectively implement security frameworks or to speak to our team about your compliance efforts, get in touch here.