For more information, please visit http://www.corsis.com.
1. Audit Hurdles for Mid-Sized Companies
Corsis’ mid-sized clients are often subjected to compliance audits, either by potential acquirers, demanding customers, or statutory requirements like HIPAA. Some of the widely used compliance standards that we see in the industry include:
– ISO 27001 (see http://www.27000.org/iso-27001.htm and http://www.itgovernance.co.uk/iso27001.aspx)
– NIST-800
– SSAE-16 (see http://www.ssae16.org/white-papers/ssae-16-controls–5-important-points-to-know.html)
– PCI DSS
– HIPAA
When we step back and survey the diverse IT auditing landscape that confronts our mid-sized clients, we have observed a recurring theme regardless of business vertical. Today’s CIOs are struggling to define a standard of “best practices” that is achievable given their budget and staffing constraints, and are seeking to get operational benefits out of the onerous compliance audit process.
Why is this so hard? For starters, formal certification against standards such as ISO 27001 and SSAE-16 is a complex and expensive process (see: http://www.27000.org/ismsprocess.htm). It is normally undertaken by larger companies with sizable IT budgets and the ability to assign project teams to time-consuming risk assessment activities. In addition to the sheer cost of certification audits, there is uncertainty around obtaining tangible, operational benefits from the process.
Mid-sized companies are struggling to define what “best practices” means to their business, and to make “best practices” a part of day-to-day operations. Part of the Corsis philosophy is that best practices in IT infrastructure management should not be an unattainable pie-in-the-sky standard. Rather, best practices should be tailored to a company’s operational context, taking into account IT budget, size of operations, growth goals and customer expectations for data security and availability.