There’s a lot of overlap between compliance standards, and often multiple are needed. So blending them together makes a lot of sense! How does that work?
At the start of 2021 (a year ago) we started our “all-you-can-eat cyber assurance” covering SOC 1, SOC 2, HIPAA, GDPR, Consumer Data Right, and CCPA. It was instantly popular. It’s common to see three, four, even all six of those as important business goals or requirements. We offered it to three existing clients that all went for it, and then we paused while we saw it play out in those pilots.
At the start of 2022 (this year), we've now added a few additional pieces to the list and offer three levels of blended standards; Establish, Expand and Excel. The new standards include:
- ISO 27001: commonly combined with SOC 2, or sometimes used as a different starting point for your compliance program.
- CSA STAR: a built-for-purpose cloud security standard to go beyond entry-level standards.
- ESG: sustainability reporting that’s increasingly on the enterprise agenda and a point of positive differentiation.
Now our blends can cover all bases of what enterprise care about; bar perhaps US government, high security clearances, or nuanced regulatory compliance for specific industries like finance.
The concept is; we blend multiple standards into one commercial arrangement and clients can add them when they want, and when they’re ready. With the efficiencies involved it works out to about double the cost and effort of a single standard, so if you need any two or more it’s generally worth it.
Why is it so popular?
Cost savings aside, there are a few reasons why the concept is really popular;
- It’s a major headache for businesses to decide which one or two standards to pursue and future proofing for others that may come up. Enterprise customers are coy about what they require and it’s especially hard to anticipate what will be mandated or important in the future. The all-you-can-eat model ensures all bases are covered both costs-wise, and that you’ve the foundations ready to uplift to whichever standards you need without all the usual duplicated effort.
- Modern businesses work on OpEx. Almost all expenses of modern businesses are monthly recurring fees or smaller ad-hoc costs. Paying for audits as a large ad-hoc costs throws out budgets and is challenging to manage as an odd-one-out in the P&L.
- Compliance enables growth. Compliance outcomes can be viewed one of two ways; a necessary evil that negatively impacts the business, or a source of competitive advantage. Either way, covering more basis lowers the friction and positively differentiates your business during enterprise sales. If costs were the same and there was minimal additional work, few businesses would turn down additional accreditations to take the pain away and grow their business.
How do the blends work?
We have three tiers; Establish, Expand, and Excel, that each do what their names suggest:
- Establish covers of the most commonly accepted assurance standard; SOC 2, with Security, Availability, and Confidentiality, and includes both a Type 1 and Type 2 in year one. These default inclusions take out the headaches of choosing the scope and report type that often leaves clients confused and hesitant. A Type 1 report can be issued as soon as compliance is achieved to start building trust and securing enterprise deals. A Type 2 is issued soon after, which many enterprise see as the more reliable report to tick off your credentials. Availability and Confidentiality are great inclusions for all SOC 2 reports so customers know you are generally secure, reliable, and protecting their most sensitive confidential data.
- Expand builds on the Establish tier, with one other business goal that can be selected. That might be the privacy add-on including the SOC 2 Privacy criteria, GDPR, and/or CCPA to demonstrate privacy best practices and cover the common international requirements. Or it can be SOC 1, HIPAA, ISO 27001, Consumer Data Right Accreditation, Sustainability reporting (ESG), or CSA STAR. These add-ons play an important role in their respective industries. It’s strategically we’ll suited to combine the general purpose and broad SOC 2 report, with these more specific purpose standards.
- Excel is where this all-you-can-eat approach really… excels. It’s where your compliance program stands out from the crowd, and you remove all the headaches of planning for and managing each standard individually. It includes all standards referenced above. That doesn’t mean they all need to be achieved in one go, or even the first year of this blend. There’s flexibility of when to start, complete and issue the respective standards.
What’s the catch? Why doesn’t everyone do blending?
Blending in this way just makes a lot of sense. In each model you get more for less. Even if you don’t want more, the simplicity of having it included for if and when you do, removes major headaches.
There’s efficiencies of this new way of looking at compliance; instead of individual projects and duplication. It works based on the underlying compliance attributes with many overlapping areas within each standard. Our software enables this without any duplication, so we have an edge when it comes to this style of approach. It’s a natural evolution of our clients needs that we’ve been supporting for years in the snowballing world of compliance standards. No one standard is enough.
There are a few circumstances where this new way may not be the best option for you:
- You’re expecting an acquisition, pursuing a single SOC 2 Type 1 or Type 2 to help get that across the line (actually fairly common);
- You only need ISO 27001 or ONE of the other standards. ISO 27001 is a less flexible standard, which is why it’s not offered as an option in the Establish blend; OR
- Enterprise customers have set very specific, nuanced requirements. We rarely see this anymore, but for example last year a Swiss bank had a set of really specific and bespoke requirements for one of our clients. They could achieve all of these combined standards and still only get half way to this customers mandates.
Aside from those scenarios, the three blends should save costs and effort compared to any other approach. For example, even if you go for the bare minimum; straight to SOC 2 Type 2 and Security only, the Establish blend works out to the same costs but with monthly billing. The additional Type 1 report, Availability and Confidentiality are included if you later decide you want them (we think you will based on our experience, and it's a good option to have if you need them).
How do you get started?
Our award-winning product is free to use for your initial assessment; we always recommend this as the first step so you know what you're in for before committing to it. You can select as many of the standards as you like, and assess your current state against all of them in one assessment. We'll workshop the outputs with you, to guide you on deciding an action plan, perhaps a roadmap of when you want to incorporate each standard based on your growth strategy and customer requirements.
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.