The topical focus in InfoSec compliance and assurance standards, is automation. How do you implement your control practices in a systematic way that automates the performance and documentation of your controls?
The main benefit of automation is operational efficiency, but also using software solutions to manage your control practices also tends to make them more effective and consistent as well. It’s important to note that most security and compliance control practices can’t be fully automated.
There's three levels of automation to consider in this context:
1. Completely automated controls: some practices can be completely automated like systematically enforced multi-factor authentication or independent review and approval for pull requests in the software source code repository.
2. Automated processes: practices like network and system monitoring, operational workflows, and vulnerability scans, can have the core processes or functions automated by software. These rely on a manual review or other human actions to complete the control practices.
3. Software supported controls: most automation sits in this category. Software provides assistance with the control triggers, reminders, central tracking, audit trails or other control elements to support the control practice. For example; system alerts and logs, task lists and trackers, intranets and document repositories, and knowledge management solutions.
There's so many software solutions now - it's less common to see controls that are completely manual. We still see manual controls in some areas like the Board of Director meetings, risk assessments and registers, and business continuity practices. The modern focus of InfoSec compliance is automating the control practices to the extent possible. This may be using existing software solutions, and in some cases procuring software specifically to manage the control practices.
Our InfoSec Practice Guide has a comprehensive list of the InfoSec practice areas, and associated software types that provide solutions to automate those practices. This has over 30 categories of software, which each have many software products within those. Some types of software cover a broader range of practice areas but provide a lesser extent of automation, like knowledge management solutions (eg. Confluence, Notion). Others are quite specific and comprehensive in their level of automation, like system monitoring tools (eg. Datadog, Threat Stack).
Without going into over 30 categories, we'll explore the top five categories that we see have the biggest impact on InfoSec compliance automation.
Security and Compliance platforms: solutions like Vanta, Drata, and Hey Laika, have combined a general set of security tools, integrations and "out-of-the-box" compliance practices to specifically solve InfoSec compliance with standards like SOC 2 and ISO 27001. The convenience of these combined functions and how it supports the compliance audits have disrupted the InfoSec compliance industry with a rapid uptake of these solutions.
GRC Software: governance, risk and compliance solutions like ZenGRC, OneTrust and 6clicks provide functionality to assess, log, monitor and manage risks and control practices in a central system. These can be used to perform the governance level control activities and act as a central documentation store to satisfy your audits and compliance objectives.
Configuration & Policy Monitoring: solutions like Cloud Conformity, Cloudcheckr and 40Cloud, identify, assess, monitor and assist in managing broad and detailed security practices for cloud infrastructure. These are effective in supporting "in the cloud" security and compliance to be combined with your organisational control practices.
Knowledge Hubs: solutions like Confluence and Notion provide general functionality to document and manage various control practices and other business activities in one place. These can be an effective alternative to Security and Compliance Platforms, or GRC Software for those that want to customise their own approach and link their security and compliance to the broader business activities. The simple functionalities to document policies and registers, link pages, record workflows and audit trails, approvals, and communicate and track between multiple parties, enables broad coverage of security and compliance control practices. Some service providers have built "lift-and-shift" solutions to implement a more "out-of-the-box" approach within these knowledge hubs.
HRM Software: Human resources actually forms a large component of security and compliance. While these software solutions are specifically designed to manage employees, they cover a broad range of control practices across employee onboarding, off-boarding, performance management, organisational policies, training and development. This software also solves broader business goals than just your security and compliance.
It's important to consider a holistic strategy to software and your security and compliance goals. You'll probably find that many of your existing software product have "automation" solutions to various security and compliance practices. In general, it's best to use these existing solutions as it helps to integrate your security and compliance goals with the broader operations and business goals. Get in touch if you want to see our full practice guide with over 30 categories of software and example vendors for each.