Periodic controls are the meetings, reviews and other activities that are performed at regular intervals.
Periodic controls make up about 20% of your InfoSec compliance activities. Because they only come around at intervals, these controls are prone to being missed or forgotten: they are not directly triggered like event-based controls, and they are not a continuous part of your operations like other areas.
Periodic controls are one of the three types of controls to manage in your InfoSec compliance program:
1. Continuous: system settings, policies, user guides, and other documentation that continuously apply and we audit “as is”.
2. Periodic: annual, quarterly or monthly board meetings, risk assessments, and other reviews that occur at regular intervals. We audit to see they were performed within those defined frequencies.
3. Event-based: controls applied to new joiners, terminations, incidents, change releases, and other events that the controls should be performed in conjunction with. We audit to see they were performed for each related event or occurrence.
Aside from being missed or forgotten, these periodic controls are also prone to lacking audit evidence to prove their performance. Typically for reviews and meetings the evidence only needs to demonstrate the subject(s), date, and attendees or control operator.
A non-exhaustive list of control activities that fit into this periodic category includes:
- Board of Director, Senior Leadership Team, and all-hands meetings;
- Risk assessment reviews or workshops;
- Reviews or internal audits of the controls framework;
- Review and update of the documented policies;
- Technical security reviews and vulnerability scans;
- Security and Operations governance meetings;
- System access reviews;
- Monitoring of anti-virus and operating system updates;
- Backups and restoration tests; and
- Business continuity and disaster recovery testing exercises.
Most of these periodic controls take a broad and high-level view of the relevant area. This is a way of checking everything is working as intended, or of identifying areas that may require further action. We audit the design of these controls in a Type 1 audit. For the Type 2, the primary focus is on ensuring they were performed in accordance with their defined frequency (+/- a couple of weeks). These controls are most commonly monthly, quarterly or annual in their frequency.
How to effectively manage periodic controls
There are a few tips that help ensure these periodic controls are effective in practice:
Using software to trigger and document these controls helps ensure they're not missed and that they meet the audit requirements. Because they are reviews and meetings, periodic controls are less suitable for automation. But there are GRC solutions, specialised software like BoardPro, or just general tools like your calendar, that can be used to set up the trigger points and reminders, and to document the key details of these controls when they are performed.
Like any business activity, it's important to have clear responsibilities and ownership to ensure the controls are managed effectively and given the appropriate focus, when required. For periodic controls, this may be a primary reviewer, responsible owner of the function area, or the chair of a meeting. It's often best to have two levels of ownership assigned, perhaps a performer and secondary reviewer, so that it's less likely to be missed, forgotten, or inadequately performed.
Periodic control reviews
Checking in on the listing of controls every month or quarter can identify which periodic controls are coming up, or if any have been missed. If you have a designated contact responsible for your cybersecurity compliance, they may be best placed to run through this list and touch base with each area to check their respective periodic controls have been performed and documented.
Across all control types, the greater the awareness across the organisation, the more likely they are to succeed. This is particularly important in control areas where it's difficult to have a single person responsible. It's also particularly helpful for periodic controls, where another control operator may need to step in if a key employee is on leave when the control is meant to operate.
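The check-in described under "Periodic control reviews" can be scripted against a simple control register. The sketch below is an added example, not part of any tool named in this article; the register layout, the interval lengths in days, the 14-day reading of "+/- a couple of weeks" and the 30-day look-ahead are all assumptions. It flags gaps between performances, missing evidence (subject, date, and attendees or control operator), and controls that are missed or coming up.

```python
from datetime import date, timedelta

# Assumptions (not from the article): interval lengths, 14-day tolerance, 30-day look-ahead.
INTERVAL = {"monthly": 31, "quarterly": 92, "annual": 366}
TOLERANCE = timedelta(days=14)
LOOKAHEAD = timedelta(days=30)

def review_control(control, today):
    """Return (kind, detail) findings for one periodic control."""
    findings = []
    step = timedelta(days=INTERVAL[control["frequency"]])
    runs = sorted(control["performed"], key=lambda r: r["date"])
    if not runs:
        return [("MISSED", "no recorded performance")]
    # Type 2 style check: consecutive performances within frequency + tolerance.
    for prev, cur in zip(runs, runs[1:]):
        if cur["date"] - prev["date"] > step + TOLERANCE:
            findings.append(("GAP", f"{prev['date']} -> {cur['date']}"))
    # Evidence check: a subject plus attendees or a control operator.
    for run in runs:
        if not run.get("subject") or not (run.get("attendees") or run.get("operator")):
            findings.append(("EVIDENCE", str(run["date"])))
    # Schedule check relative to the most recent performance.
    due = runs[-1]["date"] + step
    if today > due + TOLERANCE:
        findings.append(("MISSED", f"due {due}"))
    elif today >= due - LOOKAHEAD:
        findings.append(("UPCOMING", f"due {due}"))
    return findings

def review_register(register, today):
    """Map control name -> findings, omitting controls with nothing to report."""
    report = {c["name"]: review_control(c, today) for c in register}
    return {name: found for name, found in report.items() if found}

# Constructed sample register (illustrative data only).
REGISTER = [
    {"name": "System access review", "frequency": "quarterly", "performed": [
        {"date": date(2024, 1, 15), "subject": "Q1 access review", "operator": "IT lead"},
        {"date": date(2024, 4, 20), "subject": "Q2 access review", "operator": "IT lead"},
        {"date": date(2024, 9, 30), "subject": "Q3 access review", "operator": "IT lead"}]},
    {"name": "Backup restoration test", "frequency": "monthly", "performed": [
        {"date": date(2024, 10, 5), "subject": "Restore test"}]},
    {"name": "Risk assessment workshop", "frequency": "annual", "performed": [
        {"date": date(2024, 3, 1), "subject": "Annual risk review", "attendees": ["CEO", "CTO"]}]},
]

if __name__ == "__main__":
    print(review_register(REGISTER, date(2024, 12, 20)))
```

Run on the sample register with a review date of 20 December 2024, the access review shows a gap and an upcoming due date, the restoration test shows missing evidence and a missed run, and the risk workshop reports nothing.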
What periodic controls do you perform?
If you've completed our Readiness Assessment - these are listed in the Controls Matrix section of the report. You can filter on the Frequency/Population column to select each frequency and see which controls apply accordingly, e.g. select "Monthly" to see your monthly controls.
If you haven't completed our Readiness Assessment - try it out now! It's a free resource that maps your controls and identifies any gaps with recommendations. It's the best first step for any business pursuing InfoSec compliance with standards like SOC 1, SOC 2, ISO 27001, HIPAA, GDPR, and the Consumer Data Right (all of which can be covered by a single assessment).