From digital startups to financial firms, the ability to demonstrate information security per not only investor demands, but also board members and potential business partners, is widespread. As privacy and security consultants who also prep companies for certification, we’re seeing how the need for privacy and security compliance, long since a demand for healthcare, now stretches across industries.
Take this example. An online company selling a product that’s gained rapid popularity attracts the attention of a multi-national interest. It’s a dream scenario for a start-up. A great concept, proven, that garners the best possible outcome: a well-heeled investor. Then a painful reality sets in during due diligence.
The straightforward request of “Let’s start with a review your policies and procedures” has everyone scrambling. Why? Because they don’t exist – at least in the format and detail that a true commitment to privacy and information security calls for.
A high-dollar investment from an established global entity is going to have requirements attached to it that a digital startup likely didn’t include in their gotta-get-launched-yesterday operational plan. Especially when the investor demand reflects an expected alignment with the standards to which their organization adheres, ISO 27001.
Digital startups are one thing, but what about established businesses? Maybe there are industry-related policies and procedures in place but the type of business never called for compliance with a particular set of security standards. Now there’s an opportunity to expand into government work. To play in the big sandbox, there’s a need not only to implement an information security program, but one that adheres to the NIST cybersecurity framework that was updated in April 2018. That’s a big leap.
There are common denominators for most certifications and regulatory needs. You may be asked to achieve ISO 27001 certification or HITRUST. Or you may need to choose the best assessor for your SOC certification process. Almost certainly, no matter your business, you’ll need a security risk analysis.
Start with the fundamentals. In nearly every state there are breach notification laws that require you to have an information security program in place. If not a specific program, then at minimum you need to be able to demonstrate administrative, technical and physical safeguards of sensitive data – whether that’s PHI or client financial information. Once you take care of the basics, your business will be ready for the next great opportunity, and able to meet investor demands.
Work with a team that knows how to map your path to certifications and regulatory standards regardless of industry. Apgar & Associates’ certification readiness preps you for HITRUST, ISO and more. Call us today to get started: 503-384-2538.
