How to Prepare for an External Compliance Assessment

Mar 13, 2024 | Assessments, Compliance

Over the years I have had many people ask me what they should do to prepare for an external compliance assessment. Or even worse, I’ve had people come to me in a panic because they have an external compliance assessment in a few weeks. My response is: If you are doing things correctly, it should be nearly stress-free, and you shouldn’t need to do much, if anything, special.

That is usually met with disbelief: “Assessments are so stressful, and we have to provide so much supporting documentation.” Just as you would not start training for a marathon a week before the race, likewise, you should not be scrambling to prepare for an assessment or audit just before you are scheduled to have one.

Further, if you are waiting until the last second, then you have not really embraced the spirit of the underlying framework or standard for which you are about to be assessed, and you surely are not getting the benefits of the underlying framework. Not only that, but a seasoned assessor/auditor will quickly see through your façade and start writing deficiencies.

What should you do instead? Take advantage of the controls imposed by the framework and use them as a tool for helping your company improve.

Here are some tips to help you thrive in your compliance journey and, by extension, your next external compliance assessment.

  1. Executive management has to be on board and committed to meeting your framework. If they are not, they will not provide the time and resources to fulfill the required obligations.
  2. Establish compliance goals and make sure those goals align with the overall corporate goals. They should support each other, not conflict or compete with each other.
  3. Make sure you have well-documented, repeatable internal processes.
    1. Your internal documentation should define the roles and responsibilities for meeting your own policies and procedures.
    2. Processes should describe the desired outputs, the timeframes for completing tasks, the required artifacts, and the storage requirements.
  4. Thoroughly and competently perform your routine maintenance activities, such as annual control assessments, risk assessments, security awareness training, and incident response testing. It is much better for you to discover your weaknesses and fix them before an outside assessor/auditor or agency finds them, or, even worse, before you fall victim to a cyber attack.
  5. Stick to the schedule, and make compliance maintenance a priority. It is easy to prioritize other matters over your routine maintenance or internal assessment tasks. Those activities are an investment in the company, so give those responsible the time and resources to complete their tasks.
    1. You can break larger tasks down into smaller, more manageable tasks. For example, if you can’t assess all of your information security controls at once, do smaller chunks quarterly or semi-annually.
  6. Maintain good records. Don’t consider a task complete until all outputs are documented, labeled, and stored in the appropriate repository. Make sure to include details of the task completed (e.g., who, what, where, when), and when possible, map supporting documents and artifacts back to specific requirements.
  7. If you have the budget, consider using a governance, risk, and compliance (GRC) application. There are many tools on the market that will help you manage your compliance efforts, timeframes, accountability, artifact management, etc. It won’t do the work for you, but it will make it easier for you to stay on track and to prove your compliance/conformance to anyone who may ask.
  8. The resulting records should not be used only to satisfy your assessor/auditor. To get the most bang for your buck, the results should serve as inputs into your corporate strategy, planning, and budgeting activities.

The key to being prepared for an audit or assessment is to view the actual external assessment as an afterthought. You must institutionalize the underlying framework/standard so that it is interwoven into the fabric of the organization. Compliance or conformance should be baked into your business, and it must also have executive support.

In that way, it is not something that you do to satisfy an assessor or auditor; instead, it is just the way you do business. If you are doing it right, an auditor could show up tomorrow, and in a few minutes you can show them anything and everything they would want to see.

A good assessment is designed to show that you are doing things right; it’s not a “gotcha” exercise. Assessments are an opportunity to grow and get better. Once you view them in that light, rather than as an adversarial relationship, your whole perspective will change.

Do you want help getting to that place? Reach out today.
