In my last post I mentioned that it is worth the effort to draft work instructions that match actual practice. Now I want to take that one step further and hit on a point that can help many of us who go through compliance audits.
In a perfect world, compliance audits are a quick check under the hood and a handshake. Unfortunately, they are much more involved than that. One practice point I want to share that can help with compliance audits is structuring work instructions and established procedures to meet compliance requirements. For things like software updates and critical vulnerability scans, you can make your life simpler with a little forethought. Take, for instance, PCI audit requirements for software update frequency: if your work procedures are written to the requirements of PCI, you are one step ahead of the game. Further, if you address your authoritative system inventory with a procedure that is used to perform periodic security scans, the compliance requirements, documentation requirements and actual practice come full circle without any additional work.
Saving additional work is critical. Having disparate compliance efforts, documented procedures, and actual practices is just asking for things to get out of sync. The investment in making the procedures match compliance requirements is not a new one; it is common sense for those with any regulatory footprint. This can assist staff who are new to compliance requirements as well as make business plans clear in time-critical situations such as a company acquisition.
Do you write your procedural inventory to the compliance requirements? If so, share your efficiency tips below.