Compliance

Compliance involves an entity conforming to a set of requirements identified by a regulatory authority. Adherence to a particular standard can be required by laws and regulations, organizational policy, business functions, third-party service provider compliance requirements, or a combination of these. Failure to meet compliance requirements typically results in financial penalties and/or cessation of the associated business function.

QoS can assist organizations in implementing, assessing and/or auditing most information security related compliance standards. Audits, third-party assessments and certifications are the three main objectives pertaining to regulatory standards. The compliance governing body determines which of those three objectives are applicable to a particular standard.

What’s the difference between Audits, Assessments and Certifications?

Audits include an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. The audit report provides the overall results of compliance. Typically, auditors are certified in accordance with the requirements set forth by the applicable regulatory authority.

QoS provides clients with audit support services in an advisory role within the client’s internal compliance team. Having worked with a variety of auditors, our expertise has proven instrumental in navigating the audit process.

Assessments consist of testing and/or evaluation of the system controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the requirements for the system. Assessors are usually subject matter experts attesting to an organization’s compliance. Assessors may hold a variety of industry certifications and/or degrees; they may or may not be certified by a governing body.

Certification verifies that the applicable compliance requirements have been correctly applied and issues a certificate as proof of that verification. Certifications are issued by the respective compliance regulatory committee upon the recommendation of an approved auditor. It is important to exercise due diligence when pursuing industry compliance: not all regulations require a certification, but for those that do, the authoritative body is very prescriptive regarding both the requirements and the approved auditors.

QoS experts bring industry knowledge to provide the following compliance services:

    • Compliance boundary scope development
    • Compliance and Security control mapping, development and implementation
    • Implementation of policies, processes and procedures key in meeting regulatory requirements
    • Readiness assessments for a variety of frameworks and regulations, including: PCI-DSS, Sarbanes-Oxley (SOX), Service Organization Controls (SOC), International Organization for Standardization (ISO) 27001/2, Federal Risk and Authorization Management Program (FedRAMP), Federal Information System Management Act (FISMA), General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA)