For more than twenty years, I have worked extensively in auditing and compliance roles across various consulting firms and industry verticals. My experience covers both performing and undergoing audits, including PCI, SOC 2, and ISO 27001 assessments. In addition, I have prepared numerous organizations for ISO 27001 audits and guided them through the IT-related aspects of Sarbanes-Oxley (SOX) compliance. Over this period, I have used a wide range of Governance, Risk, and Compliance (GRC) platforms.
Among the many tools I have employed, one solution consistently distinguishes itself in functionality, ease of integration, and cost-effectiveness: SimpleRisk GRC.
Key Advantages of SimpleRisk for Auditing
A central feature that sets SimpleRisk apart is its integration with the Secure Controls Framework (SCF) from ComplianceForge. In previous roles, I managed teams responsible for conducting SOC 2, SOX, PCI, and HITRUST assessments across numerous business units. Each year, these teams faced "audit fatigue," largely because the frameworks make repetitive, overlapping demands. Had the SCF been available at the time, it would have streamlined the process considerably. The SCF maps roughly 250 frameworks onto approximately 1,500 controls, so an auditor can run a single, comprehensive assessment against the strictest applicable requirements and, through those mappings, cover several less stringent standards at the same time.

Versatility for Both Internal and External Audits
The SimpleRisk Compliance module supports both internal and external audits. In an ISO 27001 audit conducted in September 2024, SimpleRisk served as the sole platform for managing all audit-related activities. External auditors were granted restricted access through SimpleRisk's granular authentication and role-based access controls. This let them verify previously completed internal audits and review control evidence efficiently, and it left behind a repeatable, standardized process for future assessments.

Conducting a Single Audit Across Multiple Frameworks
Step 1: Import Frameworks from the SCF Extra
First, load all required frameworks into SimpleRisk from the SCF Extra.

Step 2: Establish the Most Stringent Control Tests
Next, create the audit control tests from the most stringent framework in your selection. Because the SCF maps controls across frameworks, a test written against the strictest requirement also satisfies the mapped controls of the other frameworks in scope. The mapping works at the control level, so a control that exists only in one of the less stringent frameworks still needs its own test.
Control tests can be created directly in the SimpleRisk user interface or through the Import/Export Extra. To speed up drafting test objectives, test steps, and expected results, ChatGPT or a similar tool can generate the first draft of this metadata. Review the generated text against the control wording before adopting it, and keep confidential control detail out of any public model.
Example:
- Objective Request: “As an IT auditor, write a [Framework Name]-compliant objective from this control: [Control Text].”
- Test Steps Request: “As an IT auditor, write [Framework Name]-compliant test steps from this objective: [Objective Text].”
- Expected Results Request: “As an IT auditor, write [Framework Name]-compliant expected results from these test steps: [Test Steps Text].”

Step 3: Update Active Audit Controls
Once the audit is under way, work through each active audit test control: upload the evidence and record whether it meets the expected results. Evidence can be drawn from other SimpleRisk modules, so documentation stays in one place.
Centralized Evidence Management Within SimpleRisk
Governance:
Documented exceptions, policies, procedures, guidelines, and standards are stored in the Governance module.


Vulnerability Management:
Vulnerability data, which is often needed to demonstrate compliance, can be pulled into SimpleRisk through its integrations with Qualys, Tenable.io, Rapid7 Nexpose, and InsightVM.

Asset Management:
Asset Management serves as a repository for any type of organizational asset: IT infrastructure, real estate, construction materials, insurance policies, or people.

Risk Management:
The risk register, accessed through the “Review Regularly” screen, provides an overview of all open risks, their status, and the next scheduled review date.

Incident Management:
In line with NIST SP 800-61, Incident Management ships with predefined playbooks and lets you create custom ones. This supports an end-to-end approach to incident handling, from minor events to critical incidents, and also covers the annual tabletop exercises.

Risk Assessment:
During a recent ISO 27001 certification process, Risk Assessment was employed to track annual policy attestations and security awareness training. This ensured that compliance-related knowledge and responsibilities were properly managed and demonstrable to external auditors.

Comprehensive Evidence in a Single Platform
During our ISO 27001 certification, the only evidence not maintained within SimpleRisk concerned our dependencies on AWS and GitHub. All other required controls and evidence were managed through SimpleRisk, which significantly reduced the complexity and administrative overhead usually associated with audits.
Many GRC platforms make auditing cumbersome and inefficient; SimpleRisk streamlines it, offering efficiency, efficacy, and simplicity. For organizations and audit teams seeking a more effective approach, SimpleRisk provides a unified, user-friendly solution that supports both internal and external compliance needs.