Compliance assessments

Compliance assessments

Compliance Assessments and Certification

The most common way companies prove they are trustworthy from a data security perspective is by achieving compliance certifications. Some businesses have legal or regulatory obligations which often require good data security practices but don't provide any certification to prove to customers that they are being met (ex: CCPA, GDPR, and HIPAA). Many more businesses can benefit by undergoing an assessment to certify they are meeting compliance framework requirements and receive a report proving their security posture.

For example, the Department of Health and Human Services does not endorse any HIPAA certification, and there is no standardized certification and accreditation process. While some companies claim to be HIPAA certified, there is no such designation. Other frameworks such as PCI DSS require that merchants and service providers attest to their compliance through assessment by designated external entities known as Qualified Security Assessor Companies (QSACs), or self-assessment, depending on the organization’s size and transaction volume. 

In addition to simply understanding whether or not you need to be assessed and certified against a law, framework, or standard, you must also understand the details of the assessment, certification, and reporting process:

  • Who can perform the assessment?
  • Is the assessment point in time or over a period of time?
  • What are the reporting requirements?
  • Once I receive my assessment report from my auditor, do I need to communicate it to a governing body?
  • How long is the certification valid?

Regardless of what you are certifying against, the process requires work. The above questions can help ensure your efforts to comply with a given law, framework, or standard are rightly recognized and that you can successfully maintain that compliance for as long as it is needed.


Next Section