
Top 8 Questions to Ask a Compliance Provider


If you are in the market for a Compliance Provider to help you achieve attestation with a framework like SOC 2, HIPAA, NIST 800-171, ISO 27001, or CMMC, you might find it difficult to compare apples to apples. How do you choose the best one for your business?  

We’ve probably all shopped online for expensive technology like smartphones at some point. 

You compare all the features, read the reviews, research the technical support, and find the best price. Finally, you find the right phone at a great price, but then you realize that you need to add accessories that aren’t included, like a car charger or a protective case.

And, of course, what good is the phone if you don’t purchase a phone plan from a 3rd party that has optimal coverage in your area? Finally, does the phone you already selected work with that plan?

It goes without saying that the process can be challenging, and all the components must come together on your schedule so you don't end up without a working mobile phone.

Shopping for a Compliance Provider can be just like shopping for a phone. You want to find the best product that suits your needs and budget, but you also need to consider other factors that affect your experience.

Just like you need accessories and a phone plan to make your phone work, you need additional services and support to make your compliance process work. However, unlike phones, Compliance Providers are not standardized and easy to compare.  

Different Compliance Providers may offer different levels and types of services. Some may only provide basic compliance assessments and reports, while others may include comprehensive management software and monitoring, penetration testing, an auditor, and security and compliance consulting. Some may specialize in certain regulations or industries, while others may cover a wide range of areas.  

You want to find out what services the provider offers, how they match your needs, and if you will be shopping for multiple vendors to complete the compliance puzzle. 

Lucky for you, we’ve compiled a list of the most important questions you should ask a Compliance Provider before signing a contract. 

Here are the top 8 questions to ask a compliance provider before you sign a contract: 


  1. Do you provide compliance automation software that streamlines compliance workflows and assures audit readiness?

Compliance automation software is a tool that helps you meet the requirements of your chosen framework. It does this by collecting evidence of your security controls and mapping it to the relevant standards. It also generates reports and alerts, and notifies you of any problems or gaps.

Compliance automation software can reduce human error, lower audit risk, and save you time and money overall by cutting manual work (such as tracking everything in a spreadsheet and confusing back-and-forth communication over email). It can also help you maintain continuous compliance by monitoring your security controls and providing real-time feedback (after all, this is not a once-and-done checklist!).

Although compliance automation software seems expensive, you have to consider the return on investment (ROI). By streamlining the compliance process, reducing the time and resources required to achieve and maintain compliance, and minimizing the risks associated with non-compliance, you ultimately save money in the long run.

We’ve all experienced the wasted time and potential for error that come with back-and-forth communication over multiple versions of files. Your 3rd party assessor will thank you when they can go to one portal to collaborate, generate reports, and access the evidence.

BEMO’s compliance offering includes the licensing, deployment, and user training of a leading-edge compliance automation software that covers all your compliance bases, including governance and risk management. 

  2. Do you have a 3rd party assessor who will work with our IT and Security teams to validate our security controls and deliver the report?

A 3rd party assessor is a qualified auditor who evaluates your security controls against the criteria of the framework you’ve selected and issues the official report. Ultimately, your goal is to receive a favorable final report from an unbiased, trusted 3rd party to prove to your customers, partners, or regulatory agencies that you’ve done your due diligence. Great, now you have another item to shop for – a 3rd party assessor. But how do you go about finding one?

BEMO not only procures the trusted auditor as part of our compliance offering, but interfaces with the auditor on your behalf. 


  3. Do you offer a 3rd party penetration testing service?

A penetration test is a simulated cyberattack that aims to identify and exploit vulnerabilities in your network, systems, and applications. It is a crucial step in assessing your security posture and validating your security controls. A 3rd party penetration testing service provides you with an independent and objective assessment of your internal and external vulnerabilities (the doors you’ve left open to cyber-attacks), as well as recommendations on how to fix them.

BEMO includes a 3rd party penetration testing service as part of our compliance packages, taking charge of all the procedures and processes (including coordinating the timing of the tests, meeting with you to interpret the results, and taking remediation action to close the gaps). Our offering includes 2 pen tests per year, with remediation in between. Which brings us to another important question to ask…


  4. Do you assist with remediation, or are we on our own?

Remediation is the process of fixing any gaps or weaknesses in your security controls that are identified during the assessment process. Remediation is essential to achieving and maintaining compliance, as well as to protecting your organization from cyber threats. Many compliance providers only show you the gaps found in penetration tests, vulnerability scans, readiness assessments, and so on, but do not help with remediation (fixing the problem). Remediation can be challenging and time-consuming without proper guidance and support.

As already noted, BEMO facilitates remediation of the findings from pen testing. Additionally, BEMO’s approach is to deploy our Platinum Security Package in advance of your compliance effort to minimize the remediation phase.

We manage your ongoing security, so you don’t face a painful remediation process or, worse yet, a security breach.

As part of BEMO’s compliance offering, we secure your Microsoft 365 environment with our Platinum Package. It is our most comprehensive security package: it goes beyond the required compliance baseline and is designed to make you compliance ready.

We deploy, monitor, and manage Microsoft 365 security across email, identity, devices, documents, guest management, configuration control, and cloud apps, and we handle vulnerability management, managed threat detection and response, and SIEM deployment and alert analysis.

The Platinum Security Package includes Employee Cybersecurity Awareness software and Cloud Backup software – both requirements in most compliance initiatives.

Which brings us to our next question…


  5. Do you assign a Security Engineer who will work with our IT, main stakeholders, and Security teams to validate that our security controls are configured correctly?

A BEMO Security Engineer will help you achieve compliance by working with your team to validate that your Microsoft cloud security controls are configured and monitored correctly. The Security Engineer will also provide guidance, best practices, and support throughout the compliance journey to strengthen your company’s security posture.


  6. Do you have a Compliance Engineer who will monitor, diagnose, and repair any security control in a timely manner to ensure we remain compliant?

If you’ve never been through the compliance process before, or you have but don’t have the luxury of a full-time Compliance Officer, this question is key. You want to work with a competent Compliance Engineer who will oversee your audit readiness, interface with the auditor, and translate complex compliance requirements into clear language and straightforward expectations.

A Compliance Engineer can help you maintain compliance by continuously checking your security controls for any changes or errors and fixing them as soon as possible. A Compliance Engineer can also provide proactive recommendations on how to improve your compliance posture and prevent future issues.  


BEMO conducts comprehensive quarterly compliance reviews with your stakeholders to ensure that your technology systems, processes, and practices align with relevant standards, new regulatory requirements, and best practices. 

We evaluate your company’s IT infrastructure, policies, controls, and documentation to identify any gaps or non-compliance issues, and we take action to remediate within 72 hours, so you don’t fall out of compliance.

We also monitor your controls and systems and alert you to any suspicious activity so that preemptive measures can be taken.


  7. Do you assist with policy management?

Policy creation is the process of developing and documenting the policies that define how your organization manages its security and privacy practices. Policies are important for establishing clear roles and responsibilities, setting expectations and standards, communicating procedures and processes, and complying with regulations and laws. Auditors look for evidence that you actually follow the policies and procedures you’ve established.

Policy creation can be complex and tedious without the proper expertise and experience. Therefore, it is important to ask whether the compliance provider will assist you with policy creation or expect you to do it entirely yourself.

While Policy Management might be 20% of the compliance process, it could possibly take up 80% of the time! 

BEMO provides assistance with creating and updating an IT Compliance Handbook that includes policies such as Information Security, Disaster Recovery, Business Continuity Plan, Incident Response, and many more. 

Additionally, the compliance automation software manages the policies and tracks employee acceptance, reducing administrative overhead and oversight when onboarding new users.



  8. Is your pricing transparent, and does it include everything?

There’s nothing worse than spending hours shopping and thinking you have the best deal, only to realize that everything WAS NOT included in the price, or that you will have to hire additional resources to manage your security or compliance, adding time and money to the process. Pricing can vary depending on the scope, complexity, and duration of the compliance project, as well as the quality and reputation of the compliance provider. Here’s a quick list of the components you should cost out:

  • 3rd party Penetration Testing 
  • 3rd party Auditor 
  • Compliance Automation Software 
  • Comprehensive Managed M365 Security Services to get you secure and keep you secure 
  • Comprehensive Managed Compliance Services to get you compliant and keep you compliant 

BEMO believes in transparent pricing and in providing the best value for an end-to-end solution for SMBs, with no surprises. And if you haven’t migrated to Microsoft 365, we throw in migration services for free! We assign a dedicated Project Manager to guide you through the migration, security, and compliance journey, easing the burden on your team so you can focus on your core business.

Get ready for Compliance!

Download for free everything you need to know about our Platinum Cybersecurity Package to build a solid foundation before heading on towards compliance.

Make sure to download the checklist with all 8 questions so that you don’t forget any details at your next meeting with a compliance provider.