Professional Documents
Culture Documents
EB 2021 Compliance Benchmark Report NL 1 0
EB 2021 Compliance Benchmark Report NL 1 0
A - L I G N .C O M
Introduction
Faced with demand from customers and Meanwhile, new regulations and
partners for assurances that sensitive frameworks are on the horizon, such as
data will be protected across corporate the U.S. Cybersecurity Maturity Model
boundaries, as well as regulatory Certification (CMMC).
Survey Methodology
0 10 20 30 40 50 60
Finance
73
Manufacturing
0 10 20 30 40 0-1 2-3 4-5 6+
44
Manufacturing
SOC 1 SOC 2 ISO 27001 ISO 27701 PCI DSS
50
0 30 60 90 120 150
79 HIPAA HITRUST FEDRAMP FISMA CMMS
30
83 0 10 20 30 40 50 60
Finance
36
Manufacturing
0 10 20 30 1-2 months 3-6 months Over 6 months
0 10 20 30 40 50 60
Finance
Manufacturing
0 10 20 30 40 Yes, built or Yes, auditor No Not sure
145 purchased provided
0 10 20 30 40 50 60
Finance
Manufacturing
0 10 20 30 40 < $50k $50-100k $100-200k > 200k Not sure
24
14 12
0 10 20 30 40 50 60
Finance
82 Manufacturing
Budget No Impact Budget Not Sure
0 10 20 30 40
Increased Reduced
11
71%
Yes
Organizations Conduct
Multiple Audits as Disjointed,
Redundant Projects
• Writing policies
• Collecting evidence
• Remediating issues
10%
Unfortunately, it seems that Other
organizations spend significant time
preparing for audits and assessments,
with 51% of respondents familiar with
the audit process spending one to two
17%
> 6 Months
months on prep each year. This was the
most common amount of time spent Time Spent
across companies of all revenue and Preparing for
employee sizes. Audits Annually
51%
1-2 Months
Some organizations (17%) even spend
upwards of six months preparing for
audits and assessments. This happened
more often in companies with over 22%
$1 billion in revenue, which may be due 3-6 Months
to having more audits, assessments,
To demonstrate
effective controls to
the C-suite
SOC 1
SOC 2
ISO 27001
FEDRAMP
FISMA
CMMC
10
75%
8
6
50%
4
25%
2
0
SOC 1 SOC 2 ISO 27001 ISO 27701 PCI DSS HIPAA HITRUST FedRAMP FISMA CMMC
IT Services
12
100%
10
75%
8
6
50%
4
25%
2
0
SOC 1 SOC 2 ISO 27001 ISO 27701 PCI DSS HIPAA HITRUST FedRAMP FISMA CMMC
Organizations Struggle
with Staffing and
Evidence Collection
At A-LIGN, we often hear that auditing • Challenges in Evidence Collection:
and assessing can be a stressful 27% pointed to tedious and manual
experience. evidence collection. (Which is
perhaps unsurprising given our
When audits are reactive—versus findings that most organizations
proactively managed as a strategic aren’t using technology to ease the
initiative—teams may feel like they’ve process).
been thrown a ticking time bomb. They • Lack of Budget: Close to 10%
rush to gather evidence and organize called out budget constraints as a
themselves before an auditor comes top challenge to their compliance
into the picture. And often, there’s a program efforts.
different auditor for each unrelated
audit, which can lead to duplicated work We don’t find it surprising that
and other challenges. organizations struggle with staff time
and evidence collection, especially
Respondents reported several since most are not consolidating audits
challenges that made the auditing or using compliance management
process difficult: technology to streamline processes.
Employees already strapped for time
• Limited Staff: 44% of respondents don’t have the bandwidth to prepare
named limited staff resources for an audit—and the one to two
dedicated to compliance as their months that 51% of knowledgeable
greatest challenge. respondents reportedly spend on audit
44% 27% 9% 6% 5% 5% 4%
Limited staff Tedious and Budget Complexity in Multiple Lack of Other
resources manual evidence constraints conducting auditors with technology
dedicated to collection multiple different solutions to
compliance audits workflows streamline the
audit
From the EU’s GDPR and California’s more privacy controls into their
CCPA to up-and-coming legislation in compliance programs. In our survey,
Virginia and other U.S. states, privacy is 35% of respondents noted that they
at the forefront of regulators’ minds. And needed higher levels of security
it’s not just regulators—consumers are controls. This trend is only likely to
concerned about their privacy and data. continue, as COVID-19 has driven an
increase in remote work and generated
An impressive 71% of respondents said new cybersecurity and privacy
that privacy regulations had an impact concerns.
on their compliance practices. Many
noted that increased requirements GDPR remains the gold standard for
and upcoming legislation are driving privacy, and much of the new legislation
these changes—48% said that growing coming into existence borrows heavily
privacy requirements are necessitating from it. That said, organizations face
additional work, while 27% said that a patchwork of laws in the U.S. and
proposed legislation is pressuring them globally. As more national, regional, and
to stay more current. local governments turn their attention
to privacy, we predict that organizations
As awareness around privacy grows, will continue to evolve their compliance
organizations are looking to incorporate programs to match.
What impact has the increased focus on privacy had on your compliance practice and audits?
100%
75%
48%
50% 35% 28% 27%
25% 18%
Special Thanks
We thank our respondents for candidly sharing their
compliance program experiences. We also thank Eagle
Certification Group in particular for their valuable
contributions to this report.