In an era where digital threats loom large, the European Union has introduced the NIS2 Directive—an evolution of its cybersecurity strategy to safeguard essential services and networks. For businesses operating within the EU, understanding this directive is crucial for compliance and enhancing their cybersecurity posture. 

This blog post will guide you through the intricacies of the NIS2 Directive, discussing who needs to comply, its purpose, coverage, requirements, and timeline. By the end, you’ll know how to prepare your organization for this pivotal shift in cybersecurity governance. 

What is the NIS2 Directive? 

The NIS2 Directive, a successor to the original NIS (Network and Information Systems) Directive, marks a significant step forward in the EU’s approach to cybersecurity. It aims to address the growing complexities and sophistication of cyber threats that can disrupt essential services. While the original NIS Directive laid the groundwork for cybersecurity measures across member states, NIS2 expands on these foundations, introducing more stringent requirements and a broader scope. 

The directive aims to bolster the EU’s resilience against cyber threats. By enforcing higher cybersecurity standards, NIS2 seeks to protect critical infrastructures and sectors vital to modern society’s functioning. From energy and healthcare to transport and finance, the directive ensures that all essential services maintain robust cybersecurity practices to safeguard against potential disruptions. 

NIS2 is not just about setting rules but about fostering a cybersecurity awareness and action culture. The directive encourages organizations to take proactive measures in identifying and mitigating cyber risks, ultimately leading to a more secure and resilient European digital landscape. 

Who must comply with NIS 2? 

The NIS2 Directive casts a wide net, encompassing a broader range of sectors and entities than its predecessor. While the original NIS Directive focused primarily on operators of essential services (OES) such as energy, transport, and health, NIS2 extends its reach to include digital infrastructure providers, public administration entities, and other critical sectors. 

Organizations that fall under the directive’s scope must comply with its requirements, regardless of size. This includes private and public entities providing essential services or operating critical infrastructure within the EU. 

Organizations must assess whether they fall within the directive’s scope and understand their obligations. Compliance with NIS2 is not optional. Failure to adhere to its requirements can result in significant penalties and reputational damage. Therefore, organizations must proactively align cybersecurity practices with the directive’s mandates. 

What is the purpose of NIS2? 

The NIS2 Directive is designed to enhance the EU’s cybersecurity resilience and protect its digital landscape from evolving threats. The directive aims to ensure that essential services and critical infrastructure remain operational and secure, even in the face of cyber threats. 

One of NIS2’s primary objectives is to foster a harmonized approach to cybersecurity across EU member states. The directive seeks to eliminate fragmentation and inconsistencies in cybersecurity measures by establishing common standards and practices, ensuring that all member states work collaboratively to address cyber risks. 

Furthermore, NIS2 aims to enhance information sharing and cooperation between member states. This collaborative approach enables member states to pool their resources, expertise, and knowledge, strengthening the EU’s cybersecurity posture. 

What does NIS2 cover? 

The NIS2 Directive covers a wide range of sectors and entities. Its scope includes traditional critical infrastructure sectors, such as energy, transport, and healthcare, digital service providers, public administration entities, and manufacturing industries. 

Within these sectors, the directive applies to organizations that provide essential services or operate critical infrastructure. This includes entities responsible for maintaining the security and availability of network and information systems that underpin these services.  

The directive also emphasizes the importance of supply chain security. With cyber threats often exploiting vulnerabilities in the supply chain, NIS2 requires organizations to assess and mitigate risks associated with their third-party suppliers and service providers. 

What are the NIS2 requirements? 

The NIS2 Directive establishes requirements for organizations to achieve their objectives. These requirements cover various aspects of cybersecurity, including risk management, incident reporting, and governance. 

Firstly, organizations are required to implement robust risk management practices to identify and mitigate cyber risks. This includes conducting regular risk assessments, implementing appropriate security measures, and continuously monitoring their network and information systems for potential threats. 

Secondly, the directive mandates timely incident reporting. Organizations must report significant cyber incidents to the relevant national authorities without delay. Timely incident reporting facilitates information sharing and collaboration between member states, enabling a coordinated response to cyber threats. 

Lastly, NIS2 emphasizes the importance of cybersecurity governance. This includes appointing a designated person or team responsible for overseeing cybersecurity measures and ensuring compliance with the directive’s requirements. 

What are the minimum measures for NIS2? 

Beyond the key requirements, NIS2 mandates the following baseline security measures: 

• Policies and procedures to assess the effectiveness of cybersecurity risk management measures 

• Security in system acquisition, development and maintenance, including vulnerability handling and disclosure 

• Risk analysis & Information system security 

• Supply chain security 

• Policies on appropriate use of cryptography and encryption 

• Incident handling 

• Basic computer hygiene and trainings 

• Business Continuity measures (back-ups, DR, crisis management) 

• HR security, access control policies and asset management 

• Use of MFA or secured voice/ video/text comm & secured emergency communication 

What are the penalties for non-compliance? 

Failure to comply with NIS2 can result in financial penalties for an organization. The dollar amount of fines will be based on an organization’s classification. Essential entities are large companies (250+ employees or €50M+) that operate in sectors of critical importance. Important entities are large companies operating in the other sectors or medium-size companies (50-249 employees or €10M-50M) operating in any of the sectors in scope. 

For essential entities administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher. 

For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the critical entity belongs, whichever amount is higher. 

Conclusion 

The NIS2 Directive represents a significant advancement in the EU’s efforts to enhance cybersecurity resilience and protect critical infrastructures. The directive aims to create a safer and more secure digital landscape for all member states by establishing common standards, fostering collaboration, and addressing supply chain security. 

For organizations, compliance with NIS2 is not just a legal obligation—it’s an opportunity to strengthen their cybersecurity posture and gain a competitive advantage. By implementing robust risk management practices, timely incident reporting, and effective governance frameworks, organizations can protect their operations, safeguard customer trust, and contribute to the overall cybersecurity resilience of the EU. 

Organizations should consider engaging with cybersecurity experts like A-LIGN to stay ahead of evolving cyber threats and ensure compliance with the NIS2 Directive. Reach out to our team today. 

In an era where cybersecurity breaches are increasingly common, the demand for regulatory compliance has skyrocketed. To shed light on how businesses can effectively manage these demands, FTV Capital sat down with Scott Price, the Founder and CEO of A-LIGN—a leading provider of cybersecurity and compliance solutions.

Founded in 2009, A-LIGN was established to align companies’ strategic and compliance objectives, transforming how audits are conducted to save time and reduce costs. With a global presence and over 4,000 clients, A-LIGN offers streamlined services, including compliance assessments and cybersecurity testing.

Scott discussed the pivotal role of external investment from FTV in 2018, which provided financial support, market credibility, and growth opportunities. This partnership facilitated A-LIGN’s expansion and allowed Scott to enhance his leadership skills alongside a board of experienced professionals. Scott also emphasized the importance of innovation and leadership development at A-LIGN, highlighting their Leadership Academy, which fosters a culture of continuous improvement and innovation among employees.

With a commitment to quality, transparency, and continuous innovation, A-LIGN remains at the forefront of helping organizations build trust and confidence in a complex cybersecurity environment.

Read the article: https://ftvcapital.com/insights/a-lign-ceo-scott-price-on-delivering-mission-critical-cybersecurity-solutions-and-nurturing-a-leadership-culture/

According to the HITRUST 2024 #TrustReport, only 0.64% of organizations that received HITRUST certifications reported a security breach in their certified environments over 2022 and 2023. This statistic is a powerful testament to the robustness of the HITRUST framework and its unparalleled commitment to leading the industry in data protection standards.

With such a high success rate, it’s clear that HITRUST’s security assessments, including the new AI Risk Management Assessment, can play a critical role in safeguarding your organization’s AI initiatives. Are you assessing the risks associated with your AI tools before deploying them? Conducting due diligence is crucial to ensure that you have the necessary controls in place to mitigate risks.

Read our blog to learn how this framework ensures your business’s AI initiatives are secure, compliant, and aligned with industry best practices.

What is the HITRUST AI Risk Management (RM) Assessment?

The HITRUST AI Risk Management Assessment is a streamlined self-assessment designed to help organizations evaluate and manage the risks associated with AI.

This framework is built upon the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) and the ISO 23894 standard. HITRUST has consolidated the overlapping controls between these two standards into 51 key controls featured in the AI Risk Management Assessment.

One major advantage of the HITRUST AI Risk Management Assessment is its accessibility. Organizations do not need to be HITRUST-certified or even planning certification in the future to take advantage of this assessment.

Additionally, this framework is not restricted to the healthcare industry. Any company, regardless of the sector, can apply the assessment to measure AI-related risks.

Benefits of the HITRUST AI RM Assessment

The primary benefit of the HITRUST AI RM Assessment is that it offers a comprehensive yet simplified framework for managing AI-related risks.

Without this assessment, organizations would need to navigate hundreds of controls from both the NIST AI RMF and ISO 23247 standards. HITRUST significantly reduces this burden, saving security teams valuable time and resources.

By completing the HITRUST AI RM Assessment, organizations position themselves to meet emerging AI compliance regulations and requirements. This proactive approach ensures that your AI initiatives align with industry standards and best practices, providing your organization with a competitive advantage while saving time and effort in the future.

Moreover, the HITRUST AI RM Assessment helps organizations comply with specific directives outlined in frameworks such as ISO/IEC 42001 and the EU AI Act. These regulations mandate periodic AI risk assessments, and the HITRUST AI RM Assessment ensures your risk management practices are both comprehensive and in compliance with current and forthcoming international standards.

Who should use the HITRUST AI RM Assessment?

The HITRUST AI RM Assessment is suitable for a wide range of organizations. This self-assessment is not mandatory for companies that are HITRUST-certified and utilizing AI in their operations.

However, any business looking for valuable insights into the state of their AI development and usage would benefit from this assessment. It helps organizations identify areas for improvement and ensure they are maintaining compliance as both technology and regulations evolve.

Companies can choose to conduct the assessment internally or hire a trusted third-party auditor, such as A-LIGN, to ensure a thorough and objective evaluation. For organizations lacking internal expertise or resources, working with a trusted audit partner can be particularly valuable.

Achieving AI compliance with HITRUST

As AI adoption continues to grow, organizations are investing heavily in integrating AI technology into their daily operations. In 2024, businesses are projected to spend billions on AI initiatives, with adoption rates soaring across multiple sectors.

HITRUST’s anticipated AI certification, set to be released in November 2024, will further support organizations’ compliance efforts. By completing the AI risk management assessment now, businesses can position themselves for success and be well-prepared for upcoming certification requirements.

Contact us to learn more about how A-LIGN can help your organization complete a HITRUST AI Risk Management Assessment today.

The Digital Operational Resilience Act (DORA) represents a significant step in ensuring financial institutions and other organizations can withstand, recover, and adapt to cyber threats and technological disruptions. 

Understanding the Digital Operational Resilience Act 

The Digital Operational Resilience Act, or DORA, is a legislative framework introduced by the European Union. It aims to enhance the operational resilience of financial institutions by establishing uniform requirements across EU member states. This regulation focuses on safeguarding the financial system from digital disruptions that could have widespread economic impacts. 

DORA was developed in response to the growing reliance on digital services and the increasing frequency of cyber incidents affecting financial institutions. By harmonizing regulations, DORA seeks to create a more robust and consistent approach to managing operational risks. It emphasizes the importance of maintaining continuity of critical services even during disruptions. 

Who needs to comply with DORA? 

Compliance with DORA is mandatory for a wide range of financial entities operating within the European Union, including banks, insurance companies, investment firms, and other financial market participants like fintech companies and payment service providers. Additionally, third-party service providers that offer critical services to these institutions are subject to DORA’s requirements. 

The purpose behind DORA 

The primary goal of DORA is to safeguard the stability and integrity of the financial system by ensuring that financial institutions can withstand and recover from digital disruptions. This includes significant cyber-attacks, technological failures, and other operational challenges that could impact business continuity. 

DORA aims to reduce discrepancies in how different EU member states address digital operational resilience by establishing a unified regulatory framework. This consistency enhances the financial sector’s overall security and minimizes the potential for systemic disruptions. 

Another critical purpose of DORA is to foster consumer trust in the financial system. By ensuring that institutions are equipped to handle digital risks, DORA helps maintain the integrity and reliability of financial services, ultimately benefiting consumers and investors. 

What DORA covers 

DORA covers a comprehensive range of areas critical to enhancing operational resilience. These areas include risk management, incident reporting, testing and assessments, and governance of third-party service providers. DORA provides a holistic approach to managing digital operational risks by addressing these essential elements. 

DORA’s central focus is risk management, requiring organizations to implement measures to identify, assess, and mitigate digital risks. This involves developing robust risk management frameworks and conducting regular risk assessments to identify vulnerabilities. 

Incident reporting is another crucial aspect of DORA. Financial entities are required to report significant incidents promptly to competent authorities. This facilitates timely responses to incidents and enables authorities to monitor and manage risks effectively. 

DORA requirements explained 

DORA sets forth specific requirements for financial institutions and third-party providers to achieve its objectives. Based on the published regulation, key requirements include: 

1. ICT risk management framework: Comprehensive system for identifying, assessing, managing, and mitigating ICT risks. 
 
2. Incident reporting: Processes for managing and reporting ICT-related incidents to authorities. 
 
3. Digital operational resilience testing: Regular testing, including vulnerability assessments and penetration testing. 
 
4. Third-party risk management: Managing risks from ICT third-party service providers. 
 
5. Information sharing: Promoting cyber threat and incident information sharing among entities. 
 
6. Governance and accountability: Clear roles and senior management oversight for ICT risk management. 

Preparing for DORA compliance 

Organizations must take a proactive approach to preparing for DORA compliance. This involves conducting thorough assessments of existing systems and processes to identify gaps and areas for improvement. This assessment serves as the foundation for developing a comprehensive compliance strategy. 

Organizations should prioritize the development of robust risk management frameworks that align with DORA’s requirements. This includes enhancing incident response capabilities, implementing effective governance structures, and ensuring continuous monitoring of digital risks. 

Engaging with stakeholders across the organization is crucial for successful compliance. This includes fostering collaboration between IT, risk management, compliance, and other relevant functions to ensure a coordinated approach to achieving digital operational resilience. 

Conclusion 

The Digital Operational Resilience Act represents a significant milestone in enhancing the resilience of financial institutions in the digital age. DORA aims to protect consumers, maintain economic stability, and foster trust in the financial system by establishing uniform requirements for managing digital risks. 

For organizations subject to DORA, compliance efforts should be approached proactively and comprehensively. By prioritizing risk management, incident response, and collaboration with third-party providers, organizations can achieve digital operational resilience and position themselves for success in an increasingly interconnected world. 

The path to digital operational resilience may present challenges, but it also offers opportunities for growth and innovation. By embedding resilience into their operational strategies, organizations can thrive in digital disruptions and build a more robust, secure financial ecosystem. 

Now that the Department of Defense (DoD) has finalized the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework, businesses within the Defense Industrial Base (DIB) must act swiftly to ensure they are compliant with the updated standards. The 32 CFR rule for CMMC 2.0, which was published in October 2024, introduces a streamlined framework with three control levels designed to safeguard sensitive data including Controlled Unclassified Information (CUI).  

Why should you get in line for a CMMC 2.0 assessment now, and what are the risks if you wait? Keep reading to find out. 

The urgency of CMMC 2.0 compliance 

CMMC 2.0 is a non-negotiable requirement for all entities engaged with the DoD, including prime contractors and their subcontractors. Contractors must obtain CMMC certification under one of the three trust levels to demonstrate that they have adequately implemented cybersecurity measures. For organizations that fall into CMMC Levels 2 and 3, an audit is not just a recommendation — it is a necessity. 

The stakes are high. Because CMMC certification will be required to continue working with the DoD, non-compliance could result in a catastrophic loss of business. Delaying action could jeopardize your organization’s ability to secure future contracts and maintain existing ones. 

Why you shouldn’t wait to get in line for a CMMC 2.0 assessment 

1. Bypass the mad dash to find an available C3PAO. 

There are currently less than 60 accredited CMMC Third Party Assessment Organizations (C3PAOs) available to assess the roughly 80,000 organizations that will need certification. As the demand for these assessments increases, it’s likely that C3PAOs will be overwhelmed with audit requests, creating long waitlists and potential delays. If you secure your spot in the assessment queue now, you can avoid the rush and ensure that your organization isn’t left scrambling to find an available assessor. 

2. Pick the best assessor. 

Acting early allows you to choose an experienced, high-quality assessor rather than settling for whoever is available. Working with a seasoned assessor increases the likelihood of a smooth certification process and ensures that your organization’s unique compliance needs are fully addressed. Companies like A-LIGN can provide comprehensive support beyond just CMMC certification, acting as a single provider for all your compliance needs. 

3. Lock in a favorable price. 

As demand for CMMC assessments rises and the number of available assessors decreases, the ability to negotiate pricing will diminish. By getting ahead of the curve, you can lock in a competitive price for your assessment and avoid the financial strain of last-minute certification efforts. 

4. Ensure complete CMMC readiness. 

The process of preparing for a CMMC 2.0 audit is complex and time-consuming, potentially taking up to 12 months depending on the current state of your cybersecurity practices. Starting early gives you time to undergo a CMMC readiness assessment. This mock audit allows you to identify and remediate any gaps in your cybersecurity framework before the formal assessment, increasing the chances of passing on the first try. 

5. Gain a competitive advantage. 

Achieving CMMC 2.0 certification before your competitors not only secures your position within the DoD supply chain but also enhances your reputation as a reliable partner. Prime contractors will likely prioritize subcontractors who have already secured their certification, reducing project risks associated with non-compliance. Early certification can give you the upper hand in winning contracts and retaining existing business. 

6. Avoid business disruption and contract losses. 

Delaying your certification could lead to significant business disruptions, particularly as CMMC 2.0 becomes a contract requirement. Prime contractors will begin demanding proof of compliance from their subcontractors, and failure to provide this could result in lost contracts or delays in renewals. Acting now minimizes the risk of these disruptions and ensures that your business remains competitive and compliant. 

Get in the CMMC queue with a top federal assessor today 

The transition to CMMC 2.0 marks a significant shift in the cybersecurity landscape for DoD contractors. Now that the final rule has been published, the time to act is now.  

A-LIGN is here to guide you through the complexities of CMMC 2.0 compliance. As one of the first authorized C3PAOs with extensive experience in federal assessments, we can help you navigate the path to certification.  

Contact us today to secure your spot in our CMMC certification queue and learn how we can support all your compliance needs. 

The rapid growth of artificial intelligence (AI) has brought many privacy, ethical, and security concerns to the forefront of business operations. ISO/IEC 42001 is the world’s first AI management system standard created to address these concerns, providing the necessary guidelines to safeguard AI systems and ensure ethical AI practices. With many organizations new to the world of AI compliance, we developed an ISO 42001 checklist to help you evaluate your organization’s readiness for certification. 

Download the ISO 42001 checklist 

Why ISO 42001 and AI compliance matters 

With the widespread adoption of AI across numerous industries, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed ISO 42001 in 2023 to provide guidance to organizations providing, producing, or using AI systems. 

Ensuring the ethical and secure deployment of AI solutions is critical, so ISO 42001 can be essential for organizations to ensure there are correct controls in place to safeguard sensitive data.  

Achieving ISO 42001 certification and upholding the highest AI security practices can help your business demonstrate trust with key stakeholders, gain a competitive edge in the market, and foster a culture of security within your organization. 

Understanding the ISO 42001 readiness checklist 

 Before you start your ISO 42001 compliance journey, it’s imperative you have a comprehensive understanding of the framework to adequately prepare for certification. From there, your security team can start to determine if the proper controls are in place to adhere to the standard and safeguard data. 

Follow the ISO 42001 checklist below to demonstrate your dedication to AI compliance and prepare your team for certification. 

Getting started with ISO 42001 

The first step on the road to AI compliance is to adequately prepare your team by understanding the critical documents and policy requirements highlighted in the standard. 

Understand the standard 

Buy the standard(s) from ISO and understand each of the annexes needed to meet the object of the certification: 

• Annex A: Serves as a control framework for meeting organizational objectives by addressing AI related risk 

• Annex C: Highlights AI related risk sources 

Understand critical documents 

Gain a well-rounded understanding of the required documents outlined in the standard to build a responsible management system that aligns with your business goals. 

• ISO 22989: AI Concepts and Terminology 

• ISO 23894: AI Risk Management 

• ISO 31000: Enterprise Risk Management 

• ISO 42005: AI Impact Assessments 

• ISO 5338: AI System Lifecycle Processes 

• Others: 

• ISO 24368: AI Overview of Ethical and Societal Concerns 

• ISO 38500: Governance of IT  

• ISO 38507: Governance Implications of the use of AI 

Understand policy requirements 

Ensure policies are fit for purpose and fit for use in the context of your specific organization and is applicable when needed. 

Examples of policy categories include appropriateness, framework for objectives, documentation and accessibility, review and adaptation, and more. 

Initial analysis and planning 

Once your team understands critical documents and policy requirements, then you can perform an initial analysis of your management system and identify any gaps or corrective actions ahead of the external audit. 

Perform a gap analysis 

Via self-assessment, independent certification body, or compliance software tool, complete a gap assessment. Make sure to involve various department heads in the analysis to ensure comprehensive coverage. 

Develop an implementation plan 

Prioritize action items based on the gap analysis findings and assign responsibilities/deadlines for each action item. 

Engage with an advisory or consultant partner to ensure your management system is built appropriately in the context of your organization. 

Implement management system 

Organize training sessions for employees on new processes and controls and set up a monitoring system to track the implementation progress. 

Undergo internal audit 

Train internal staff to perform audits or hire external auditors for an unbiased review ahead of the official certification. 

Conduct management review 

Document all management review meetings and decisions for audit purposes, including feedback mechanisms and staff insights on the AI management system. 

Identify corrective actions 

Develop a standardized form and tracking system for reporting and resolving non-conformities and corrective actions. 

Ensure proper documentation 

Create, review, and update a centralized repository for all ISO 42001-related documents to ensure ongoing compliance.  

Engage with auditors for ISO 42001 

Interview and engage a certification body that understands your context to assess and certify your management system so you can offer additional levels of assurance to your customers.  

Choose a certification body 

Evaluate multiple certification bodies to compare expertise, costs, and reputation and choose a quality audit partner that aligns their goals with yours. 

Ensure certification body is compliant with their accreditation body and International Accreditation Forum (IAF) requirements. Check references from other companies certified by the body. 

Hold pre-audit meeting 

Prepare a list of questions and clarifications regarding the audit process and discuss the scope of the audit in detail to ensure full preparedness. 

Ensure audit readiness 

Conduct a pre-audit checklist review with the internal team responsible for ISO 42001 compliance. Simulate audit scenarios to prepare staff for the actual audit. 

Undergo the external audit process 

Designate a team member as the point of contact for auditors to streamline communication. From there, undergo assessment with interviews of key personnel and review of documentation. 

Identify follow-up actions 

Schedule a meeting to discuss audit findings and plan for immediate, short-term, and long-term actions based on the audit report with your internal team. 

Ensure continuous improvement 

Establish a continuous improvement team to oversee progress post-certification and integrate ISO 42001 compliance metrics into regular management reviews. 

Partner with A-LIGN to achieve ISO 42001 compliance 

Obtaining certification and upholding compliance with ISO 42001 is crucial for organizations leveraging AI. By utilizing this readiness checklist and collaborating with quality partner like A-LIGN, organizations can effectively navigate the standard, build brand reputation, and foster trust in your AI systems with key stakeholders. 

Be one of the first to achieve ISO 42001 certification and set your team up for ISO 42001 certification success by downloading our readiness checklist now. 

Establishing a solid foundation in information security is essential for leveraging artificial intelligence (AI) effectively. ISO/IEC 27001 provides the crucial framework for information security management and sets the groundwork for the new standard for AI, ISO/IEC 42001. By adhering to the principles of ISO 27001, organizations can create robust management systems that not only meet security standards but also pave the way for successful and secure AI implementation. This blog post will explore how ISO 27001 serves as the foundation for ISO 42001, offering a path to compliance. 

1. Scope of ISO 27001 and ISO 42001 

ISO 27001 focuses on information security management systems (ISMS). It provides a framework to protect sensitive information through risk management processes. 

ISO 42001 deals with AI management systems. This standard includes responsibilities specific to AI, such as ethical considerations and impact assessments. 

Work required 

To align your organization with both standards, build upon your ISMS and create an AIMS. Integrate responsible AI practices to ensure comprehensive scope coverage. 

2. Normative references in ISO 27001 and ISO 42001 

ISO 27001 references various information security management standards. These guidelines help organizations maintain data integrity, confidentiality, and availability. 

ISO 42001 incorporates AI-specific standards, like ISO/IEC 22989. These references focus on ethical AI use, risk management, and system integrity. 

Work required 

Integrate AI-specific normative references into your compliance framework. Ensure that your organization adheres to both information security and AI-specific standards. 

3. Terms and definitions 

ISO 27001 includes terms related to information security, such as risk, policy, and controls. These terms are essential for implementing a robust ISMS. 

ISO 42001 introduces AI-specific terms, including AI risk, AI policy, and AI objectives. Understanding these terms is crucial for effective AI management. 

Work required 

Update your organization’s documentation and training materials to include AI-specific terms. This will help employees understand the nuances of both standards. 

4. Context of the organization 

ISO 27001 requires organizations to understand the context of their information security needs. This involves assessing internal and external factors affecting information security. 

ISO 42001 extends this concept to AI. Organizations must understand the specific context of their AI systems, including stakeholder expectations and potential impacts.  

Additionally, ISO 42001 requires organizations to understand their role in the AI ecosystem as provider, producer/developer, or user. 

Work required 

Analyze AI-specific issues and assess stakeholder needs. Document these findings to align with the requirements of both ISO 27001 and ISO 42001. 

5. Leadership commitment 

ISO 27001 emphasizes leadership commitment to information security policies. Top management must demonstrate their dedication to maintaining a secure environment. 

ISO 42001 similarly requires leadership commitment but focuses on AI management. This includes defining roles and responsibilities specific to AI. 

Work required 

Ensure that your organization’s leadership demonstrates a commitment to both information security and AI policies. Assign roles to manage AI-specific responsibilities effectively. 

6. Planning for risks and opportunities 

ISO 27001 involves planning to address information security risks and opportunities. This includes risk assessments and treatment plans. 

ISO 42001 extends these requirements to include AI risk assessment and impact evaluation. Organizations must identify and mitigate AI-specific risks. 

Work required 

Implement AI risk and impact assessment processes. Adapt your existing risk management frameworks to include AI-specific considerations. 

7. Support resources and competence 

ISO 27001 mandates the allocation of resources, competence, and awareness for information security. This ensures effective implementation and maintenance of the ISMS. 

ISO 42001 requires similar support for AI management. Organizations must provide resources, training, and communication channels specific to AI. 

Work required 

Allocate resources for AI management and provide necessary training. Establish communication channels to facilitate information flow regarding AI policies and practices. 

8. Operational planning and control 

ISO 27001 focuses on operational planning and control for information security. Organizations must have processes in place to manage and monitor security controls. 

ISO 42001 extends these requirements to AI systems. This includes planning and controlling AI operations, as well as conducting regular risk and impact assessments. 

Work required 

Develop operational controls specific to AI systems. Conduct regular assessments to ensure compliance with both ISO 27001 and ISO 42001. 

9. Performance evaluation 

ISO 27001 requires organizations to monitor, measure, analyze, and evaluate information security performance. This involves regular audits and reviews. 

ISO 42001 similarly mandates performance evaluation but with a focus on AI systems. Organizations must establish specific metrics and criteria for AI performance. 

Work required 

Establish performance metrics for AI systems and conduct regular evaluations and audits. This will help you maintain compliance with both standards. 

10. Continual improvement 

ISO 27001 emphasizes continual improvement of the ISMS. Organizations must address nonconformities and implement corrective actions. 

ISO 42001 also focuses on continual improvement but in the context of AI management. This includes addressing AI-specific nonconformities and applying corrective actions. 

Work required 

Implement processes for continual improvement of your AI management system. Address nonconformities and apply corrective actions to maintain compliance with ISO 42001 and ISO 27001. 

Conclusion 

Understanding the overlap between ISO 42001 and ISO 27001 can streamline your compliance efforts. By integrating AI-specific requirements into your existing information security framework, you can ensure comprehensive and efficient management of both systems. 

By following the steps outlined in this blog, your organization can stay ahead of the curve with robust security and ethical AI practices. If you need further assistance, experts at A-LIGN can guide you through the compliance process. 

Brand reputation is everything in the digital age. Many consumers refuse to do business with brands they don’t trust. One of the sure-fire ways customer trust can be broken? Mishandling or inadequately protecting their data. 

It’s no surprise then that corporate compliance teams have become critically important. They identify and mitigate risks for the organization, including risks with direct legal and financial consequences of noncompliance. Additionally, these teams can avoid or minimize the impact of security incidents, safeguarding the brand’s reputation. 

Data from A-LIGN’s fourth annual Compliance Benchmark Report shows that establishing customer trust and validating IT controls are increasingly important drivers of compliance programs. Rather than merely checking off the minimum regulatory requirements, companies are building a robust security-focused culture throughout the organization to stay relevant. 

In this post, we’ll dig into the data from this year’s report and share how companies can adapt their compliance strategies in response.  

What the data says about the “why” behind compliance 

A-LIGN’s 2023 survey data showed pressure from above and on the bottom line when it came to the motivations behind compliance. One of the top reasons organizations pursue a cybersecurity audit was a board-level or C-suite mandate (23%), hinting that team members responsible for compliance saw it as a top-down order rather than an ongoing, continuous process within the organization. Another big driver of compliance in 2023 was increasing revenue and winning new clients (23%). This data points to a reactive approach toward compliance, with companies embarking on a new audit when an executive or prospective customer asks for one. 

Beyond mandates: A focus on IT controls 

In 2024, executive mandates and new business were the least popular responses to the question, “What is the driving force behind your organization’s compliance program?” On the other hand, the importance of establishing trust with customers and partners rose by 36% from the previous year. Additionally, 55% more companies stated that validating IT controls drove their compliance programs in 2024 compared to 2023. 

These findings indicate a growing emphasis on trust and security — and an overall maturation in how organizations approach security compliance. Instead of waiting for C-suite mandates to tell them what must be done, compliance teams are taking a more proactive and strategic stance that focuses on what can be done.  

Why did this shift occur? As we covered at the beginning of this article, brand reputation is more important than ever. Proactively improving your security posture and publicly sharing your successes can bolster your brand reputation. It’s also possible that businesses have seen — or, worse, experienced themselves — the pitfalls of reactive compliance: lost business, security breaches, and expensive fixes.  

How businesses can build a culture of security 

As the importance of data security continues to rise, so too will the need for comprehensive and forward-thinking compliance programs. Businesses must prioritize transparency and robust security practices to maintain trust with stakeholders and ensure their internal controls are up to par. 

Becoming more proactive toward compliance isn’t easy, but some tweaks to internal processes and attitudes can help get you there. Here are some ways your organization can take steps toward fostering a culture of security.  

Regular audits and assessments 

• Internal audits and continuous monitoring: Conduct regular internal audits to identify and address vulnerabilities before they come up in external assessments. These periodic internal audits, combined with continuous monitoring of your IT systems, will help you detect and mitigate issues promptly. 
• Third-party assessments: Be proactive about engaging third-party auditors instead of waiting until a customer, executive, or investor asks for an audit report. You can also be more strategic about external audits by consolidating all your annual audits into a single compliance event. 

A comprehensive compliance strategy 

• Leadership commitment and internal collaboration: Leadership should prioritize security and compliance, as they set the tone for the entire organization. The leadership team can then encourage collaboration between IT, legal, compliance, and other departments to create a cohesive approach to security. 
• Promote your compliance efforts: When you complete audits and certifications successfully, flaunt them! Celebrate the news internally, and display certifications prominently on your website and in marketing materials to build customer confidence. 

Adapting to regulatory changes 

• Stay informed: Keep up with changes in regulations, industry standards, and security best practices by subscribing to relevant industry newsletters. Check the websites of governing bodies, like the AICPA Auditing Standards Board (ASB) and the International Organization for Standardization (ISO), regularly for updates. Popular resources for security and compliance news include Infosecurity Magazine, SC Magazine, and Compliance Week.  
• Practice agile compliance: Be prepared to adjust your compliance strategies quickly in response to new regulations or emerging threats. If your organization stays sufficiently informed about changes, you can use internal audits and continuous monitoring tools to identify potential gaps and adapt your controls and processes accordingly. 

Get more insights in A-LIGN’s Compliance Benchmark Report 

What does it really mean to build a culture of security? How many audits are companies doing, and what does that translate to in dollars? The 2024 edition of A-LIGN’s annual Compliance Benchmark Report includes insights like these, gathered from a survey of nearly 700 business leaders and compliance experts. It also offers benchmarks related to compliance audits, enabling companies to assess their existing strategies against industry standards. 

See the highlights and download the full report here. 

We’ve written before about the importance of balancing audit cost and report quality to ensure the report you get is actually useful to you. In this year’s Compliance Benchmark Report, we asked nearly 700 professionals about their compliance programs and found that companies care about quality, too: 

• 69% of survey respondents said the quality of compliance reports is extremely important. 
• 22% said report quality was their top reason for choosing an auditor. 

But even if you know that quality is important, how can you tell the difference between a thorough audit report and a deficient one? Some auditors may rely on their clients’ lack of compliance knowledge to help them skate by with superficial reports, but you don’t have to be an expert to spot some common red flags. 

Here’s what to look out for. 

High-level audit report red flags 

Here are a few basic factors that should make you think twice while reviewing your audit report: 

• Perfect report (no exceptions): Many organizations think a “clean” report with no exceptions is ideal, but that can be a sign that your auditor isn’t being thorough. In a SOC 2 report, for example, it’s possible to receive an unqualified opinion that still contains some exceptions. Exceptions help you understand where you can make changes to improve security. So, if you receive an unqualified opinion with no exceptions, take an extra minute or two to check for some other red flags before you accept the result. 
• Vagueness: Are there any specific references to your organization’s security environment? If the report looks like it could have been written about any company, your auditor might be cutting corners to get reports out faster. A vague, cookie-cutter report is a waste of money — you can’t act on it, and customers or partners who read your report may find it inadequate. 
• Short report: If it has appropriate and sufficient management controls and respective auditor tests, the report will be long – sometimes 100 pages or more. The length will depend on the report’s scope and the complexity of the controls tested, but you should give a short report a second glance to ensure it is comprehensive. 
• Uncooperative auditor. Aside from the report itself, it’s a red flag if your auditor is unwilling to answer questions asked by other auditors or stakeholders about the report. The auditor may be hiding shoddy work or lack of expertise. 

Technical red flags 

Once you’ve done a quick first read of the report and your auditor’s opinion, review it a second time and keep an eye out for these issues: 

• Unclear system scope: The name and scope of the system being audited should be clearly defined — for SOC 2, this should be in sections 1 and 2 of the report. The system description (section 3) should be thorough, addressing all five components of your organization’s internal controls per the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring activities. 
• Undefined subservice organization controls: Most companies use subservice organizations, which the AICPA defines as vendors that “perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal control over financial reporting.” Common examples are third-party IT providers, some SaaS vendors, cloud service providers, or data centers. Any relevant subservice organization controls should be clearly described in the report. The auditor should also cross-reference the subservice organization’s own audit report to verify responsibility for the control lies with that organization and not a fourth-party provider. 
• Undefined user entity controls: Similarly, as a service organization, your company likely requires users to take responsibility for some controls to properly and securely use your product or services. These “complementary user entity controls” should be explicitly described in the report in a way that readers of the report will understand. 
• Lack of follow-up testing: If exceptions are found, the auditor should inform management personnel at the service organization (in other words, your company’s leadership or compliance/advisory team), record their response, and perform subsequent testing. If none of this is documented in the report where exceptions are found, it does not meet quality standards. 

What to do if you find red flags in your audit report 

If you’ve noticed several of these red flags in your most recent audit report, you may wonder what to do next. The first step is to reach out to the auditor about your concerns. If they followed compliance best practices correctly, they should be able to answer your questions thoroughly. As we discussed earlier in this post, it’s a bad sign if the auditor refuses to engage with you about the report. A compliance partner acting in good faith should be happy to help you understand the audit report. 

In the event that your auditor does not provide sufficient answers, it may be time to look for a new one. 

The best way to obtain a high-quality audit report 

A-LIGN’s 2024 Compliance Benchmark Report found that a trusted auditor with positive market perception is the top factor companies look for to ensure a high-quality audit report. A reputable auditor should: 

• Have a large team of expert auditors 
• Have many years of experience in compliance audits 
• Be licensed to perform the specific audit you need 
• Regularly undergo and pass peer reviews as well as quality reviews by governing bodies (such as HITRUST, the PCI Council, or the ANSI National Accreditation Board) 

See how your compliance strategy stacks up 

Wondering what other companies look for in an auditor? How many audits are other companies doing each year? How much do they spend on audits? What challenges are compliance teams facing right now? The fourth edition of A-LIGN’s Compliance Benchmark Report uncovered key themes in the world of compliance, including report quality, audit efficiency, a culture of security, and the importance of partnership. 

Download the report now to see where your compliance program stands.