Enterprise failing a security audit sought a way to be "always audit-ready"
The Situation
In 2016, auditors at a €4bn enterprise found the organization fell short of standards and requirements, lacking consistency across its security program, with incomplete, out-of-date policies, a lack of documented processes, and poor employee engagement. Gaps in process and urgent threats were addressed sporadically with a triage mentality – “just make the problem go away as quickly as you can.” The client sought a better system of security management that would be “always audit ready” and “always incident ready.”
The Task
Create a management system with high employee engagement and measurable continual improvement in all areas of security management. Ensure the client’s processes are being successfully implemented by contemporaneously reviewing artifacts as they are created.
The Action / Approach
Using online collaboration software and the NIST and Baldrige performance excellence frameworks, senior consultants coached and mentored members of the client’s security and technology teams to improve each work activity related to security. Together, the consultants and team members recorded changes and suggestions for improvement, thereby measurably and continually improving each work activity.
The Result
Within three months, every work activity (process) of security had a thread of documented improvement. Within six months, every new development, new application, and new threat was routinely entered into the collaboration site, with each item fed into the continual improvement processes conforming to international standards. Auditors arrived for a routine annual audit, and instead of taking two weeks to review every work activity and its proofs, the auditors were able to review the documentation and witness the real-time engagement of all employees in continual improvement. Auditors required only two days to satisfactorily complete an audit that normally takes two weeks.