Can you describe a time when you planned and led an engagement with independent assessors to earn ce
Situation:
In my role as a Governance, Risk, and Compliance Lead at CirrusMD, we needed to earn and maintain several critical certifications to enhance customer trust and comply with industry standards. This was especially important as we were dealing with sensitive healthcare data, and our clients included large corporations and government agencies that required stringent compliance.
Task:
The specific certifications we aimed to earn included FedRAMP, ISO 27001, and SOC 2. Achieving these certifications was crucial for demonstrating our commitment to security, availability, and integrity, which in turn would support our business growth and customer trust.
Action:
To plan and lead the engagement, I undertook several steps:
Preparation and Planning: I conducted a comprehensive gap assessment to identify areas needing improvement to meet the certification requirements. This involved detailed analysis and mapping of existing controls to the required standards.
Building a Cross-functional Team: I assembled a cross-functional team that included members from IT, security, legal, and operations. This team was responsible for implementing the necessary controls and preparing for the audits.
Developing Documentation: I led the development of essential documentation, including the System Security Plan (SSP), Plan of Action and Milestones (POA&M), and various policy and procedure documents. Ensuring that all documentation was accurate and up-to-date was a priority.
Engaging with Assessors: I coordinated with independent assessors to schedule the audits. This involved multiple pre-audit meetings to clarify expectations and ensure that our team was fully prepared.
Evidence Collection and Management: I drove the evidence collection process, ensuring that all required evidence was gathered, assessed, and mapped to the compliance requirements. This was managed using a GRC tool that I implemented to streamline the process.
Training and Awareness: I also led the security training program to ensure all employees were aware of and adhered to security protocols and compliance requirements. This included regular phishing campaigns and security awareness modules.
Result:
The engagement was successful, and we achieved FedRAMP, ISO 27001, and SOC 2 certifications.