Using cPaks and tPaks in Proactive Compliance Management (PCM)
The word "audit" makes people nervous. In actuality, the only nervous people are those who are just not prepared to pass it. Remember: the questions are only hard if you don't know the answer. When an auditor shows up, rest assured that you'll receive a list of questions that you must answer AND provide evidence to back up your answers. You typically have about 30 days to complete all of the audit questions. Specifically, you get questions that require you to:

- provide an answer
- produce evidence
- show framework relationships

This can be difficult. Many people in the IT or MSP world know the answers to the questions, but do they have them documented to prove the answer? Will they have the information to prove compliance? Forms, lists, databases, images, screenshots, reports, procedures, and policies are all good forms of evidence, as long as they pertain to the question.

Basic workflow?

- Read the question
- Answer the question to the best of your ability
- Provide documentation as evidence to back up your answer
- Provide framework mappings if available

Remember in school when a friend was able to steal the questions to the test before test day? It made it so much easier to pass the test with flying colors. It would be cool if you knew what questions an auditor was going to ask! Well, stop worrying about that test, because we already know the questions. In fact, AssureSphere360 already knows more than 2400 actual audit questions that are most likely to be asked! Not only that, we know the best practice answers as well. We built compliance packs (cPaks) to handle each question that may come at you. A cPak contains the auditor's question, provides a best practice answer, provides 4 or 5 documentation titles that serve as evidence of the Q&A pair, and provides 4 or 5 of the framework mappings.

Go through the cPaks and modify them to suit your business requirements. Then, look at the evidence suggestions to determine if you have documentation that can serve as this evidence. Don't worry if you don't have documentation to back it up yet.

tPaks to the rescue!

tPaks are templates and samples based on cPak audit questions and answers. tPaks are built on control domain requirements. Access Management, Backup and Recovery, and Breach Management are all examples of control domains. Each tPak covers approximately 25 to 50 templates/samples, and the best part is that they cover all evidence requirements.
Simply grab the template/sample, modify it to your organization's requirements, and store the docs in your AssureSphere360 directory within your documentation platform.