Introducing Books

The months leading up to audits can be some of the most stressful for security and privacy teams. Some audits can take up to 9 months to prepare for and another 3 months to complete, with security and privacy teams spearheading the evidence collection. Collecting evidence used to be a walk in the park, but that was before multi-cloud environments, new standards, and emerging regional privacy requirements. For most, evidence collection has turned into a complex, manual, time-consuming, siloed, and overall painful process. 

Audits depend on the evidence gathered. Companies need evidence that’s sufficient, relevant, and reliable; all while balancing multiple frameworks, competing priorities, and larger business goals. Teams need an easier way to monitor controls and collect evidence.

Today we’re launching Books, the new way to collect and organize evidence directly in Riscosity. Gone are the days when a security tool surfaces findings but doesn’t allow you to build an evidence book with helpful context tailored to those findings. We understand that evidence lies at the heart of audits and assessments – so we built Books to make evidence collection easier. Continue reading to learn why evidence collection is important, why we built Books, and how you can join our beta program.

The Role Evidence Plays in Compliance

Evidence is a critical layer of any audit process because it validates through documentation that a company adheres to established security measures. Being secure and compliant is not only about having secure infrastructure; it’s about ensuring that every aspect is verifiable and auditable. Comprehensive evidence serves multiple purposes:

• Verification of Controls: Evidence is needed to verify the existence and effectiveness of cybersecurity controls.
• Compliance Assurance: Evidence demonstrates compliance with industry and location-specific regulations, protecting companies from costly fines.
• Continuous Monitoring for Improvements: Evidence can ensure an organization has a baseline for how to improve, ensuring teams can remain nimble and adapt to emerging threats and technologies based on current guardrails in place.

Evidence Requirement Examples 

ISO 27001: ISO 27001 audits assess risk assessment and treatment plans, information security policies, access controls, and incident response procedures. Organizations typically present documentation such as risk registers, information security policy documents, access control logs, and incident response plans to provide evidence. 

HIPAA: HIPAA compliance audits assess healthcare organizations’ efforts to safeguard protected health information (PHI). The audit includes reviewing efforts like risk analysis, data access controls, and encryption procedures. Organizations need to provide evidence showing that there are measures implemented to protect PHI.

GDPR compliance: GDPR audits assess how organizations handle personal data and comply with data protection regulations. Evidence needs to confirm that the organization is transparent in their data processing activities, can perform data protection impact assessments (DPIAs) and can conduct thorough impact assessments.

SOC 2: SOC 2 audits assess security policies, and incident response and monitoring activities. Organizations provide evidence through policy documentation, change logs, and incident response logs to prove they have implemented adequate controls to secure and manage its systems.

We Built Books to Make Collecting Evidence Easy

One critical aspect of compliance is evidence collection. According to a 2023 report,  70% of organizations need to demonstrate compliance or conformity to at least six frameworks, spanning across information security and data privacy taxonomies. In that same report, 60% of GRC users said they’re managing compliance efforts manually via spreadsheets. That means teams know evidence is required, but are stuck:

• Collecting screenshots and context
• Maintaining an up-to-date data flow inventory 
• Writing and implementing policies from scratch and ensuring they stay updated
• Tracking whether employees have accepted policies

These are only a few of the many tasks that teams need to complete. From security frameworks like SOC 2, to regulations like GDPR, to industry-specific standards such as HIPAA, organizations are challenged with providing the required evidence to achieve and maintain compliance. 

A Sneak Peak of Books from the Lens of GRC

For quarterly audits, a GRC team may need to compile a list of services in use to account for accepted or known risks, or provide additional context of the sensitive data being shared with specific vendors. With Books, they can pull any required insights directly from Riscosity and build a comprehensive report. Since there are often hundreds of controls that evidence is needed for, this can save days of work rather than having to go through all the access hoops of collecting information from different departments or services. 

The Benefits of Books

Riscosity offers many ways to show controls and meet frameworks like SOC 2, GDPR, and ISO 27001, among others. Enabling users with a way to create a book showing different evidence needed for specific requirements can give security and privacy teams the peace of mind they deserve. With Books, teams can easily:

• Ensure real-time and audit-friendly evidence collection
• Create shareable reports to update key stakeholders on security and compliance status and efforts 
• Map evidence to each control or requirement
• Make adjustments based on regulatory requirements to any Book at any time
• Export evidence from Books in industry standard formats

Books enable teams to leverage relevant information surrounding their environments and code, without running into roadblocks.

Join the Books Beta Program

We're releasing Books in beta to gather user feedback, helping us make the product as effective and useful as possible before the full launch. If you’re interested in trying Books out for yourself, you can sign up on the waitlist here. This is just the beginning, and we’re already hard at work on the next set of features to accelerate how teams collect and prove that all data in transit is secure.