Why Is Assurance Important? What Does It Mean To GRC?

You cannot be awesome without assurance, maybe mediocre at best. Assurance is something you can prove and it is the output of security, compliance and resilience practices. There are several levels of assurance:

• No Assurance is where there are no reasonable grounds to conclude controls are applicable, properly scoped, implemented correctly and/or operating as intended. No assurance is at best an assumption.
• Low Assurance is where there is reasonable confidence that applicable controls are properly scoped, implemented and free of obvious errors.
• Moderate Assurance is where there are increased grounds for confidence that applicable controls are implemented correctly and operating as intended.
• High Assurance is where there is overwhelming evidence of due diligence and due care that applicable controls are implemented correctly and operating as intended.

The more robust the rigor of an assessment, the more reasonable it is to demonstrate higher assurance. Low rigor is low assurance at best, unless scoping or evidence has been gamed and then it is No Assurance. Therefore, the concept of obtaining a "SOC 2 audit in 2 weeks for $5,000 " that is presented as something to be trusted is simply marketing dishonesty and is intellectually reprehensible. In their race to the bottom, the audit/certification mills promoting this nonsense do not sell trust or security. In reality, they just tarnish the concept of third-party audits/assessments and should be ashamed of passing off a minimally-scoped and low rigor assessment as a genuine assurance process that is worthy of trust.

If that sounds harsh, let's look at an authoritative source for guidance on the meaning of these key terms. The NIST Glossary is a great place to start:

• TRUST is defined as "A belief that an entity meets certain expectations and therefore, can be relied upon."
• SECURITY is defined as "A condition that results from the establishment and maintenance of protective measures that enable an organization to perform its mission or critical functions despite risks posed by threats to its use of systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the organization’s risk management approach."
• ASSURANCE is defined as "Grounds for justified confidence that a [security or privacy] claim has been or will be achieved."

The idea of trust as being something that can be relied upon is crucial. Stakeholders being presented with a SOC 2 audit report that is the result of gaming the scope of applicable controls or the evidence relied upon to demonstrate conformity with those controls is not trust. That SOC 2 audit report provides essentially no value and is the antithesis of trust since it does not accurately belay the actual security practices that exist within the organization. At best, it is security theater and at worst it is fraud.

We want GRC processes to be awesome and that means organizations need to implement security, compliance and resilience practices that can provide assurance to both internal and external stakeholders. That is how you build trust. Weakly scoped certifications that mean nothing are just a parasite feeding on the cybersecurity industry.

What Does The GRC COA Offer?

The GRC COA offers educational resources for cybersecurity and data protection practitioners. These cover a broad range of topics that go beyond just governance, risk, compliance and common requirements to cover trending topics of interest withing the GRC community, as well as helpful resources to point people in the right direction. We also highlight organizations that excel in within the GRC community.