Table of Contents

0 Overview of the Compliance Module        2

1 Setting up your GRC Library        2

2 Identifying your Applicable Frameworks/Controls - Applicability (Option 1)        5

2A - How to write the Statement of Applicability (not required for all regulations)        11

3 Identifying your Applicable Frameworks/Controls - Applicability (Option 2)        13

NOTE: Auditor Guidance on How to Write an Internal Control:        16

4 Adding Internal Controls to the 1Risk Platform (skip this section if you have applied the methodology in steps 2 and 3 here)        17

5 Adding Internal Controls        18

Option 1: Control Library > Internal Control Mapping        18

Option 2: Internal Control Library        19

6 Evidence Collection: How to Create an Evidence Request        22

7 How to Manually Create or Update an Evidence Record        22

8 How to Approve or Reject and Re-Open Evidence        26

9 Monitor Evidence Collection Status from the Document Request Tab        28

10 External Audit from the 1Risk Platform        28

0 Overview of the Compliance Module

The 1Risk Platform Compliance Management module enables you to manage and automate compliance workflows and certifications for most global regulations and standards.

Currently, CyberOne maintains a library of more than 100 crosswalked, global regulations and standards ready for compliance. You can customize your GRC Library and add regulations and standards at any time, either from our existing library, or you can update and add new obligations yourself or via your account manager/support@c1risk.com.

Common Certifications readiness and maintenance is easy to set up on the platform, including IS0 27001, AICPA SOC Type 1, 2 and 3, CMMC, NIST 800-171, FedRAMP, PCI, HIPAA Security and Privacy, GDPR, LDPR, CCPA/CPRA, UK Cyber Essentials, CCC (Saudi Arabia CyberSecurity Compliance Certification) and more.

This training manual will guide you through the processes required to deliver, automate and continuously monitor your compliance, as well as enhanced compliance features, including Asset-based Compliance Managed, Risk-associated Compliance, Quarterly Access Review and more.

1 Setting up your GRC Library

See also our training manual “Getting Started”

C1Risk maintains an Obligations Library of more than 100 global regulations and standards on your behalf. You can access these frameworks, select those you want to see if your company Obligations Library or add new ones at any time in the 1Risk platform.

Can’t find what you are looking for, or know of an update to a regulation or standard, contact your account manager or support@c1risk.com for assistance. We ask for a 2 week SLA to add new Obligations to the library.

• In your 1Risk environment, go to Account Name and click on it
• Click Settings
• Use the drop-down to select the frameworks you need
• Click save
• Go to GRC Library in your platform to view your chosen frameworks

2 Identifying your Applicable Frameworks/Controls - Applicability (Option 1)

Once you have set up your GRC library, the next step in the compliance process is to identify which controls within the framework in which you are working are in scope for compliance. There are two options for doing this quickly and efficiently in the 1Risk Platform.

A common mistake made by companies is to simply assume that all controls in a standard/regulation or requirement must be satisfied to achieve certification. In many cases, this is not the case and by simply reviewing the framework and discarding those controls that do not apply to you will save you time and money when it comes to audit.

EXAMPLE: If you don’t have a building, you don’t need a physical security control for controlling access to your building, but you DO need controls to demonstrate controlling remote access for your employees.

Certifications like ISO/IEC 27001 require a Statement of Applicability, where you must identify why a control is not in-scope. You can identify both in-scope (applicable) and not applicable controls in the 1Risk platform.

1 Go to your GRC library and select the regulation or standard.

2 We recommend you select the obligations sections tab, which divides out control requirements by their relevant sections (Access Control, Governance, Asset Management, Risk Management, etc.).

3 From the Obligation Section, select a section and then select the control library tab to see the control requirements.

Helpful tip: Use [Control+Shift or Right Click to open each control in a separate window so you can review them]

NOTE: Check the Guidance section in your control. Many of our controls (ISO, SOC, PCI, 800-171) include additional guidance provided by auditors to help you understand if the control is in-scope, how to develop an internal control, and the type of evidence required to verify the control during audit.

4 From the Control Library list view select all controls in the Obligations Section that are either in-scope or not in-scope.

5. Click on the activity buttons and select [SOA] (Statement of Applicability).

6. Choose Yes or No

NOTE: You can write the actual applicability statement later once you have identified the controls in-scope or not in-scope.

7. Now you will see in the list view which controls you have selected. They will also appear in the Applicability Tab in the Compliance Module

OR/

2A - How to write the Statement of Applicability (not required for all regulations)

Once you have identified which controls are or are not in-scope for certification/compliance, you can add a written statement qualifying your choice.

1. Go to Applicability in the Compliance Module
2. Click on any of the SOA/Controls that you have identified as Applicable/Not Applicable
3. Click Edit and add your statement
4. Click Save

3 Identifying your Applicable Frameworks/Controls - Applicability (Option 2)

The second option for getting your compliance activity up and running quickly and starting to build out your internal control implementation and evidence collection is to migrate relevant control frameworks from the Control Library to your Internal Control Library. This is a quick and efficient process and is particularly useful if you are focused on a single framework.

1. Go the Internal Controls Tab in Compliance
2. In the activity menu select [+Copy from Control Library]
3. Look up the relevant framework.

HELPFUL TIP: Take the Content Source for your requirement from one of your controls in the control library and use this as the search

4. Select all
5. Select ‘Apply’
6. You will now see the control framework in the Internal Controls.
7. Click into any control and modify it to make it into an internal control
8. Note the Control framework has been mapped, as part of the migration and the implementation guidance now appears in your internal control record, which makes it easier for you to write your internal controls based on guidance provided by our external audit partners.

NOTE: Auditor Guidance on How to Write an Internal Control:

See our video training on how to write and internal control

1. What is the activity being implemented?
2. Who is responsible for its implementation?
3. How often is the control implemented?
4. What is the strength of the control?

1. Not Implemented (0%)
2. Partially implemented (1% to 80%)
3. Fully implemented (80% to 100%)

5. What kind of control is this?

1. Detective
2. Corrective
3. Preventative

6. Is this a key control (is it associated with and does it help resolve a risk in the risk register)?

4 Adding Internal Controls to the 1Risk Platform (skip this section if you have applied the methodology in steps 2 and 3 here)

First, here are some helpful tips to help expedite certifications, including ISO 27001 and SOC 2.

I. AICPA SOC 2 Certification:

When you engage an external auditor for SOC 2 Certification, know that the auditor will provide you with a set of Internal Controls when they complete the SOC 2 Type 1 report.

Preparing for SOC 2 Type 1, only requires that you list the documentation/evidence that you have in place to demonstrate that you are implementing the required controls. Evidence collection for certification will not typically begin until the SOC 2 Type 1 report has been created by your Auditor.

Once your SOC 2 Type 1 report has been created, you can upload it in the 1Risk Platform as your set of internal controls and your PBC (provided by client) evidence list.

The 1Risk platform can then integrate with your systems or send automated notifications out to evidence owners to begin the documentation process for your certification.

Auditors are then provided access to our system to view and validate your evidence.

Ii. ISO/IEC 27001 Certification

Follow Step 2a and 2 or 3 above to identify your controls in-scope for ISO Certification.

Once your ISO controls have been migrated from the Control Library, ISO does not require amended internal controls to be written for certification. We DO RECOMMEND that you write internal controls, however, you may choose to do this during a surveillance audit year, once you have automation established on the 1Risk Platform.

ISO auditors will focus on the documentation you can provide to verify the implementation of each of the control requirements outlined by ISO that are in-scope for your organization.

NOTE: Remember, with ISO, you are REQUIRED to submit a SOA that describes why the control is in-scope or NOT in-scope for audit.

5 Adding Internal Controls

See our video training on how to write and internal control

You can add Internal Controls via bulk upload from a C1Risk Template, or manually from either the Control Library > Control Record, or the Internal Controls Library Tab.

Internal Controls should be mapped to an associated framework (regulation/standard) or frameworks. Note that Internal Controls may be mapped to one or more frameworks to enable you to build a consolidated set of Internal Controls. This will enable you to scale your compliance management program with time and cost savings by reducing the number of implemented controls and eliminating repetition at both the control implementation and evidence collection stages in the compliance process.

Option 1: Control Library > Internal Control Mapping

1. Go to your GRC library and select the relevant framework
2. Go to the Control Library and open the control statements
3. Go to the Internal Control tab in the control statement
4. Click Add New

HELPFUL TIP: If you have already created an Internal Control, you can select [Look up] in the control statement and connect a control. This also enables you to map multiple internal controls to a single statement.

Screenshot below

Option 2: Internal Control Library

If you plan to create a consolidated set of Internal Controls to map to multiple frameworks, you can start from the Internal Control Library in the Compliance module, add your Internal Controls, then map them to the appropriate frameworks in your GRC Library.

1. Go to the Compliance Module Internal Controls tab
2. Click Add New
3. Populate the fields (see video for tips: See our video training on how to write and internal control
4. Click Save
5. Go to the Control Library tab in the Internal Control record
6. Select [Look up]
7. Add the appropriate framework - control statement

HELPFUL TIPS: When you map a Control Library Statement, check the crosswalk tab in that Statement to see which other frameworks overlap. This may save you time when mapping additional frameworks.

NOTE: The 1Risk Platform does not automatically migrate all crosswalks. Crosswalks are a reference point for you to choose whether or not to migrate suggested overlapping requirements.

NOTE: Here are some tips for writing an internal control:

See our video training on how to write and internal control

What is the activity being implemented?

Who is responsible for its implementation?

How often is the control implemented?

What is the strength of the control?

Not Implemented (0%)

Partially implemented (1% to 80%)

Fully implemented (80% to 100%)

What kind of control is this?

Detective

Corrective

Preventative

Is this a key control (is it associated with and does it help resolve a risk in the risk register)?

6 Evidence Collection: How to Create an Evidence Request

Once Internal Controls have been established, evidence is used to verify the implementation of controls for compliance.

The requisite evidence is often provided by the auditor during the readiness period, generally following a readiness assessment. NOTE: C1Risk will provide you with a readiness assessment for most audit requirements. Contact your account manager or support@c1risk.com

Evidence lists from auditors (sometimes referred to as information Request - IRL’s or  Provided by Client PbC lists) can be bulk uploaded into the 1Risk Platform. Contact support@c1risk.com. We request an SLA of 10 business days, however, escalation is possible.

In the 1Risk platform, you can automate evidence collection in the following ways:

1. Using API integration to automatically pull data into the 1Risk Platform from your business systems
2. By Frequency (cadence) or collection: Set up continuous monitoring in your platform by indicating the frequency at which the evidence needs to be collected and verified, either via API or from an evidence owner. The system will automatically run an API call or send out notifications to the evidence owner based on the desired frequency (daily, weekly, monthly, quarterly, etc.)

HELPFUL TIP: Note you can manage your quarterly access review on the 1Risk platform using this methodology - see our training on Quarterly Access Review.

7 How to Manually Create or Update an Evidence Record

1. Go to the Evidence Library tab in the Compliance module
2. Select [Add New}
3. The following fields must then be populated: (see page screenshot below and explanation below, below)

Evidence Name and Description

• Evidence Name: A summary of the evidence record needed
• Evidence Description: Provide a detailed description of the evidence required. This information will be provided to the evidence owner as guidance to help ensure they upload the correct data

Evidence Start Date and End Date and Request Frequency

• Auditors require evidence to be up to date.
• As such they typically require a CREATION PERIOD and a COLLECTION PERIOD for the INITIAL AUDIT
• Thereafter evidence must be collected based upon frequency required (daily, monthly, quarterly, etc.)

• The Evidence Start and End Date refers to the creation period within which the evidence should have been created and/or reviewed and/or updated.
• While you can set the Evidence Start Date and End Date for a period in the future. The Document Request will send on the END DATE, as this signifies the end of the period in which the evidence can be created and the beginning of the COLLECTION PERIOD

• Follow the example below: FIRST TIME EXTERNAL AUDIT

• Audit Review Period: July 01
• Evidence Creation Period: Generally at least a 3 month period, so February 01 - May 31
• Evidence Collection period: Generally 30 days given to evidence owners to provide evidence so June 01 - June 30
• In this case the Start and End date should be as follows:

• Start Date: February 01
• End Date: June 01

• Follow the example below for: SUBSEQUENT, SURVEILLANCE, ANNUAL AUDIT

• The Evidence Start and End Date no longer need to be established
• The Frequency of the collection needs to be established using the drop down
• The system will collect evidence based on the Frequency selected.

Collection Method

• Select Manual to send a notification to an evidence owner
• Select Automated to engage an API integration and contact support@c1risk.com

Collection Due Days

You can adjust the time you allow the evidence owner to provide the evidence to you.

Primary Contact

The Primary is the evidence owner who will provide the evidence for verification. A notification will be sent to the evidence owner starting at midnight on the Evidence End Date and subsequently based upon the Request Frequency selected.

Additional Contacts

If there are collaborators who need to view or share this Evidence Record, they can be added here.

Approval Process

You can choose to add a review process to the Evidence Collection workflow. This will enable two possible additional steps:

1. You can use this as a check and balance to verify the evidence that is collected and either approve or reject it (rejecting re-opens the record with a comment to guide the evidence owner on new/additional evidence to provide.
2. You may add an additional reviewer or multiple reviewers to implement a review process where at least one, all, or all must approve in a specific order. In the case of the latter, the order is specified by adding the owners in order:

1. Example: If Mike approves first, then Jane, the Lynn is the final approval

1. Add Mike
2. Add Jane
3. Add Lynn

2. Each time one approves, the next person will be notified that they may now approve or reject.

8 How to Approve or Reject and Re-Open Evidence

The Evidence Reviewer(s) will receive a notification when evidence is submitted. The email will be white-labeled for your company.

If the evidence is either incorrect or insufficient, the approver should reject the evidence.

1. Follow the link in the notification email to the evidence record.
2. Select Approve or Reject

1. Approve = Evidence Collection terminates here until next review period based on frequency.

3. If the approver selects reject, a comment box opens for the approver to provide guidance to the Evidence Owner to re-submit.
4. The Evidence record is re-opened and a notification is sent to the Evidence Owner.

5. NOTE that the email contains the guidance comment from the approver.

6. Once the evidence has been re-submitted and approved, the approval record will show in the Evidence Record, and it will also show in the Document Request Library

9 Monitor Evidence Collection Status from the Document Request Tab

This is a helpful tip to using the system. The status of all evidence collection items can be monitored from the Document Request Tab, which shows the status of the Request.

NOTE: Escalation is available for expired Evidence Collection > Document Requests. If the contact has an assigned manager in the 1Risk Platform (see adding users), the system will automatically notify the manager that evidence is overdue from the team member.

10 External Audit from the 1Risk Platform

External Auditors can be provided a Lite User license for the Audit Period to review and verify all evidence and controls in the audit scope. C1Risk has role-based access to enable the auditor to access the Control Library (source), Internal Control and associated Evidence.

We provide specific training for auditors to use our platform and we also maintain partnerships with a number of different audit firms. Contact support@c1risk for more information or for help engaging your audit firm.