Event-based controls are performed in conjunction with ad-hoc events as they occur: new employees, incidents, and change releases, for example.
Event-based controls are the most prone to failure. That is, in audits against InfoSec compliance standards like SOC 1, SOC 2 and ISO 27001, we see the most exceptions raised against controls that are tied to ad-hoc events. In our experience these controls make up roughly 30% of your InfoSec compliance activities.
Event-based controls are one of the three types of controls to manage in your InfoSec compliance program:
1. Continuous: system settings, policies, user guides, and other documentation that apply continuously and that we audit "as is".
2. Periodic: annual, quarterly or monthly board meetings, risk assessments, and other reviews that occur at regular intervals. We audit to see that they were performed within the defined frequencies.
3. Event-based: controls applied to new joiners, terminations, incidents, change releases, and other events that the controls should be performed in conjunction with. We audit to see that they were performed for each related event or occurrence.
The main fail-point we see with event-based controls is that the events occur but the controls do not. Like any other business task, they can be missed, forgotten, or started but not completed. The task in this context includes retaining audit evidence that the control was performed, because an auditor tests event-based controls by taking the full population of events (every new hire, every release) and checking for evidence against each one, or a sample of them.
A non-exhaustive list of events that trigger control requirements as part of your InfoSec compliance:
- New employees
- New contractors
- Terminations
- New customers
- New third-party vendors
- Asset disposals
- Vulnerabilities identified
- Incidents
- Change releases
Each time one of these events occurs, it's expected that your associated controls will be performed in line with how they are defined and will meet the relevant requirements (e.g. SOC 2 criteria, your customers' expectations).
The other challenge with event-based controls is that the circumstances surrounding each event may be different and in some cases unanticipated. For example, the new employee might be the CEO's son and therefore "skip" some of the usual background checks or onboarding steps. A change release may have no customer impact, or may otherwise be considered minor, and not require the same approvals, testing or release notes.
Auditors are afforded a level of judgement when it comes to these sorts of situations. But in some cases they may need to be reported as "exceptions", to be transparent with the end users of the report that the controls didn't operate as they are defined and described in it. The best way to avoid this is to proactively document, at the time, the nature of the event and the reason for not performing the control as described. An undocumented gap looks like a missed control; a documented, approved deviation demonstrates effective governance of the process and may negate the need for noting an exception.
How to implement effective event-based controls
There are a few tips that help ensure these event-based controls are effective in practice:
Automate the trigger, and the control where you can
Using software to trigger or even perform these controls helps ensure they're not missed. It applies consistency to the way they are performed and documented, and it can provide an automated system trail for audit evidence. There's lots of software out there that automates various processes or functions that can support your InfoSec compliance. If you want to explore how you can increase the automation of your controls, ask us about our InfoSec Practice Guide, a comprehensive guide to control practices and the types of software solutions that support an automated approach. Keep in mind that most controls can't be fully automated; they still need people operating them!
Integrate the controls in the process
The most effective controls are those that are an integrated part of the process. This is why automation works well. But even where you don't automate the controls, you can integrate them as a core part of the process. For example, having employees sign off the Code of Conduct is prone to failure if it's a standalone step that relies on the HR Manager initiating it and following up until the employee has completed it. If it's done as part of the Employment Contract, or the onboarding checklist, then it's much less likely to be missed. That's especially true if payroll follows that step; employees are pretty quick to realise if they're not being paid! The same concept applies across most control areas: checklists, linking controls to broader processes, and pre-defined workflows all help ensure the controls are performed as required.
Assign clear ownership
Like any important business activity, it's important to have clear responsibilities and ownership so that the controls are managed effectively and given the appropriate focus when required. A two-level ownership model works well: an individual control operator who is directly responsible (e.g. the HR Manager for onboarding employees), and an accountable owner of the overall area (e.g. the COO, CFO or CEO) that a number of control areas report up into. These owners should be well versed in both the requirements of the controls and any audit or other obligations in relation to them.
Check in regularly
It's normal for business operations to change, and for things to be missed or otherwise not performed as previously anticipated. Checking in on the controls every month or quarter can identify whether anything has gone awry so it can be addressed accordingly. Checking in doesn't need to be an internal audit or an onerous exercise. It's often as simple as having all the control owners in one room for a quick touchpoint, or individually asking each control owner to confirm their respective controls. Doing so may not validate that the controls are optimal, but it is often enough to identify any material changes, maintain awareness of the control obligations, and check that things are in good shape for future audits.
Build awareness
Across all control types, the greater the awareness across the organisation, the more likely the controls are to succeed. This is particularly important in control areas where it's difficult to have a single person responsible, such as where incidents and risks are identified and need to be reported and managed through the correct channels.
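One concrete form of the monthly check-in, and of the "events occur but the controls do not" fail-point described earlier, is a reconciliation of the event population against the control evidence you hold. The script below is an added example written for this article, not the article's own or any product's code. The event log and evidence records are constructed sample data; the mapping of event types to required controls, the field names, the 14-day default completion window and the 1-day window for access revocation are all assumptions, chosen to show each outcome an auditor would care about: complete, late, started-but-not-completed, missing, documented deviation, and not yet due.

```python
"""Reconcile an event population against control evidence.

Added example, not from the original article. Data, field names,
the control mapping and the SLA windows below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed mapping: which controls must be evidenced for each event type.
REQUIRED_CONTROLS = {
    "new_employee": ["background_check", "code_of_conduct", "access_provisioned"],
    "termination": ["access_revoked"],
    "change_release": ["change_approved", "change_tested"],
}
DEFAULT_SLA_DAYS = 14                 # assumed: evidence due within 14 days of the event
SLA_DAYS = {"access_revoked": 1}      # assumed: leaver access removed within 1 day
LIKELY_EXCEPTIONS = {"missing", "incomplete", "late"}   # what an auditor would raise


@dataclass(frozen=True)
class Finding:
    event_id: str
    control_id: str
    issue: str        # late | incomplete | missing | pending | deviation_documented
    detail: str = ""


def assess(event, control_id, records, as_of):
    """Classify one (event, required control) pair from its evidence rows.
    Returns None when evidence is complete and on time."""
    due = event["date"] + timedelta(days=SLA_DAYS.get(control_id, DEFAULT_SLA_DAYS))
    eid = event["id"]
    completed = [r for r in records if r["status"] == "completed"]
    if completed:
        done_on = min(r["completed_on"] for r in completed)
        if done_on > due:
            return Finding(eid, control_id, "late", f"completed {done_on}, due {due}")
        return None
    # A control deliberately not performed is only defensible if the reason
    # was recorded at the time; an undocumented skip is treated as missing.
    deviations = [r for r in records if r["status"] == "not_performed"]
    if deviations:
        reason = (deviations[0].get("reason") or "").strip()
        if reason:
            return Finding(eid, control_id, "deviation_documented", reason)
        return Finding(eid, control_id, "missing", "marked not performed, no reason recorded")
    if any(r["status"] == "started" for r in records):
        return Finding(eid, control_id, "incomplete", "started but never completed")
    if as_of <= due:
        return Finding(eid, control_id, "pending", f"due {due}")
    return Finding(eid, control_id, "missing", f"no evidence, was due {due}")


def reconcile(events, evidence, as_of):
    """Return a Finding for every (event, control) pair that is not clean."""
    index = {}
    for r in evidence:
        index.setdefault((r["event_id"], r["control_id"]), []).append(r)
    findings = []
    for ev in events:
        for control_id in REQUIRED_CONTROLS.get(ev["type"], []):
            f = assess(ev, control_id, index.get((ev["id"], control_id), []), as_of)
            if f is not None:
                findings.append(f)
    return findings


def likely_exceptions(findings):
    """Subset of findings that would normally be reported as audit exceptions."""
    return [f for f in findings if f.issue in LIKELY_EXCEPTIONS]


# Constructed sample population (e.g. an HR/ITSM export) and evidence tracker.
SAMPLE_EVENTS = [
    {"id": "E1", "type": "new_employee", "date": date(2024, 3, 1)},
    {"id": "E2", "type": "new_employee", "date": date(2024, 3, 4)},
    {"id": "E3", "type": "termination", "date": date(2024, 3, 10)},
    {"id": "E4", "type": "change_release", "date": date(2024, 3, 20)},
    {"id": "E5", "type": "new_employee", "date": date(2024, 4, 5)},
]
SAMPLE_EVIDENCE = [
    {"event_id": "E1", "control_id": "background_check", "status": "completed", "completed_on": date(2024, 2, 26)},
    {"event_id": "E1", "control_id": "code_of_conduct", "status": "completed", "completed_on": date(2024, 3, 1)},
    {"event_id": "E1", "control_id": "access_provisioned", "status": "completed", "completed_on": date(2024, 3, 1)},
    {"event_id": "E2", "control_id": "background_check", "status": "not_performed",
     "reason": "Internal transfer; check performed at original hire in 2019, approved by COO"},
    {"event_id": "E2", "control_id": "code_of_conduct", "status": "started"},
    {"event_id": "E2", "control_id": "access_provisioned", "status": "completed", "completed_on": date(2024, 3, 5)},
    {"event_id": "E3", "control_id": "access_revoked", "status": "completed", "completed_on": date(2024, 3, 15)},
    {"event_id": "E4", "control_id": "change_approved", "status": "completed", "completed_on": date(2024, 3, 19)},
]
AS_OF = date(2024, 4, 10)


def run_sample():
    return reconcile(SAMPLE_EVENTS, SAMPLE_EVIDENCE, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.event_id:<3} {f.control_id:<20} {f.issue:<21} {f.detail}")
```

Running it against the sample data yields seven findings: E2's documented deviation and its unfinished Code of Conduct sign-off, E3's access revocation four days past the 1-day window, E4's untested change, and E5's three controls that are simply not due yet. Only three of those (the incomplete, late and missing ones) are the kind of thing an auditor would write up; the documented deviation is the situation the article recommends, and the pending items are why the check should be run against a cut-off date rather than flagging every recent event. The same reconciliation works for any event type once you have a population export and an evidence tracker keyed by event.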
What are your event-based controls?
If you've completed our Readiness Assessment, these are listed in the Controls Matrix section of the report. You can filter on the Frequency/Population column to select each event type and see which of your controls apply to those events, e.g. select "All new employees" to see the new joiner controls.
If you haven't completed our Readiness Assessment, try it out now. It's a free resource that maps your controls and identifies any gaps, with recommendations. It's the best first step for any business pursuing InfoSec compliance with standards like SOC 1, SOC 2, ISO 27001, HIPAA, GDPR, and the Consumer Data Right (all of which can be assessed in this free software).