B4Restore Storage and Backup News
February 2022

Documentation is Key to Compliance

GDPR has been a compliance accelerator in recent years. However, today’s growing threat landscape is what has really prompted companies to focus sharply on compliance. But what is compliance, and how do you go about achieving it?

Legislation and compliance requirements are constantly evolving. After all, what is good practice today can be risky tomorrow. For instance, many companies require two-factor authentication, which was practically non-existent just a few years ago.

The IT audit starts with Management

Successful compliance requires the conscious focus of the company’s Management. IT audits should be conducted at regular intervals by an external auditor. And it is Management’s responsibility to:

  • Define policies for compliance and audits
  • Communicate to staff
  • Make compliance a priority

No documentation? No compliance.

An external IT auditor can help assess the set requirements and criteria and, on that basis, define how the company can introduce controls and procedures that streamline processes and document concrete compliance measures and requirements. 

There are various levels of compliance, for example:

  • Supplier management, detailed service level agreements.
  • Governance – Who has access to which systems? Can one person have access to both the production environment and backup data? (Separation of Duties). 
  • Technical – e.g. backup logging
  • Controls of core systems – Can workflows be configured and reconstructed?
  • Incident response – What is the continuity plan?
  • Physical (traditional) control – e.g. confidential printouts must not be left in the server room or no paper in the server room

Even something as simple as configuring a workflow, such as a service desk system, can qualify as compliance – remember, it’s also important to be able to reconstruct and document the execution of control processes. 

The primary rule for compliance is: Without documentation of your IT processes, you have no proof of their execution, which means that they haven’t in fact been executed.

This would be the strict conclusion of an IT audit. 

Don't miss out on more articels, news and inspiration about IT security, IT compliance, storage and backup, sign up for our newsletter.

Contact us