The management of compliance gaps is therefore a key issue, which inevitably raises several questions.
- How is a compliance gap characterized?
- What happens if they are not managed properly?
- What solutions should be implemented in companies?
Before answering that question, let's start at the beginning.
What is a compliance gap?
A compliance gap is a situation where the rules defined by the information system security policy (ISSP) are not being properly applied. A compliance gap is characterized by a finding of non-compliance with an established standard.
Most of the time, discrepancies are detected duringexternal audits conducted by independent auditors. These auditors inspect, question, and document any non-compliance issues they identify. Audits are conducted at regular intervals to ensure that these discrepancies are addressed and to monitor the corrective actions taken by the company over time.
Every company is susceptible to compliance gaps, whether technical or organizational in nature. That is why it is essential to implement a proactive strategy for detecting these gaps, which can take several forms.
Technical gap
A technical gap generally refers to a vulnerability, misconfiguration, or design flaw in the company's technical infrastructure.
Failure to apply a critical update, failure to activate a security feature... There can be many sources of discrepancies.
Organizational gap
An organizational gap occurs when security policies or procedures defined within an organization are not properly followed, implemented, or documented.
A frequently observed case is that of a company that has established a cybersecurity awareness policy, requiring employees to complete an awareness training course. However, during an audit, it may be found that this training has only been carried out once every two years, or that employee engagement in e-learning training is unsatisfactory. Whether minor or major, organizational compliance gaps must be closely monitored.
What happens if the company does not address these discrepancies?
Compliance gap management is a requirement for all companies, regardless of their sector of activity. This management is an integral part of an IT security management system (ISMS) and is not limited to simply identifying problems: it also requires corrective measures to be put in place to resolve them.
When a discrepancy is identified—whether it be a vulnerability, non-compliance, or any other malfunction—it is imperative to document it, follow up on it, and ensure that appropriate action is taken to resolve it.
Beyond cyber risk, the absence of a deviation management system can have detrimental consequences for the company, such as the loss of certification (ISO 27001, TISAX, etc.).
Increase in attack surface
The lack of compliance gap management within a company increases cyber risk. For Baptiste David, " in terms of risk management, not addressing a gap is equivalent to leaving a known hole open and widening the company's attack surface." This is a mistake that can be severely punished in the event of a breach.
Legislative sanction
Leaving compliance gaps unaddressed exposes companies to potential penalties from regulatory bodies.
These penalties can take the form of significantfines, such as those imposed by authorities such as the CNIL: under the GDPR (General Data Protection Regulation), a manager can be prosecuted if negligence is evident. The penalty can range from two months to ten years' imprisonment (Article 131-4 of the Criminal Code), with or without a fine of at least €3,750.
In addition, and with the aim of making a lasting impression, authorities may choose to adopt a " name and shame ." This involves making the company's violation public, thereby discrediting the offending brand among its customers and suppliers.
Increase in cyber insurance costs
Insurance companies are paying increasing attention to risk management and the safety of their customers. Organizations that neglect compliance gap management may therefore face higher insurance premiums, as insurers consider them to present an increased level of risk.
Furthermore, if a company fails to take the necessary measures to correct identified discrepancies and vulnerabilities, insurers may refuse to cover incidents that occur as a result of an unresolved discrepancy. The company will then have to bear the costs associated with the damage or disruption alone. A double penalty, so to speak.
4 tips for managing your compliance gaps
Centralize discrepancies
The first step in managing compliance deviations is to centralize them. In other words, when a user identifies a deviation or anomaly, they must be able to report and document it quickly. This centralized approach facilitates the monitoring and evaluation of actions taken to resolve deviations.
Prioritize discrepancies
The second step is to prioritize compliance gaps. This involves determining which issues are most critical and require corrective action.
During certification audits, auditors typically assign severity levels to the non-conformities they identify, classifying them as "minor" or "major" based on their impact on safety and compliance. By prioritizing discrepancies based on their importance, the company can focus on the most critical ones first, ensuring that the most serious issues are resolved quickly.
Agree not to resolve certain discrepancies, with exception management
Sometimes it is necessary to recognize that a problem exists and that it may be justified not to address it immediately. This is referred to as compliance waivers.
It is not uncommon, for example, to see medical imaging machines (scanners, MRI machines) using Windows operating systems that are no longer supported. Since the life cycle and amortization period for this equipment can be as long as several decades, hospitals and health centers have to make do and accept the discrepancies—while still adding additional security measures around the equipment in question.
Set goals for yourself
When addressing a compliance gap, whether minor or major, you must set a date by which it must be corrected or addressed. By setting a deadline for resolving the gap, you establish accountability and follow-up measures.
If this objective is not achieved, it may indicate a problem in understanding or implementing corrective measures. Fortunately, there are technical solutions available to simplify this work!
4 reasons to manage your compliance gaps with tenacity
The Tenacy solution offers several features for managing compliance gaps.
#1 Centralization of different sources
The solution's interface allows you to centralize all sources of compliance gaps, whether they come from annual audits, technical solutions, or connectors integrated with third-party platforms. This centralization provides a comprehensive view of all gaps encountered, eliminating information dispersion.
#2 Accurate tracking of compliance deviations
The Tenacy platform offers the ability to track the progress of each deviation in detail. Instead of simply reporting a problem, the tool provides information such as:
- the date on which the difference was identified;
- the person who identified it;
- the actions planned to correct it...
... all accompanied by comments from internal teams.
#3 Simplified prioritization
The Tenacy interface facilitates the prioritization of compliance gaps. This task, which often falls to the CISO, involves assessing the criticality of each gap based onits potential impact on the company. The Tenacy platform simplifies this process by standardizing criticality assessments, while allowing the CISO to add specific information.
#4 Real-time reporting
Tenacy offers advanced reporting functionality, allowing you to view the status of compliance gaps in real time. This gives you complete visibility into the progress of issue resolution, along with performance metrics such as validity and percentage of planned actions completed.
![[White paper] 5 keys to managing your cybersecurity](https://cdn.prod.website-files.com/68eccb60f9cf9c228c061b75/695f73ba996b3472b4fa4e34_visuel-tenacy%20(2).jpg)
