What does automated certification involve? What are its benefits, scope and operational practices? Alexandre Berthier, Strategic Account Sales Director at OneTrust, provides the answers.

OneTrust has just launched an automated certification process for information security. What types of certification does this solution cover?

Alexandre Berthier: Our aim is to increase the level of confidence that companies have in managing and protecting their information systems and data by ensuring they have implemented policies, procedures and certifications.

For France and Europe, the certifications covered include ISO 27001 and its derivatives, Network and Information Security 1 and 2 (NIS 1 and 2) and the Payment Card Industry Data Security Standard (PCI DSS). For the United States, it covers certifications such as Systems and Organizations Controls 2 (SOC 2) and the Health Insurance Portability and Accountability Act (HIPAA).

We help companies prepare the certification processes in terms of workflow and scope, then collect the evidence and prepare all the documents needed to achieve the target certifications.

To what extent can this kind of process be automated?

Alexandre Berthier: The information we need for a particular certification programme usually comes from two different sources. The first source is the questionnaires we send to the various in-house departments involved. We help companies automate the process of collecting this information. This is the workflow part.

The second source is through APIs, which we use to gather evidence relating to the controls carried out by the organisation. These APIs connect to the company’s IT system, such as its Active Directory or other authentication solution. One of the main challenges of automation is reducing the time it takes to obtain certification. This can cut the time spent by as much as 50% compared with manual or semi-automated procedures.

Another benefit of automation is that a control used in ISO 27001, for example, can be used in NIS, and vice versa. This principle of sharing controls also extends to questions in the questionnaires. After the work has been done once, it can be duplicated and used for several projects at the same time.

How do you help with regulatory monitoring and updates?

Alexandre Berthier: Almost every day, new standards and regulations are created and existing ones are updated. In the United States, for example, there is a different data protection law in each state. And if you take the specific case of transferring personal data between the US and Europe, you are faced with a Data Privacy Framework that is a highly unstable, provisional arrangement.

In Europe, the introduction of NIS 2 is a real paradigm shift, with new obligations and a revised sanctions regime. And by January 2025, the Digital Operational Resilience Act (DORA), designed to ensure the financial sector stays resilient through severe operational disruption, will come into force. These are the types of constant changes that businesses need to keep up with and comply with.

We have in-house teams of lawyers and cybersecurity experts who continually update our platform and can guide our customers through their compliance projects.

What are the other benefits of automation?

Alexandre Berthier: First of all, companies can avoid the fines imposed by certain regulations for non-compliance. Failure to comply with the NIS 2 Directive, for example, can result in financial penalties of up to €10 million or 2% of annual worldwide turnover.

In terms of business, completing certification projects twice as quickly also means that companies boost their chances of growing their business and of keeping their ecosystem ahead of the game. We often see suppliers being downgraded by their customers because they are behind schedule when it comes to certification. If one of your major clients sees you as a legal risk, you may be forced out of the game.

Which broad family does certification automation fit into?

Alexandre Berthier: At OneTrust, certification automation is part of a wider group focused on security, which also includes IT risk management and third-party risk management activities.

We are finding that security teams and Data Protection Officer (DPO) teams are working together much more frequently. This trend is inevitable, because once users have given their consent and the data has been acquired, it needs to be protected.

We are therefore helping to break down silos within companies. The challenges associated with the GDPR on the one hand and NIS or ISO 27001 on the other can be dealt with separately, but when synergies exist, the trust customers place in a given company can be built more quickly.
