Audit to ComOps workflow

Below are the recommended steps to take if you've already completed an audit in Hyperproof and are working towards continuous ComOps.

Tip

You may have already completed some of the steps listed below. For example, if you already have a program with controls, skip to step three!

Step One: Stand up a program

Your program is where you'll manage and track all activities for your compliance framework. Hyperproof offers an extensive risk management and compliance framework library of over 70 templates with requirements and controls that can be fully customized to suit your organization.

Refer to Creating a program with illustrative controls.

Tip

Don't see your framework in Hyperproof's framework library? You can create a custom program using your own requirements.

See Creating your own program.

Step Two: Link controls to the program

You can import your own controls into Hyperproof if you did not include illustrative controls when you created your program. Refer to Importing controls into an existing program.

If you selected the option to include illustrative controls with your program, they are automatically linked to your program's requirements.

Step Three: Conduct an internal control or requirement assessment (optional)

Assessments help you review, evaluate, and improve controls or requirements across your organization. Controls and requirements can be audited for attributes such as design, language, effectiveness, and reliability. When your organization's controls and requirements are sufficient, internal DRL-based audits run much more smoothly because the bulk of the work is already done.

Assessments are recommended if your organization uses Hyperproof's illustrative controls. Organizations that use their own custom-written controls typically have already reviewed those controls and written them to align to the organization's specific processes prior to importing them into Hyperproof.

Tip

Before creating an assessment, keep in mind that the individual or team performing the assessment should have the ability to determine the operational effectiveness of the controls or requirements and edit them as needed.

Assessments help with:

  • Early detection - Routinely checking your controls and requirements for exceptions lets you find them more quickly.

  • Continuous improvement - Looking critically at your controls and requirements is the best way to ensure you’re not wasting resources.

  • Risk reduction - Timely finding of exceptions and non-functional controls and requirements minimizes risk exposure.

  • Audit preparation - If you find and fix issues with your controls and requirements, there will be fewer for your auditor to report.

Refer to Using Hyperproof to perform assessments.

Step Four: Organize proof

This is where the bulk of your time will be spent when moving towards a ComOps approach. When your proof is organized, it's easier to manage. When it's easier to manage, you save time and effort in the long run.

Linking proof from your latest audit to your controls

In theory, the audit requests from your latest completed audit should contain your organization's most up-to-date proof. It's best practice to review those audit requests and use that proof as a starting point in the organization process. Hyperproof's link-back proof feature allows you to easily link the proof from your latest audit to your controls. From there, you can easily sort the proof into labels, set up automated evidence collection, and schedule automated tests.

Refer to Linking request proof to controls or labels.

Labels

Labels allow you to provide structure and taxonomy to the proof you upload. On top of that, you can assign ownership, set freshness, create tasks, and reuse proof across objects. Labels are similar to folders in that they can contain multiple pieces of proof. Rather than linking individual pieces of proof to a control, you can link those pieces of proof to a label and link the label instead.

Refer to Creating a label and linking proof.

Hypersyncs

Hypersyncs automate the evidence collection process, saving your team the hassle of manually collecting and organizing evidence. Avoid nagging people for information by ensuring that your data comes directly from your preferred service app. Best of all, you can utilize Hypersyncs with both labels and controls.

Hyperproof supports connections with over 50 service apps like AWS, Azure, GitHub, and ServiceNow.

The basic Hypersync workflow is as follows:

  • Establish the connection between Hyperproof and the service app.

    • This step will more than likely need to be handled by your organization's system admin or IT admin. Depending on the service app you're connecting to, your admin may need to grant you app-specific permissions. Note that you only need to connect to a service app once. If you store proof in multiple service apps, you'll need to connect to each of those apps separately. Refer to What information does my IT admin need to know?.

  • Create the Hypersync.

    • This is where you determine what proof you want to sync to Hyperproof. You'll specify how often you want to collect proof, i.e. daily, weekly, or monthly, and how you want to add proof, i.e. by versioning or as new files. You can also specify how you want the proof displayed, i.e. PDF or Excel spreadsheet. Refer to Creating a Hypersync.

  • Monitor the Hypersync via the Automations tab or Settings > Connected accounts.

LiveSync

Similar to Hypersyncs, LiveSync allows you to automatically and continually import proof into Hyperproof. LiveSync ensures that proof in Hyperproof is up-to-date and in sync with the proof stored in your external cloud service. LiveSync is a great option if you use external storage apps like Google Drive, Confluence, Dropbox, SharePoint, OneDrive, OneDrive for Business, Box, or Amazon S3.

Refer to Using LiveSync.

Repeating tasks

Repeating tasks are routine tasks set to repeat based on a schedule or an event. Tasks that repeat based on a schedule can be set to repeat on an interval of daily, weekly, monthly, quarterly, semiannually, or annually. Tasks that are based on an event and linked to a control or label can repeat when there is new proof or a new proof version, if a test fails or needs to be reviewed, if there is a change to the freshness status, or if there is a change to the custom field(s).

It's recommended to set up the following event-driven repeating tasks on your controls and/or labels:

  • when there is new proof or a new proof version

  • when a test fails

Refer to Creating a repeating task.

Freshness

Freshness is a status setting that indicates whether a control or label is up-to-date and in compliance with the requirements of the program that contains it. When you set a freshness policy, you define its expiration period. At the end of this period, the freshness status automatically changes from Fresh to Expired. Think of it as extra assurance when it comes to keeping the proof in your program up-to-date.

Refer to Turning on freshness.

Step Five: Set up automated control testing

Once your proof is organized, it's recommended to create automated tests on your controls. This takes the arduous task of manually testing each and every control in your organization and turns it into a well-ordered process where the majority of the work is done by Hyperproof. Automated testing is essential to the continuous ComOps approach. To test a control, a Hypersync must be linked to the control.

Refer to Creating and running an automated control test.