The Power of Coordinated Audits: ECS’s Compliance Journey with BARR—Webinar Recap

February 25, 2025 | HITRUST, ISO 27001, PCI DSS, SOC 2

Leaders on ECS’s GRC and cyber compliance teams spoke alongside BARR Advisory Attest Services Manager Steve Ryan in a recent webinar explaining how achieving compliance against multiple security frameworks through BARR’s coordinated audit approach has helped ECS stay ahead of cyber threats while maintaining a competitive edge.

ECS Senior Director of Cyber Compliance Beverly Goodwin said the organization began its compliance journey in 2018 with an ISO 27001 certification. 

“It was a business need,” Goodwin explained. “Our security operations center provides continuous managed security services for various clients, and when you’re managing clients’ infrastructure, including their systems and data, that requires a level of trust, reliability, and adherence to security standards and mature frameworks.”

As the organization grew, ECS knew it needed to add further frameworks to its GRC program to build and maintain trust with customers across a diverse range of industries.

“By aligning with a broader set of industry standards, such as SOC 2, SOC 1, HITRUST, and PCI, we’ve been able to grow and strengthen our security measures by introducing these stronger and more effective controls across different areas,” Goodwin said.

Knowing the heavy lift required to achieve compliance across so many frameworks, ECS enlisted the help of BARR Advisory, one of just a few firms in the U.S. that is eligible to perform audits against all of the highest-regarded information security standards, including SOC 1, SOC 2, HITRUST, PCI DSS, and ISO 27001.*

Leveraging BARR’s coordinated audit approach, ECS has achieved compliance against all of these frameworks.

“It’s just one audit, and at the end of it, you get the five different reports,” Ryan explained. “So how do we do that? It’s one team. You’re going to have one main point of contact.”

“I have been overseeing the ECS account for quite some time now, so I’m overseeing their SOC 2, their SOC 1, their ISO journey, [and] I’m overseeing their HITRUST as well,” Ryan added. “My team underneath me, they are very well cross-trained—meaning that, when we’re talking HITRUST, they know what avenues of that HITRUST control or evidence that they’re looking for applies to the ISO certification that they’re going through.”

“It doesn’t feel like we’re just talking in silos,” Ryan said. “The goal is to feel as though we’re just having a conversation of security, and then on the back side, the onus is on us to map them out to the different frameworks.”

This approach not only makes the audit process more efficient, but also helps ECS stay ahead of the evolving threat landscape.

“Working all together with one contact, one firm even, we know what that roadmap looks like for the next couple of years,” Ryan said. “We have a number of experts on staff [who] specialize in ISO, they specialize in HITRUST, they specialize in PCI. They’re going to be able to tell you before the regulation comes out, or the new version comes out, ‘Hey, here’s what we’re going to look for next year.’”

Using BARR’s forward-thinking, future-ready approach to achieve compliance across multiple frameworks has empowered ECS to maintain a competitive edge and positioned them for rapid growth.

“It really does just put us in more of a competitive space within the industry,” Sydney Will, GRC project manager at ECS, said. “We do maintain many other standards as well…all of that gives ECS a competitive edge, and it has allowed us to grow as a GRC department and have that collaboration and that trust in each other.”

Goodwin notes that achieving compliance with frameworks like HITRUST is also “a requirement to do business with some of our customers.” What’s more, it shows current and potential customers that ECS exceeds government standards for keeping information secure. 

“Having a lot of frameworks in place goes above and beyond those regulations. You can meet that bare minimum, you can call yourself HIPAA compliant—great, you’re compliant with 2013 standards. Information security has changed quite a bit since then. We have this thing called the cloud now,” Ryan said. “So I think it’s really important to always stay ahead of those regulations” by leveraging frameworks like HITRUST, which is updated multiple times each year.

For organizations unsure of where to start on their compliance journeys, Will suggests starting with ISO 27001 as a foundational framework to build trust with customers domestically and internationally. “ISO in general provides a level of governance that really sets the foundation,” she said. “You need a foundation to be able to build off of, and it is surprising, quite honestly, how much overlap you’ll find.”

Ryan said organizations should start small. “Don’t try to hike Mount Everest if you’ve never hiked before. You can get every single framework under the sun right off the bat, [but] you’re going to spend more time trying to plan out how to even do that than it would take just to get that first audit complete,” he said. “What’s really important is to prioritize.”

Goodwin also suggested that organizations home in on scope from the start. “The fact that we’re building off of one scope really helps us. Our policies and procedures carry through; it’s just adding controls and being a little stronger in our controls as you go up the ladder to what I call the Big Kahuna, which is HITRUST.”

Ryan agreed, saying “scoping is everything.”

“Similar [to how] we don’t have to tackle the entire framework ocean that’s out there right off the bat, we don’t have to tackle the entire large company and corporate structure. We can target business units first [and] build upon it,” he said.

“Customers are getting smarter. I’ll call it like it is. They know how important data security is,” Ryan concluded. “ECS is thinking about taking a well-rounded approach and always staying one step ahead of those attackers as much as you possibly can.”

Hear the full conversation to learn more about how BARR’s coordinated audit approach streamlined compliance for the ECS team, or contact us today for a free consultation.

*BARR Certifications is the certifying body that provided the ISO 27001 audit.