top of page
Case Study Icon
Case Study Icon

Ensuring Compliance & Efficiency
Documenting New Processes

i-confidential Security Consultancy Offering Logo

"...these improvements enabled the organisation to embed and maintain their new cyber security and IT control requirements."

Initial Assessment and Planning

 

  • Stakeholder Engagement - We began by engaging with key stakeholders to understand the organisation’s current processes, control requirements, and documentation challenges. This included identifying the owners of the central and distributed processes that were operated by all the lines of business.

  • Gap Analysis and Prioritisation - We conducted a thorough gap analysis to identify discrepancies between any existing process documentation and the new control standards.

Framework Development

 

  • Control Standards Mapping - We mapped the new standards to the organisation’s internal processes, ensuring each requirement was addressed in the documentation.

  • Template Creation - We developed a standard process manual template, incorporating best practices for clarity, detail, and compliance. We ensured these were fit for purpose and met the internal requirements.

Process Documentation

 

  • Discovery Exercise - For each process manual, we identified all key resources needed to document the processes and explained to them their role, gaining buy-in up front.

  • Collaboration - We worked closely with process owners and subject matter experts to gather accurate and comprehensive process details.

  • Drafting Manuals - We used our process template to draft detailed manuals, ensuring each process step was clearly documented and aligned with control standards.

 

 

Review and Validation

  • Internal Reviews - We validated the accuracy and completeness of the manuals with process owners, control owners, and risk and compliance teams.

  • Collaboration - We worked with multiple internal teams to ensure a full understanding of the process manual and confirmed acceptance.

Implementation and Training

 

  • Dissemination - We distributed the finalised process manuals to all relevant departments and stakeholders.

  • Training Sessions - We managed a handover to internal teams to carry out design effectiveness testing on the processes.

 

Continuous Improvement

 

  • Feedback Mechanism - Throughout the engagement we established a feedback mechanism for continuous updates and improvements to the process manuals based on user input and evolving standards.

Approach

Objectives

The primary goal was to produce detailed process manuals for IT and cyber security processes that adhered to the new standards, ensuring consistency, clarity, and compliance across all departments and locations.

Not only did these documents need to map out the processes, including detailed steps, they also had to highlight the primary and secondary controls for those processes, roles and responsibilities, associated risks, and Key Control Indicators (KCIs). This would enable a regime of control testing to help the organisation meet regulatory requirements.

Background

An international financial services organisation faced a significant challenge. It needed to develop a number of new internal process and control manuals that aligned to the requirements defined in new standards.

These were required by the regulator and would also allow them to start control testing for the first time. With diverse operations spanning multiple countries, the organisation required a systematic approach to develop comprehensive, consistent, and compliant process documentation.

The organisation enlisted i-confidential to lead this initiative.

Outcomes

 

Compliance Achievable: We successfully created internal process manuals to comply with new control standards, allowing the organisation to test compliance and ultimately reduce regulatory risk.

Consistency Across Lines of Business: We ensured the uniformity of process documentation across multiple locations, improving operational consistency and efficiency.

Enhanced Employee Understanding: Comprehensive training improved employee understanding and adherence to new processes and controls. In addition, control owners and process roles and responsibilities across multiple lines of business were well defined.

Audit Readiness: We prepared the organisation for internal and external audits with well-documented, compliant processes.

Key Control Indicators: By defining effective Key Control Indicators, control effectiveness could be measured using the i-confidential metrics library.

Process Gaps: We provided the organisation with a list of gaps against the new standards, allowing them to determine the appropriate remediation treatment.

Conclusion

i-confidential provided the client with cyber and IT process manuals that met the requirements of the new standards, as well as those of the regulator.

 

This enabled control owners to understand how to operate their processes so they were effective and provided a sound basis for first-line control testing to assure them.

 

Together, these improvements enabled the organisation to embed and maintain their new cyber security and IT control requirements.

bottom of page