Mason Karrer

IT Compliance - All About That BaseStandard

Blog Post created by Mason Karrer Employee on Mar 26, 2015

When it comes to IT risk management approaches, few things can spark more debate than the use of standards. To explore that is to ponder another alphabetic quagmire of acronyms, categories, and random numeric designations. So which one’s the best? Is there even such a thing as “best”? My answer is always the same. The best one is the one that’s best for you. In other words, it depends.


The reality is you rarely have a choice. If your business accepts credit cards in any significant volume of transactions, then PCI compliance becomes a business requirement. Want to set yourself apart in Europe? Perhaps ISO 27001 certification is en vogue. Opening a new power plant? Welcome to the electric world of NERC enforcement. It’s the same story throughout every industry and geography. The list goes on.


We operate in a world of multiple standards and requirements and rapid change. How can you find efficiencies and cut through duplicate work? When you already have your hands full meeting the requirements, you don't want to struggle with the mechanics of managing them on top of it. That's why we’ve gone to such lengths to transform the “ask once, answer many” dream into reality by wrestling this problem into workable solutions that make the process of IT risk and compliance easier.


Gartner’s most recent IT Risk Management Magic Quadrant once again named RSA Archer a GRC industry leader, which we're excited and proud to say makes us the only leader in all four major evaluations (the other three being IT Vendor Risk, Business Continuity, and Operational Risk). In an MQ report two years ago Gartner flattered us with an unexpected notation in their analysis about the extensive breadth and depth of Archer’s embedded content libraries. I say unexpected because it’s not a specifically weighted category they rank separately, but rather an additional observation they chose to make on their own and share with their readers independently. We were humbled to say the least but also delighted in the validation of the conscious decisions we’ve made over the years to invest in those aspects of Archer.


One of the more tangible aspects of Archer’s GRC libraries is the inclusion of many large format technology related standards. Make no mistake, it’s a TON of work to process and map those together. The past few years brought an interesting turn of events in their revision timing. Most major IT related standards are published by totally separate entities and consortiums, each according to their own schedules. Since the development of those standards is often collaborative and even political, delays can occur causing official releases to slip by a year or longer, which is exactly what happened for a few of them.


The result was a rare perfect storm of circumstances that dropped new versions of COBIT, PCI, ISO 27001, NIST 800-53, and the ISF's Standard of Good Practice on the collective market all within about 18 months of each other, plus a major revision to HIPAA and ongoing NERC changes to boot! This was unprecedented, and if you had to maintain compliance with more than one of those, chances were you were scrambling. So we marshalled resources and hustled in order to have all of them fully mapped and ready to go shortly after their release. Because of the unique way we enable IT risk and compliance in Archer, our customers could quickly adapt to any combination of those changes without missing a beat.


We’ve always recognized two of the most powerful resources we can give customers are flexible options and the freedom to make Archer their own. We do this with a fundamental appreciation that they too have a choice in the market. So when they choose us we take our commitment very seriously to give them the best tools we can to drive their information risk and compliance programs effectively. One of the great things about Gartner’s approach to industry analytics is the emphasis placed on independent customer validation and opinions. Our customers continue to have a profound influence on the direction of Archer and they challenge us in the most fantastic ways. That alone really is its own reward. But undisputed GRC market leadership feels pretty good too.


Please visit Steve and Patrick’s blogs for additional insights, and check out our Community page for more information on the MQ series.



Gartner, Magic Quadrant for Business Continuity Management Planning Software, Roberta J. Witty and John P. Morency, 27 August 2014.

Gartner, Magic Quadrant for IT Risk Management, Paul E. Proctor and John A. Wheeler, 10 March 2015.

Gartner, Magic Quadrant for IT Vendor Risk Management, Christopher Ambrose et al., 29 October 2014.

Gartner, Magic Quadrant for Operational Risk Management, John A. Wheeler and Paul E. Proctor, 15 December 2014.