Reporting on your organization’s privacy and security management has become increasingly important with the advance of new legislation, for example the Network and Information Security 2 (NIS2) directive and the Digital Operational Resilience Act (DORA). In this brochure, we will clarify the relevance of ‘in control statements’ and explain how you can easily generate them yourself with just a few mouse clicks.
The shift from audits to proactive In Control Statements
As new regulations come to apply to more and more organizations, we expect that supervisory authorities can only oversee all of them sustainably by asking regulated companies to proactively and periodically submit ‘in control statements’.
In highly regulated environments such as accounting, in control statements are already in use. They are a way for an organization to declare to a supervisory authority that it has kept its accounts truthfully and lawfully. In control statements are a useful tool because they save supervisory authorities time and money. The SWIFT banking network, for example, requires its users to submit an annual self-attestation against its Customer Security Controls Framework. As information security regulation is extended to an increasing number of organizations, a similar shift towards active reporting is likely to occur there as well.
Purposes of In Control Statements
In control statements bring trust and confidence to investors and potential clients and demonstrate compliance to regulatory bodies. They provide a quick overview of the status of the controls in your privacy and security management system. As CEO, you can request this statement to see the status of your organization’s privacy and security management and relay this information to investors, potential clients and other stakeholders. You can also provide the statement to regulatory bodies, as various regulations require documentation of ongoing privacy and security management.
Case study in the retail sector
In the retail sector, you could use an in control statement to show compliance with several measures of the NIS2 directive, for instance supply chain security. This measure requires organizations to assess the overall security level of the suppliers in their chain and to select and verify security measures for their direct suppliers and service providers. You can use the in control statement to show that you performed the assessment and audited the companies along the supply chain; the statement is only as strong as the evidence behind it, so it should reference the supplier assessments and audits (scope and date) it is based on.
Similarly, NIS2 requires security in network and information systems acquisition, development and maintenance, which includes vulnerability handling and disclosure. One of the biggest challenges for the retail sector concerns point-of-sale (POS) systems, which are vulnerable to attack because they often run outdated operating systems that no longer receive security patches. The 2022 attack on 7-Eleven in Denmark is believed to have entered through such legacy systems. An in control statement can show that an organization has identified this vulnerability and is actively implementing controls, such as patching, isolating or replacing the affected POS systems, rather than merely acknowledging the risk.
How Anove can help
In the Anove app you can automatically generate an in control statement with several unique features. Besides the general aspects, such as risks and controls, Anove’s statement can optionally show the current maturity level of each control alongside the desired maturity level. Moreover, you can create a separate statement per regulation. These features enable you to be proactive in your reporting and to show that you are in control to whoever requests it. They also allow you to demonstrate compliance with frameworks in other regions or growth markets.
An In Control Statement in just one click
Anove lets you create an in control statement tailored to your organization in just a few clicks. You do this on the ‘Control Management’ page at the tactical level.
The Control Management page lists the controls for your organization, sorted per regulation. From this list, you select the controls you want to include, for example only the NIS2 controls.
After making your selection, you simply click ‘Generate in Control Statement’ and the statement is generated for you as a PDF.
Take the step towards digital compliance and assurance with Anove. Enhance your data processing registers and protect your organization’s credibility and trust in the digital age. Anove is your dependable partner in streamlining security and privacy efforts; it is time to embrace a more efficient and secure future.
Would you like to learn more about what digital assurance can mean for your company? Please get in contact with us for an informative talk or a free demo of Anove.
BBP Media. (2022). NIS2 is Coming – And the Retail Industry is Not Prepared. https://www.bbpmedia.co.uk/business-insights/retail/nis2-is-coming-and-the-retail-industry-is-not-prepared.html
CBS. (2023). Bedrijven; bedrijfsgrootte en rechtsvorm [Companies; company size and legal form]. https://opendata.cbs.nl/#/CBS/nl/dataset/81588NED/table