Nobody Wants the Same Valentine’s Card

by Joseph Kirkpatrick / February 14th, 2023

In the words of Jim Gaffigan, “I hope you like what some other guy wrote.” When you receive a Valentine’s Day card, have you ever thought about how many people got that same card? It’s meaningless when the canned text applies to you and everyone else in the world. Instead, it’s nice to get a heartfelt message that is uniquely written for you.

An audit report is a love letter to your clients. It should be YOUR description of what YOU’RE doing to protect their information. Your SOC 2 audit report should be uniquely written to explain your controls and why they matter to your client. Your SOC 1 audit report should have complementary user entity controls written in a way to help your client understand what they should specifically be doing to interact with your system and processes. Your ISO 27001 audit report should explain distinctly how you’ve designed your Information Security Management System. Your clients will feel special to know that you took the time to write something to help them understand.

We’re seeing lots of clients use compliance platforms and policy templates, which provide canned control descriptions. These descriptions are showing up in everyone’s reports and turning them into boilerplate language. Worse yet, the static language they gave you may not even match what you’re actually doing, and that opens you up to liability! Your clients don’t want to read what a tool wrote. They want to hear thoughtful descriptions about what you do and why.

KirkpatrickPrice advocates for a quality approach to cybersecurity and compliance audit reports. Whether you seek to comply with SOC 1, SOC 2, ISO 27001, NIST 800-53, or the HIPAA Security Rule, they all start with the foundational element of a risk assessment. From there, YOU design your controls in a way that addresses the threats to YOUR business. No two businesses are alike, so please don’t send the same Valentine’s card to them all. It’s time well spent to think about your controls and write them in a way that is applicable to you and your client. They will love you for it.

About the Author

Joseph Kirkpatrick

Joseph Kirkpatrick is the Managing Partner at KirkpatrickPrice and holds the CISSP, CISA, CGEIT, CRISC, and QSA certifications, specializing in data security, IT governance, and regulatory compliance. He enjoys helping our clients and stakeholders by guiding them through the complex maze of compliance and regulatory requirements.