Passing the Entry Exam
Before any SEC Party can use the Data Communications Company's (DCC) systems, they must prove their own systems are secure. And rightly so. The User Security Assessment process safeguards the whole industry. It ensures all Users manage the risks in their end-to-end smart systems at least in line with the ISO 27005 standard.
To complete DCC User Entry, an initial Full User Security Assessment (FUSA) must be conducted by external specialists – the Competent Independent Organisation (CIO) – and fully ratified by the SEC Security Sub-Committee (SEC SSC). These gatekeepers will dictate the follow-up actions from each audit.
Once the initial audit has been passed, the requirement remains. It's a three-year cycle: a Full User Security Assessment in Year 1, with the assessments in Years 2 and 3 dictated by the type of DCC User and the number of domestic premises supplied.
The emphasis of Year Two audits, usually a Verification User Security Assessment (VUSA), is on whether SEC Parties have continued the good practice that allowed the Year One audit to be successful. Are business processes still being conducted in line with clear policies and procedures? Have there been any significant updates to the Party's network architecture? And how are security risks being assessed, monitored and mitigated now that the Party has moved out of the design phase and into implementation?
Second Year audits are an ideal opportunity to take stock of business security and ensure that secure operational controls and risk management procedures have been embedded.
Our experts have been through this process several times. We can help you determine how your security controls and risk governance align to the requirements of SEC CIO audits. We’ll spot gaps and recommend ways to close them before you spend money on your official audit process.
In our experience, preparation like this is a great way to minimise the time and effort needed to participate in the ongoing CIO audit cycle.
For more information, please get in touch at Engage Consulting.