Many small and mid-size businesses breathe a sigh of relief once they earn a compliance certification, but the work doesn’t stop there. Certifications like SOC 2, ISO, or CMMC aren’t one-time milestones. They’re ongoing commitments that require fresh evidence, updated controls, and regular monitoring.
In this episode, Marie Joseph, Manager of Compliance Advisory at Trava, breaks down the reality of maintaining compliance over time. She discusses why frameworks evolve and how managed compliance services can take the stress off your team’s plate. Plus, she shares common mistakes businesses make during recertification and how to stay audit ready all year long.
Key takeaways:
- How compliance frameworks evolve and why it matters
- Common mistakes companies make before audits and how to avoid them
- How managed compliance services free up your team’s time
One of the top tips Marie shared in this episode for staying proactive and organized with compliance is using a Compliance Calendar. You can download a free copy today—based on the same calendar Marie uses every day to manage SOC 2, ISO 27001, CMMC, NIST, and other frameworks: https://travasecurity.com/pod-compliance-calendar
Episode highlights:
(00:00) Compliance: What happens after you get certified?
(02:32) Framework changes and renewals
(05:17) Why compliance is never “done”
(09:14) The audit mistake SMBs make most often
Episode Transcript
[00:00:00] Marie Joseph: Once you get that certification, there’s now that commitment to get that certification annually, and prove that there is continuous upkeep of all the things in your policies that you said you would do.
[00:00:32] Jara Rowe: Welcome back to The Tea on Cybersecurity. This time we are spilling the real tea on compliance as a whole. So I know a lot of times companies get their annual compliance certification, whichever framework it may be, but then they kind of think that it’s set and done and they don’t upkeep it, which isn’t that great of a thing.
[00:00:54] Jara Rowe: So, I have Marie Joseph here with me for us to dive a little bit more on about how compliance is not rinse and repeat. Hey Marie.
[00:01:03] Marie Joseph: Hey, happy to be back.
[00:01:04] Jara Rowe: How’s it going?
[00:01:06] Marie Joseph: Doing good.
[00:01:07] Jara Rowe: Alright, so just in case this is someone’s first time tuning in, please intro yourself briefly.
[00:01:15] Marie Joseph: I’m Marie. I am a manager of Compliance advisory here at Trava Security. I help my customers get through whatever compliance framework they throw our way, whether it be security or privacy, and then also just some general cybersecurity things.
[00:01:30] Jara Rowe: All right. I love it.
[00:01:31] Jara Rowe: So, like I mentioned that compliance certifications are typically done annually. But when it’s time to renew, can companies simply reuse the same controls and evidence? Why or why not?
[00:01:46] Marie Joseph: So they can technically use the same controls, and the evidence piece is where you would have to kind of give updated evidence. I would say that’s sometimes easier to see from the SOC 2 perspective because you have an observation window usually for that, where everything in that window has to have one of those dates on it, basically.
[00:02:09] Marie Joseph: So, you could technically use the same sheet or document and then you just have to put like the updated date on it in some way. But in some cases, some of those controls may be changed depending on if your architecture stayed the same or not, which is usually more relevant for people like SaaS companies or people that have a cloud environment in general.
[00:02:31] Jara Rowe: Okay, perfect.
[00:02:33] Jara Rowe: So I know that frameworks change over time, so what does that look like exactly? When it comes to like renewals, and then are there any upcoming changes that companies, I guess, particularly that we work with should be paying attention to?
[00:02:50] Marie Joseph: Yes. I would say majority of the time, most of the changes are pretty minor. They might be like condensing the list of controls in some way or renaming them in some senses, but that really just impacts your audit, really, that you have to make sure that any documentation that states that control number or the title of it is also changed.
[00:03:12] Marie Joseph: I’d say that sometimes I’ve seen it impact kind of internal audits for the most part, but the controls would still operate the same, or they might add an amendment to it where they add an additional control, and then you would have to make sure that you have something to satisfy that, where that might
[00:03:28] Marie Joseph: make it that you have to now create a new document to prove that you meet that objective going forward, or turn something on in your cloud environment, for example. So that’s usually kind of where you’ll see a lot of the changes. And then sometimes you’ll see frameworks become mandatory. And for example, one of ’em to talk about would be like CMMC.
[00:03:48] Marie Joseph: That’s a good one to bring up just because that is now becoming mandatory for anyone that has a DoD contract and utilizes CUI in any way. And that one is going into effect in the later this year type of thing, kind of now almost, probably by the time you listen to this episode, so that’s one of the bigger changes I would say.
[00:04:08] Marie Joseph: Another big one that I see a lot of my customers go for is really with the ISO 27001. That was renewed and had some updates in 2022. So there’s that new standard, and now all programs from the 2013 version must be compliant by October 2025 with the new standard. And those were just minor changes.
[00:04:29] Marie Joseph: There was also like an amendment that incorporates kind of climate change in some way. So every framework kind of has new things coming about, and they restructure every so many years because I mean, you would expect it to, because security is changing every day. The framework should also be changing every day.
[00:04:46] Marie Joseph: And some other ones are really just like in regards to like PCI or like NIST, for example. And then a lot of different privacy laws are constantly changing. More states are getting their own, some things are getting federally regulated in some way. And then, AI has kind of had its nice little boom here too, where now you a of AI regulations and AI frameworks coming out where people wanna get certified in that area too.
[00:05:09] Jara Rowe: Yeah. It sounds like a lot to keep up with if you aren’t in this day in and day out, for sure.
[00:05:18] Jara Rowe: So, why is it risky for a business to treat compliance as a one and done milestone?
[00:05:24] Marie Joseph: Definitely, because that’s not reality, where once you get that certification, there’s now that commitment to get that certification annually and prove that there is continuous upkeep of all the things in your policies that you said you would do, so a lot of times you’ll have something that you do this quarterly or do this monthly.
[00:05:44] Marie Joseph: Like for example, people say they run vulnerability scans on a monthly basis, where you then should have been collecting evidence on a monthly basis proving that, where it’s not really a one and done because your program was supposed to be continuous anyways, which is what you to with that certification.
[00:06:00] Jara Rowe: Mm-hmm. For sure. We’re actually gonna talk a little bit more about like continuous monitoring, compliance, cybersecurity in a later episode. So I’m really excited to dive into that. So what type of service or program can help juggle all of these things when it comes to the frameworks and regulations changing, and I mean even getting a different framework, maybe there’s a new customer, that someone is wanting to sign and they require something else.
[00:06:32] Jara Rowe: So how can all of this be maintained?
[00:06:36] Marie Joseph: Great question. I would say in a lot of cases, a lot, with like small, medium-sized businesses, people don’t have that headcount available to have someone that’s fully focused on compliance, and a good way to like juggle it would be hiring kind of a third party as an advisor or consultant, or similar to like what a lot of our customers do, which is compliance as a service, where we are the ones that are continuously monitoring and upkeeping the program on your behalf and you really just kind of have to show up for a lot of the things or
[00:07:06] Marie Joseph: sign off on them in some way and help us just with the upkeep of your program, but we’re making sure you hit all those milestones so that you don’t have to worry about something kind of falling off the rails.
[00:07:17] Jara Rowe: For sure, and especially again in a previous episode, you and I were talking about like the GRC tools and I may purchase that, but I have no idea like what to do. So this program like managed compliance or compliance as a service would be able to help me with things like that as well.
[00:07:34] Marie Joseph: Exactly.
[00:07:35] Jara Rowe: All right.
[00:07:36] Jara Rowe: Fantastic. So, what ROI can businesses expect from managed compliance services?
[00:07:44] Marie Joseph: I would say the big one would be overall time back in their day, especially if we’re not right next to the audit window closing or getting to that external audit. In general, we like to kind of spread out a lot of the controls and everything, and then take on all the controls that we can on the customer’s behalf to make sure that they can go back to doing their daily job that they like doing more, because no one really likes to do the compliance and security piece.
[00:08:09] Marie Joseph: They can lie to me all they want, but I know, I know it doesn’t sound as fun, but I enjoy doing it and so does my team. So that’s kind of why, give them back that time of the day to do what they love. And then they also wouldn’t have to check in on all those continuous check-ins that I was talking about earlier, like checking to make sure their monthly scans run.
[00:08:25] Marie Joseph: We’re helping them check that piece and then making sure that they know to check in when they need to.
[00:08:30] Jara Rowe: Yeah, for sure. I’ve actually talked to a Trava customer, will not give the name, but they were like, I understand why cybersecurity and compliance is important, but this is not something I enjoy doing. So then, that’s what like Marie and her team are for, is to really, you know, allow the customers to really focus on the things that they like.
[00:08:52] Jara Rowe: But they know that compliance and cybersecurity is important, so they hire the pros to do that.
[00:08:57] Marie Joseph: Exactly. I would say another big one that they don’t like doing is like that external audit piece. They, they don’t like the communication of it and all that, and that’s something we just take off their hands with our CS packages, where it’s like, I love going through audit, so let me do it for you.
[00:09:12] Jara Rowe: Yeah, it’s fantastic.
[00:09:14] Jara Rowe: What’s one common mistake companies make when it’s time to recertify?
[00:09:19] Marie Joseph: I would say not prepping in any way and not having some sort of compliance calendar that they were following the whole year. That’s one of the bigger things. And then making sure that they have that fresh evidence gathered prior to their audit starting. In some cases, they think that like they can just say, oh, I looked at it, but not documented anywhere.
[00:09:39] Marie Joseph: Where I see that mistake happen a lot too, where the auditor’s asking for proof you at least reviewed the document and they don’t have anything. So I think those are the bigger mistakes, because they kind of waited until the very end of their timeline to start gathering new evidence. Or like I said, maybe not gathering it at all and just waiting until the auditor asks.
[00:09:57] Jara Rowe: Yeah. Can’t just wait for it. You have to prepare.
[00:09:59] Marie Joseph: Exactly. Prepping is the big thing.
[00:10:01] Jara Rowe: Yeah, absolutely. Okay.
[00:10:11] Jara Rowe: So I feel like we’ve covered a lot of information here and definitely proven that compliance isn’t completely rinse and repeat. You can reuse controls, but the evidence has to be different when it’s time to recertify. Correct?
[00:10:19] Marie Joseph: Correct.
[00:10:20] Jara Rowe: Yes. And then it also proves that once you’re compliant, it’s not set and done because you have to have new evidence. These frameworks and things change. So it’s really important to keep up with those things. And if you don’t have the time and capacity, that is where a managed compliance service comes into the picture.
[00:10:42] Marie Joseph: Exactly, it then becomes an annual and continuous commitment.
[00:10:45] Jara Rowe: Yeah. Fantastic. All right, so everyone, once you are certified, you have to continue to upkeep your cybersecurity and things like that. So if you need help, you can reach out to Marie.
[00:10:59] Marie Joseph: Yes, would love to.
[00:11:01] Jara Rowe: She is a, she’s a professional. She does this day in and day out. Well, Marie, I appreciate your time and expertise. Thanks for joining me on another episode of The Tea on Cybersecurity.