Remember earlier this year when everything was business as usual? How quickly our lives have changed in the past month. COVID-19 has wreaked havoc on everyday life for individuals and businesses across the nation. Even though much of our nation has shut down, many of our regulatory and contractual requirements haven’t gone anywhere, especially as they relate to information security.

In fact as we work remotely, information security is more important than ever. You may have been asked for a SOC report, PCI ROC, ISO certification, HITRUST certification or any number of third-party reports that demonstrate a secure environment to your customers or regulators, and in the current environment, you may not be sure if this is possible. However, many organizations are still being asked for these assurances on the security of the data they handle from customers, government regulators, and prospects. Fortunately, the regulatory and accreditation bodies that oversee these services have been very proactive amid the pandemic and are coming out with new guidance that will help businesses and auditors alike move forward utilizing technology and remote work to complete these audits.

The Transition to Remote Work

Remote work has posed a new concern for many companies. How do we stay connected? What impact will remote work have on our current projects? How do I effectively communicate with my team and my clients? Remote work doesn’t have to be scary. In fact, it can be just as productive as being in the office. You may already have access to tools that can help mimic an in-office experience. Tools such as WebEx, Skype, Zoom, Slack, and Microsoft Teams allow teams and clients to video conference, share screens, and potentially perform observations. For those of you that may have been avoiding this technology, what better time to become acquainted with these tools and learn the many capabilities they offer?

Regulatory and Accreditation Organizations Response

Regulatory and accreditation bodies have recognized that the COVID-19 pandemic has created new challenges for both organizations and their assessors. In response, many have issued additional guidance on meeting regulatory requirements during these unique circumstances.


The AICPA has released guidance on how to conduct remote audits while many organizations have limited access to their facilities to employees only. At this time, no formal guidance has been issued relative to SOC 2 reports that are so critical for many; however, much of the guidance for remote financial audits can be applied to these SOC audits. In addition, CPA firms may employ alternate procedures where observations were once utilized to document the effectiveness of a control. If no evidence can be gathered where physical observation was once utilized, a worst case scenario is a possible scope limitation for certain physical controls.


HITRUST has released new guidance on the impact of COVID-19 on CSF assessment procedures, including new bulletins that have waived the requirement for on-site assessments and addressed the impact of COVID-19 on assessment timelines. Although HITRUST has waived the onsite requirement for a period of time, HITRUST still requires that HITRUST Authorized External Assessors obtain sufficient and appropriate evidence in order to determine requirements are met. This process most notably affects requirements that would typically be tested using an onsite observation, such as observations of physical and environmental protections in place. For these observations, HITRUST has outlined examples of alternate procedures an assessor can leverage in order to obtain sufficient appropriate evidence of implementation. These include evaluations of evidence such as camera footage, facility diagrams, access logs, installation and maintenance records, etc.

As far as timelines go, HITRUST recently announced a new Bridge Assessment is available for companies needing help in maintaining their HITRUST CSF Certification due to the COVID-19 crisis. This allows companies to maintain a form of HITRUST CSF Certification status for an additional 90 days even if the validated assessment submission due date is missed. If your organization needs a HITRUST Bridge Assessment, contact us. We’re even offering a special rate for new customers. Latest updates with guidance on HITRUST can be found in their formal HITRUST bulletins.


ISO recently released a statement in light of the COVID-19 pandemic indicating that all ISO governance and technical meetings should be conducted virtually or postponed until a later date. Many ISO accreditors, who typically allow no more than 30% of an audit to be conducted remotely without special permission, are allowing fully remote audits at this time.


The PCI Security Standards Council has also provided guidance for remote audits in response to the COVID-19 pandemic. PCI SSC had already issued guidance related to remote audits but continues to monitor the COVID-19 pandemic and will provide updates as necessary. External penetration tests continue to be business as usual. However, new processes have been implemented that allow internal penetration tests to be conducted without setting foot on the premises.

The common denominator across these assessments is the need to address observations for physical and environmental protections. As discussed, most cases do not have to have an impact or delay your current needs to keep your business moving and meeting your compliance obligations. Regardless of the assessment, your organization is undergoing, LBMC can help you achieve your compliance needs. LBMC has implemented processes and updated testing procedures to conduct successful observations remotely.


LBMC recognizes that every organization is different. If you have questions on how COVID-19 affects your organization’s IT compliance audit you can continue to monitor LBMC’s COVID-19 Resource Center or contact us here.


Want to learn more? Listen to our Cybersecurity Sense podcast by Chelsea Smith and Bill Dean.