Being audit-ably compliant – Compliance from the NERC CIP auditor’s point of view.
Standards are often somewhat ambiguous, leaving room for misinterpretation, especially for the first-time reader and implementer. Facing a NERC CIP audit is a challenge, particularly when there are multiple plausible interpretations of the same CIP requirement and the auditor may hold one that differs from the entity's.
To arrive at the correct interpretation, a detailed analysis of each of the standard's requirements should be conducted well in advance, preferably as soon as the applicable standard's draft is available from NERC. This analysis should identify a list of data elements to be captured and stored as evidence, in the context of the entity's CIP implementation plan, including existing policies, procedures and processes. Special attention should be given to identifying every evidence data element needed to cover the types of evidence requested in the Reliability Standard Audit Worksheet (RSAW) and in the CIP standards documents themselves.
NERC CIP auditors ask for evidence of the existence of written policies and procedures, of repeatable and consistent execution of those procedures, and of an audit trail showing their completion. The type of evidence needed is listed in the RSAWs, together with any additional evidence defined in the standard documents for each requirement.
Generally, most technical controls tied to the CIP requirements need three things in place: a corresponding policy, a well-defined and deployed process, and procedures written as a clear, consistent set of instructions that the people executing them actually follow.
Often the same data element can be used to meet the evidence needs of several related CIP requirements. This overlap of evidence data elements usually indicates a close relationship between the underlying processes, and an opportunity to reduce compliance effort by interconnecting them. This is best done with a well-designed process automation tool that supports the entire life cycle of the process and tracks its progress, so that decisions can be made in time to meet the end goals.
The auditors will verify the accuracy and completeness of the evidence presented to them in the RSAW. The quality of that evidence depends heavily on the quality of the execution of the processes themselves: a process that is run inconsistently produces evidence that is inconsistent too.
Finally, the auditors will also verify how well the entity manages exceptions to the deployed procedures during process execution. When a process cannot be completed along its expected critical path, there should be provisions for changing the process path and procedural steps to still meet the process goals, and the deviation itself should be recorded and approved so that the audit trail shows what was done differently and why.
Even after the standard is understood, producing all of the evidence, processes and policies, and then executing those processes, remains a real challenge. Often the data exists in multiple places, created and handled by multiple people. It helps to have a software product built specifically for tracking procedures and policies and the execution of those procedures. It is especially helpful to have an audit-ready repository of evidence that is sustainable and repeatable year after year.