From Spreadsheets to Simplicity: Annual Policy Attestation Made Easy with SimpleRisk | SimpleRisk GRC Software

Sometimes, sleep deprivation merits unexpected rewards. In the process of remediating various ISO 27001 controls, I faced a challenge: finding a seamless yet effective means to capture enterprise-wide annual policy attestation and security awareness compliance. The solution needed to be automated, auditable, and scalable—but the SimpleRisk "Document Program" feature lacked native policy attestation capabilities. And with my boss’s mantra, “eat our own dog food,” echoing in my mind, I knew I had to find a way to make SimpleRisk work for this.

Then one night at 3 a.m., I had the proverbial lightbulb moment. The SimpleRisk Risk Assessment Extra could bridge the gap! With a bit of creativity, I realized I could repurpose its functionality to streamline policy attestation and launch a security awareness campaign. Here’s how I did it.

The Problem: Simplifying Compliance

ISO 27001 compliance mandates annual policy attestation and security awareness training. Traditional approaches often involve manual processes, multiple tools, or additional platforms—creating inefficiencies and potential bottlenecks. I needed an out-of-the-box solution that would:

1. Avoid additional logins or accounts for employees.
2. Provide automated tracking and reporting.
3. Deliver an auditable process for our ISO auditor.

The Solution: Repurposing SimpleRisk’s Assessment Extra

The answer lay in SimpleRisk’s Assessment Extra module. Here’s the step-by-step process I followed:

1. Policy Mapping: I created a spreadsheet matrix detailing which departments needed to attest to specific policies based on roles. Policies were already stored on our enterprise Google Drive, ensuring easy access for employees.
2. Custom Assessments: Using the Assessment Extra, I designed one-question surveys for each initiative:
   • “Have you read and agreed to each policy below?”
   • “Have you completed the annual security awareness training from the link below?”
3. Proof of Completion: The “attach a file” feature allowed employees to upload screenshots of their security awareness completion splash screens.
4. Automation: Employees received automated daily email reminders to complete the assessments, ensuring consistent follow-up without manual effort.
5. Tracking and Reporting: Each assessment included unique tokens, making it easy to track responses and resend specific links to stragglers.

The Results: Compliance Without Drama

Employees were given 30 days to complete both initiatives. Our CEO set the tone by completing his attestation on the first day, inspiring others to follow suit. Automated reminders encouraged compliance, while the tokenized links streamlined follow-up for those with “lost email” excuses.

At the end of the 30 days, two crucial boxes were checked for our ISO 27001 compliance efforts. The process was efficient, auditable, and—most importantly—scalable. Even our ISO auditor praised the solution!

Why It Works

SimpleRisk’s flexibility was key to success. Its unlimited user capability meant no additional accounts or costs, while the Assessment Extra’s simplicity allowed for easy customization. This solution not only met ISO requirements but also set a foundation for annual reuse, reducing future workload.

Bonus Applications

The same process can be adapted for:

• Annual third-party vendor policy attestations, using shared Google Drive folders for external access.
• Quarterly security awareness refreshers or other compliance-driven training initiatives.

Lessons Learned

While no system guarantees 100% compliance or proof that employees read every policy, this approach provided a documented, automated process that satisfied auditors and minimized manual effort. It’s a pragmatic balance between effectiveness and feasibility.

Final Thoughts

Compliance challenges often require creative solutions. By repurposing the tools at hand, we turned a late-night idea into an ISO 27001 compliance success story. If you’re facing similar challenges, consider exploring innovative uses of your existing platforms. You might just find your own 3 a.m. lightbulb moment.