How Prepared Are You for the NERC CIPv5 Audit?


How prepared are you for the NERC CIPv5 audit? Maybe you're ready to jump in with both feet, perhaps you have no idea where to start, or maybe you're somewhere in the middle. No matter where you land, there are some best practices to help you along the way. While I can't promise to rid you of all past sins and violations, I do have pointers based on actual experience that has produced great results.

As an example, my company helped a large utility company prepare for a CIPv5 MRRE audit, with only one issue identified outside of what we had already reported, due to the auditors pulling evidence from a different sample set. Also, when we performed one-on-one coaching and solutioning sessions during a validation of three EMS environments, rework rates (areas where evidence was determined to be insufficient) were reduced from an initial 60 percent, to 30 percent, and finally down to 10 percent.

I'm happy to share lessons learned from our experiences with you. But before we proceed, you must begin with the end in mind. Let's assume that your goal is to exit the audit with zero findings, a handful of recommendations, and the respect and admiration of your management team and peers. I believe these best practices can help you meet that ideal.

As you may know, the auditors are trained professionals, and they know how to assess evidence. By extension, our goal beyond being secure and compliant is to concisely present evidence that substantiates CIP compliance. Think in terms of evidence that will pass the "man on the street" test to anticipate and respond clearly to audit questions.

We termed this "quality evidence," which consists of three most important attributes:

Source data – For each requirement, identify sufficient and appropriate key evidence to provide reasonable assurance that is extracted from the source and is sufficient and appropriate to support the auditors' findings and conclusions. Evidence should be attributable to the source and show when it was generated. It's helpful to provide screenshots showing both date/time and device name.

Clarity – Good evidence provides "information," not just "data." Some evidence contains so much data that the meaning is lost. By contrast, quality evidence is focused and contains only the essentials requested by auditors. Embed information in the evidence to help provide additional context. For example, a concisely worded statement explaining that a signature represents approval and review of a document can reduce follow-up questions and annotation efforts.

Completeness of population – Ensure the source data is accurate and complete. Doing so can help make sure that all items in the given population are captured, addressed and connected to provide support for the auditors' findings and conclusions. Provide assurance of the source's accuracy and completeness by comparing different sets of data for differences and taking corrective action, when necessary, to resolve deviations.

With this in mind, here are my top five audit readiness recommendations:

1. Prepare in advance
