NERC CIP Audit and 693; we are ready when you are!
The professionals at Lazarus Alliance are completely committed to you and your business’ NERC CIP audit success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations. Our competition may want to keep you and your employees in the dark where security, risk, privacy and governance are concerned hoping to conceal their methodology and expertise. We don’t prescribe to that philosophy. We believe the best approach is transparent and built on a partnership developed on trust and credibility.
Lazarus Alliance’s primary purpose is to help organizations attain, maintain, and demonstrate compliance and information security excellence – in any jurisdiction. Lazarus Alliance specializes in IT security, risk, privacy, governance, cyberspace law and NERC CIP audit compliance leadership solutions and is fully dedicated to global success in these disciplines. We can help your organization too! Our clients come from all business sectors across the world.
Comprehensive NERC CIP Audit Services
Once a company has made the decision to enlist a third party to provide a service, it wants assurances that those services will be provided in a timely, accurate, and secure manner. A NERC CIP audit or 693-based audits shows your commitment to maintaining a sound control environment that protects your client’s data and confidential information.
Lazarus Alliance's NERC CIP services are designed to serve the needs of North American bulk power system covered entities in regard to CIP compliance. Lazarus Alliance offers a complete range of services built around the key areas of CIP compliance standards:
NERC CIP Overview:
- NERC CIP-002: Critical Cyber Asset Identification
- NERC CIP-003: Security Management Controls
- NERC CIP-004: Personnel and Training
- NERC CIP-005: Electronic Security Perimeter
- NERC CIP-006: Physical Security of Critical Cyber Assets
- NERC CIP-007: Systems Security Management
- NERC CIP-008: Incident Reporting and Response Planning
- NERC CIP-009: Recovery Plans for Critical Cyber Assets
- NERC CIP-010: Configuration Change Management and Vulnerability Assessment
- NERC CIP-011: Information Protections
Frequently Asked Questions
Who must comply with NERC CIP?
Entities that own, operate, or control BES components, including electric utilities, power marketers, generators, and cooperatives in the U.S., Canada, and parts of Mexico, must comply with NERC CIP.
Who conducts NERC CIP audits?
Audits are conducted by Regional Entities (REs) under NERC or the Federal Energy Regulatory Commission (FERC), with third-party firms like Lazarus Alliance assisting.
What are the penalties for NERC CIP non-compliance?
Penalties include fines up to $1.29M per violation per day, corrective action plans, and potential loss of operational authority, enforced by FERC.
What is the NERC CIP audit preparation process?
Preparation includes:
- Conduct gap analysis.
- Update RSAWs and documentation.
- Perform internal audits.
- Train staff.
- Engage third-party consultants (e.g., Lazarus Alliance, Continuum GRC).
How does NERC CIP align with NIST 800-53?
NERC CIP maps to NIST 800-53 controls (e.g., AC, AU, CM families), ensuring compatibility with federal cybersecurity standards.
What is the role of third-party auditors in NERC CIP?
Third-party firms (e.g., Lazarus Alliance) conduct gap analyses, mock audits, and compliance assessments to prepare for RE audits.
Companion Services
- Compliance Readiness Assessments
- Subject-Matter Expertise
- NERC CIP Evidence Request Tool (ERT) orientation
- Gap Assessments
- Client Advocacy
It is crucial for electric utilities to be prepared for malicious attacks and internal actions that could negatively affect their operations and organization. Utilities must consider how they are being logically and physically accessed in order to optimize their security approach. While utilities have a reputation for engineering just about everything, they often treat security programs and systems as “add-ons”. This approach only ensures that the expenditures are more costly and far less effective, and have a shorter operational life cycle.
To ensure effective regulatory compliance with the NERC CIP audit standards, and to enhance their risk management programs, Information Technology, Physical and Personnel Security programs and Business Continuity should be engineered into literally every project and operational processes so that actual use of these practices in daily functions strengthens the security of the utility while supporting safe and secure operations. In short, they should be built into the very infrastructure of utility operations whether it is a Systems Operations Control Center, Substation or Generation Facility.
Contact us for more information
What to Expect
Lazarus Alliance’s NERC CIP audit process initially takes just a few weeks from start to completion to baseline your organization depending on your team’s availability. We are cognizant that our clients have full time, everyday obligations in addition to dealing with auditors so we are flexible to your needs and work around your schedule to provide a quality audit and report in the time frame you desire.
A significant differentiator you will immediately appreciate is our Proactive Cyber Security™ NERC CIP audit methodology which take a continuous audit approach rather than the end of reporting period Audit Anarchy approach by other firms. We will also utilize our proprietary IT Audit Machine technology to set you up for success. The IT Audit Machine is a full-featured and highly collaborative assessment and reporting tool only available from Lazarus Alliance.
Lazarus Alliance creates sustainable NERC CIP audit partnerships with our clients. We have a proven methodology and project plan that helps our clients achieve compliance on budget and on schedule. You will come to appreciate our Service, Integrity and Reliability which will be apparent to you from the very first call.