The Appliance Of Compliance

Compliance Management

Sector-specific, geographic and legal obligations are creating a multi-layered millstone of compliance around the neck of industry. Businesses striving to achieve regulatory compliance often end up with management systems for each certification, resulting in multiple data silos.

Consequently, many organisations are carrying deadweight in the form of duplicated data or are applying inconsistent practices, policies and procedures to satisfy the requirements of each standard.

Today’s compliance landscape presents a complex maze of ever-shifting requirements, with compliance standards routinely revised and updated. New iterations of standards such as PCI DSS 3.0, ISO27001:2013 and PAS 99 will add further complexity.

In particular, ISO27001:2005 (soon to be ISO27001:2013) is becoming a critical compliance element for those organisations wishing to demonstrate appropriate data in the light of new cyber threats and internet-borne attacks. But achieving compliance will often be an arduous undertaking, requiring the transition of data from one compliance standard to the next.

However, shifting compliance requirements need not be a daunting prospect. Through the use of strategic management it is possible to rationalise, simplify and reduce the cost of compliance. By bringing together multiple standards, governance frameworks and associated management systems under a Compliance Management strategy, it becomes possible to generate cost savings, improve efficiency and create data transparency.

Compliance Management is an emerging discipline that allows various standards to be supported at the same time, without duplication, enabling the organisation to accommodate change cost effectively and efficiently.

It involves the combined management of compliance standards by centralising standards and using commonalities to derive a common framework, whilst modelling the business processes to ensure success with implementation. Compliance standards and systems often have shared requirements, and by identifying these it is possible to create efficiencies, reduce costs and diminish the drain on resources.

Compliance standards often have many aspects in common despite focusing on very different areas; be it information security, quality, or environmental health, for example. Management systems also have commonalities that lend themselves to being managed in an integrated way. For example, there will often be areas of overlap between compliance requirements such as:

  • Policy and Procedural Authoring
  • Risk Management and Methodology
  • Formal management system implementation
  • Certification matrices
  • Auditing practices.

By identifying these recurring processes and using them to create a single point from which to manage related and disparate standards, it becomes possible to reduce resource requirements, reuse common documentation, eliminate duplicated documents and governance, and increase visibility and governance at Board level.

Yet the appliance of Compliance Management should not be relegated to box-ticking and deduplication. It provides a real opportunity to get to grips with the business and gain insight into how the organisation functions as a whole. By looking at the business in its entirety, a solution can be designed that will rationalise processes and maximise management buy-in.

This starts at the grass roots, with simple considerations such as how roles and responsibilities are assigned. For example, if implemented correctly, role-based access can not only ensure accountability but also promote communication across the enterprise and create better visibility of the way the business functions, all the way up to Board level.

When initiated with a business process modelling strategy in this way, the benefits of Compliance Management can be even broader, helping to lower system maintenance costs, reduce training and support, improve consistency and structure, and create a transparent enterprise where management are able to make better, informed decisions.

Louise T Dunne

Louise T Dunne is MD of Auriga, a data, ICT and security consultancy that blends security with business process to provide business insight. She has extensive governance, risk and compliance knowledge having worked in information security for over a decade. A CESG Marketing Management Forum Member, IISP member with ITPC status, BSI BS 25999 Business Continuity Practitioner, CESG CLAS consultant, BSI Qualified ISO27001 Lead Auditor, and a Professional Member of the BCS and a BCS Qualified Business Process Modeller, she has also sat on the Management Committee for the Tiger Penetration Testing Scheme and was a Founder Member of the CREST Scheme. Louise is actively engaged in public and private sector security projects and regularly publishes articles and speaks about security.