To comply or not to comply? That is NOT the question.
Taking a black-and-white approach to compliance is ideal and easy, but with increasing risk in today’s business landscape, compliance management is complex. Addressing every single regulation, standard or rule, and implementing all of it, is a daunting task that may lead you to a “coverage” or “assurance” score—but may also leave you asking, “how did I get that?!”
There has to be a better way…
In our Spring ’17 release, ACL introduces Compliance Maps, a content-loaded compliance management feature that provides a central location to manage your requirements—placing power back into your hands as the compliance professional (not the regulator) to determine for yourself where on the compliance spectrum you want to be.
Organizations can now choose their own adventure. Let me explain before you call the authorities…
Step 1: Check the damn box!
For some, compliance is just a set of boxes to check. So as you identify which risks are relevant to your organization, the first step is to get rid of the requirements that you don’t need to worry about. Simply put, make your checklist smaller.
Take, for example, COBIT 5’s APO04 standard on innovation, which states: “Assess the potential of emerging technologies and innovation ideas.” But what if your IT department relies on third-party services for all of its IT needs?
Answer: Not applicable. Check! And move on…
Step 2: Take control by interpreting controls.
No company can manage thousands of disparate, ongoing compliance activities. Compliance Maps are designed for you to choose at what level you want to demonstrate compliance.
This means you make room for some healthy interpretation of your current environment. Or as our Chief Product Officer Dan Zitting says:
“Think like a defense attorney, not a contracts attorney.”
On one end of the spectrum, there are compliance professionals who take requirements too literally, burdening themselves with checklists. Requirements come in the form of nested trees with sections, subsections and sub-subsections. So why not decide for yourself at what level of granularity you want to map your control tests, and then provide a “defense attorney”-like rationalization?
Say, for example, that your organization has a password policy for information security. COBIT 5’s APO 13 states: “Manage security.” Drill down a level further and you have: “Establish and maintain an information security management system,” “Define and manage” and “Monitor and review.”
Compliance Maps allows you to choose how you want to document your compliance. That is, whether or not you want to just mark the parent requirement as “covered” with a rationale, or go through the whole mapping exercise and link requirements to specific controls within your projects.
Step 3: Think of compliance as an outcome.
Think outside the box, literally. Compliance should be an outcome and reflection of a well-controlled organization, not a distraction from running it. Certainly, as landscapes change and as any organization grows, it becomes subject to more regulations and standards. ACL’s approach to compliance reduces this burden by focusing on the testing of controls, not the requirements. To that end, Compliance Maps make testing manageable: results are aggregated so you have a better view of coverage and know where the working requirements are.
The ACL way—and the ACL Platform—helps simplify compliance management programs. In summary, Compliance Maps lets you decide if a requirement (or a set of requirements) is: