We see vastly different parts making up the compliance programs in our clients, but they ALL include three key components.
There’s no right or wrong way, but it’s helpful to understand how these fit together. Our infographic below provides a summarised view of these three components.
1. Internal governance
No matter what software or services you plan to use for your compliance, you need to maintain internal governance activities. This includes your management structures, defined processes, the systems you use to track and operate processes, and how you manage your employees, amongst other things.
These can’t be outsourced. They can be simplified and supported by software or third-party service providers, but they will always remain your responsibility to operate and to ensure they meet your compliance obligations. Those obligations include your customers’ requirements, any regulations that apply, and your internally defined policies that are influenced by those other requirements. These policies are a critical foundation for all three components of your compliance and are best defined early, so the remaining pieces fall into place in a way that fits. This is why we built PolicyTree: to help clients implement policies their way at the start, ensuring compliance fits and meets your unique requirements.
2. Software and platforms
Every company uses some form of software that forms part of the compliance program. We can broadly look at this in two sub-parts:
Software in scope of compliance typically includes the key systems holding sensitive data and the other systems that support them. For our typical SaaS clients, that’s the cloud infrastructure like AWS, their own in-house built product(s), their code repository, authentication software, and sometimes a few other types that come into scope. These are important in two ways: they need to be secured and operated effectively in order to be compliant with security compliance standards, and they often have features that automatically address compliance requirements. For example, AWS provides network firewalls, encryption for databases, and effective recovery of systems; for Okta, it’s strengthening authentication to other systems.
Governance, risk and compliance software is designed to centrally manage compliance obligations. This is a very broad category. It includes platforms that enable audits and compliance to be verified effectively, like our own platform, Pillar. It also includes security compliance platforms designed for maximum automation of security standards. Finally, there are general GRC platforms that are much broader than security compliance and are used to implement and maintain risk registers, vendor tracking and compliance controls across any standards. There is a lot of overlap between these three sub-types, which can be complementary to or alternatives for each other.
3. Professional services
There are two main categories of professional services, generally called “consultants” and “auditors”. That differentiates those that implement and maintain compliance (consultants), and those that verify compliance and issue the accreditations (auditors). There needs to be segregation between these two roles, based on the independence requirements of audit firms.
Using consultants is optional. Most companies prefer to use their own personnel to build their compliance capability in-house, but engaging third-party consultants can save those internal responsible owners some of their time and add capability, especially if there are no internal security experts.
Using auditors is required for any formal compliance accreditations. It’s that independent audit and issuance of assurance reports or certifications that constitutes compliance with many of the industry standards. For regulations, you can be compliant without verification from auditors, but providing audited assurance reports builds greater trust with third-party stakeholders, such as customers who are themselves accountable for your compliance. For example, an enterprise using third-party services that handle relevant data, such as the personal data of EU citizens, triggers GDPR compliance requirements that apply to that enterprise.
You can read more about these components in our various other blog posts. We have a broad range of posts about the internal governance in our Best Practices Series.