When implementing a compliance framework, it’s rare that the project lead takes the time to think deeply about the business goals of the project. Why would you? They’re simple – meeting regulatory (or client) compliance requirements. DUH?!?
While this may be one of the business goals, it should not be the driver and does not provide value to the business. Having business goals tied to the compliance project can dramatically change its implementation and turn it into a value creator for the business. Like any other major project, ensuring alignment with the company’s strategy and goals is vital for long-term success. Well-thought-out goals can be the difference between a compliance project being overhead and becoming a way to implement best practices.
Some standards require documented goals. ISO 27001 is specific about this. COBIT mentions it as well, although it may not be considered a key control for SOX.
Example Compliance-Driven Goals
Goal 1: To meet client and regulatory information security requirements.
Goal 2: To ensure the correct, timely and secure processing of client information.
Both are good goals. Goal 1 is important, but not necessarily value-creating, as it simply defines why the framework and processes exist. It’s good to keep this in focus.
Goal 2, while not required, is where the compliance framework can create value. Instead of being reactive, merely meeting client requirements, the compliance framework can be implemented in such a way that it improves quality and security, actually reducing costs (less failure) and improving business processes. From this goal, there’s a clear path to focus on reducing errors and improving performance and security.
Coming up with good compliance goals can be a lot of work, but it is a very powerful process. It’s one that spans more than just your security team; it reaches out to and includes the business’ leadership team, developing stronger buy-in and support for the compliance efforts.