Compliance Objective
Short Description
A compliance-objective is an objective, owned by a party, that aims to reach and maintain a state of affairs in which a specific set of entities that this party controls are in accordance with a specific set of requirements (e.g., laws, regulations, standards, etc.). A party that has compliance objectives will have a management process that aims to realize these objectives, for the purpose of becoming compliant.
A party may decide to pursue compliance objectives that pertain to itself, e.g. to ensure it has good quality management (compliance with the ISO 9001 standard) or information security management (ISO 27001) in place, or that it conforms to regulations such as PSD2 (for financial organizations) or the GDPR.
A party may also decide to pursue compliance objectives that pertain to specific classes of entities such as information (or other) processes, various kinds of equipment, or other resource classes, e.g. to ensure quality, safety etc. The compliance objective should then also specify the appropriate normative framework(s), e.g. specifications, regulations, etc., that elements of such classes are expected to comply with.
Compliance objectives should also be associated with assessment frameworks that auditors will use for determining the compliance-levels for each of these objectives.
Purpose
The purpose of compliance-objectives is to help parties determine and prioritize the work they need to do in order to become compliant.
Criteria
A compliance-objective is an objective that
- is associated with one or more (classes of) entities that are controlled by the owner of the objective;
- is associated with one or more normative frameworks that these (classes of) entities are to comply with;
- may be associated with appropriate assessment frameworks that auditors must use to determine the level of compliance.