What exactly does IT compliance mean? First of all, it is about being in compliance with regulatory requirements – something that is also called rule conformity. This includes requirements regarding information security, availability, data protection and data retention in organizations. All of this should be a top-level management priority in your company.
The onus is on management
According to the law, the members of the executive management are responsible for implementing compliance in companies. Given the enormous importance of information technology for a company’s operations and continued existence, managers need to handle this topic with particular care – and protect their company from identifiable risks. If management fails to do so, it can be held responsible.
As digitalization increases, so do risks
Digitalization is expanding in the environment of medium-sized industrial companies as well – from smart shop floor solutions supported by the Internet of Things (IoT) in production to intelligent management systems for the supply chain. The benefits of widespread digitalization also entail an ever-increasing risk of being targeted by cybercriminals. And it means that additional regulatory requirements need to be taken into account and reconciled with each other.
Integrating IT compliance risks
Integrating IT compliance risks into the overall risk assessment system (enterprise risk management) is becoming increasingly important for companies. At first glance, this means reconciling different risk approaches, such as IT security-based risk assessment (risks to which information assets are exposed due to IT processing), with data privacy-driven risk assessment (risks to the rights and freedoms of data subjects). The more complex the business models and the more international the companies are, the more necessary it becomes to design and implement a consistent IT compliance system. Many companies therefore rely on proven frameworks and standards.
ICS procedures are no longer enough
Many companies also recognize that previous ICS (internal control system) procedures, such as quarterly “self-assessments”, are no longer sufficient to keep up with the dynamics of change and collect qualitative findings and key figures.
Last but not least, the ongoing coronavirus crisis shows that, in addition to the expected risk scenarios, the “black swan”, i.e. an unforeseeable event, can also rapidly become relevant. For example, in addition to having sufficient VPN licenses for staff working from home, alternative European video telephony services have also become the focus of attention during the coronavirus crisis. This shows how carefully operated IT compliance contributes to the resilience of companies:
Data protection > Ensuring availability
Ensuring availability > Business continuity management
Connecting the dots
One approach to integrating different management system structures existing in companies can be to converge systems. In this process, the existing structures are combined by way of mapping. One variant can be a basic design following the principles of the IDW PS 980 structuring approach. In its auditing standard PS 980, the Institute of German Auditors (IDW) has described the structuring of a compliance management system resting on seven pillars, each of which forms the basis of recognized auditing procedures:
- Compliance culture
- Compliance objectives
- Compliance risks
- Compliance program
- Compliance organization
- Compliance communication
- Compliance monitoring and improvement
This structure can also be used for mapping a company’s data protection management system. Existing structures (KPIs, dashboards, reporting channels, etc.) are used by leveraging synergies and can subsequently be extended to form an information security management system (“ISMS”).
Figure: COBIT 2019 «Governance System Principles» (Source: ISACA 2018a, p. 17)
This creates a wealth of synergies. The approach contributes to optimizing governance, since stakeholders from different disciplines are now likely to act in concert. In addition, there is more transparency across the board (compliance, data protection, information security). A further added value can be seen when the standards of a governance framework such as COBIT5 are applied to the target structure of a converged system.
Summary and outlook
As business models become increasingly digitalized and the regulatory environment ever denser – the General Data Protection Regulation, the Act to Protect Business Secrets, the IT Security Act, Critical Infrastructure Protection (KRITIS) and the Principles of Proper Accounting (GoBD) serving as examples – companies cannot avoid implementing a structured management approach. Such an approach offers the chance to use existing systems and to implement a convergence of systems that exploits synergies. This allows transparency and controllability to be increased – and, depending on the chosen structure, these systems can be subjected to certification or conformity assessment by independent third parties.
For more information on IT compliance and our services, please visit https://www.tuv.com/germany/de/it-compliance.html.
Mastering Risk & Compliance
Stefan Eigler has been in charge of data protection at TÜV Rheinland as Practice Leader Mastering Risk & Compliance since mid-2018. As a recognized Asia expert, he set up TÜV Rheinland’s data protection Consulting Services group in Shenzhen, Greater China, with local colleagues and developed it further in numerous local customer projects. Stefan Eigler is a Master of Laws (Compliance) and a Diplomwirtschaftsinformatiker (University degree in Business Information Technology) as well as a certified CISM, CISA, CCSP, ISO27001 Lead Auditor and SAP CBA. As a proud Rhinelander, he prefers to spend his free time exploring the region with his wife and children and their two dogs.