Arcondis AG - Art of Consulting and Development for Information Systems

IT Compliance Framework – robust and flexible

"When will the next piece of legislation be enacted in the EU, the USA or Asia which will affect our IT systems?" This is a question which many CIOs have frequently asked themselves over recent years. A look at the list of IT-related regulations shows that IT managers already have to cope with a significant number of pieces of legislation, for example:

  • Basel II
  • GDPDU
  • Protection of privacy
  • Sarbanes-Oxley Act (governing financial statements) from the US SEC
  • Act 21 (product quality) from the FDA

On the other hand, CIOs are also interested in implementing best practice frameworks such as ITIL, BS 7799 or the IT baseline protection manual, CMMI, PRINCE2 and GAMP4, in order to increase profitability, customer satisfaction and the quality of the services provided.

Our practical experience shows that the regulatory requirements of the legislators can be mapped onto existing best practice frameworks using the comprehensive CobiT governance model. For this purpose, each individual legal requirement must be analyzed in detail to identify its relevance to a control element in CobiT. From the other perspective, the different best practice models are also broken down into their individual components at the level of CobiT control elements, so that ITIL or GAMP4, for example, can be mapped traceably to CobiT.

What are the benefits of all this? Together with well-defined processes for developing and using this compliance framework, this approach will in future allow new external requirements to be mapped rapidly and flexibly onto the CobiT model, and solutions for implementing those requirements to be developed directly from the process of mapping to best practices.

The effects are reinforced by the major overlaps between the different legislative requirements:
Once Act 21 CFR Part 11 has been implemented for a system, more than 60% of the requirements of the Sarbanes-Oxley Act are already covered.

We will be happy to help you to solve this puzzle and can provide you with support in developing an integrative and scalable IT compliance framework on the basis of our practical and professional experience.


NewsFlash 051 (145 KB)
