Frameworks, standards, regulations … compliance, accreditation, certification, and best practices: These IT governance and compliance terms are commonly used by IT professionals and thrown about in the industry, but do we know their actual meaning if they overlap or how they may have different meanings for different business? Let’s take a deeper dive into the most common IT governance and compliance terms and see what they really mean.
Consistent use of terminology
Something that seems so simple may not be. There is often confusion around the use and meaning of many frequently used IT governance and compliance-related terms. Occasionally, they may reference one another to some extent and may even overlap. However, they really stand alone and have a specific meaning. In many instances, they should not be used synonymously. Additionally, some reference compulsory actions that organizations must take and others are voluntary, but depending on the business and sector may be beneficial nevertheless.
It becomes a problem when the IT governance and compliance terms are used by someone to represent one thing but understood by another as something else. This may not be because the person doesn’t know what they are talking about but rather due to the inconsistent use of these terms by so many people. It may be difficult to ensure clarity across the board, but at a minimum, within your organization and its surroundings, there should be some consistency. So that at least your teams are all speaking the same language and all have a clear understanding of what each other is referencing. As these terms arise in conversations that are generally important.
Understanding IT governance and compliance terms in relation to one another
As these terms are sometimes used interchangeably (albeit incorrectly), a good way to understand them as stand-alone terms is by considering them in relation to one another. By doing this it is easier to see how they are different, where they overlap, and when they can be substituted without affecting their meaning or what they are depicting through their use.
Let’s consider some of the most commonly used ones (the ones that we all use and should probably use correctly), but funnily enough, these are the ones that tend to be muddled the most.
Framework and standards
Framework
A framework provides an organization with a structure to follow, it’s a system, with different approaches to attain a defined goal. Examples of IT frameworks include NIST, COBIT, ISO/IEC27000 series, to name a few.
In IT (and elsewhere) many frameworks exist and there are even multiple frameworks for the same goal. A framework often comprises standards, guidelines, and methods based on best practices and some or all of these can be used to achieve the goal. As a framework often includes these elements, it is understandable that these terms are sometimes substituted for one another when referenced.
By following a framework, you can manage, develop, document, and implement your actions to reach your desired goal. It’s good to note that a framework is not necessarily compulsory to follow, but rather a beneficial means to an end goal. Having said that, although adhering to a particular framework may not always be obligatory, by not using a framework other legally obligatory conditions may be overlooked which is likely to cause issues in the long run (some food for thought).
An organization can choose to use part of a framework or an entire framework and some or all of the models or techniques therein.
Let’s consider the ISO/IEC 27000-series. It is also known as the ISO 27000 Family of Standards. So, this possibly shows how the confusion around frameworks and standards can arise: as the ISO 27000 Framework encompasses multiple security standards which together provide the framework for asset security management. A very widely used standard which forms part of this framework is ISO/IEC 27001 for information security management. This gives an idea of the overlap between a framework and a standard.
Standards
Standards are published documents that establish specifications and procedures developed to ensure the consistency and reliability of the materials, products, methods, and services that people, organizations, and industries use every day.
In a single standard document, an organization can see the requirements, the recommended best practices, test methods, and guidelines for a particular outcome.
Standards are used by governments as well as organizations across multiple industries to meet certain requirements. They can be voluntary (some industry standards and internally developed standards) or mandatory. The latter usually requires compliance because of government regulation or contractual requirement and noncompliance will result in penalties. A regulatory standard is usually developed to address a specific requirement for public safety or wider benefit.
Standards can be national (adopted and circulated to the public by a national standards body — the British Standards Institution in the UK, for example), regional (developed, adopted, or circulated by regional entity—European Committee for standardization for example) and international (a standard used in multiple countries and is represented and has input by all countries involved).
Using standards can be beneficial in so many ways. Conforming to a standard can be a competitive business advantage. Standards can help make achieving other compliances easier and help organizations avoid penalties. They ensure quality and reliability, encourage customer and client trust and acceptance, allow for system interoperability, and intracompany collaboration. Globally adopted standards encourage international operations and trade.
So, although all standards are not always legally required, more often than not the advantages that some offer make them good to use anyway. For example, a standard like PCI DSS in the credit card industry, which is an industry recommendation and not mandatory to adopt is, however, beneficial as it lessens the repercussions of other legally binding regulations (like GDPR) if a breach were to happen and this data were compromised. PCI DSS sets out ways to protect identities (personal information).
The tricky part is figuring out which standards are most beneficial to your organization or your business activity, so you use the ones that are most relevant to your requirements rather than taking on the entire universe of standards available, unnecessarily. As, generally, conforming to a standard is labor-intensive.
In a nutshell, a framework defines a flexible system that provides the structure and guidance to help organizations progress in the right direction. It allows an organization more choice over the practices it uses and can evolve as the organization requires. Whereas a standard is mostly inflexible, it is usually accepted as the best method and the specifications defined must be followed to accomplish the result. A framework may comprise a number of standards to encourage consistency for established specifications. (For more on standards vs. framework, check out this article on TechGenix.)
Legislation and regulation
Not to be confused with regulation, legislation is tantamount with statutory law. The legislation describes the legal requirements as well as the consequences or penalties for violating those requirements. However, regulation is the continuous process of monitoring and enforcing the law. Regulation is usually a response to a problem, for example to protect privacy, prevent fraud, provide security, and prove accountability. These all represent issues that need solutions, and it enables legislation.
These terms are often confused because regulation is also a document that specifies the act and description of regulation.
The General Data Protection Regulation (GDPR) is a good example. It, itself, is a document that describes the regulation, it defines the controls and requirements that need to be fulfilled for an organization to operate within the law. It addresses the issues around privacy of EU citizens and is a legal requirement. It is also valued as a regulatory framework.
Multiple regulations exist to solve issues across numerous sectors and it can be overwhelming for many businesses. A lot of the time a business may be subject to the authority of more than one regulating body locally as well as globally. In addition to standards, formal laws and regulations need to be appropriately identified and a legal adviser or team of advisers is probably the best way to determine which demand compliance and the scope of compliance in respect to the business and activities.
Compliance and conformance
To comply is to adhere to the rules, regulations, and standards as required. Compliance usually relates to mandatory standards and regulations. Conformance, however, is the state of having satisfied the requirements of a specific standard or behaving in accordance with the requirements.
Accreditation and certification
These two terms are often used interchangeably, but they are not synonymous. The terms actually represent different activities. As a business or organization, you are likely looking to get certified — to receive a certification certificate, to be able to say “we are ISO 270001 certified,” for example. To accomplish this, you need to have fulfilled the certification requirements and passed the various certification audits. So, this takes us to accreditation. In order for a certification body to undertake the certification audit and issue the certificate of certification to you, that body needs to be licensed to do so — they need to be accredited.
Your business is getting certified (you receive the certification from a licensed certification body) and the body performing the certification must have received accreditation (the license) from an accreditation body to do so. Make sense? Accreditation means that the body is formally certified and competent to perform the specific certification task. Certification means that the business has shown that the service, product, or system being certified satisfies specific requirements or has achieved a certain level of conformity in a particular area. It’s important that you ensure your business is certified by an accredited certification body — if you expect your certification to hold value. Any certification is a long and intensive process, but they can demonstrate that your services or products meet high expectations and that you are a reputable business in your specific field. Sometimes certifications can be mandatory (by law or contractual obligations) when you need to deal with certain entities, industries or government bodies. However, other times, it may just be a beneficial investment for your business.
IT governance and compliance terms: It’s all in the detail
Understanding the detail behind these commonly used terms is useful. With a clearer understanding, you can make more informed decisions and can communicate more simply with fellow colleagues on which processes to follow and the necessary steps to action to assist your organization best and establish its long-term goals. This will ultimately support the desired IT and business outcomes.
Additionally, clarity in this regard can help you to avoid getting caught up in any unnecessary IT governance and compliance hype. So, you remain focused on the tasks at hand rather than implementing duplicate or unsuitable practices just because — for no reason other than not wanting to miss something out because you don’t understand what it is you are referencing or what the other person is actually proposing.
There is an abundance of resources for IT professionals and organizations to utilize to drive improved business. The possibilities for improvement are great if the right resources are leveraged, but care must be taken to not leverage the unnecessary. As in the same way as having restraints on resources can negatively impact a business, so can utilizing too many unnecessarily.
Ensuring that you obtain the correct tools for the job is sure to be more beneficial than acquiring multiple and duplicate tools that have no bearing on your business or activities at all.
So, understand what you need (so that you can communicate it simply), why you need it (to comply or for business benefit), the best way to accomplish it (adopting a framework, standard, or getting certified). Filter out the unnecessary (the stuff that has no bearing on your business), as there is far too much available to adopt all of it.
Featured Image: Shutterstock
