We’ve worked in IT GRC (Governance, Risk, and Compliance) for over 10 years. One of the promises of GRC tools is that they can automate compliance.
But what does this mean? Does it mean compliance is automatically tested and computed based on input data?
Not exactly, although this is where everyone wants to get to.
Currently, automating compliance means automating the request, collection, and attestation of compliance evidence. Some companies have implemented parts of this process while others have implemented the full process.
The drawback to this “automation” is that someone still needs to manually evaluate the evidence provided and then evaluate the data as a whole.
We’ve developed a better way, and we call it Automated Compliance Testing (ACT).
We analyze data from your Service Management tools to provide you with a complete picture of your compliance.
It’s no longer sampling; it’s full records testing.
We’ll be talking more about this in future posts and at the ISACA CACS Conference on April 30.