A few weeks ago, a customer asked me an informal question: “What do you think about Compliance as a Service?”

This question was the starting point for this article.

Compliance as a Service (CaaS) is a model in which a company outsources the roles, people and skills needed to implement and maintain compliance, so as to simplify and sustain adherence to regulatory and standards requirements.

Why Compliance-as-a-Service (CaaS)?

Companies typically outsource roles that fall outside their core business. Think of how many companies, especially SMEs, rely on external suppliers for facility management, the Energy Manager, the Prevention and Protection Service (occupational health and safety), and even the legal department. More recently, with the introduction of EU Regulation 2016/679 (EU-GDPR), the same has happened for privacy activities through the role of the Data Protection Officer.

So, why not use the same approach for compliance?

In recent years cyber security and data protection have seen a rapid evolution of regulations and standards (see the timeline below). As a result, companies struggle to keep pace and increasingly ask their partners for complete and reliable offerings that help them achieve and maintain compliance.

  • 2012 
    • ISO 22301:2012 - Business continuity management system, first edition, published on the Annex SL (harmonized) structure
  • 2013
    • ISO/IEC 27001:2013 - Revision of the standard according to Annex SL
    • PCI DSS 3.0 - Payment Card Industry - Data Security Standard
    • ISO 20022:2013 - Universal financial industry message scheme
  • 2015
    • ISO 9001:2015 - Revision of the standard according to Annex SL
    • PCI DSS 3.1 - Payment Card Industry - Data Security Standard
  • 2016
    • EU NIS Directive (2016/1148) - European directive on the security of network and information systems
    • PCI DSS 3.2 - Payment Card Industry - Data Security Standard
  • 2018
    • EU GDPR (Regulation 2016/679) - European General Data Protection Regulation, applicable from May 2018
    • PCI DSS 3.2.1 - Payment Card Industry - Data Security Standard
  • 2019
    • ISO/IEC 27701:2019 - Extension to ISO/IEC 27001 for a Privacy Information Management System
    • ISO 22301:2019 - Revision of the business continuity standard
    • EU Cybersecurity Act (Regulation 2019/881) - EU-wide cybersecurity certification framework for ICT products, services and processes

Think, for example, of a company certified against both ISO 9001 and ISO 27001:

  • It must have a trained and competent Quality Manager and an ISMS Manager
  • It must conduct a periodic risk analysis for ISO 9001, plus a separate information security risk assessment under ISO 27001, and keep the documentation for both
  • It must conduct a third risk analysis on personal data (a DPIA where required) to comply with the GDPR
  • It must have a DPO, or at least a privacy team, to handle GDPR obligations and any additional requirements from local regulations
  • It must carry out internal audits across all of these systems (ISO 9001, ISO 27001, GDPR)

Having competent, trained external professionals available on call therefore becomes a very attractive way to manage compliance.

The strategies to address CaaS

The market is oriented on two main strategies:

1. Coaching: larger companies prefer a coaching approach. A team of experts accompanies them for an initial period, the company acquires the competences, trains its own employees and then internalizes the activity.

2. Full outsourcing: smaller companies (with some exceptions) prefer to outsource compliance entirely, building a relationship of deep trust with the advisory firm.

CaaS: benefits and constraints

Having seen the needs that push companies toward CaaS, let's look at its benefits and constraints.

Let's start with the benefits:

  • a specialized advisor will always have a team of experts with thorough knowledge of the standards and regulations, and the costs of training and keeping them up to date are not borne by the organization
  • this depth of competence helps the company respect the principle of accountability, which is now a frequent requirement
  • all modern regulations require a risk-based approach, and external collaborators, with experience that only the market can provide, help the company reduce both organizational and individual risk
  • having a dedicated resource lets the company schedule the periodic activities compliance requires (risk assessment, management review, internal audit), while contractual flexibility allows the advisor to be contacted at any time

Of course, some risks should also be considered:

  • in unplanned emergencies (e.g. incident management), the advisor may not be available unless response times are agreed contractually
  • when a new regulation or standard appears, it may be hard to find properly skilled resources
  • a consultant always remains external to the company, with the risk that they do not fully understand its business dynamics and therefore apply overly generic schemes

Roles in the CaaS

Data Protection Officer

EU-GDPR Art. 37 sets out when a controller or processor must designate a DPO. Among the DPO's tasks (Art. 39) is monitoring compliance with the GDPR in the protection of personal data.

Since the GDPR became applicable in May 2018, the DPO has certainly been the most popular and widespread role in the CaaS sector.

Chief Information Security Officer

The CISO is the C-level executive in charge of information security in a company. This person directs the establishment and implementation of policies and procedures, oversees security technologies and incident response, and does so with the business objectives in mind.

The main goal of a CISO is to shift the view of information security from a technical problem to a strategic priority.

Risk Manager

The approach to compliance goes through risk management.

The Risk Manager is responsible for identifying risks across the whole organization or within a defined scope. This person addresses every kind of risk: security, financial, safety, and so on.

The Risk Manager designs and implements a risk management process (risk assessment, treatment, acceptance and communication) and defines the level of risk the company is willing to take.

Internal Auditor

The Institute of Internal Auditors (IIA) defines internal auditing as an "independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Management System Manager

Many ISO standards (e.g. ISO 9001, ISO 27001, ISO 22301) require the implementation of a Management System (MS). ISO describes an MS as "the way in which an organization manages the interrelated parts of its business in order to achieve its objectives".

The MS Manager is in charge of defining the framework used to implement and run the MS according to the relevant standards.

These roles and their place in a CaaS arrangement will be described in the next articles. If your business is considering outsourcing compliance, get in touch with our experts to book a free call.

Written by Eugenio Bonzi

I am the Senior Data Protection Consultant at Advantio. I have extensive experience in ICT and Telco services, where I have covered several roles and responsibilities. In the last 10 years, I have focused my attention on information security and business continuity compliance.