04. Compliance and Objectives
ND545 C4 L4 03 Developing Your Intuition About Compliance Video
Let’s begin this lesson with an oversimplified definition of compliance. Compliance, or being compliant, means that you are meeting your obligations. If you want to attend a football game, you must have a ticket. If you have that ticket, you comply and can enter.
What do we mean by obligations, though? Some GRC professionals distinguish between big, capital-letter OBLIGATIONS and little, lowercase obligations. Typically they mean that there is a top-level source document (an OBLIGATION) and lower-level objectives (obligations) contained within that source document. The top-level source documents are standards, regulations, laws, contracts, and so on, while the lower-level objectives are the individual control statements contained in the top-level document.
To keep this clear, we will use the term Obligation to mean a top-level source document and Control Objective to mean a specific control that the Obligation wishes to enforce. PCI-DSS, HIPAA, FedRAMP, and others are Obligations. A control such as "passwords must be at least 8 characters long" is a Control Objective.
Finally, we said earlier that compliance is mostly binary, but that isn't always the case. Compliance in the strictest sense means that your organization has met each Control Objective to the letter, and many Obligations require an independent third party to assess the organization's controls and confirm compliance. In these cases, the third-party assessor certifies that the organization is in compliance. Other Obligations allow organizations to self-certify, meaning that the organization itself attests, without an independent assessor, that it has met the Control Objectives of the Obligation, or at least the spirit of each objective.
This brings us to exceptions. There are instances in which an organization can be considered compliant without meeting every Control Objective to the letter. You may, for instance, have met most objectives but fallen short on a handful of them, or you may have compensating controls in place that provide substantially the same level of protection as the Control Objective demands. Obligations that permit compensating controls generally expect each one to be documented and justified; PCI-DSS, for example, requires a compensating controls worksheet for every control that is not met as written. In any case, your organization will want to consult an independent assessor about exceptions and compensating controls before claiming certification.