30 Days of IT Compliance Q&A #6: How Do I Get Compliance Buy-In From Other Departments?

Meeting the complinace requirements of mandates like PCI or HIPAA can consume considerable effort and resource for organizations. Standards such as ISO 27001 can be extremely daunting for enterprises as the scope can be so larger and cover so many different areas. So how do you do you tackle such projects?

Secure Executive Sponsorship

Compliance requirements are often driven by a business requirement … what is the cost of not being PCI compliant … how much are penalties for HIPAA violations … or in order to bid on a piece of work you must show evidence of your ISO certification.Understanding these business requirements will help you gain buy-in throughout your organization.

Then you need to head to the top! To really drive momentum you need executive sponsors. Without them you are going to have an uphill battle trying to on-board the various department, teams, technology and processes into the organization. Next, start aligning roles to these executive sponsors.For example, who is the information asset owner? Maybe it is the CEO or CISO. This will provide clarity and ownership of the responsibility.

The sponsors will help communicate the importance of adhering to the policies and procedures, secure resources to develop and implement programs, and provide on going funding to maintain compliance or certification.

Identify Stakeholders

Once you have the top level sponsors, the next stage is to identify other stakeholders. You can use techniques such as stakeholder mapping to help tease out the detail. Each stakeholder will be impacted by the compliance program, so include them in the process as early as possible. You’ll want to demonstrate how this will benefit them and help alleviate any resistance to change. Compliance is largely a task of project management, and your interpersonal and management skills will be very important to your success.