SP9: Ensure compliance
Previous process: Ensure continuity
Next process: Manage human resources
Many organizations are subject to various types of compliance requirements, such as laws, industry standards, etc.
The compliance management process in YaSM (fig. 1) is responsible for identifying the compliance requirements which are relevant for the organization's services, processes and systems and for defining the approach for fulfilling those requirements.
All applicable compliance requirements are managed through the compliance register, where the properties of the requirements are described. The compliance register also lists any compliance controls or mechanisms which need to be in place to achieve compliance. In this respect, compliance controls and mechanisms may be technical solutions or suitable organizational procedures built into the service management processes, policies and guidelines.
Typically, the compliance process will be called upon to assess the implications on compliance requirements when services or processes are to be established or modified.
If the compliance manager detects that compliance controls and mechanisms need to be upgraded, it will be the responsibility of the service or process owners to create those controls as part of the service or process implementation.
Compatibility: YaSM provides a basic process for ensuring compliance with laws, regulations, industry standards, etc., which highlights the most important compliance-related activities and describes the interfaces with the other YaSM processes. This process aligned with ISO 20000, the international standard for service management (see ISO/IEC 20000-1:2018, section 10).
The compliance management process in YaSM has the following sub-processes:
- SP9.1: Identify compliance requirements
- Process objective: To identify the compliance requirements which need to be fulfilled by the service provider.
- SP9.2: Define compliance controls
- Process objective: To define the objectives and specify the details of the controls and mechanisms which need to be put in place to fulfill the compliance requirements.
- SP9.3: Perform compliance reviews
- Process objective: To submit the compliance controls and mechanisms to regular reviews, and to identify areas where compliance must be improved.
This section lists the documents and records produced by the compliance process. YaSM data objects [*] are marked with an asterisk, while other objects are displayed in gray.
- Change record
- A change record contains all details of a change, documenting the lifecycle of a single change. In its initial state, a change record describes a request for change (RFC) which is to be assessed and authorized prior to implementing the change. Further information is added as the change progresses through its lifecycle. [*]
- Compliance register
- The compliance register is a tool used by the compliance manager to keep an overview of all compliance requirements applicable to the service provider. The compliance register also states the controls and mechanisms put in place to ensure the service provider organization fulfills the compliance requirements. [*]
- Compliance review report
- A compliance review report records the details and findings from a compliance review or audit. This report is an important input for improving the service provider’s compliance with legal requirements, industry standards, etc. [*]
- Suggested process modification
- A suggestion for modifying one or several service management processes. Suggestions for process modifications or improvements may originate from anywhere within the organization.
- Suggested service modification
- A suggestion for modifying a service, for example to improve service quality or economics. Suggestions may originate from anywhere within or outside of the service provider organization.
[*] "YaSM data objects" are those documents or records for which the YaSM model provides detailed recommendations: Every YaSM object has an associated checklist (see example) describing its typical contents, and an associated lifecycle diagram depicting how the status of the object changes as it is created, updated, read and archived by various YaSM processes (see example).
"Other objects" are mostly informal data or information where YaSM has less strong views about their contents. There are no associated lifecycle diagrams or checklists.
Process metrics are used, for example, to assess if the service management processes are running according to expectations.
Roles and responsibilities
Process owner: The compliance manager's responsibility is to ensure that standards and guidelines are followed. In particular, this role ensures compliance with internal policies and external legal requirements.
|YaSM role / sub-process
|Identify compliance requirements
|Define compliance controls
|Perform compliance reviews
Is based on: The compliance prozess from the YaSM Process Map.