This framework gives management a structure for measuring and controlling information technology against generally accepted criteria set out in the guideline Control Objectives for IT (COBIT), published by the Information Systems Audit and Control Association (ISACA).



PO8 Compliance with External Requirements

Control over the IT process of ensuring compliance with external requirements
that satisfies the business requirement to meet legal, regulatory and contractual obligations
is enabled by
• identifying and analysing external requirements for their IT impact
• taking appropriate measures to comply with them
and takes into consideration
• laws, regulations and contracts
• monitoring legal and regulatory developments
• regular monitoring for compliance
• safety and ergonomics
• privacy
• intellectual property

Record of Assessment

Assessor details recorded with the form: Assignment ID, Name, Reference Code, Location, Tel. Num, full e-mail address.

Control Objective: Compliance with External Requirements.

Assessment areas (each is rated separately):
• External requirement review
• Practices and procedures for complying with external requirements
• Safety and ergonomic compliance
• Privacy, intellectual property and data flow
• Electronic commerce
• Compliance with insurance contracts

NOTES:

Conclusions (select the maturity level that best describes the organisation):
• Non-existent
There is little awareness of external requirements that affect IT, and no process for compliance with regulatory, legal and contractual requirements.
• Initial / Ad Hoc
There is awareness of regulation, contract and legal compliance impacting the organisation. Informal processes are followed to maintain compliance, but only as the need arises in new projects or in response to audits or reviews.
• Repeatable but Intuitive
There is an understanding of the need to comply with external requirements, and the need is communicated. Where compliance has become a recurring requirement, as in financial regulations or privacy legislation, individual compliance procedures have been developed and are followed on a year-to-year basis. There is, however, no overall scheme in place ensuring that all compliance requirements are met. It is likely, therefore, that exceptions will occur and that new compliance needs will only be dealt with reactively. There is high reliance on the knowledge and responsibility of individuals, and errors are likely. Training on external requirements and compliance issues is informal.
• Defined Process
Policies, procedures and processes have been developed, documented and communicated to ensure compliance with regulations and with contractual and legal obligations. They are not always followed, and some may be out of date or impractical to implement. Little monitoring is performed, and some compliance requirements have not been addressed. Training is provided in the external legal and regulatory requirements affecting the organisation and in the defined compliance processes. Standard pro-forma contracts and legal processes exist to minimise the risks associated with contractual liability.
• Managed and Measurable
There is full understanding of the issues and exposures arising from external requirements and of the need to ensure compliance at all levels. A formal training scheme ensures that all staff are aware of their compliance obligations. Responsibilities are clear and process ownership is understood. The process includes a review of the environment to identify external requirements and ongoing changes. A mechanism is in place to monitor non-compliance with external requirements, enforce internal practices and implement corrective action. Non-compliance issues are analysed for root causes in a standard manner, with the objective of identifying sustainable solutions. Standardised internal best practices are used for specific needs such as standing regulations and recurring service contracts.
• Optimised
There is a well-organised, efficient and enforced process for complying with external requirements, based on a single central function that provides guidance and co-ordination to the whole organisation. There is extensive knowledge of the applicable external requirements, including their future trends and anticipated changes, and of the need for new solutions. The organisation takes part in external discussions with regulatory and industry groups to understand and influence the external requirements affecting it. Best practices have been developed to ensure efficient compliance with external requirements, resulting in very few compliance exceptions. A central, organisation-wide tracking system enables management to document the workflow and to measure and improve the quality and effectiveness of the compliance monitoring process. An external requirements self-assessment process is implemented and has been refined to a level of best practice. The organisation's management style and culture relating to compliance are strong enough, and the processes mature enough, that training can be limited to new personnel and to occasions of significant change.