Compliance automation: challenges, practical tips, and KPIs

Written by Ivar van Duuren

November 29, 2023


In our daily practice, we’ve noticed that companies often work across multiple systems to meet certain compliance standards. For example, consider entering a new employee into an HR system.

Often, it starts in the HR system, after which the HR employee asks a colleague by email to create a ticket. Another person then requests access to certain business applications through the IT ticketing system. And many things are still maintained in Excel or other working documents.

Error-prone situation resulting in corrective measures

This situation is error-prone because the process spans multiple systems and involves multiple people. The chance that someone forgets a step is greater, so the result is not always what it should be.

As a result, remedial work is needed afterwards and the organization is startled by things that don't work. When onboarding a new employee, such an oversight is still manageable. But when it comes to information security and the risk of incidents, it is a different story.

The ideal world: automatic triggers and to-do’s

In an ideal world, every process starts at a defined place, for example when a new employee or supplier enters the organization. All successive steps then flow automatically from one system to the next.

Each time an employee needs to do something, they are prompted by a system they already use, for example with an MS Teams notification. In the ideal world, the result is recorded there as well. And if someone forgets something, a reminder is triggered for that person.

What are the benefits of compliance automation for organizations?

When organizations automate their processes like this, they save time. Employees spend less time emailing back and forth and checking things. Instead, there is a smooth flow, where the right person is asked to participate in the process at the right time. As a result, you’ll notice a rise in the quality of the process.

For example, when a new employee joins the company, you'll notice that this process completes faster when it is automated. All access rights are set up correctly and effectively. This way, employees can focus on what's important: getting access to the right resources. And all of this is recorded in one place where you have a good overview of the result.

This is what we call compliance automation.

Typical challenges with compliance automation

When your organization starts with compliance automation, you first need an overview of the processes you want to automate. It takes some work to map that out properly.

It helps to have a system that keeps track of the outcome of all those automated processes, for example if you want to comply with an information security standard. You also have to deal with an auditor who visits once a year to assess whether everything is going well. And of course, you want to have that overview yourself.

You’ll also have to figure out how to link all the systems you work with and how to create a smooth flow. That also means you have to have the internal or external capacity to properly automate those processes.

In short, it is very important to have one system that links with all your other systems and automated processes.

How to stay up-to-date with the standard?

Of course, implementing a standard is one thing. That is a process of maybe three months to a year, in which you're busy shaping the policy and implementing all the requirements the standard places on you.

The real work comes afterwards, because by then you have to keep track. You've created policies, but how do you know that those policies are actually being followed?

So you need a system in which you can record all actions, including recurring ones, and which makes sure those actions reach the right employees in a place where they already work, so they don't have to log into yet another system whose password they will lose. For example, tasks can land in their Microsoft Outlook, so they can handle them quickly and conveniently.

This way, you make it easier to stay up-to-date with everything that this standard requires of your organization and employees.

How do you measure the success of compliance automation initiatives?

You can measure the success of compliance automation by assessing how much time an employee saves with the automated process. Before you start compliance automation, map out how many FTEs are engaged in the process. Afterwards, check how much extra time employees have now that the process is automated and no longer carried out manually.

Or assess the turnaround time of certain processes, for example that new employee joining the company. How long does the whole process currently take, from entering personal data to receiving the Certificate of Good Conduct (VOG) and having access to certain company systems? After automating the process, you can see how much shorter the turnaround time has become.

A third measure or Key Performance Indicator (KPI) is the quality of the process or the error rate. How often did things go wrong in the past and how often was a corrective action needed? Or were things forgotten that were needed for that particular process?

Also measure your success by goals, for example in the area of information security. Think of reducing the number of incidents as a KPI.

Overview and sample documentation

ISOPlanner was initially set up as an application to keep a good overview of all the policies and tasks involved in maintaining an ISO standard. However, after several successful implementations, we noticed that our customers also needed documentation for the specific ISO standard they were working towards, for example when starting with ISO 27001.

For this purpose, we partnered with Instant27001, which allows our customers to activate that entire documentation package within ISOPlanner. This gives them a pre-filled management system at once, including all the policies and processes they need, which also saves them a lot of time.

Case study: municipality and the BIO standard

One example of this collaboration was for a municipality in North Holland that wanted to comply with the BIO standard, an information security standard specifically for governments.

Working with ISOPlanner and Instant27001 gave them access to lots of templates for BIO policies and processes. They no longer had to create these themselves. The templates were loaded into the ISOPlanner system and, based on the documentation, they could very quickly start implementing the compliance standards. They also got a very good overview of all required activities and the status of implementation. In short, this overview and documentation saved them a lot of work and made them more efficient.

About Ivar van Duuren

Ivar van Duuren is a co-founder of ISOPlanner. At previous jobs, he experienced the fragmented ISO certification approach with loose documents and the pressure to do it within a certain deadline.

A simpler system that provided an overview and insight into the required measures and planning was the answer to this frustration. With its unique integration with Microsoft Outlook and Microsoft Teams, ISOPlanner provides a simple and clear tool during certification processes.

More tips about compliance automation?

Feel free to contact us. We would love to think with you!
