Compliance-fissioning
For some organizations, the assessment scope is equal to the OCE. For others, however, the OCE could turn out to be quite large and therefore demanding in terms of resources, time and finance, as well as being a considerable source of stress. To rationalize resources, avoid endless, tedious and unmanageable projects, poor outcomes, frustration and an unwieldy body of evidence, and to minimize the risk of non-compliance, it is paramount to reduce the scope of an assessment as much as possible. This means subdividing the validation of the organization's compliance into multiple assessments, each associated with a specific scope covering a subset of the OCE.
In physics, fission is the act of splitting a nucleus of an atom into nuclei of lighter atoms. “Compliance-fissioning” is the term I give to the act of splitting the OCE. An analogy could be a global country subdivided into territories or states.
The management of the organization's compliance program for a specific regulation or standard is then equivalent to the management of multiple compliance projects, each associated with a manageable scope, timeline, resources and budget. It is the responsibility of the governance body (Executive Boards + Compliance managers) to clearly draw and document the OCE and each portion (nucleus) in terms of the scope/object of the assessment and what is excluded from it (relative to the original OCE).
There are many ways to fission the OCE. Production channels, legal entities, business units, regions, assets and network subnets are just a few examples. I do, however, draw your attention to the definition of the boundaries, as it can be a sensitive matter in cases where the regulatory or standardization bodies set the rules for such segregation. Not abiding by these rules puts the whole compliance effort at risk. A good practice is to be aware of what is allowed, to involve the compliance validation body early in the loop and to get their approval. Based on my experience, compliance bodies tend to stay unengaged, away from any "official" and clear validation in this matter. However, proactively sharing our compliance plan and map with them is a good thing, something they cannot ignore and that can be used at a later stage.
Didier Godart
Check my PCI resources (tools, book, templates) on PCI-GO