Don’t underestimate it! A maturity assessment can last from a few days to several months, depending on the breadth of the scope (see part 3), the level of control over the environment - meaning the internal business and technical knowledge and expertise - the level of understanding of the targeted regulation/standard (these two aspects were discussed in part 2) and, last but not least, the mindset and attitude of the stakeholders. Individuals who do not fully buy into the project constitute a threat to its sustainability. Hence the importance of clearly introducing the project, its rationale and the risks for the company, and of explaining why their participation is key and what is expected from them. Management endorsement and sponsorship are, of course, paramount here.
A maturity assessment process encompasses the following steps:
- Identify the requirements and optional recommendations applicable to the current context. The rationale for each non-applicable requirement/recommendation must be explained. Using a compliance dashboard listing all controls with their mandatory or optional status is a good way to do so. The PCI Compliance Dashboard is a good example.
- Determine what kind of evidence is required to prove/validate compliance. The PCI evidence book is a good example.
- Identify the stakeholders: individuals with business or technical expertise of the environment who should take part in the exercise.
- Determine compliance status: establish the compliance status of the components in scope against the relevant requirements and recommendations through brainstorming sessions and interviews with the actors.
- Document the rationale for compliance. Don’t limit yourself to a “Yes, we do this or that”; justify it in detail. Collect evidence of compliance. Mark non-compliant areas as findings.
- Identify ambiguous areas to be further investigated with the assistance of the community or experts.
- Report the outcome of this analysis to the compliance team, sponsors and stakeholders. The report should cover both the strong points (what we are good at) and the areas for improvement.