This section provides orientation on managing compliance projects, available through the Compliance module.
Compliance projects can be created to verify compliance through a set of activities, which involves the selection of a scope of analysis and the application of interviews to examine the level of fulfillment of the requirements pre-established by one or more authoritative documents. A compliance project uses the GRC Metaframework methodology (see figure below), in accordance with the guidelines outlined in ISO 31000 and ISO Guide 73, and adopts a management cycle based on the phases below.
• Inventory: set of activities that involve specifying the properties of the project and selecting the requirements and objects to be investigated.
• Analysis: set of activities aiming to ensure that interviews are completed and reviewed so that the level of compliance with certain requirements can be measured for the objects in the scope of the project, as selected in the Inventory phase, as well as to collect evidence. In addition, reports can be generated to display analysis results.
• Evaluation: this phase involves deciding whether to accept a non-compliance or send it to treatment. This decision should be based on the results obtained in the analysis phase and on the organization’s tolerance of certain non-compliances.
• Treatment: process of monitoring the non-compliance treatment events generated during the evaluation phase.