Question: Is there a compliance monitoring programme that verifies ongoing adherence to internal and external obligations?
Objective — Why This Matters
Controls drift over time. A monitoring programme ensures obligations are continuously met, evidence remains fresh, and deviations are corrected before audits or incidents expose gaps.
Maturity Levels (0–5)
0 — Unaware
No structured monitoring; point-in-time checks only.
1 — Ad Hoc
Occasional checks; results not logged or trended.
2 — Defined
Compliance calendar with scope, owners, and evidence requirements.
3 — Managed
Reviews executed to plan; deviations tracked to closure.
4 — Integrated
Automated evidence collection where possible; dashboards for leadership.
5 — Optimized
Risk-driven sampling, continuous controls testing, lessons learned updated into procedures.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Establish a quarterly checklist of top obligations and the evidence required. |
| 1 → 2 | Create a compliance calendar with named owners and due dates. |
| 2 → 3 | Track deviations and corrective actions; perform management reviews. |
| 3 → 4 | Automate evidence capture (configs/exports); publish dashboards. |
| 4 → 5 | Shift to risk-based sampling; periodically recalibrate based on findings. |
People / Process / Technology Enablers
- People: Compliance Lead, Control Owners, Internal Audit.
- Process: Calendar, sampling plan, deviation/CAPA (corrective and preventive action) workflow.
- Technology: Evidence repository, task tracker, dashboards.
Evidence Required
- Compliance calendar and completed checklists for the last cycle.
- Deviation log with owners and closure dates.
- Management review minutes and KPI snapshot.
Metrics / KPIs
- Percentage of planned checks completed on time.
- Number of deviations by severity.
- Median days to close deviations.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Calendar & tracking | Sheets / Trello | Simple cadence and status. |
| Evidence | GitHub / Drive | Version-controlled evidence packs. |
| Dashboards | Metabase | On-time completion and deviation trend. |
Common Pitfalls
- Evidence kept in personal drives with no version history.
- “Tick-box” exercises without remediation.
- No management visibility.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001 | 9.1, 9.2 (monitoring, internal audit). |
| NIST CSF 2.0 | GV-6 (oversight), MEA (measurement). |
| DPDP Act 2023 | Ongoing duties and records of compliance. |
| NIRMATA Scoring | RC-Q10 Level ≥ 3 requires calendar + deviation tracking + review minutes. |