Optimize > Compliance and Approvals
Why
Many domains and countries have standards and regulations that software products must comply with. In this strategic activity, product teams understand the difference between product quality and product compliance. Keeping software products compliant is no small effort. Product certification (compliance) or product qualification (approvals) is the process of certifying that a product meets the qualification criteria stipulated in contracts, regulations, or industry-standard specifications. The most common product compliance targets include ISO 27001, the international standard for an ISMS (Information Security Management System), and privacy regulations such as the EU General Data Protection Regulation (GDPR).
Proper management of product compliance and the processes around it enables product teams to achieve the following.
- Meet Legal Requirements: Comply with increasingly rigid regulatory requirements, e.g. PCI DSS, HIPAA, GDPR.
- Mitigate Risks: Systematic risk management covering people, processes and technology
- Cost Optimization: Reduce costs by optimizing processes, and avoid the financial penalties and losses associated with data breaches.
- Win New Business: Meet strict client demands for greater data security.
- Brand Reputation: Demonstrate that the product is of high quality and can be used with confidence.
When damages are incurred due to non-compliance, the consequences are severe: heavy fines, and potentially long-term damage to brand reputation.
How
- Find out which standards and regulations must be complied with. There are some key types of regulatory requirements to be aware of:
  - Country/Region Regulations: Such as GDPR and the EU-U.S. Privacy Shield Framework
  - Domain-Specific Standards: Different product domains have specific standards that apply to them.
  - Requirements for Testing: Some domains (e.g. medical, banking, and finance) require specific tests to be performed on products.
  - Requirements for Documentation: Sometimes, certain compliance documents must be prepared and shipped with the product.
- Work with certification bodies and consultants (e.g. legal) on the plan to achieve compliance and approvals.
- Implement people, processes, and technology standards within the company, product teams, and in the product itself. This includes product architectural decisions on key quality attributes.
- Perform regular audits to certify continued compliance.