Compliance as Code

With the advent of natural language processing, artificial intelligence, and JSON-LD, technology allows us to standardize, harmonize, and ubiquitize compliance requirements and our responses to them.
  • Laws, regulations, and standards are written on computers. Why shouldn’t they contain machine-readable information?
  • With the advent of natural language processing and artificial intelligence, why does the interpretation of these documents have to be done by nameless people in a back room who want no credit and provide no proof of their work?
  • The Internet of Things is pervasive, so why aren’t our organization’s policies, standards, and procedures written so that they instruct both people and computers to behave the way we want?
Compliance as Code gives us the schemas, APIs, tools, and methodologies to simultaneously read, interpret, and output compliance requirements in human- and machine-readable formats.

So what’s the problem?

So-called “compliance frameworks” or “harmonization frameworks”, including (but not limited to)

  • AICPA Trust Services Criteria
  • HITRUST
  • NIST 8204 & 8278 (OLIR)
  • PCI-DSS
  • Shared Assessments
  • Secure Controls Framework
  • Nymity Privacy Framework
  • Unified Compliance Framework

produce “mappings”, “audit guides”, “policies”, “standards”, and even “system security plans”. We call this collection of their outputs compliance framework documents.

For far too long these compliance frameworks have masked

  • who has created their mappings;
  • the methods by which the original documents were analyzed and their citations and mandates tagged;
  • the rules by which their citations and mandates are mapped to, or harmonized with, reference controls.

In other words, they have failed to meet the burden of proof to support their work.

In addition, there has been no standardization of output. No standard schema by which these compliance frameworks form and present their data. No standardization by which their data can be shared between systems, or read by machine agents.

Compliance frameworks must be structured in a way to support the burden of proof.

Compliance frameworks must present this burden of proof in a way that both humans and machine agents can read and confirm their assertions.

Compliance frameworks must, therefore, provide their content in JSON-LD or XML formats with schemas published and validated by schema.org or GRCschema.org.

Therefore, we the signatories of this proclamation, hereby call upon all compliance frameworks to

  • utilize a schema that can be validated by grcschema.org or schema.org;
  • publicly document all methods by which original documentation language is analyzed and tagged;
  • publicly document how each citation and mandate is mapped or harmonized to a reference control;
  • present all output, whether a mapping, audit guide, policy, standard, procedure, plan, etc. in both human-readable and machine-readable formatting, to include JSON-LD or XML.

Current signatories

Check out other supporters and discussions about this proclamation.

Become a signatory

Thank you for becoming a signatory and showing your support for the Compliance as Code initiative co-sponsored by GRCschema.org and Unified Compliance.

We will not sell your contact information and will only use it for data-centric communication. We never show your email address to anyone else, but any other information you provide will be publicly available in the list of signatories.