Compliance as code aims to improve the software development process through automatically demonstrating that new code complies with relevant policies and regulations.
To do compliance as code, you define your compliance policies precisely enough that they can be written as tests. Any software that you plan to put into production has to pass those tests.
The purpose of treating these policies as code is not just to capture policies as software and data, but to automate compliance for consistent application across the enterprise and apply software engineering practices to them — for instance, keeping the code under version control, and observing and monitoring policy operation.
It is a continual process: software automates the implementation, verification, remediation, monitoring and status reporting of compliance.
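As an added example (not from the original article), the policy-as-test idea described above in runnable form: a few codified rules evaluated against a constructed service manifest, each producing a finding with its evidence and a remediation hint, so the verdict both gates the release and records the audit trail. The manifest keys, policy IDs and the PCI log-retention rule are assumptions invented for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample manifest: what a delivery pipeline might hand to the policy
# stage before a release. Every key and value here is invented for illustration.
SAMPLE_MANIFEST = {
    "service": "payments-api",
    "data_classes": ["pci"],
    "storage": {"encrypted_at_rest": False, "public_access": False},
    "tls_min_version": "1.1",
    "audit_logging": {"enabled": True, "retention_days": 400},
}

@dataclass(frozen=True)
class Finding:
    """One policy verdict; the list of findings is the audit trail."""
    policy_id: str
    passed: bool
    evidence: str     # observed value the verdict rests on
    remediation: str  # empty when the check passed

def storage_encrypted(m: dict) -> Finding:
    ok = bool(m.get("storage", {}).get("encrypted_at_rest", False))  # absent = fail
    return Finding("STOR-01", ok, f"storage.encrypted_at_rest={ok}",
                   "" if ok else "set storage.encrypted_at_rest=true")

def storage_private(m: dict) -> Finding:
    public = bool(m.get("storage", {}).get("public_access", True))  # absent = fail
    return Finding("STOR-02", not public, f"storage.public_access={public}",
                   "" if not public else "set storage.public_access=false")

def tls_minimum(m: dict) -> Finding:
    raw = m.get("tls_min_version", "0")
    ok = tuple(int(p) for p in raw.split(".")) >= (1, 2)
    return Finding("NET-01", ok, f"tls_min_version={raw}",
                   "" if ok else "set tls_min_version to 1.2 or higher")

def pci_log_retention(m: dict) -> Finding:
    # Constructed rule: services handling PCI data keep audit logs >= 365 days.
    log, pci = m.get("audit_logging", {}), "pci" in m.get("data_classes", [])
    ok = (not pci) or bool(log.get("enabled") and log.get("retention_days", 0) >= 365)
    return Finding("LOG-01", ok, f"pci={pci} audit_logging={log}",
                   "" if ok else "enable audit logging with retention_days >= 365")

POLICIES: list[Callable[[dict], Finding]] = [storage_encrypted, storage_private, tls_minimum, pci_log_retention]

def check_manifest(manifest: dict, policies=POLICIES) -> tuple[bool, list[Finding]]:
    """Run every codified policy; the release gate opens only when all pass."""
    findings = [policy(manifest) for policy in policies]
    return all(f.passed for f in findings), findings
```

Against the sample manifest, `check_manifest` returns `False` with STOR-01 and NET-01 failing; a pipeline would exit non-zero on that verdict and keep the findings as evidence for auditors.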
What is it?
As the software development process has sped up, through practices such as continuous delivery, many firms in highly regulated industries have struggled to demonstrate compliance.
By codifying your compliance requirements so they can be written as tests, you’re able to automate the implementation, verification, remediation, monitoring, and compliance status reporting.
Compliance as code falls into the ‘everything as code’ movement and is a natural follow-on to the DevOps movement, which aimed to bring developers and operations engineers together to work collaboratively. This thinking quickly evolved to suggest that multidisciplinary teams should include any business function that has a say in getting software into production or verifying it. What’s more, this could be accomplished in an automated way through software tools that test the code for, in this case, compliance, before releasing it into production.
What’s in it for you?
Compliance is often seen as a bottleneck in the software delivery process, slowing organizations down through laborious compliance procedures. Compliance as code promises to introduce automation — enabling you to get new digital services to market faster. It also has the benefit of automating the creation of an audit trail to prove compliance.
Because compliance as code needs multidisciplinary teams to collaborate, you can spread knowledge of compliance to a broader audience within the enterprise.
What are the trade-offs?
As with many agile practices, introducing it to an organization that is new to it can be a cultural challenge. Some experts might argue that certain compliance rules cannot be automated. Even so, much of the data gathering that drives those decisions can itself be automated.