Decoder: Compliance as code

Compliance as code aims to improve the software development process through automatically demonstrating that new code complies with relevant policies and regulations.

To do compliance as code, the aim is to define your compliance policies such that they can be written as tests. Any software that you plan to put into production has to pass those tests.

The purpose of treating these policies as code is not just to capture policies as software and data, but to automate compliance for consistent application across the enterprise and apply software engineering practices to them — for instance, keeping the code under version control, and observing and monitoring policy operation.

It is a continual process, achieved by running software to automate the implementation, verify, remediate, monitor and perform compliance status reporting.

What is it?

The process of defining your compliance requirements in such a way that you can automate it and write tests for it — then demonstrating compliance by passing those tests and producing an audit trail of having done so.

Learn more

What’s in it for you?

You can reduce the risks of non-compliance and deliver value to your customers faster, when compliance isn’t an inhibitor.

Learn more

What are the trade-offs?

The effort to create automatable compliance rules and automate their end-to-end compliance activities versus the costs of continuing to operate the same manually. A critical factor in this trade off though is the opportunity cost of not automating.

Learn more

How is it being used?

Highly regulated industries, where the cost implications of compliance are high, have much to gain from compliance as code.

Learn more

What is it?

As the software development process has sped up, through practices such as continuous delivery, many firms in highly regulated industries have struggled to demonstrate compliance.

By codifying your compliance requirements so they can be written as tests, you’re able to automate the implementation, verification, remediation, monitoring, and compliance status reporting.

Compliance as code falls into the ‘everything as code’ movement and is a natural follow-on to the DevOps movement, which aimed to bring developers and engineers together to work collaboratively. This thinking quickly evolved to suggest multidisciplinary teams should include any business function that has a say in achieving or verifying software into production. What’s more, this could be accomplished in an automated way through software tools that test the code for, in this case, compliance, before releasing into production.

What’s in for you?

Compliance is often seen as a bottleneck in the software delivery process, slowing organizations down through laborious compliance procedures. Compliance as code promises to introduce automation — enabling you to get new digital services to market faster. It also has the benefit of automating the creation of an audit trail to prove compliance.

Because compliance as code needs multidisciplinary teams to collaborate, you can spread knowledge of compliance to a broader audience within the enterprise.

What are the trade offs?

As with many agile practices, if they’re new to your organization, that can be a cultural challenge. Some experts might argue that some compliance rules cannot be automated. Even so, much of the data requirements to drive the decisioning can itself be automated.

How is it being used?

Compliance as code has attracted a lot of attention in the financial services sector, as well as in manufacturing and supply chain organizations — especially for those organizations looking to move to modern software development processes.

Security policy as code

Learn more

Threat modeling

Learn more

Zero-trust architecture

Learn more