Matt and Mark have both responded to my response.  Matt writes:

Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (…or set of …or service of). But I didn’t [...]]]> Compliance as a Service – Counter-counterpoint

Matt and Mark have both responded to my response.  Matt writes:

Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (…or set of …or service of). But I didn’t make that distinction in my previous post. But, is that the basic point you’re making? …that IT compliance is a subset of overall Compliance? Or is there more to it?

Yes and no.  I do believe the IT compliance is a subset of overall Compliance, but that wasn’t my basic point.  My most basic point was, because Big C Compliance is so truly tied to people and process it cannot be delivered as a service.  The reason I responded to you and Mark about this was that I didn’t want the conversation to start off with a definition of Big C that was too limited and too IT-centric.

Understanding that big-C Compliance requires much more than IT controls, would it seem more realistic if we said IT-compliance-as-a-service? or IT-Audit-as-a-service?

IT audit/compliance can and should be delivered as a service.  And not just the tools and tooling for it, but ownership of the compliance state and risk as well.  To me this is a natural extension to Managed Security Services and companies like Counterpane and IBM offer this to an extent.

The main thing I’m wondering is if organizations would get value from an external party taking over the IT audit portion so that the org itself (who might be anticipating regulatory pressure) wouldn’t have to figure out which questions to ask, how to ask them, how to build controls to get the right answers, and how to prove that the answers are what they should be.

This is spot on and I believe this is valuable to companies of all sizes.