Managing company-specific baselines
We need to know where we are in order to determine where we want to go. A baseline helps us test where we are (the maturity level) as well as where we wish to go (the ambition level). You could say that a baseline objectifies qualitative positions and goals.
There are a whole range of baselines. Sometimes the baselines are so well established that we regard the baselines as standards (eg number series, units, or practically, container dimensions or track width). The legislator increasingly obliges companies to account for the organization of compliance with legal requirements, for example for taking appropriate and effective control measures aimed at protecting data. Such requirements are also contractually imposed by a company on its information service providers.
What are appropriate and effective controls included in business processes supported by IT systems? Using baselines, a company objectifies the requirements of its business processes and can implement targeted control measures.
Some examples of baselines
Depending on the business activities, the company management chooses the standards and baselines. The legislature may require the company to adopt standards, customers may require the use of standards and baselines from their supplier(s), and organizing business operations may be more effective and cost-efficient with standards and baselines.
We can identify baselines when organizing business activities. Some examples.
The information infrastructure usually consists of a network, databases and systems with which the employees of a company communicate with each other and with the outside world. Companies are increasingly using cloud vendors to organize their information infrastructure. To facilitate the acquisition and management of these infrastructures, baselines are available against which acquisition and use can be tested. Think of ISO, NEN or NOREA models. Both internal implementation and outsourcing can be accountable using baselines.This is just a placeholder to help you visualize how the content is displayed in the tabs. Voel je vrij om dit te bewerken met je eigenlijke inhoud.
Cloud environments offer the ability to apply baselines. MS 365 and Azure tenants do this by letting their customers use baselines to effectively organize IT risk management and compliance management. This is just a placeholder to help you visualize how content is displayed in the tabs. Feel free to edit this with your actual content.
To IT systems, which support business processes with embedded control measures, the company management sets functional and non-functional requirements. If the IT systems are developed then the requirements mirror in user stories and otherwise the requirements mirror in a baseline used in a package selection.This is just a placeholder to help you visualize how the content is displayed in the tabs. Feel free to edit this with your actual content.
Baselines are practical and effective for making agreements. When agreeing to provide information, a baseline can be added to a request for proposal allowing the offer to be tested against that baseline. In this way, the baseline is used as a practical assessment framework. During contract management, baselines help manage mutual expectations.
The baselines give a sense that no essential management measures have been forgotten. It also avoids agreeing on duplicate measures. The baselines are not static because laws, regulations, contractual agreements and policies can change the baselines.
Companies use the baselines when managing changes in the organization of business activities.
What is our service?
Before we can start, we need an overview of the responsibility and liability domain, and insight into the business activities of organizational units. Based on this context information, we can take the next steps.
- Compile and company-specific and, if required, manage baselines: based on the current picture of applicable laws and regulations, contractual agreements and policies, we compile company-specific baselines in collaboration with employees. In doing so, we use available and proven sector- and segment-specific baselines as much as possible. Baselines can cover technical information infrastructure or functional and non-functional requirements for IT systems. It is also possible that a baseline relates to a theme, for example the processing of personal data.
- Applying baselines: we use baselines in change and selection processes. Using a baseline, we “measure” where we are (the maturity level) and where the organization wants to go (the ambition level). The chance of a successful change process increases if the change capacity of the employees is in line with the change steps towards maturity. The IT systems to be selected that support the business processes must be appropriate for the change process to be undertaken.
- Maintaining baselines: changing business activities, legislation and IT systems require maintenance of baselines. By working with general baselines as much as possible, maintenance can be limited.
It is obvious that the corporate compliance function manages the agreed-upon baselines and helps the functional departments apply the baselines effectively.
Attracting external professionals
There are times when a company hires outside professionals to manage parts of the standards and apply baselines. An example is MYOBI’s TTP policy, which includes the code of conduct aimed at protecting personal data and information security. The maturity levels are reflected in the Accountability Seal.
The involvement consists of:
- Based on the research, it is determined which steps must be taken to be (demonstrably) compliant with the baselines; and
- The justification for an outcome must be documented to demonstrate compliance.
We use a methodology for compliance with baselines. The results of such a methodology are a report of findings and other reports. Based on this, operational improvements can be initiated.
Submit your question to our experts
Questions about our services? Feel free to contact us, we are happy to help you.