Disclaimer: This summary has been generated by AI. It is experimental, and feedback is welcomed. Please reach out to info@qconlondon.com with any comments or concerns.
The presentation titled "The Way We Manage Compliance Is Wrong… And Is Changing! Bringing DevOps Principles to Controls and Audit" was delivered by Ian Miell, a consultant with over 25 years of experience in software consulting. The presentation outlined several key points regarding the traditional methods and future direction of compliance management in organizations.
Key Points:
- Traditional compliance management relies heavily on manual processes, including spreadsheets and Confluence pages, which are deemed inefficient and increasingly outdated.
- There is a shift toward automating Governance, Risk, and Compliance (GRC) processes, inspired by DevOps principles, to streamline governance and provide real-time assurance.
- The Continuous Compliance Framework (CCF), an open-source initiative, aims to automate compliance checks and integrate with various systems to provide a holistic view of an organization's compliance status.
- The framework is built around existing standards such as the Open Security Controls Assessment Language (OSCAL) and is designed to handle complex, hybrid cloud environments.
- Challenges include the conservative nature of large institutions and the need for significant changes in regulatory standards like the EU's Digital Operational Resilience Act (DORA).
Lessons Learned:
- Current audits are predominantly manual, process-focused, periodic, and lack real-time consistency, making them incompatible with agile methodologies.
- There is a need for continuous compliance mechanisms to replace sporadic audit checks and establish ongoing monitoring systems that provide timely feedback and improve security posture.
- Organizations must adapt to new regulatory demands, highlighted by increasing calls for operational resilience and consistent monitoring.
Future Directions:
- Further development of plugins and integrations for popular systems to enhance the Continuous Compliance Framework's capabilities.
- Adopting a more scalable approach to compliance management in light of ongoing infrastructure and regulatory changes.
- Engaging with compliance leaders and engineers to address their specific needs in automating and managing compliance efficiently.
This presentation emphasized the crucial role of automation in compliance, aligning with evolving standards and practices, and the transformative potential of applying DevOps principles to the compliance and audit landscape.
This is the end of the AI-generated content.
In 2025, many organizations still manage critical compliance controls through manual checks, spreadsheets, Word documents, and Confluence pages—approaches that are error-prone, inefficient, and increasingly outdated. In 2023, frustrated by these challenges, a group of Cloud Native engineers decided to address this gap head-on by creating an open-source solution designed from the ground up to automate Governance, Risk, and Compliance (GRC).
This initiative aligned with broader movements across the industry, including NIST's Open Security Controls Assessment Language (OSCAL) and the European Union's Digital Operational Resilience Act (DORA), underscoring a global shift toward standardized, automated compliance frameworks.
This session shares our journey into Continuous Compliance: the motivations behind the project, key lessons learned from our mistakes, and insights from ongoing development and community advocacy. Attendees will gain practical guidance on leveraging Continuous Compliance principles to reduce risk, streamline governance processes, and move their organizations beyond manual compliance into automated, real-time assurance.
Speaker

Ian Miell
Author of "Docker in Practice" & "Learn Git/Bash the Hard Way", Consultant Partner @Container Solutions
Ian Miell has over twenty-five years' experience in software consulting: writing, running, architecting, and maintaining software and infrastructure for dozens of businesses, from large to small. He now focusses on unblocking organisations from making technical changes, from the top to the bottom of the tech and management stacks.
He has written the books 'Docker in Practice' (published by Manning), 'Learn Bash the Hard Way', 'Learn Git the Hard Way', and 'Learn Terraform the Hard Way' (published on Leanpub), as well as various training courses for O'Reilly Media and others.
He blogs about his experiences at https://zwischenzugs.com, and is a Consulting Partner at https://www.container-solutions.com/.