Regulatory Compliance Modelling Using Risk Management Techniques

Steve Taylor, M. Surridge, B. Pickering
DOI: 10.1109/AIIoT52608.2021.9454188
Published in: 2021 IEEE World AI IoT Congress (AIIoT)
Publication date: 2020-10-22
Source: Semantic Scholar (https://doi.org/10.1109/AIIoT52608.2021.9454188)
Citations: 4

Abstract

We describe a novel approach to regulatory compliance decision support that leverages an asset-based cyber security risk management approach following ISO 27005, and illustrate this with an example based on the General Data Protection Regulation (GDPR). Previous work in regulatory compliance modelling and decision support utilises semantic vocabularies and reasoning techniques, and our approach has the primary benefit that regulatory compliance is integrated with other domains of risk management, so that insight from domains such as cyber security combined with regulatory compliance for privacy can be gained based on a single model of the user's sociotechnical infrastructure. The main contributions of this paper are: to show how regulatory requirements may be modelled as “compliance threats” in an asset-based risk management framework; to illustrate mapping from the GDPR's legal text to domain assets, processes and relationships, compliance threats and control strategies to mitigate the threats; to show how the threats are triggered via recognition patterns based on asset configurations; to illustrate how the different types of regulatory requirement, e.g. obligations, prohibitions and derogating conditions, are represented in such a scheme; and finally to describe how to model causal dependencies between choices made to address a compliance threat and downstream additional compliance requirements.