The legal compliance process details how the organization maintains a current list of applicable legal compliance requirements. This process is an iterative process with its own lifecycle with internal and external audits. Compliance audits are critical when managing legal frameworks such as HIPAA, GDPR, and PCI.
The gap assessment is an expert-led process and includes interviews with several department and subject matter experts. This process includes a review of all relevant evidence that supports compliance with the required framework. This also includes digital documentation artifacts, documentation of completed procedures, configuration review, relevant certificates (example, certificate of asset destruction from a third party), and other evidence as defined by the compliance framework.
Without an established process in place to stay up-to-date on compliance requirements, organizations run the risk of non-compliance with legal and other compliance requirements, including financial penalties, higher credit card transaction costs, and data breaches. The audit helps in avoiding the consequence of non-compliance.