Most organizations have policies.
Very few actually enforce them.
That gap between writing policies and actually making sure they are followed is where risk lives. And that’s exactly the problem I set out to solve by building a Policy Compliance Framework for Gobuy Aviation.
This wasn’t just an academic exercise. I approached it like a real-world GRC project, focusing on structure, accountability, and continuous monitoring.
Let me walk you through how I built it.
The Problem: Policies Without Enforcement
Gobuy Aviation, like many organizations, lacked a structured and enforceable compliance framework.
That means:
- Policies may exist, but no one is consistently checking whether they are followed
- Responsibilities are unclear
- Monitoring is inconsistent
- Regulatory risks increase over time
So the goal was simple:
Build a framework that ensures policies are not just written, but actively enforced
The Objective
The framework was designed to:
- Establish a structured approach to policy compliance
- Align with international standards such as ISO 27002
- Define clear roles and accountability
- Enable continuous monitoring of compliance activities
- Reduce operational and regulatory risks
Step 1: Define the Scope
Before building anything, I clearly defined what the framework would cover.
It applies to:
- Information security systems
- Access control processes
- Incident management
- Data protection
- System configurations
- Employees and third parties
This ensures the framework is not limited to IT alone, but covers the entire organization.
Step 2: Develop Core Policies
A total of 10 policies were developed to support the framework:
- Information Security Policy
- Information Classification Policy
- Identity and Access Management Policy
- Privileged Account Policy
- Secure Configuration Policy
- Incident Management Policy
- Clear Desk and Clear Screen Policy
- Artificial Intelligence Policy
- Data Protection and Privacy Policy
- Third-Party Risk Management Policy
These policies form the foundation of the compliance structure.
Step 3: Align Policies with ISO 27002
To ensure the framework follows global best practices, each policy was mapped to ISO 27002 control themes:
- Organizational controls
- Technological controls
- Physical controls
- (and indirectly) people-related controls
This alignment ensures the framework is structured, standardized, and audit-ready.
Step 4: Build the Compliance Framework (The Core)
This is where the real work happens.
Each policy is tied to:
- A specific compliance activity
- A responsible owner
- A monitoring frequency
- Evidence to prove compliance
Here is a simplified example:
| Policy | Activity | Owner | Frequency | Evidence |
|---|---|---|---|---|
| IAM Policy | User access review | IAM Specialist | Monthly | Access reports |
| Incident Management | Incident monitoring | Security Team | Daily | Incident logs |
| Data Protection | Data compliance review | Compliance Officer | Quarterly | Audit records |
This structure ensures:
- Nothing is left unchecked
- Responsibilities are clear
- Compliance is measurable
Step 5: Introduce AI Governance (A Key Differentiator)
One of the most important additions was the Artificial Intelligence Policy.
AI introduces new risks:
- Data leakage
- Lack of transparency
- Uncontrolled automation
Instead of treating AI like a normal policy, I built a dedicated compliance framework for it, including:
- AI usage monitoring
- Data handling reviews
- Approval processes for AI tools
- Risk and impact assessments
- Annual governance audits
This aligns with emerging AI governance practices and positions the framework for future risks.
Step 6: Establish Policy Governance
Each policy includes a document control structure, defining:
- Author
- Owner
- Reviewer
- Approver
- Review timelines
This ensures:
- Accountability
- Traceability
- Proper lifecycle management
Without this, policies quickly become outdated and ineffective.
Step 7: Define Monitoring vs Review
One critical distinction in the framework is:
- Policy Review (Annual) → strategic updates
- Compliance Monitoring (Monthly/Quarterly) → operational enforcement
This ensures policies stay relevant while compliance is continuously tracked.
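As an added illustration (not part of the original framework document), here is a small Python tracker that models the Step 4 register and applies the Step 7 monitoring frequencies: each activity carries its owner, frequency and the date evidence was last collected, and the report flags what is overdue or has never produced evidence. The maximum days per frequency, the sample rows and the reporting date are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum days allowed between two pieces of evidence for each frequency
# named in the framework (thresholds are assumed, not from the original post).
FREQUENCY_DAYS = {"Daily": 1, "Monthly": 31, "Quarterly": 92, "Annual": 366}

@dataclass
class ComplianceActivity:
    policy: str
    activity: str
    owner: str
    frequency: str
    evidence: str
    last_evidence: Optional[date]  # when evidence was last collected; None = never

def days_overdue(item: ComplianceActivity, today: date) -> Optional[int]:
    """Days past the allowed interval (0 = on track); None if never evidenced."""
    if item.last_evidence is None:
        return None
    due = item.last_evidence + timedelta(days=FREQUENCY_DAYS[item.frequency])
    return max(0, (today - due).days)

def compliance_report(items, today: date) -> dict:
    """Bucket every activity as on_track / overdue / no_evidence for escalation."""
    report = {"on_track": [], "overdue": [], "no_evidence": []}
    for item in items:
        late = days_overdue(item, today)
        if late is None:
            report["no_evidence"].append((item.policy, item.owner))
        elif late > 0:
            report["overdue"].append((item.policy, item.owner, late))
        else:
            report["on_track"].append((item.policy, item.owner))
    return report

# Constructed sample register (made-up dates): the table's three rows plus an AI audit.
AS_OF = date(2025, 3, 1)
REGISTER = [
    ComplianceActivity("IAM Policy", "User access review", "IAM Specialist",
                       "Monthly", "Access reports", date(2025, 1, 15)),
    ComplianceActivity("Incident Management", "Incident monitoring", "Security Team",
                       "Daily", "Incident logs", date(2025, 3, 1)),
    ComplianceActivity("Data Protection", "Data compliance review", "Compliance Officer",
                       "Quarterly", "Audit records", date(2024, 11, 1)),
    ComplianceActivity("AI Policy", "Annual governance audit", "Governance Team",
                       "Annual", "Audit report", None),
]
```

Running `compliance_report(REGISTER, AS_OF)` gives each owner a concrete list of what is late, which is the "measurable compliance" the framework aims for.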
Step 8: Provide Implementation Recommendations
To make the framework practical, I included key recommendations:
- Establish a dedicated governance team
- Conduct employee training and awareness
- Use automated tools for monitoring
- Perform regular audits
- Continuously update policies for emerging risks
What Makes This Framework Effective
This framework works because it:
- Moves from documentation to enforcement
- Assigns clear ownership
- Defines measurable compliance activities
- Aligns with international standards
- Adapts to emerging risks like AI
On a Final Note
Building a Policy Compliance Framework is not about writing documents.
It’s about creating a system where:
- Policies are enforced
- Risks are monitored
- Accountability is clear
If organizations get this right, they don’t just improve compliance.
They build resilience.
If you are getting into GRC, this is the mindset you need:
Don’t just ask, “Do we have policies?”
Ask, “Are we actually following them?”
That is where the real work begins.
Here is the link to my Policy Compliance Framework: https://drive.google.com/file/d/15t66ot2sdqyk60lsPSY221y14L6JgnX5/view?usp=sharing