The Nine Controls You Need to Achieve Information Compliance

By: In: Compliance On: Feb 24, 2017
The Nine Controls You Need to Achieve Information Compliance

In general there are nine universal risk controls recommended for achieving compliance. Some businesses may have to adhere to more strenuous regulations, and different regions may have different laws that need to be considered. But, for the most part, these same controls can be seen across industries.

Let’s take a look at each of them as they relate to records and information management.


Governance is the overarching management and accountability for a compliant RIM function. It involves the creation of polices and the oversight, review and documentation of operational issues, business process, risk capacity, infrastructure, legal, compliance and regulatory control concerns.  Essentially, it’s a way to hold organisations and individuals accountable for the way they use information.

Why is it important?

Without oversight to how records and information are created, organised, secured, maintained, used and disposed of, the potential for data breaches or regulatory infractions is greater.


Inventory refers to your organisation’s ability to know what records exist in any format (digital and physical) and where they are stored. A good inventory includes structured, semi-structured and unstructured data.

Why is it important?

To protect your records, you must first know they exist. With no inventory, information can easily slip through the cracks, resulting in potential data breaches or compliance violations. Furthermore, if your organisation is looking to move to a data lifecycle management strategy—where documents are indexed and stored (or destroyed) based upon their value—a centralised inventory of all records is essential.


Retention is the managing of records (in any format) according to laws, regulations, and operational obligations. It includes classifying or tagging records to enable retention rules to be assigned—i.e., when to destroy a document versus when to archive it.

Why is it important?

Storing records forever increases litigation risk and discovery and storage costs. At the same time, destroying information without regard to legal requirements can lead to severe sanctions, fines, unfavourable settlements and brand damage.


Disposition relates to a decision made about a record that has met the end of its required retention period. The record may be destroyed, moved to an archive for long-term preservation or designated as valuable beyond its original purpose.

Why is it important?

Records that are kept beyond their relevancy or those that are disposed of improperly can result in increased litigation risk and regulatory violations. Additionally, even if compliance is met, data kept indiscriminately can result in higher storage costs.

Legal Holds

Legal holds are used to suspend the retention requirements and cease destruction of certain groups of records, even if they’re eligible for destruction.

Why is it important?

Documents relevant to current legal proceedings may need to be held longer than their assigned retention time. With no way to earmark these documents as an exception to regular disposition processes, they may be inadvertently destroyed. This can result in fines, sanctions and unfavorable legal rulings.

Privacy and Security

Privacy and security controls (such as data classification and secure shredding) protect information according to laws, regulations, and operational requirements throughout its lifecycle, regardless of where it is stored.

Why is it important?

The rise of bring-your-own-device (BYOD) policies coupled with ever-growing amounts of data means there is more sensitive information being exchanged in more places. Your organisation needs to keep pace with these changing laws and regulations in order to ensure compliance.

Vendor Management

Vendor Management is the process of selecting a third-party vendor to ensure they comply with your organisation’s records and information management policies and standards.

Why is it important?

Current vendors may be by-products of mergers and acquisitions or the result of decisions made by other departments. With today’s growing amount of data and changing regulations, they may no longer be the right fit.


Staffing refers to having the correct personnel required to administer, maintain and support your records and information management programme wherever business is conducted, both as an independent function and within LOBs. RIPTION SUPPORTING MATION

Why is it important?

Ensuring that your records and information management programme is functioning at all times requires a staff knowledgeable in data security, privacy and compliance. To best ensure compliance, your organisation needs dedicated experts.


Training encompasses the development, delivery and monitoring of training of all employees, contractors and vendors who create, receive or manage records and information in compliance policy.

Why is it important?

Some studies estimate that as many as 60% of data breaches originate from employee negligence. Properly training employees on compliance processes can drastically mitigate risk.

What’s next?

For a more in-depth exploration of the risk controls needed to achieve compliance, as well as guidance in building and refining a robust information compliance programme, read Risk Control: An Advisory and Action Guide.


← Why Records and Information Managers Need to Work with Corporate Real Estate Information Management in the Global Mid-Market - is Education Working? →

Leave A Comment

About the author

John Apthorpe

John Apthorpe, Commercial Director, Iron Mountain John Apthorpe heads up Iron Mountain’s business services sector in the UK. His primary objective is to lead and drive commercial strategy and business development activities across a range of large corporate organisations and ensure Iron Mountain is the market leader in records and information management. Prior to joining Iron Mountain in 2005, John was with IT content delivery firm Akamai, where he was responsible for the sale and implementation of cloud based SaaS solutions for customers. With over 20 years experience, John has also held a number of senior roles with IT companies. His experience of working with large corporate clients extends to organisations from all industry sectors, although he has specialised in working with commercial organisations including Iron Mountain’s largest energy clients over the past three years. John holds an MBA from Henley Management College and a BA (Hons) in business studies.