The Main, Main Thing
There are four aspects to dealing with regulatory compliance:
1. Understanding your organization;
2. Understanding the Authority Documents you must comply with;
3. Internalizing your compliance requirements in the form of policies, standards, and procedures; and
4. Implementing and auditing those policies, standards, and procedures.
If you don’t understand your organization, how will you understand which parts of which Authority Documents apply to your organization’s situation and which don’t? If you can’t make heads or tails of what the Authority Documents are actually saying you should do (or refrain from doing), how are you going to be able to interpret them and incorporate them into your policies, standards, and procedures? And if you don’t align your organization’s policies, standards, and procedures with the Authority Documents you have to follow, you will fail at complying.
Therefore, you are going to need to tackle managing regulatory compliance in the order above. Start with your organization. Once you’ve learned enough about it to navigate your leadership structure, organizational structures, and communication patterns, you can target which Authority Documents pertain to which groups. Then you can build your Authority Document lists and harmonize the controls within them, boiling their mandates down to simple language and de-duplicated common controls. Once you’ve achieved that level of understanding of what you must do, you can internalize those mandates as organizational policies, standards, and procedures. Only then can you begin to implement them, stand up, and be audited, showing you are compliant.