NDMO Compliance Checklist: Governance, Evidence and Readiness
Review the governance, controls, evidence, ownership and executive oversight required to prepare your organization for an NDMO readiness assessment.
Updated 2026-07-04 / 15 min
Executive introduction
Use the checklist to test operational readiness, not just documentation.
Documented compliance is not sufficient when executives need confidence that governance operates in practice. Policies, standards and committees only create readiness when they are supported by clear ownership, repeatable controls and evidence that can be produced.
Evidence ownership matters because readiness often fails at the point of proof. A control may exist, but if no owner knows what must be retained, where it is stored or how current it is, the organization may struggle under review pressure.
Executives should use this checklist as a structured preparation tool. It is guidance for readiness discussion, not a formal determination of compliance, legal advice or regulatory approval.
Readiness scale
Rate each check by evidence maturity.
Self-assessment scores should not be represented as formal compliance conclusions. They are useful for prioritizing review, evidence collection and remediation.
- 1: Not established
- 2: Documented
- 3: Partially operating
- 4: Operating
- 5: Evidenced and monitored
Checklist domains
Governance, controls, evidence and executive assurance.
Domain 1
Governance and accountability
- Named executive sponsors are accountable for data governance readiness.
- Data governance roles distinguish policy ownership, control ownership and evidence ownership.
- Named owners have accepted accountability for defined data domains.
- Decision rights are documented for data classification, sharing, exceptions and remediation.
- Governance forums receive material that separates decisions, risks and status updates.
When this becomes an advisory issue
External advisory support may be useful when ownership disputes remain unresolved, committee mandates are unclear or decision rights do not match actual operating practice.
Domain 2
Policies and standards
- Required policies are approved, current and assigned to accountable owners.
- Policies are supported by operational procedures that teams can follow.
- Standards define evidence expectations rather than only intent.
- Policy exceptions are formally approved, time-bound and reviewed.
- Teams understand which standards apply to their data, systems and processes.
When this becomes an advisory issue
Support may be useful when policies exist but operating practices differ, or when teams cannot translate policy requirements into practical control routines.
Domain 3
Data inventory and ownership
- Material data assets are inventoried with owner, system and business purpose.
- Inventory records distinguish authoritative sources from duplicate or derived stores.
- Ownership records are reviewed when organizations, systems or processes change.
- Critical reports and data products are linked to source systems and responsible owners.
- Unowned or disputed data assets are tracked as readiness issues.
When this becomes an advisory issue
Support may be useful when inventories are incomplete, ownership is disputed or critical data assets cannot be traced to accountable business owners.
Domain 4
Data classification
- Classification rules are documented and understood by business and technology teams.
- Data assets have classification labels or documented classification decisions.
- Classification informs access, sharing, retention and protection practices.
- Classification exceptions are recorded and reviewed.
- Evidence exists to show how classification decisions were applied.
When this becomes an advisory issue
Support may be useful when classification labels exist but are inconsistently applied, not evidenced or disconnected from access and protection controls.
Domain 5
Data quality
- Priority data domains have defined quality expectations.
- Quality controls are linked to business impact and decision use.
- Quality issues have owners, severity and target resolution dates.
- Quality reporting distinguishes recurring issues from one-off incidents.
- Data quality evidence is retained and available for review.
When this becomes an advisory issue
Support may be useful when quality checks are informal, issue ownership is unclear or quality reporting does not support executive decisions.
Domain 6
Data lifecycle and retention
- Lifecycle requirements are defined for creation, use, sharing, retention and disposal.
- Retention expectations are mapped to systems, data owners and business processes.
- Archiving and deletion practices are evidenced where applicable.
- Legacy data stores are reviewed for ownership, purpose and retention risk.
- Lifecycle exceptions are visible to governance forums.
When this becomes an advisory issue
Support may be useful when retention decisions are inconsistent, deletion practices are unclear or lifecycle controls depend on individual manual effort.
Domain 7
Data sharing and access
- Access approval criteria are documented for material data sets.
- Data sharing decisions identify purpose, recipient, owner and approval route.
- Periodic access reviews are performed and evidenced.
- Exceptions to access or sharing standards are approved and time-bound.
- Third-party data exchanges are visible to accountable owners.
When this becomes an advisory issue
Support may be useful when access approvals, sharing decisions or third-party data exchanges cannot be consistently evidenced.
Domain 8
Privacy and protection alignment
- Privacy and protection dependencies are mapped to data governance responsibilities.
- Sensitive data handling expectations are reflected in procedures and controls.
- Security and privacy evidence can be connected to data ownership and classification.
- Control gaps are escalated through a shared issue-management route.
- Management reporting shows dependency risks rather than isolated workstream updates.
When this becomes an advisory issue
Support may be useful when privacy, security and data governance teams operate separate control models without a shared evidence view.
Domain 9
Operational control execution
- Control owners understand the activity they must perform and how to evidence it.
- Control frequency, trigger and evidence requirements are documented.
- Control failures are logged and assigned for remediation.
- Manual controls have backup owners and review routines.
- Executive reporting distinguishes missing documentation from failed operational controls.
When this becomes an advisory issue
Support may be useful when controls are designed but not operating, or when control execution depends on undocumented individual knowledge.
Domain 10
Compliance evidence
- Evidence owners know what must be retained and where it is stored.
- Evidence is mapped to obligations, controls and accountable owners.
- Evidence quality is reviewed for currency, completeness and traceability.
- Readiness reporting identifies missing, weak or disputed evidence.
- Evidence repositories avoid uncontrolled personal storage and unmanaged copies.
When this becomes an advisory issue
Support may be useful when evidence is distributed, stale, ownerless or cannot be produced consistently under review pressure.
Domain 11
Issue management
- Readiness gaps are recorded with risk, owner, target date and decision need.
- Remediation actions distinguish quick fixes from operating-model changes.
- Overdue actions are escalated through defined governance routes.
- Issue closure requires evidence, not only verbal confirmation.
- Recurring gaps are analyzed for root operating-model causes.
When this becomes an advisory issue
Support may be useful when issues repeatedly return without closure, remediation dates move without governance or owners lack authority to resolve gaps.
Domain 12
Executive reporting and assurance
- Executive reporting shows readiness, evidence maturity, material gaps and decision points.
- Reports distinguish documented, partially operating, operating and evidenced controls.
- Heatmaps are supported by evidence rather than subjective confidence alone.
- Assurance findings are translated into prioritized executive actions.
- Sponsors can see which decisions or resources are needed to improve readiness.
When this becomes an advisory issue
Support may be useful when management reporting does not support decisions, hides material uncertainty or combines documentation status with operational readiness.
Executive interpretation
What the pattern of answers may indicate.
High documentation and low evidence
The organization may understand the requirement but cannot yet prove operational implementation. This is often a readiness risk under scrutiny.
High control activity and unclear ownership
Teams may be working hard, but accountability may not be strong enough for sustainable governance or executive assurance.
Strong technology controls and weak governance
Technical mechanisms may exist, but decisions, exceptions, reporting and ownership may still be fragmented.
Numerous unresolved exceptions
The issue is usually not exception volume alone. Leaders need to understand whether exceptions are approved, time-bound, risk-assessed and actively reduced.
Strong local practices but inconsistent enterprise implementation
Some functions may be mature while the enterprise remains exposed because practices are not standardized, evidenced or governed consistently.
Next step
Turn checklist findings into a readiness discussion.
If the checklist reveals unclear ownership, weak evidence, inconsistent operating practice or unresolved exceptions, a focused assessment can help prioritize the next practical step.