Managing multiple InfoSec frameworks, controls, and evidence for those controls all at the same time is a pretty tall order.
The average modern company has 13 frameworks between security and privacy in place. While they all have their own flavor, these frameworks all share a common goal—ensuring that organizations adhere to external standards, with the intention of protecting and securing company and user data.
The goal is a noble one to be sure, but as we know all too well, managing it all is pretty complex. Each framework is its own ecosystem, with its own intricacies and specificities. PCI-DSS, ISO 27K, SOC 2, HIPAA, and their counterparts each have their own language and their own requirements, even when referring to overlapping elements.
For example, when it comes to password management, ISO 27001:2013 A.9.4.3 states, “Password management systems shall be interactive and shall ensure quality passwords.” Meanwhile, over in PCI-DSS, 8.2.3 outlines the specific requirements needed for passwords. They “require a minimum length of at least seven characters,” they must “contain both numeric and alphabetic characters,” etcetera, etcetera, etcetera.
This makes managing various frameworks especially tricky for you, the compliance leader. You're the one tasked with repeatedly turning to the same people—the IT team, the security architects, HR personnel, whoever—to get the evidence needed to prove your controls are in place. You have to nudge, cajole, and sometimes even beg those same people for the same pieces of evidence, when you may already have what you need, hiding behind a different name.
This lack of a unified language creates a bunch of unnecessary problems.
To illustrate, take a look at what happened to one of our customers. When preparing for PCI-DSS in January, they found an issue in their control for encrypting data at rest. Instead of re-assessing the process, finding an optimal cost-effective solution for the organization, and thereby fixing the issue, they simply found a workaround tailored to the immediate need. When ISO 27001 rolled around in March, they deployed another temporary fix. By the time they started to think about preparing for SOC 2, there was no budget left for a proper solution to this same control.
To solve these challenges, organizations need one common language of compliance. When everyone is speaking the same language, issues can be solved in a broader way and a methodology can be implemented and maintained over time. Cross-audit evidence sharing is the optimal way to prevent issues from becoming siloed, saving organizations time, money, and efforts.
With cross-audit evidence sharing, you can easily maintain one unified list of controls, based on (or referring to) your policies and procedures, which has already been approved by management. Moreover, that unified list of controls is already mapped to each of the frameworks that are relevant to the organization, now and in the future. This includes the assignment of requirements and evidence needed to collect for and fulfill that unified list of controls.
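As an added illustration of the unified control list described above (example code written for this post, not any vendor's tool), the register below maps each control and its evidence to the framework clauses it satisfies, so an artefact is requested from its owner once and reused across audits. The control ids, evidence names and the UC-02 clause mappings are assumed for illustration; the UC-01 clauses are the ones cited above.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Control:
    cid: str
    title: str
    mapped_to: dict[str, list[str]]   # framework -> clause ids it satisfies
    evidence: list[str]               # artefacts that prove the control

# Constructed register: UC-01 uses the clauses quoted in the post; the UC-02
# mappings and all evidence names are illustrative assumptions.
UNIFIED_CONTROLS = [
    Control("UC-01", "Password quality enforced by the identity provider",
            {"ISO27001:2013": ["A.9.4.3"], "PCI-DSS": ["8.2.3"]},
            ["idp-password-policy-export", "password-policy-document"]),
    Control("UC-02", "Data at rest encrypted",
            {"ISO27001:2013": ["A.10.1.1"], "PCI-DSS": ["3.4"], "SOC2": ["CC6.1"]},
            ["kms-key-inventory", "storage-encryption-config"]),
]

def unique_requests(controls: list[Control]) -> list[str]:
    """Artefacts to ask owners for, each once, instead of once per framework."""
    return sorted({e for c in controls for e in c.evidence})

def requests_without_sharing(controls: list[Control]) -> int:
    """How many asks the same register costs if every framework audit asks anew."""
    return sum(len(c.evidence) * len(c.mapped_to) for c in controls)

def coverage(controls: list[Control], collected: set[str]):
    """Return (missing, shared): evidence still missing per framework clause,
    and artefacts that serve more than one framework."""
    missing: dict[str, list[str]] = {}
    served_by: dict[str, set[str]] = {}
    for c in controls:
        gap = [e for e in c.evidence if e not in collected]
        for fw, clauses in c.mapped_to.items():
            for clause in clauses:
                if gap:
                    missing[f"{fw} {clause}"] = gap
            for e in c.evidence:
                served_by.setdefault(e, set()).add(fw)
    shared = {e: sorted(f) for e, f in served_by.items() if len(f) > 1}
    return missing, shared

if __name__ == "__main__":
    have = {"idp-password-policy-export", "kms-key-inventory"}  # constructed
    print(unique_requests(UNIFIED_CONTROLS), requests_without_sharing(UNIFIED_CONTROLS))
    print(coverage(UNIFIED_CONTROLS, have))
```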
We all know that achieving and maintaining compliance can be a headache, to say the least. I can’t promise you that using one unified framework will remove all your compliance challenges.
That would take a miracle.