I’ve got a lot of stuff. So in order to keep it all safe and secure, I’ve got this great alarm system on my front door. Also: eight custom locks and a small moat in front of the building with an alligator. No one’s getting through that door unless they’re authorized. My buddy was here and I was showing off my awesome setup, and we were about to leave and get a pizza and he says, “Hey. Your window’s open.”
And it was true. I’d left my ground-floor window wide open. So much for security.
I confess. That was a parable. (Not an anecdote.) But you see the point: All your random security measures won’t keep you secure unless you first think about the risks that exist, create an overall objective to address those risks, and then make sure your specific security measures will together achieve your objective. If my objective is perimeter defense, all those controls dealing with the front door are inadequate to keep out an intruder if I’m not securing the window too. I should have eliminated most of those locks (and the moat) and used some of the cash to buy a decent window lock. Or have the window alarmed. You get the idea.
That leads us to the topic of Unified Control Frameworks. Back in December 2021, we mentioned them as one of the “Top Compliance Trends for 2022.” We’ve gotten a lot of queries about Unified Control Frameworks since then. Compliance leaders usually think of them as a way to simplify Compliance, and that’s true. But there are other significant benefits to using a Unified Controls Framework.
Let’s talk about:
As a company grows and matures, it will find many different regulations and other frameworks that can enable its business. Each of these regimes has hundreds or thousands of different requirements, and applying these controls can cause friction with business practices. A Unified Control framework harmonizes these requirements, improving a company’s security posture and Compliance posture, while likely reducing the long-term costs of managing controls.
You don’t need to start from scratch to create a Unified Control Framework—there are a number of guides to give you a solid head start. For example, the AICPA has already mapped the trust services criteria (TSC) of SOC 2 to ISO 27001, NIST CSF, GDPR privacy framework, and certain other frameworks. The mapping does not necessarily show the correlation of TSC to all of a particular framework’s controls, but to many of them. Of course, a company known for it’s stellar data-oriented Compliance automation solutions, such as anecdotes, can do the hard work of mapping frameworks for you.
While there are so many benefits to having a Unified Control Framework, here are just 5 ways a UCF can help you:
Traditionally, Compliance was an isolated process. If a company wanted to do business requiring a SOC 2 audit, it had to comply with SOC 2, so implementing controls for that purpose was a project. Then if the company wanted to penetrate the European market, it also had to meet ISO 27001, so that was a separate project. But with the right controls in place under a Unified Control Framework, a company may have multiple frameworks, but their Unified Control Framework allows them to reduce the number of controls they have—often to a fraction of their previous number of controls—in one centralized, organized location. So it’s much easier for the company to manage its Compliance system.
Employees bear the load of providing evidence when a company has an endless series of Compliance projects. It might seem more intuitive, from a management perspective, to have separate controls for each framework, go through an audit, get certification, and repeat the process for the next framework. But to employees, audits represent a huge burden that takes them away from their day jobs. By eliminating duplicative controls, a Unified Control Framework reduces that burden.
The opening parable was simple: anyone who wants their home to be secure knows that all apertures must be secured, windows included. But for a company with thousands of controls, it’s too easy to lose sight of its own control objectives and whether its controls can meet them. Each business is unique, and the frameworks it adopts may not have sufficient controls for the business’s actual security and Compliance needs. Analyzing controls in light of control objectives helps you identify blind spots: Do you have twenty controls that cover one aspect of your control objective but leave other aspects unaddressed? Grouping controls by control objective lets you see beyond the minutiae of each control and focus on their purpose. So you can see if the net result of all your controls is to keep your business secure.
Creating a Unified Controls Framework builds trust within customers and prospects by communicating to them the business’s commitment to security and Compliance. In addition, having a Unified Control Framework means your company is always ready to take advantage of opportunity, and can therefore penetrate more markets and jurisdictions easily, since onboarding another framework is simply a matter of adding it to your Unified Control Framework and then go on working as usual, with possibly a handful of new controls—instead of hundreds or thousands more.
Being able to unify controls, and thus eliminate redundant controls, can save money. In one case, a major bank had to comply with more than fifty different regulations relating to IT and security, a total of nearly 5000 controls. The bank looked to the most robust regulation—call it Reg A—and determined how controls in the other frameworks correlated to Reg A’s controls. The company ended up with only 1200 controls to manage—a 76% reduction in the number of controls, and a 50% reduction in the costs of managing them.
Simple: when your company uses only one Compliance framework. Otherwise, if a company has two or more frameworks, there is likely an overlap in at least 50% of their controls. But what if a company’s Compliance leader really just wants to pass the next audit and not spend more time thinking about controls? The trouble with that approach: without a Unified Control Framework, a company may not mature easily, or it will realize sooner or later that it needs a Unified Control Framework in order to grow, and then implementation will be harder (though probably still possible) to do.
Since having a Unified Control Framework is a hallmark of maturity, the forward-thinking company will create one as soon as it can, preferably when it adopts its second framework. For one thing, the sooner you start, the easier it is to create it because there’s less built-up Compliance infrastructure to unwind. And when you start early with a Unified Control Framework, it becomes baked into the company’s Compliance processes and can grow organically with the company.
Creating a Unified Control Framework yields long-term dividends, in reducing the time and money it takes to manage Compliance. It helps you eliminate redundant controls. You find blind spots and fix them. You ease your employees’ Compliance-related burdens. You build customer trust. And by looking at sources that have already cross-mapped the controls of different frameworks, you can get a head start in creating a Unified Control Framework.
Now, about that window…