I’ve got a lot of stuff. So in order to keep it all safe and secure, I’ve got this great alarm system on my front door. Also: eight custom locks and a small moat in front of the building with an alligator. No one’s getting through that door unless they’re authorized. My buddy was here and I was showing off my awesome setup, and we were about to leave and get a pizza and he says, “Hey. Your window’s open.”
And it was true. I’d left my ground-floor window wide open. So much for security.
I confess. That was a parable. (Not an anecdote.) But you see the point: All your random security measures won’t keep you secure unless you first think about the risks that exist, create an overall objective to address those risks, and then make sure your specific security measures will together achieve your objective. If my objective is perimeter defense, all those controls dealing with the front door are inadequate to keep out an intruder if I’m not securing the window too. I should have eliminated most of those locks (and the moat) and used some of the cash to buy a decent window lock. Or have the window alarmed. You get the idea.
That leads us to the topic of Unified Control Frameworks. Back in December 2021, we mentioned them as one of the “Top Compliance Trends for 2022.” We’ve gotten a lot of queries about Unified Control Frameworks since then. Compliance leaders usually think of them as a way to simplify Compliance, and that’s true. But there are other significant benefits to using a Unified Control Framework.
As a company grows and matures, it will find many different regulations and other frameworks that can enable its business. Each of these regimes has hundreds or thousands of different requirements, and applying these controls can cause friction with business practices. A Unified Control Framework harmonizes these requirements, improving a company’s security posture and Compliance posture, while likely reducing the long-term costs of managing controls.
You don’t need to start from scratch to create a Unified Control Framework; there are a number of guides to give you a solid head start. For example, the AICPA has already mapped the trust services criteria (TSC) of SOC 2 to ISO 27001, NIST CSF, GDPR, and certain other frameworks. The mapping does not necessarily show the correlation of TSC to all of a particular framework’s controls, but to many of them. Of course, a company known for its stellar data-oriented Compliance automation solutions, such as anecdotes, can do the hard work of mapping frameworks for you.
While there are so many benefits to having a Unified Control Framework, here are just 5 ways a UCF can help you:
Traditionally, Compliance was an isolated process. If a company wanted to do business requiring a SOC 2 audit, it had to comply with SOC 2, so implementing controls for that purpose was a project. Then if the company wanted to penetrate the European market, it also had to meet ISO 27001, so that was a separate project. With the right controls in place under a Unified Control Framework, a company can still have multiple frameworks while reducing the number of controls it has, often to a fraction of the previous number, and keeping them in one centralized, organized location. So it’s much easier for the company to manage its Compliance system.
Employees bear the load of providing evidence when a company has an endless series of Compliance projects. It might seem more intuitive, from a management perspective, to have separate controls for each framework, go through an audit, get certification, and repeat the process for the next framework. But to employees, audits represent a huge burden that takes them away from their day jobs. By eliminating duplicative controls, a Unified Control Framework reduces that burden.
The opening parable was simple: anyone who wants their home to be secure knows that all apertures must be secured, windows included. But for a company with thousands of controls, it’s too easy to lose sight of its own control objectives and whether its controls can meet them. Each business is unique, and the frameworks it adopts may not have sufficient controls for the business’s actual security and Compliance needs. Analyzing controls in light of control objectives helps you identify blind spots: Do you have twenty controls that cover one aspect of your control objective but leave other aspects unaddressed? Grouping controls by control objective lets you see beyond the minutiae of each control and focus on their purpose. So you can see if the net result of all your controls is to keep your business secure.
Creating a Unified Control Framework builds trust with customers and prospects by communicating to them the business’s commitment to security and Compliance. In addition, having a Unified Control Framework means your company is always ready to take advantage of opportunity, and can therefore penetrate more markets and jurisdictions easily, since onboarding another framework is simply a matter of adding it to your Unified Control Framework and then going on working as usual, with possibly a handful of new controls instead of hundreds or thousands more.
Being able to unify controls, and thus eliminate redundant controls, can save money. In one case, a major bank had to comply with more than fifty different regulations relating to IT and security, a total of nearly 5000 controls. The bank looked to the most robust regulation—call it Reg A—and determined how controls in the other frameworks correlated to Reg A’s controls. The company ended up with only 1200 controls to manage—a 76% reduction in the number of controls, and a 50% reduction in the costs of managing them.
Simple: when your company uses only one Compliance framework. Otherwise, if a company has two or more frameworks, there is likely an overlap in at least 50% of their controls. But what if a company’s Compliance leader really just wants to pass the next audit and not spend more time thinking about controls? The trouble with that approach: without a Unified Control Framework, a company may not mature easily, or it will realize sooner or later that it needs a Unified Control Framework in order to grow, and then implementation will be harder (though probably still possible) to do.
Since having a Unified Control Framework is a hallmark of maturity, the forward-thinking company will create one as soon as it can, preferably when it adopts its second framework. For one thing, the sooner you start, the easier it is to create it because there’s less built-up Compliance infrastructure to unwind. And when you start early with a Unified Control Framework, it becomes baked into the company’s Compliance processes and can grow organically with the company.
Creating a Unified Control Framework yields long-term dividends, in reducing the time and money it takes to manage Compliance. It helps you eliminate redundant controls. You find blind spots and fix them. You ease your employees’ Compliance-related burdens. You build customer trust. And by looking at sources that have already cross-mapped the controls of different frameworks, you can get a head start in creating a Unified Control Framework.
Now, about that window…