Heavily regulated companies spend a lot of time mapping and creating new business processes to meet compliance requirements. This is especially frustrating for businesses that face multiple compliance requirements.
We see this often in the financial technology (FinTech) and healthcare technology (HIT) space. Companies like these have an almost unmanageable number of regulatory frameworks to navigate. (SOC 2, ISO 27001, GLBA, HIPAA, HiTrust, SLAs, OCR, Customer Audits, and Bank Audits to name a few).
Tyically, the natural course of action is to handle each compliance requirement individually. This means that someone is almost continuously attempting to map processes to the respective compliance requirement, gather audit evidence from operations personnel, and play interference with auditors.
This strategy is costly, disruptive, and very frustrating.
Unified Control Framework
What isn’t obvious is that almost all of the various compliance requirements overlap – sometimes nearly 100% overlap. Check out this mapping we put together for SOC 2, HIPAA, PCI, NIST 800-53, and ISO 27001 for example:
That means that if your company is aligned with ISO 27001, for example, you may already meet (or almost meet) compliance requirements for a half-dozen other frameworks.
Developing a Unified Control Framework (UCF) simply means that you document all of your existing processes in a way that makes sense to your company and map those processes to your company’s various compliance requirements. It becomes a custom-fit internal control framework.
Benefits of creating a UCF
1 | Focuses on well-defined processes rather than “meeting compliance requirements.”
2 | Consistent numbering scheme (compliance frameworks change all the time).
3 | Easier to manage who owns each process, what they are responsible for, and why.
4 | Simplifies compliance management to one set of controls.
5 | Creates a consistent mechanism to communicate with external auditors and business partners.
Let’s Get Started
If your company needs help navigating security and compliance requirements (or if you want a copy of our mapping spreadsheet) – take the next step and contact us. We can help develop a strategy to simplify security and compliance requirements (and even get rid of PBC lists by using inview).