Simplify Compliance by Creating One Set of Controls to Manage Risk (Unified Control Framework)

Heavily regulated companies spend a lot of time mapping existing business processes, and creating new ones, to meet compliance requirements. This is especially painful for businesses subject to several sets of requirements at once.

We see this often in the financial technology (FinTech) and healthcare technology (HIT) space. Companies like these have an almost unmanageable number of regulatory, contractual, and audit requirements to navigate: SOC 2, ISO 27001, GLBA, HIPAA, HITRUST, customer SLAs, OCR audits, customer audits, and bank audits, to name a few.

Typically, the natural course of action is to handle each compliance requirement individually. This means that someone is almost continuously mapping processes to the requirement at hand, gathering audit evidence from operations personnel, and running interference with auditors.

This strategy is costly, disruptive, and very frustrating.

Unified Control Framework

What isn’t obvious is that the various compliance requirements overlap heavily, sometimes almost completely. Check out this mapping we put together for SOC 2, HIPAA, PCI DSS, NIST 800-53, and ISO 27001, for example:

That means that if your company is aligned with ISO 27001, for example, you may already meet (or almost meet) compliance requirements for a half-dozen other frameworks.

Developing a Unified Control Framework (UCF) simply means documenting all of your existing processes in a way that makes sense to your company and mapping each process to the compliance requirements it satisfies. The result is a custom-fit internal control framework: one set of controls, each with an owner and a defined body of evidence, cited by every framework that asks for it.
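The following is an added example, not the author’s mapping spreadsheet or any code from the original post, showing the shape a UCF takes once it is written down as data rather than prose. Each internal control carries a stable UCF id, an owner, the evidence its process produces, and the external requirements it is mapped to. The two controls, their evidence lists, and the framework citations are constructed for illustration (check every citation against the current edition of the relevant framework before using it with an auditor). The helper functions answer the questions a UCF exists to answer: which internal control satisfies a given external requirement, which requirements on an auditor’s list have no control yet, what evidence to gather once for a whole audit, and which controls are shared between two frameworks.

```python
# Added example (not from the original post): a minimal Unified Control
# Framework as data, plus the lookups a compliance owner needs from it.
# Control wording, evidence, and framework citations are constructed for
# illustration; confirm citations against the current framework editions.
from collections import defaultdict

# One entry per internal control. The UCF id is the stable key that every
# external framework is mapped onto, so it survives framework revisions.
UCF = {
    "UCF-AC-01": {
        "title": "Privileged access is requested, approved, and reviewed quarterly",
        "owner": "IT Operations",
        "evidence": ["access-request tickets", "quarterly access review sign-off"],
        "maps_to": {
            "ISO 27001": ["A.9.2.3"],
            "NIST 800-53": ["AC-6"],
            "PCI DSS": ["7.1"],
            "HIPAA": ["164.312(a)(1)"],
            "SOC 2": ["CC6.1"],
        },
    },
    "UCF-LG-01": {
        "title": "Security-relevant events are logged centrally and retained for one year",
        "owner": "Security Engineering",
        "evidence": ["SIEM retention configuration", "sample log export"],
        "maps_to": {
            "ISO 27001": ["A.12.4.1"],
            "NIST 800-53": ["AU-2"],
            "PCI DSS": ["10.1"],
            "HIPAA": ["164.312(b)"],
            "SOC 2": ["CC7.2"],
        },
    },
}


def requirement_index(ucf=UCF):
    """Invert the mapping: (framework, requirement) -> [UCF control ids]."""
    idx = defaultdict(list)
    for cid, ctl in ucf.items():
        for fw, reqs in ctl["maps_to"].items():
            for req in reqs:
                idx[(fw, req)].append(cid)
    return idx


def controls_for(framework, requirement, ucf=UCF):
    """Internal controls an auditor should be pointed at for one requirement."""
    return requirement_index(ucf).get((framework, requirement), [])


def gaps(framework, required, ucf=UCF):
    """Requirements from an auditor's list that no internal control is mapped to."""
    idx = requirement_index(ucf)
    return sorted(req for req in required if (framework, req) not in idx)


def evidence_for(framework, ucf=UCF):
    """Evidence to collect once for an audit against `framework`, deduplicated."""
    items = set()
    for ctl in ucf.values():
        if framework in ctl["maps_to"]:
            items.update(ctl["evidence"])
    return sorted(items)


def shared_controls(fw_a, fw_b, ucf=UCF):
    """Controls that satisfy requirements in both frameworks: the overlap the post describes."""
    return sorted(cid for cid, ctl in ucf.items()
                  if fw_a in ctl["maps_to"] and fw_b in ctl["maps_to"])


if __name__ == "__main__":
    print(controls_for("PCI DSS", "10.1"))
    # Constructed auditor request list; "12.1" has no mapped control here.
    print(gaps("PCI DSS", ["7.1", "10.1", "12.1"]))
    print(evidence_for("HIPAA"))
    print(shared_controls("ISO 27001", "SOC 2"))
```

The `gaps` function is the useful part in practice: run it against each framework’s full requirement list and the output is the work actually left to do, rather than a fresh mapping exercise per audit. Whether a control applies to a given system is a separate, risk-based decision; this data only records which controls exist and what they satisfy.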

Benefits of creating a UCF

1 | Focuses on well-defined processes rather than “meeting compliance requirements.”
2 | Consistent numbering scheme that survives revisions to the external frameworks (which change all the time).
3 | Easier to manage who owns each process, what they are responsible for, and why.
4 | Simplifies compliance management to one set of controls.
5 | Creates a consistent mechanism to communicate with external auditors and business partners.

Let’s Get Started

If your company needs help navigating security and compliance requirements (or if you want a copy of our mapping spreadsheet), take the next step and contact us. We can help develop a strategy to simplify security and compliance requirements (and even get rid of prepared-by-client (PBC) lists by using inview).

2 thoughts on “Simplify Compliance by Creating One Set of Controls to Manage Risk (Unified Control Framework)”

  • Christian, I enjoy following your posts. I’d add two points: 1) COBIT 5 is a great starting point for cross-framework control mapping, as ISACA has already mapped it to many other standards (but not all). 2) A common control framework is certainly critical to sustainable policy and regulatory compliance, but it can have unintended consequences. I’ve seen organizations then push the entire common framework to their entire environment, rather than taking a risk-based approach to selecting which “common” controls apply to which applications. As you could guess, the efforts failed.

  • Chris, that is a great point. It shouldn’t be inflexible, for sure. I guess the approach should be that controls should be “your controls” not controls driven by a given compliance requirement.
