How to Harmonize a Multi-Framework Security Compliance Program across SOC 2, ISO 27001, PCI DSS, and More

One of the most frustrating problems security and GRC professionals face is managing complex compliance programs across multiple frameworks like SOC 2, ISO 27001, PCI DSS, and the whole alphabet soup of other frameworks. Do these challenges sound familiar?

  • You feel like you are managing 1000 pieces of redundant audit evidence requests
  • You are burning political capital begging people to complete compliance tasks
  • You don't have confidence at any given time whether you are fully compliant or not
  • Different business units are operating in silos and you don't have visibility

Yep, I hear this all the time from colleagues in the industry. It is frustrating to you and frustrating to the business too. The good news is that we have seen first-hand companies that have overcome these challenges (two examples at the end). But before we get into how to solve this problem, let's talk about why you have multiple frameworks to begin with.

Why Companies Have Multiple Frameworks

If you are managing a program with multiple frameworks, I want you to know that you are mission critical to the business. Why? Because you are likely supporting several key objectives. Here are three examples:

  • There are customer contracts that require these frameworks. (You are supporting revenue.)
  • Different industries have different preferences (e.g., some prefer SOC 2, healthcare requires HIPAA or HITRUST, international companies may prefer ISO 27001, etc.). So, for your company to do business in those industry verticals, it has to be compliant. You enable that objective.
  • Companies often make strategic acquisitions, and you inherit the compliance obligations of those acquisitions. You make that possible.

So, if you are feeling discouraged, don't lose sight of the fact that you serve a critical function inside the business. At the same time, also remember that your job is not just to manage these compliance obligations - you also have an important responsibility to manage them efficiently. How do you do that?

That is where multi-framework harmonization comes in. And in this next section I am going to give you the full playbook we follow at risk3sixty to implement it.

4 Steps to Harmonize a Multi-Framework Program

In this section, I am going to give you the 4-step process we follow at risk3sixty to harmonize multi-framework programs. I want to emphasize that these steps are not theory. I am not making this stuff up to write a LinkedIn article about it.

These steps are based on what we have actually done with clients in the real world. If you follow these steps I feel confident you will be able to achieve results like CSG did (saved $1.5M) or Platform did (cut 900 duplicate controls). (I link to interviews with those clients at the end of this article.) In short, this is real-world implementation proven in practice.

Also, as I started writing this article I realized it could be 10,000 words. So, in an effort to avoid writing a full book, I recorded videos for each of these steps to provide a more complete explanation. I encourage you to watch each video and download the free resources referenced in each video.

#1: Governance

Step one is considering how governance should be structured at your organization to harmonize your compliance program. In the lesson below, I cover three important elements of Governance that will help you get the right leadership and oversight in place to effectively govern a harmonized compliance program:

  • Context and Objectives: Understanding context and aligning yourself with the business
  • Governance Program Elements: Establishing a governance program and elements to consider
  • Org Structure: How your security and GRC organizations need to be structured to pull this off

#2: Policy Strategy

Step two is considering how to structure your policies so they support a harmonized compliance program. In the lesson below, I cover three important elements you need to create a policy set that supports a harmonized compliance program:

  • Policy Architecture: How to decide which policies you need and how to structure your policy set
  • Writing Policy: How to write readable policies and get them approved
  • Policy Maintenance: How to store, share, and maintain your policy set

#3: Risk Management

Step three is establishing an effective risk management program. In the lesson below I cover four important elements of risk management that will help you get the right decision makers in the right seats to govern a harmonized program strategy:

  • Governing Body: We will talk about forming an information risk council to formally govern and make risk management decisions
  • Risk Assessments: We will talk about why and how to perform risk assessments
  • Risk-Based Decision Making: We will talk about risk scoring, tracking risks, and making decisions based on risk
  • Project Management: We will talk about why and how to tactically manage risk treatment decisions and the projects that fall out of uncovered risks

#4: Controls Mapping & Automation

The last thing that I want to acknowledge is that there is a whole body of work related to mapping controls across frameworks, managing audit evidence, and continuously monitoring the operating effectiveness of controls. A few thoughts on this:

Control Mapping is Not the Silver Bullet

I think there is a belief that the solution to this problem is mapping your controls across frameworks. While control mapping is an important element, it is not the silver bullet.

Why?

Because control mapping is not an exact science. So much of creating an enterprise control framework comes down to your own judgement, your business-specific processes, and the systems in scope. As a result, a generic control mapping is not enough. Instead, you will need to do some deep thinking about how to genuinely harmonize controls across frameworks, how to get everyone to buy in on the mapping, and how to operationalize the controls going forward.
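As an added illustration (not code from the article, risk3sixty, or fullCircle), here is a small Python script over a constructed control register that shows what a harmonized mapping makes visible: per-framework requirements no control covers, controls that add no coverage beyond another control (the kind of duplicate a consolidation project cuts), and requirements whose evidence is requested more than once. The control names and requirement ids are placeholders, not real clause numbers.

```python
from collections import defaultdict

# Constructed sample register (illustrative placeholders, not real clause numbers):
# each enterprise control -> the framework requirements it is claimed to satisfy.
CONTROLS = {
    "CTRL-01 Quarterly user access review": {"SOC2:R1", "ISO:R1", "PCI:R1"},
    "CTRL-02 Semi-annual access review (PCI team)": {"PCI:R1"},
    "CTRL-03 Annual access review (ISO team)": {"ISO:R1"},
    "CTRL-04 MFA for remote access": {"SOC2:R2", "ISO:R2", "PCI:R2"},
    "CTRL-05 Cardholder data encrypted at rest": {"PCI:R3"},
    "CTRL-06 Annual risk assessment": {"SOC2:R3", "ISO:R3"},
}
# Constructed requirement lists for each in-scope framework.
REQUIREMENTS = {
    "SOC2": {"SOC2:R1", "SOC2:R2", "SOC2:R3", "SOC2:R4"},
    "ISO": {"ISO:R1", "ISO:R2", "ISO:R3"},
    "PCI": {"PCI:R1", "PCI:R2", "PCI:R3", "PCI:R4"},
}


def coverage_gaps(controls, requirements):
    """Per framework, the requirements no control claims: the real audit findings."""
    covered = set().union(*controls.values())
    return {fw: sorted(reqs - covered) for fw, reqs in requirements.items()}


def redundant_controls(controls):
    """Map each control whose requirement set is contained in another control's
    set to that other control. It adds no coverage, only a second evidence
    request, so it is a merge candidate pending the owner's judgement."""
    merges = {}
    for name, reqs in controls.items():
        for other, other_reqs in controls.items():
            if other == name or not reqs <= other_reqs:
                continue
            if reqs == other_reqs and name < other:  # identical sets: flag one side only
                continue
            merges[name] = other
            break
    return merges


def evidence_load(controls):
    """Requirements claimed by more than one control: evidence collected twice per cycle."""
    load = defaultdict(int)
    for reqs in controls.values():
        for req in reqs:
            load[req] += 1
    return {req: n for req, n in sorted(load.items()) if n > 1}
```

On this sample, CTRL-02 and CTRL-03 are both subsumed by CTRL-01, and SOC2:R4 and PCI:R4 have no control at all; the merges are a starting point for the judgement calls the paragraph above describes, not a substitute for them.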

That leads to my second point.

You Probably Need a GRC Platform

Second, you probably need a GRC platform to pull this off. Specific elements like mapping controls, assigning owners, monitoring operation, automating as much as you can, and a lot more - can only be achieved over the long run in a system. While you can get started in Excel, I just haven't seen programs managed very well in the long term without a more sophisticated system.

At risk3sixty, we built fullCircle to do it. And no matter what GRC platform you prefer, these same principles apply. I would encourage you to check out the video below to spark some thoughts on the types of things you might need in a GRC tool.

Two Real World Examples

Okay, now that I have given you the playbook we use to pull off these types of programs, I want you to hear from the practitioners who have actually done it. The two examples below are real risk3sixty customers that accomplished harmonization projects with fantastic results. These are long-form interviews, in their own words, that talk about the journey.

If you don't watch any other video in this article, watch these next two. Meghan and Joey are both outstanding GRC professionals that provide some great insight into what they had to do internally at their companies. I think their story will resonate and inform your own thinking as you take on this type of project.

CSG Saved $1.5M

Platform Cut 900 Duplicate Controls

Conclusion

I hope this article gave you some things to consider as you begin (or continue) to build out a harmonized program. If you would like to talk through what you are doing to get some feedback, or need some help, you can reach out to me anytime.

Monica F.

Cybersecurity Professional Governance Risk and Compliance (GRC)

2 months

I agree


Alexey Shamshur

Liseller Cofounder

3 months

Great insights, Christian! Harmonizing compliance frameworks can drastically reduce redundant efforts and streamline processes. Looking forward to diving into the strategies you've covered.

Ankush sharma

Security Manager, GRC Global team - CISM(Q) | ISO 27001 LA | CC

3 months

Thank you for sharing. Very much appreciated

Tushar Sadana

Crafting Quality & Scalable Code | IT Consultant | Backend Developer | Full Stack Developer | Python | FastAPI

3 months

The continuous audit seasons and redundant controls are real challenges. Christian Hyatt
