Organizations in 2020 are required to keep up with multiple data privacy regulations (e.g. GDPR, CCPA ) and voluntary cybersecurity compliance frameworks (e.g. SOC 2, ISO 27001). While frameworks like SOC 2, GDPR, and ISO 27001 are designed to protect individuals and companies, their complex requirements present a sizable and expensive challenge to the organizations that must comply.
Over the course of 2018 and 2019, Hyperproof’s leaders talked to over 180 individuals responsible for information security and compliance within their organizations to better understand the challenges they face in managing compliance requirements. One major challenge compliance teams ran into again and again is that they tended to do a lot of duplicative work in order to meet multiple regulatory standards.
While it isn’t super-complex for an organization to manage two or three IT compliance frameworks, that complexity grows exponentially when a compliance team has to manage five, eight or ten different frameworks. With Hyperproof’s new Crosswalks and JumpStart features, organizations are able to simplify compliance projects by consolidating compliance requirements, thus eliminating repetitive work needed to meet multiple compliance standards.
The Complexities of Keeping up With Multiple Compliance Standards
Experienced GRC professionals are well aware of the fact that various cybersecurity compliance standards have overlapping requirements. For instance, many cybersecurity frameworks have requirements around change management; they ask organizations to govern change in a sustainable and ongoing manager that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
By identifying common requirements across multiple frameworks, a compliance team would be able to design and manage a smaller set of internal controls, save time when gathering evidence for audits (no need to gather the same evidence five times for five audits), and reuse existing controls and evidence files when they need to demonstrate compliance against additional frameworks.
By saving time across these processes, compliance teams would gain time back to focus on other strategic, risk mitigation projects.
Yet, identifying common requirements and common controls is difficult in practice. When compliance teams keep track of compliance requirements in spreadsheets, mapping out the relationships between all requirements quickly becomes overwhelming.
Given how much of a hassle it is to complete the mapping exercise, most compliance teams end up tackling compliance frameworks one at a time, thus repeating a lot of administrative work when they need to adhere to the next framework (e.g., re-creating controls that already exist and re-collecting evidence).
Hyperproof’s Crosswalks and JumpStart features are built to help organizations accelerate their efforts to meet multiple programs.
Hyperproof CrossWalks Eliminates Duplicative Work
Hyperproof has completed the mapping between requirements within various cybersecurity frameworks to help you jumpstart your efforts to adhere to multiple compliance programs. Thus far, we’ve lit up crosswalks between these frameworks:
- SOC 2
- ISO 27001
- NIST Privacy Framework 1.0
- NIST 80053 rev4
- NIST 800171 rev2
The mapping follows the Secure Controls Framework (SCF), a framework developed by Compliance Forge. The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address the strategic, operational, and tactical needs of organizations, regardless of their size, industry, or country of origin. It has 32 domains and approximately 750 controls that are categorized within these domains to make it easier to manage. The SCF looks at the following spheres of influence to identify applicable controls:
- Statutory Obligations These are US state, federal, and international laws
- Regulatory Obligations These are requirements from regulatory bodies or governmental agencies
- Contractual Obligations These are requirements that are stipulated in contracts, vendor agreements, etc.
- Industry-Recognized Leading Practices These are requirements that are based on an organization’s specific industry.
We plan to add more crosswalks in the next few months and will continue to make new crosswalks available over time. With a tool that does the mapping for you, you can save time and money up front, and manage your compliance program more effectively in the long run by better prioritizing your work and focusing your efforts in areas where you have gaps.
When you create a new compliance framework, Hyperproof automatically shows you suggested controls you could use to meet requirements based on the controls you’ve already built out in Hyperproof.
Meet New Compliance Standards Faster
Hyperproof enables you to see the gaps between your existing control set, and what would be needed to adopt leading cybersecurity frameworks like NIST SP 800 series or the ISO 27000 series. Specifically, our JumpStart algorithm runs in the background and tells you the percentage overlap between requirements in your existing programs versus a new program you’re considering.
For instance, if you’ve already implemented SOC 2 and ISO 27001 and you’re thinking about implementing ISO27701:2019, Hyperproof will estimate how close you are to building out ISO27701:2019 using the existing controls in other programs, based on related requirements. You can use the JumpStart percentage to assess which program will tackle next.
Reuse Evidence Across Audits
Once you have a consolidated set of compliance requirements and controls, gathering evidence for compliance audits becomes a lot simpler. Once, you’ve uploaded evidence for all of your requirements for one framework such as SOC 2, this evidence is automatically applied to all other frameworks that share the same requirements. Collect evidence once instead of multiple times for multiple audits a year.
Streamline Key Processes in Your Compliance Programs
Crosswalks and Jumpstart aren’t the only features that can make your compliance programs easier to manage. Hyperproof comes with a number of other features that enable greater efficiency, including:
- Integrations with file storage systems where evidence is stored and productivity tools
- Collaboration capabilities between compliance managers, control operators, senior leaders, and external auditors (as a replacement for using email)
- Automated reminders to review controls and evidence
- Smart folders and labels to easily organize the evidence and efficiently reuse it across controls
If you’re looking for a better way to manage your compliance programs effectively at scale, we’d love to connect with you and provide you with a personalized demo.