One of the biggest challenges faced by compliance officers, CISOs, and CROs in today’s world is complying with various standards available in the market. There was a time when fulfilling one ISO standard was considered more than sufficient—but that is not enough in today’s society. To stay competitive, you need to be compliant with various regulations and standards like HIPAA, Sarbanes-Oxley (SOX), ISO 27001:2013, ISO 22301, NIST, PCI-DSS—and the list goes on.
Now, we face the challenge of managing compliance with all these standards within the organization. Does this mean that with the implementation of each standard, we should keep adding more and more controls to our environment? And by doing so, are we going to make the environment and its users more efficient, or will this further complicate compliance by overburdening everyone?
The answer to all the above questions is simple: Controls Harmonization.
What is Controls Harmonization?
Controls Harmonization is not a term commonly used in organizations, but if it is implemented well, it can help an organization in many ways. It is a technique in which compliance experts review the requirements of each standard clause by clause and define a comprehensive list of controls to implement. The idea is to identify common requirements and a common set of controls (often called generic controls) that can be implemented to meet all of them.
For example, most of the standards today call for conducting a risk assessment and documenting and tracking the results. Instead of having different controls to meet different standards, you can define a single control as “Perform risk assessment per the organization risk framework and share trackable risk assessment results.” By doing this, you have defined and implemented one single control that makes you compliant with standards like NIST SP 800-53, PCI DSS 3.0, ISO 27001:2013, etc. This newly defined control is called a “harmonized control,” and the overall process is known as “controls harmonization.”
This concept can be easily applied to areas such as Incident Management, Business Continuity Management, monitoring of security logs, anti-virus implementation, information classification, and more.
Benefits of Controls Harmonization
- Improved compliance posture of the organization
- Well-defined controls
- Compliance with multiple standards using a minimal set of harmonized controls
- Cost-effective for the organization
- Streamlined controls are easy to change or remove
- Supports faster decision-making
- Easy to maintain compliance with various standards
- Gives flexibility to introduce a new standard
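To make the clause-by-clause mapping and the benefits above concrete, here is an added example (not code from the original post or from any GRC product) that keeps a small harmonized controls library, maps clauses from several standards onto it, and derives three things from one self-assessment: a per-standard compliance index, the clauses that fail when a single harmonized control fails, and the clauses still uncovered after a new standard is added. The control IDs and sample data are constructed for illustration, and the clause labels are abbreviated.

```python
from collections import defaultdict

# Constructed sample data: a small harmonized controls library and the
# clause-to-control mapping a reviewer builds clause by clause.
HARMONIZED_CONTROLS = {
    "HC-01": "Perform risk assessment per the organization risk framework "
             "and share trackable risk assessment results",
    "HC-02": "Classify and label information per the classification scheme",
    "HC-03": "Log security events centrally and review them on a schedule",
}

# (standard, clause, harmonized control that satisfies it); None = gap
REQUIREMENT_MAP = [
    ("NIST SP 800-53", "RA-3 Risk Assessment", "HC-01"),
    ("PCI DSS 3.0", "12.2 Risk-assessment process", "HC-01"),
    ("ISO 27001:2013", "6.1.2 Information security risk assessment", "HC-01"),
    ("HIPAA", "164.308(a)(1)(ii)(A) Risk analysis", "HC-01"),
    ("ISO 27001:2013", "A.8.2 Information classification", "HC-02"),
    ("NIST SP 800-53", "RA-2 Security Categorization", "HC-02"),
    ("PCI DSS 3.0", "10.6 Review logs and security events", "HC-03"),
    ("ISO 27001:2013", "A.12.4.1 Event logging", "HC-03"),
    ("HIPAA", "164.312(b) Audit controls", "HC-03"),
    ("HIPAA", "164.310(a)(1) Facility access controls", None),  # not yet mapped
]


def compliance_index(assessment):
    """Share of each standard's clauses met, given one self-assessment of the
    harmonized controls (dict HC id -> True/False). A clause with no
    harmonized control counts as unmet, so unmapped clauses lower the index."""
    met, total = defaultdict(int), defaultdict(int)
    for standard, _clause, hc in REQUIREMENT_MAP:
        total[standard] += 1
        if hc is not None and assessment.get(hc, False):
            met[standard] += 1
    return {s: round(met[s] / total[s], 2) for s in total}


def blast_radius(hc_id):
    """Clauses, grouped by standard, that fail if one harmonized control
    fails: the reverse view that makes changing or removing a control safe."""
    affected = defaultdict(list)
    for standard, clause, hc in REQUIREMENT_MAP:
        if hc == hc_id:
            affected[standard].append(clause)
    return dict(affected)


def gaps():
    """Clauses not covered by any harmonized control, e.g. after a new
    standard has been added to the map."""
    return [(s, c) for s, c, hc in REQUIREMENT_MAP if hc is None]


if __name__ == "__main__":
    results = {"HC-01": True, "HC-02": True, "HC-03": False}
    print(compliance_index(results), blast_radius("HC-03"), gaps())
```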
Next Steps: How to Measure Compliance
Once you have harmonized the controls, you can easily use one of the GRC products available in the market to assess your Organization Compliance Index. TruOps, our industry-leading GRC solution, helps you do this simply and efficiently. You can define the various controls implemented within the organization in the controls library and then run a self-assessment against them. TruOps also comes with a pre-defined controls library for your use. All assessments triggered are risk-based, allowing you not just to assess your compliance posture but also to identify risks and manage them. To learn more about TruOps and have a one-on-one conversation with one of our GRC experts, schedule a demo here.