Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.
When planning a compliance program, you don’t want to make the mistake of planning for each individual standard you want to, or need to, comply with.
For example, a company may have ISO27000 certification requirements coupled with compliance to PCI DSS and GDPR. There would be so much duplication of effort if you followed the path of treating each requirement as an individual project.
Each standard you want to comply with, or apply to your organisation, must flow up into one overarching compliance program. And there are multiple reasons why that will work in your favour. The first being the synergies between standards that can reduce duplication and effort. This is just a subset of standards across the world that exist today.
After some extensive research we were able to find direct mapping tools or documents between the standards, or documents showing some correlation between the standards, as represented by the dotted lines.
So, revisiting our earlier example of a company with ISO27000, PCI DSS and GDPR requirements you can see here:
- PCI DSS and GDPR both map to ISO27001 controls so you have a commonality between everything.
- You can use those mapping tools in the development of a project plan where a single deliverable could cover all 3 standards.
Mappings, rolled up to a common program, are even more important if the assessment cycles of each standard are also different. For example, PCI DSS is assessed annually whereas ISO27001 may be performed in 3-year cycles with surveillance audits each year. Not worrying about a recertification of ISO27001 for 3 years until just before hand isn’t going to help with keeping compliance under control. But PCI DSS requirements do map to ISO27001 clauses so if you plan it right maintaining one can help maintain the other consistently.
Some of the mapping tools and documents out there are outstanding and really help with your planning, such as the CIS Controls Navigator. It’s an online tool where you can add or remove other standards and see how they map to the CIS Controls version 7, or the latest version 8.
The takeaway here is don’t re-invent the wheel. Take advantage of mapping tools and find synergies between your compliance standards to avoid duplication of effort.
