Getty Images/iStockphoto
How mapping security controls can ease the compliance burden
Being able to map cybersecurity controls to applicable standards and regulations can make compliance work less complicated – especially when automation and AI come into play.
CISOs and their teams are expected to demonstrate compliance with a range of regulations, frameworks and standards. With an alphabet soup of frameworks -- NIST, ISO, PCI DSS, HIPAA, GDPR and many other country- or sector-specific mandates -- there is a growing risk of duplicating effort, control gaps and audit fatigue.
CISOs can simplify governance by mapping security controls to the various domestic and international standards and regulations addressing cybersecurity through a unified control architecture.
Why control mapping matters
Enterprises that are required to demonstrate regulatory compliance must prove how they comply. In addition to a variety of audit tests, a map of the controls being used and the corresponding standards is an important piece of audit evidence.
Without a control map, CISOs and their teams can face redundant efforts when connecting controls to specific requirements, a lack of consistent application of controls within the enterprise and additional work gathering evidence for an audit.
Security teams can save time and effort by building a structured map of controls and requirements, consolidating all mapping into a single assessment. This helps strengthen cyber resilience by establishing a holistic baseline.
How to build a control-mapping strategy
Prior to preparing a control/standard map, define the overall strategy. This helps CISOs, auditors and regulators assess and verify compliance, minimizes duplication and enhances governance. The key is to define scope, establish a baseline control language and create a flexible and reusable mapping model. Adding AI to the process helps accelerate map preparation and assists with ongoing maintenance.
Obtain the most relevant and authoritative sources. Among the most important are:
- NIST CSF (Cyber Security Framework). This framework provides guidance across a broad range of cybersecurity issues; implementation is voluntary.
- NIST SP 800-53. Designed for government use, these cybersecurity controls can be used by the private sector. Implementation is voluntary but considered essential for demonstrating compliance.
- ISO/IEC 27001. This is the global cybersecurity standard; compliance must be officially demonstrated.
- CIS Controls. Developed by the U.S. Center for Internet Security, there are 18 specific controls to address; implementation is voluntary.
- SOC 2 Security Controls. Developed to comply with the AICPA's Trust Services Criteria, these are auditable controls.
- HIPAA. The HIPAA security controls, which are mandatory in healthcare, can be applied in many industries; compliance must be officially demonstrated.
- PCI DSS. The Payment Card Industry Data Security Standard is a mandatory requirement for organizations in the payment industry; it has six control objectives that delineate 12 specific requirements.
- FedRAMP. Based on NIST SP 800-53, these mandatory controls were designed for cloud service providers that handle federal data.
- CMMC. The Cybersecurity Maturity Model Certification was developed by the U.S. Defense Department to protect critical government data used by contractors.
- GPPR. The EU General Data Protection Regulation specifies how data generated and used by EU member nations and other nations that work with EU member states is protected from unauthorized use; compliance must be officially demonstrated.
Once the relevant requirements have been identified, develop a standard control language and taxonomy. Next, create a crosswalk or other approach where relevant data can be identified and used to support audits, prepare regulatory reporting and facilitate internal governance. Be sure to include information in the map that details evidence sources, e.g., origin and rationale.
Step-by-step approach
Follow these steps to establish your control mapping.
- Define scope. Begin by identifying the standards, regulations, frameworks and internal policies to be mapped.
- Build a catalog of cybersecurity controls. While there might be dozens of individual controls, try to group them in specific categories, such as access control and incident response.
- Pick your mapping approach. This can include 1:1 (one control to one standard), partial mapping (one standard to many controls) or thematic mapping (grouping controls into categories, such as access control).
- Define mapping criteria. Set rules for how to develop mapping. Include factors such as intent, outcomes, safeguards or requirements for evidence.
- Complete and document the mapping. Given the time it takes to complete a map, consider using internal experts dedicated to the project, external consultants or AI automation tools.
- Initiate stakeholder validation. Invite representatives from the legal, audit, compliance and engineering groups to review the map's accuracy.
- Launch the map. Once approved, integrate the map into governance, risk and compliance (GRC) workflows; risk assessments; reporting; and audits.
- Use change control to maintain maps. Noting that standards and regulations periodically change, use the change-control process to keep maps up to date.
Overcoming control mapping challenges
When planning and developing a control map, there will be difficulties to overcome. To mitigate them, try to standardize the language and map structure to minimize confusion.
Consistency counts for standards, as well. Depending on the standard, the content might be more general and broad-based, while others could be detailed, so ensure that the language is as consistent as possible. Some standards and regulations, such as HIPAA and GDPR, describe outcomes, whereas others, such as NIST, CIS and SOC 2, provide specific controls. Be ready to update maps with the latest versions as standards, regulations and frameworks change.
In the broader organization, be aware of the impact on other functions. Internal departments, such as security, risk management, compliance and engineering, might have differing views of controls and how controls are applied.
Also be sure to check evidence requirements. Once controls have been mapped, see if there are any variances in evidence requirements.
Tools and technologies
Automated tools can assist with control map development. To streamline the development and maintenance processes, consider tools with AI capabilities.
Some available products include:
- Archer Evolv, a control and regulatory mapping engine.
- CIS Controls Mapping, an Excel-based control mapping crosswalk to NIST, PCI DSS, ISO, HIPAA and SOC 2.
- Drata, an AI-based control mapping and monitoring tool.
- Hyperproof, an AI-based control mapping tool.
- LogicGate Risk Cloud, a tool to develop maps using workflows and mapping templates.
- NIST OSCAL (Open Security Controls Assessment Language), a set of NIST-developed hierarchical, formatted, XML- JSON- and YAML-based formats used for development and assessment of security controls.
- OneTrust, a tool that supports security map development using GDPR, DORA, ISO, NIST, HIPAA and others.
- Secureframe, an automated control mapping tool for SOC 2, ISO, HIPAA and other standards.
- ServiceNow GRC, a tool that includes crosswalk templates and evidence-collection features.
- Tugboat Logic, which is part of OneTrust, offering crosswalks for standards such as SOC 2, ISO and HIPAA.
Editor's note: The author chose to highlight these tools based on independent research, prioritizing anecdotally prominent and well-established offerings with significant user bases. This list is organized alphabetically.
Pros and cons of mapping with automation and AI
Control mapping benefits from automation, and, more specifically, AI-assisted automation. Tasks required for mapping can be streamlined and completed more quickly with AI than through manual approaches and existing mapping applications.
Among the advantages are faster control and standard matching. AI algorithms can analyze control intent across standards and frameworks. Automation also enables a team to use consistent language across different standards. AI can monitor attributes continuously and alerts when standards and regulations are updated.
Other benefits of automated mapping include streamlined map creation; rapid collection of relevant evidence from various sources and event-ticketing systems; streamlined workflows for the control-testing process; real-time version control for control maps and internal controls; and collection of relevant evidence for audit preparation and reporting.
If using automation, note that while AI can gather relevant regulatory and standards documents, it cannot interpret the standard's intent without human review. Also, AI-generated maps could contain errors that would affect compliance. It's up to people to confirm the work produced is accurate and understandable to auditors and regulators.
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.