According to Tenable, over 44% of organizations use more than one security framework. Mapping controls from one framework to another is complex and adding to the complexity is the ambiguity of terms across the frameworks. Some frameworks have defined controls to follow, while others offer guidelines. At PolicyCo, we have created a mapping system that standardizes the terminology allowing us to easily map more than one framework to a procedure, policy, or piece of evidence. This required us to dissect the nuanced differences between the security frameworks allowing an organization to follow multiple frameworks while reducing the redundancy across an organization’s cybersecurity program. Below is the glossary of terms specific to mapping security frameworks back to the evidence, policies, and procedures.
Standards: Specifications that similar organizations can use to ensure materials, products, processes, and services meet industry best practices Clauses: Sections containing specific requirements and processes. Controls: Safeguards to reduce security risks
Criteria: An individual specification Category: Sections containing a set of specific criteria related to an aspect of the security program Internal Control: An organization’s objectives to protect information security
Category: Section containing specifications and objectives for information security and risk management Domain: Organized sections based on standard IT organizational structure Objective: Statement of the intended result Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be management operational, technical, or legal Reference: An individual requirement/ control
Function: Organized cybersecurity activities and outcomes Category: A subdivision of a function that contains cybersecurity objectives Subcategory: Outcome driven statements and security controls Informative References: Detailed technical resources used to support implementing subcategories
Goal: Organized section of requirements that state the intended result Requirement: Organized sections of security protocols/controls for securing data Sub-requirements: The specific security control for obtaining data Compensating Control: A similar method for adhering to the requirement utilized when an entity cannot meet the requirement as expressly stated Guidance: The core purpose of the requirement and additional content to assist in the definition of the requirement
Manage Multiple Frameworks with PolicyCo
Cybersecurity compliance can be overwhelming; hopefully, we’ve cleared up some confusion on the language used by some of the most popular frameworks. If you are struggling with managing multiple cybersecurity frameworks, PolicyCo can help. Our platform streamlines compliance processes across frameworks for organizations, and our vCISO team has extensive experience developing cohesive policy language from a variety of framework controls. Contact us for more information.