Best Practices

The Ambiguity of Compliance Terms

December 14, 2021

According to Tenable, over 44% of organizations use more than one security framework. Mapping controls from one framework to another is already complex, and the ambiguity of terms across frameworks adds to that complexity. Some frameworks define specific controls to follow, while others offer guidelines. At PolicyCo, we have created a mapping system that standardizes the terminology, allowing us to map more than one framework to a single procedure, policy, or piece of evidence. This required us to dissect the nuanced differences between the security frameworks so that an organization can follow multiple frameworks while reducing redundancy across its cybersecurity program. Below is a glossary of the terms used when mapping security frameworks back to evidence, policies, and procedures.


ISO

Standards: Specifications that similar organizations can use to ensure materials, products, processes, and services meet industry best practices


Clauses: Sections containing specific requirements and processes


Controls: Safeguards to reduce security risks


SOC 2

Criteria: An individual specification


Category: Sections containing a set of specific criteria related to an aspect of the security program


Internal Control: An organization’s objective to protect information security


HITRUST

Category: Section containing specifications and objectives for information security and risk management


Domain: Organized sections based on standard IT organizational structure


Objective: Statement of the intended result


Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be operational, technical, or legal


Reference: An individual requirement/control


NIST

Function: Organized cybersecurity activities and outcomes


Category: A subdivision of a function that contains cybersecurity objectives


Subcategory: Outcome-driven statements and security controls


Informative References: Detailed technical resources used to support implementing subcategories


PCI

Goal: Organized section of requirements that state the intended result


Requirement: Organized sections of security protocols/controls for securing data


Sub-requirements: The specific security control for obtaining data


Compensating Control: A similar method for adhering to the requirement utilized when an entity cannot meet the requirement as expressly stated


Guidance: The core purpose of the requirement and additional content to assist in the definition of the requirement


Manage Multiple Frameworks with PolicyCo

Cybersecurity compliance can be overwhelming; hopefully, we’ve cleared up some confusion on the language used by some of the most popular frameworks. If you are struggling with managing multiple cybersecurity frameworks, PolicyCo can help. Our platform streamlines compliance processes across frameworks for organizations, and our vCISO team has extensive experience developing cohesive policy language from a variety of framework controls. Contact us for more information.

Emily McMakin