Strong, reliable internal controls are an indispensable element of risk management. Properly functioning controls help to identify risks that could cause suffering, damage, harm, or other losses to your organization.
To implement those controls, organizations typically use a control framework to guide their efforts. A critical part of that exercise, in turn, is control mapping — where executives identify the controls they have in place already, and connect those controls to the various risks that might harm their organization or to whatever regulatory obligations the business has.
By mapping controls in risk management, you can see whether the organization has duplicative controls; many do, since different risks or regulatory obligations might require the same control, and different parts of your enterprise might implement the same control without knowing about the others.
Control mapping brings such issues to light, and lets you simplify compliance management: you can find the similarities in diverse control sets, and handle them together.
Benefits of Control Mapping
Control mapping makes it easier to see overlap between various control sets. Conversely, if any gaps exist across the regulatory frameworks or compliance requirements that your company must follow, you can identify those too with control mapping.
You can also identify the minimum security requirements necessary to comply with relevant regulations or contractual agreements, and then harmonize those requirements across multiple frameworks. Control mapping can also help your compliance and internal audit teams to track compliance progress and showcase compliance posture.
Control mapping streamlines the risk management process and reduces the burden on risk management and compliance teams. They can assess internal controls for one regulation, and then map those controls across many frameworks. By assessing controls just once and mapping them, risk teams can save both time and effort.
Lastly, effective control mapping can reveal the company’s current risk posture without getting sidelined by assumptions (“Of course we already have that in place. Like, we must, right?”) that could weaken risk management initiatives.
Step-by-Step to Map Controls in Your Organization
Some organizations struggle to map controls because they feel overwhelmed by the prospect of looking at multiple control sets, standards, and regulatory requirements. It is possible, however, to simplify and streamline your efforts by following the process described below:
Step 1: Build a Strong Risk Culture
Risk culture refers to the values, beliefs, attitudes, and understanding about risk shared by people across the organization. When the risk culture is strong, everyone understands the organization’s risk environment and adheres to risk management policies and practices to protect the organization.
By establishing a strong risk culture, you can be confident that everyone takes responsibility to manage and mitigate risk. Equally important, you can get the enterprise-wide support necessary to map existing controls. Developing a strong risk culture is an important foundational step for effective and streamlined control mapping.
Step 2: Understand Your Risk and Compliance Environment
Every organization faces a different set of risks and is required to comply with various regulations and standards. For example, counterfeiting is a massive risk in the retail industry, while data breaches threaten healthcare and financial services.
On the compliance front, healthcare companies must comply with HIPAA, while businesses that process credit card information must comply with PCI-DSS. Public companies must comply with the Sarbanes-Oxley Act for financial reporting, while companies working with government entities must comply with the NIST standard for cybersecurity. Many companies will need to comply with all those regulations, and more.
So before you start control mapping, understand which compliance frameworks and regulations apply to your industry and organization.
Step 3: Gather Relevant Data
Control mapping is impossible without collecting information about the controls first. Gather this data and place it in a centralized location, where anyone involved in the mapping process can access it.
Centralization provides a single source of truth, increases transparency, and promotes greater accountability. Use technology and software to simplify the data aggregation effort.
Step 4: Check Existing Frameworks
If your organization has already compiled evidence for an existing framework such as HIPAA, PCI-DSS, SOX, or SOC 2, start by mapping that evidence to the framework you are now working toward, so that proof you already hold is reused rather than collected again.
Step 5: Adopt the Secure Controls Framework (SCF)
The SCF is a comprehensive controls catalog that can help you map controls across various regulatory and contractual frameworks. Using it, you can easily combine evidence from similar controls needed across multiple regulations, simplifying the mapping process and control activities.
You can also leverage the SCF’s universal naming conventions, making it easier for multiple people working on the mapping process to collaborate, share information, and showcase proof of compliance.
Best Practices to Simplify Control Mapping
It’s helpful to follow some best practices to streamline the control mapping process. As you start mapping specific controls to compliance efforts, avoid doing it at the regulatory statement level. Instead, map these statements to categories. Then for each category, take the most stringent requirement, and count it as representative of, or satisfying, the entire category.
For example, NIST 800-53 is a robust cybersecurity framework that can scale to match your organization’s risk profile and security needs. Under this framework, the AC-2 control is meant for account management in an information system. You can map AC-2 to other account management controls with the same requirements from ISO, PCI-DSS, HIPAA, etc.
To establish a single consolidated set of controls, or a single control framework, for easier audits, cross-map controls and eliminate redundant ones; that is, controls that are repeated across multiple regulatory authorities or frameworks such as SOX, PCI-DSS, and so forth.
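The three practices above (map statements to categories rather than one by one, take the most stringent requirement per category as representative, then find redundant and missing controls) can be expressed as a small crosswalk script. The following is an added worked example, not code from the original article, from ZenGRC, or from the SCF. The framework names and the NIST 800-53 control AC-2 come from the text; every other control identifier, every numeric threshold (including the value attached to AC-2), the internal controls and their owning teams are constructed sample data, and the three categories with their "lower is stricter" or "higher is stricter" direction are assumptions made for the example.

```python
"""Toy control-mapping crosswalk (constructed example; not real framework data)."""
from dataclasses import dataclass

# Assumed categories. The direction says which value is stricter when two
# frameworks disagree: "min" = smaller is stricter (a review interval in days),
# "max" = larger is stricter (a minimum password length, a retention period).
CATEGORY_RULES = {
    "account_review_interval_days": "min",
    "password_min_length": "max",
    "log_retention_days": "max",
}


@dataclass(frozen=True)
class Requirement:
    framework: str    # source framework named in the article
    control_id: str   # AC-2 is a real NIST control; *-CONSTRUCTED-* ids are made up
    category: str     # harmonised category the statement is mapped to
    value: float      # the measurable requirement, in the category's unit (constructed)


@dataclass(frozen=True)
class InternalControl:
    owner: str        # team that operates the control (constructed)
    control_id: str   # internal identifier (constructed)
    category: str
    value: float      # what the control actually enforces (constructed)


def build_crosswalk(requirements):
    """Step 1: map every regulatory statement to a category, not to other statements."""
    crosswalk = {}
    for r in requirements:
        if r.category not in CATEGORY_RULES:
            raise ValueError(f"unknown category {r.category!r}")
        crosswalk.setdefault(r.category, []).append(r)
    return crosswalk


def most_stringent(crosswalk):
    """Step 2: per category, the one requirement that satisfies every framework in it."""
    chosen = {}
    for category, reqs in crosswalk.items():
        pick = min if CATEGORY_RULES[category] == "min" else max
        chosen[category] = pick(reqs, key=lambda r: r.value)
    return chosen


def satisfies(category, implemented, required):
    """True if what a control enforces meets a framework's value in this category."""
    if CATEGORY_RULES[category] == "min":
        return implemented <= required
    return implemented >= required


def find_duplicates(controls):
    """Step 3a: categories where several teams each run their own control."""
    by_category = {}
    for c in controls:
        by_category.setdefault(c.category, []).append(c)
    return {cat: sorted(c.control_id for c in cs)
            for cat, cs in by_category.items() if len(cs) > 1}


def find_gaps(crosswalk, controls):
    """Step 3b: framework controls that no internal control currently meets.

    Returns category -> list of framework control ids left unsatisfied, judged
    against the strongest internal control in that category."""
    strongest = {}
    for c in controls:
        pick = min if CATEGORY_RULES[c.category] == "min" else max
        strongest[c.category] = pick(strongest.get(c.category, c.value), c.value)
    gaps = {}
    for category, reqs in crosswalk.items():
        unmet = [r.control_id for r in reqs
                 if category not in strongest
                 or not satisfies(category, strongest[category], r.value)]
        if unmet:
            gaps[category] = unmet
    return gaps


# Constructed sample input. Only the framework names and "AC-2" appear in the
# article; the ids marked CONSTRUCTED and all numbers are invented for the demo.
REQUIREMENTS = [
    Requirement("NIST SP 800-53", "AC-2", "account_review_interval_days", 180),
    Requirement("ISO 27001", "ISO-CONSTRUCTED-1", "account_review_interval_days", 90),
    Requirement("PCI-DSS", "PCI-CONSTRUCTED-1", "account_review_interval_days", 180),
    Requirement("PCI-DSS", "PCI-CONSTRUCTED-2", "password_min_length", 12),
    Requirement("ISO 27001", "ISO-CONSTRUCTED-2", "password_min_length", 8),
    Requirement("SOX", "SOX-CONSTRUCTED-1", "log_retention_days", 365),
]

INTERNAL_CONTROLS = [
    InternalControl("IT Ops", "IT-ACC-01", "account_review_interval_days", 90),
    InternalControl("Finance", "FIN-ACC-07", "account_review_interval_days", 120),
    InternalControl("IT Ops", "IT-PWD-02", "password_min_length", 10),
    # deliberately no log-retention control, so that category shows up as a gap
]

if __name__ == "__main__":
    crosswalk = build_crosswalk(REQUIREMENTS)
    for cat, req in most_stringent(crosswalk).items():
        print(f"{cat}: satisfy {req.framework} {req.control_id} ({req.value})")
    print("duplicate internal controls:", find_duplicates(INTERNAL_CONTROLS))
    print("gaps:", find_gaps(crosswalk, INTERNAL_CONTROLS))
```

Two things the numbers make visible that the prose only asserts: the "most stringent" rule is direction-dependent, so the script has to know per category whether a smaller or a larger value is stricter, and a gap is only declared against the strongest control the organization already runs, so the two account-review controls are reported as a consolidation candidate rather than as a gap, while the 10-character password control is reported as unsatisfied only for the framework that demands 12.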
Many existing online resources are available to assist with the mapping process. For example, numerous regulators map their controls to the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, and provide mapping data on their websites.
Why Controls Should be Mapped to Both Risks and Compliance Requirements
Sometimes risk managers fall into a practice of “checking the box” when going through compliance and regulatory requirements. Experts warn against that check-the-box mentality. They advocate for making security decisions based on sound risk management, contending that risk-based decisions will result in a more compliant environment.
Easier said than done, however. Although an organization may manage risk well, it may still fall short of compliance requirements. Perhaps the company hasn’t documented its processes or mitigation measures properly for an audit. Maybe some compliance requirements haven’t been identified as key risks for the organization.
It’s also possible that the organization may have a significant risk exposure that isn’t addressed in any compliance or regulatory requirements. As a result, risk management and compliance — which are both important — are not equal. Therefore it’s critical to map controls to both risks and compliance requirements.
Include ZenGRC in Your Risk Management Plans
Streamline enterprise risk management with ZenGRC. This integrated governance, risk, and compliance tool helps you track and manage risks, regulations, and audits.
Its single source of truth repository centralizes all documentation for easy retrieval at audit time. Identify where you are compliant with applicable regulations and standards and where you fall short.
Automated workflows and reminders allow risk managers to assign and track tasks to completion with minimal effort. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.
Talk to the Reciprocity team if you want more information on ZenGRC.