How to Downsize the Cost of Compliance

Author: Greet Volders, CGEIT, author of COBIT for Small and Medium Enterprises
Date Published: 10 August 2020

The technological developments of the last decades offer organizations many opportunities and possibilities to expand their product portfolio and offer their services in new ways. This requires them to determine how to evolve from paper and manual management to create a reduced workload for preparing external assessments and improving internal controls. As organizations address these challenges, they are simultaneously struggling with numerous questions about reporting on risk and risk management, getting their internal controls in order and keeping the so-called “cost of compliance” within limits.

These organizational issues can be addressed by developing a multicompliance framework (MCF), which is an enabler to reduce the cost and effort of compliance.

The Complexity of Compliance

As every industry continues to grapple with an environment of change and uncertainty, upcoming regulations force an even greater focus on due diligence and transparency. It is increasingly difficult to keep up with all the compliance requirements necessary to be able to deliver the organization’s products and services to market. 

An MCF can help an organization adapt to new norms and regulations in no time. An overview of the concept of the MCF follows.

The principle is twofold: to cover in the MCF all standards and control frameworks with which the organization must comply and to focus on internal controls instead of external audits. Based on all the requirements of the standards, control frameworks, and internal and external regulations, a list of internal controls can be developed. Since there is considerable overlap (figure 1) among the standards and control frameworks, it is possible to work with a list of controls that refer to the requirements of all obligatory standards and control frameworks.

Figure 1—Overlap in Standards, Regulations and Control Frameworks

Internal controls need to be embedded in the organization’s operations to enable the achievement of its strategy and objectives. This is done by mapping the defined internal controls to the organization’s internal policies, processes and other documents. The mapping of the controls, in both directions, is visualized in figure 2.

Figure 2—Mapping To and From Controls

The concept is to check each internal control only once and to have all necessary evidence available for each internal and external audit or assessment.

After the mapping, for each of the standards, a report is made with links to related processes and documents.

Figure 3 shows an example for International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001.

Figure 3—Extract of ISO 27001 Report

ISO 27001:2013 Requirements | Process or Document Name | From
--- | --- | ---
4 Context of the organization | 101 Management Organization | MCF Controls
 | 106 Strategy Development | MCF Controls
4.1 Understanding the organization and its context | 161 Enterprise Risk Management Process | MCF Controls
 | Mission, vision and objectives | ISO 27001 Actions CompanyX
 | Risk Optimisation | Risk Governance and Management
4.2 Understanding the needs and expectations of interested parties | List of Potential Customers | ISO 27001 Actions CompanyX
 | Demands from Regulator | ISO 27001 Actions CompanyX
4.3 Determining the scope of the information security management system | 801 Information Exchange | MCF Controls
 | Policies and Guidance | ISO 27001 Actions CompanyX
 | IT Management Framework | Management of IT
 | Business Process Controls | Management of IT
4.4 Information security management system | 102 Management System | Governance Controls
 | 111 Quality, Security and Privacy Policy | GDPR Controls
 | 112 Security & Privacy by Design Policy | GDPR Controls
 | IT Management Framework | Management of IT
 | Security | Management of IT

These reports can be made available to internal and external auditors without any additional work in the preparation of each audit. 

This concept has several advantages:

  • It results in significant savings to prepare the required documents and evidence for each audit.
  • All information is easily available for all process and control owners who must define or verify compliance with the standards and regulations.
  • There is no need to repeat the collection of evidence for different testing, assessments or audits.
  • It prevents duplicate work.

Compliance as a Service

Voquals developed such an MCF, with a set of predefined example controls that were created based on experience and best practices and that focus on IT-related controls. The MCF covers the most important ISO standards and some data privacy and security control frameworks. For the IT-related processes, the framework covers the 3 latest versions of COBIT® (COBIT® 4.1, COBIT® 5 and COBIT® 2019) and the latest version of ITIL. For each control, a description is provided, including some managerial items such as control owner and frequency. (A set of example controls can be obtained by contacting the author of this article.)

Figure 4 provides an introduction to a list of internal controls, with examples, and the sample text for 1 control: 102—Management System.

Figure 4—MCF Controls and Example Control

From these controls, a link is provided to the requirements of the relevant standards and frameworks, as illustrated in figure 5 with a possible mapping from example control 102.

Figure 5—Mapping from MCF Controls

One control refers to requirements of different regulations. This means that if 2 different regulations require the organization to implement the same control, it is necessary to define that control only once and, more important, to execute and test that control only once. This prevents duplicate work and saves time.
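The two mechanisms described so far, the per-standard report of figure 3 (requirements linked to controls and to the documents mapped to those controls) and the rule that a control required by several standards is defined, executed and tested only once, can be expressed as a small data model. The following Python is an added example written for this page; it is not Voquals' MCF code. The control, document and requirement data is constructed from the extract in figure 3, and the ISO 9001 clause numbers and control owners are assumptions for illustration. It also adds the check a practitioner would want before an audit: which requirements of a standard no control covers at all.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Control:
    """One internal control, linked to the requirements it satisfies per standard."""
    cid: str
    name: str
    owner: str
    requirements: dict  # standard name -> set of requirement ids (clauses)


@dataclass
class Document:
    """An internal process, policy or other document, mapped to one or more controls."""
    name: str
    source: str        # the document family it belongs to (the "From" column of figure 3)
    controls: set      # ids of the controls this document implements or evidences


# Constructed sample data modelled on figure 3. ISO 9001 clauses and owners are assumed.
CONTROLS = [
    Control("101", "Management Organization", "CEO", {"ISO 27001": {"4"}}),
    Control("106", "Strategy Development", "CEO", {"ISO 27001": {"4"}}),
    Control("161", "Enterprise Risk Management Process", "CRO",
            {"ISO 27001": {"4.1"}, "ISO 9001": {"6.1"}}),
    Control("801", "Information Exchange", "CISO", {"ISO 27001": {"4.3"}}),
    Control("102", "Management System", "CEO",
            {"ISO 27001": {"4.4"}, "ISO 9001": {"4.4"}}),
]
DOCUMENTS = [
    Document("Mission, vision and objectives", "ISO 27001 Actions CompanyX", {"161"}),
    Document("Risk Optimisation", "Risk Governance and Management", {"161"}),
    Document("IT Management Framework", "Management of IT", {"801", "102"}),
    Document("Security", "Management of IT", {"102"}),
]


def index_by_requirement(controls, standard):
    """Map each requirement id of `standard` to the controls that cover it."""
    index = defaultdict(list)
    for control in controls:
        for req in control.requirements.get(standard, ()):
            index[req].append(control)
    return index


def standard_report(controls, documents, standard):
    """Build the per-standard report of figure 3.

    Returns {requirement id: [(process or document name, from)]}, listing first
    the MCF controls covering the requirement and then the documents mapped to
    those controls. Requirements that no control covers are absent.
    """
    docs_by_control = defaultdict(list)
    for doc in documents:
        for cid in doc.controls:
            docs_by_control[cid].append(doc)
    report = {}
    for req, covering in sorted(index_by_requirement(controls, standard).items()):
        rows, seen = [], set()
        for control in sorted(covering, key=lambda c: c.cid):
            rows.append((f"{control.cid} {control.name}", "MCF Controls"))
            for doc in docs_by_control.get(control.cid, []):
                if doc.name not in seen:          # a document shared by two controls is listed once
                    seen.add(doc.name)
                    rows.append((doc.name, doc.source))
        report[req] = rows
    return report


def controls_to_test(controls, standards):
    """Set of control ids to execute and evidence once to satisfy all `standards`."""
    return {c.cid for c in controls if any(s in c.requirements for s in standards)}


def naive_test_count(controls, standards):
    """Number of control tests if each standard were audited separately (for comparison)."""
    return sum(1 for s in standards for c in controls if s in c.requirements)


def coverage_gaps(controls, standard, required):
    """Requirements of `standard` (from its clause list) that no control maps to."""
    covered = set(index_by_requirement(controls, standard))
    return sorted(set(required) - covered)


if __name__ == "__main__":
    for req, rows in standard_report(CONTROLS, DOCUMENTS, "ISO 27001").items():
        print(req)
        for name, source in rows:
            print(f"    {name:<45} {source}")
    both = ["ISO 27001", "ISO 9001"]
    print("controls tested once for both standards:", sorted(controls_to_test(CONTROLS, both)))
    print("tests if audited separately:", naive_test_count(CONTROLS, both))
    print("ISO 27001 gaps:", coverage_gaps(CONTROLS, "ISO 27001", ["4", "4.1", "4.2", "4.3", "4.4"]))
```

In the sample data, controls 161 and 102 are required by both ISO 27001 and ISO 9001, so the set of controls to test for both standards is still five, whereas auditing each standard separately would test seven. The gap check reports clause 4.2, which in this constructed data has documents but no control behind them; that is the situation the mapping in both directions is meant to expose before an auditor does.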

Once users understand the first part of the MCF, they can move on to the second part: the relationship to all the organization’s internal processes, policies and other documents.

Starting from control 102, there are relationships to several internal policies, processes and documents. Those relationships are managed from the processes, policies and documents themselves, by mapping each item to 1 or more controls.

To complete the process part, many “best standard” processes have been documented, which the user can use as a starting point to develop organization-specific processes or integrate into the organization’s existing documented processes.

For each of these processes, a description is provided, with an indication of appropriate roles and responsibilities, based on the industry standards. For all IT-related processes, this is based on the COBIT 2019 guidance (as well as the previous versions of COBIT—COBIT 4.1 and COBIT 5—which are still available).

Maintaining this information is the next challenge.

For its setup, Voquals provides the service of keeping all required standards and regulations up to date. If there is an update, users need only update the content of the control framework; because of the links provided, the evidence gathering and the required updates to processes or policies are automatically triggered by the workflow on the publication site. The organization therefore needs only limited effort to stay up to date with the latest requirements.

The final part of all this activity is collecting evidence on the controls and preparing the organization for internal and external audits. For this purpose, the MCF has defined an audit calendar.

Users can directly refer to the controls and frameworks that are related to these controls, or they can build their own audit programs.

Users can define 2 types of tasks:

  1. Based on the dates indicated on each control, tasks are automatically sent to the control owner.
  2. Based on the dates indicated on each framework, tasks are sent to the compliance officer or any other person who has the responsibility for this particular standard or regulation.

This generates the dates of the previous and next audits, which are used to define the audit calendar (figure 6).

Figure 6—Information for Audit Calendar

Standard | Last Audit Date | Last Audit Type | Last Audit Scope | Next Audit Date | Next Audit Type | Next Audit Scope
--- | --- | --- | --- | --- | --- | ---
ISO 9001 | 1/10/2020 | Follow-up Audit | Production and Sales Organisation | 7/10/2020 | Certification Audit | ALL
ISO 27001 | 5/21/2020 | Certification Audit | ALL | 9/21/2020 | Follow-up Audit | ISMS In General
CPMI | 6/25/2020 | Follow-up Audit | Network and Infrastructure | 11/25/2020 | Certification Audit | ALL

This information can also be visualized through a business intelligence (BI) tool, as shown in figure 7.

Figure 7—Audit Calendar

To summarize, the MCF helps an organization to:

  • Generate accurate and transparent reports to stakeholders
  • Easily demonstrate to what extent the organization complies with guidelines and regulations
  • Support both internal and external audits through better and faster preparation
  • Better manage the EU General Data Protection Regulation (GDPR) program within the organization
  • Be accountable in a natural way, supported with workflows and aligned to the organization’s own central processes
  • Create support for compliance within the organization, as part of the operational business processes
  • Significantly reduce the costs of complying with regulations or the cost of compliance
  • Increase the organization’s resilience to regulatory compliance in the future

Because the MCF is a generic framework and contains content of the most commonly used norms, standards and frameworks, it helps every type of enterprise to better adjust its organization and comply more easily with guidelines and regulations. This enables the organization to realize significant savings on compliance costs.1, 2, 3

Those interested in learning more can find a complete demo of the MCF on YouTube.

Greet Volders, CGEIT

Is a managing consultant and chief executive officer of Voquals N.V., which she founded in 1995. Her main activity is providing advice to customers, and she regularly gives training and seminars related to enterprise governance of IT, process improvement and IT/business alignment. In 2004, Volders became an accredited trainer for the COBIT Foundation course and the IT Governance Implementation training using COBIT, which she has continued for COBIT 5 and COBIT 2019. Since 2002, she has been an active member of several development teams for COBIT, and she is regularly asked to serve as an expert reviewer for ISACA publications. She can be reached at gvolders@voquals.be.

Endnotes

1 Mavim, Leading Global Accountancy Firm turns to Mavim to Improve Compliance, Customer Profiles, The Netherlands, 2020
2 Mavim, American BioTech Company Leverages Mavim to Improve Operational Efficiency, Customer Profiles, The Netherlands, 2020
3 Mavim, Financial Services Provider Accelerates the Integration of 100 Global Acquisitions, Customer Profiles, The Netherlands, 2020