{"id":16792,"date":"2026-07-16T22:19:51","date_gmt":"2026-07-16T22:19:51","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=16792"},"modified":"2026-07-16T22:19:51","modified_gmt":"2026-07-16T22:19:51","slug":"how-mapping-safety-controls-can-ease-the-compliance-burden","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=16792","title":{"rendered":"How mapping safety controls can ease the compliance burden"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"content-body\">&#13;<\/p>\n<p>CISOs and their groups are anticipated to display compliance with a variety of laws, frameworks and requirements. With an alphabet soup of frameworks &#8212; NIST, ISO, PCI DSS, HIPAA, GDPR and plenty of different country- or sector-specific mandates &#8212; there&#8217;s a rising threat of duplicating effort, management gaps and audit fatigue.<\/p>\n<p>CISOs can simplify governance by mapping safety controls to the varied home and worldwide <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/searchsecurity\/tip\/IT-security-frameworks-and-standards-Choosing-the-right-one\">requirements and laws addressing cybersecurity<\/a> via a unified management structure.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"Why control mapping matters\">\n<h2 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"\/>Why management mapping issues<\/h2>\n<p>Enterprises which are required to display regulatory compliance should show how they comply. Along with quite a lot of audit exams, a map of the controls getting used and the corresponding requirements is a crucial piece of audit proof.<\/p>\n<p>And not using a management map, CISOs and their groups can face redundant efforts when connecting controls to particular necessities, a scarcity of constant software of controls inside the enterprise and extra work gathering proof for an audit.<\/p>\n<p>Safety groups can save effort and time by constructing a structured map of controls and necessities, consolidating all mapping right into a single evaluation. This helps <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/searchsecurity\/tip\/Build-a-strong-cyber-resilience-strategy-with-existing-tools\">strengthen cyber resilience<\/a> by establishing a holistic baseline.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"How to build a control-mapping strategy\">\n<h2 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"\/>The way to construct a control-mapping technique<\/h2>\n<p>Previous to making ready a management\/commonplace map, outline the general technique. This helps CISOs, auditors and regulators assess and confirm compliance, minimizes duplication and enhances governance. The hot button is to outline scope, set up a baseline management language and create a versatile and reusable mapping mannequin. Including AI to the method helps speed up map preparation and assists with ongoing upkeep.<\/p>\n<p>Get hold of essentially the most related and authoritative sources. Among the many most vital are:<\/p>\n<ul class=\"default-list\">\n<li><b>NIST CSF (Cyber Safety Framework)<\/b>. This framework supplies steerage throughout a broad vary of cybersecurity points; implementation is voluntary.<\/li>\n<li><b>NIST SP 800-53<\/b>. Designed for presidency use, these cybersecurity controls can be utilized by the non-public sector. Implementation is voluntary however thought of important for demonstrating compliance.<\/li>\n<\/ul>\n<ul class=\"default-list\">\n<li><b>ISO\/IEC 27001<\/b>. <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/whatis\/definition\/ISO-27001\">That is the worldwide cybersecurity commonplace<\/a>; compliance should be formally demonstrated.<\/li>\n<li><b>CIS Controls<\/b>. Developed by the U.S. Middle for Web Safety, there are 18 particular controls to handle; implementation is voluntary.<\/li>\n<li><b>SOC 2 Safety Controls<\/b>. Developed to adjust to the AICPA&#8217;s Belief Companies Standards, these are auditable controls.<\/li>\n<li><b>HIPAA<\/b>. The <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/searchhealthit\/definition\/HIPAA\">HIPAA<\/a> safety controls, that are obligatory in healthcare, may be utilized in lots of industries; compliance should be formally demonstrated.<\/li>\n<li><b>PCI DSS<\/b>. The <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/PCI-DSS-Payment-Card-Industry-Data-Security-Standard\">Fee Card Business Knowledge Safety Customary<\/a> is a compulsory requirement for organizations within the cost business; it has six management targets that delineate 12 particular necessities.<\/li>\n<li><b>FedRAMP<\/b>. Primarily based on NIST SP 800-53, these obligatory controls had been designed for cloud service suppliers that deal with federal knowledge.<\/li>\n<li><b>CMMC<\/b>. The Cybersecurity Maturity Mannequin Certification was developed by the U.S. Protection Division to guard vital authorities knowledge utilized by contractors.<\/li>\n<li><b>GPPR<\/b>. The EU <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/whatis\/definition\/General-Data-Protection-Regulation-GDPR\">Normal Knowledge Safety Regulation<\/a> specifies how knowledge generated and utilized by EU member nations and different nations that work with EU member states is protected against unauthorized use; compliance should be formally demonstrated.<\/li>\n<\/ul>\n<p>As soon as the related necessities have been recognized, develop a normal management language and taxonomy. Subsequent, create a crosswalk or different strategy the place related knowledge may be recognized and used to help audits, put together regulatory reporting and facilitate inside governance. Remember to embody data within the map that particulars proof sources, e.g., origin and rationale.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Step-by-step approach\">\n<h2 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"\/>Step-by-step strategy<\/h2>\n<p>Observe these steps to determine your management mapping.<\/p>\n<ol class=\"default-list\">\n<li><b>Outline scope.<\/b> Start by figuring out the requirements, laws, frameworks and inside insurance policies to be mapped.<\/li>\n<li><b>Construct a catalog of cybersecurity controls.<\/b> Whereas there is likely to be dozens of particular person controls, attempt to group them in particular classes, reminiscent of entry management and incident response.<\/li>\n<li><b>Choose your mapping strategy<\/b>. This could embody 1:1 (one management to at least one commonplace), partial mapping (one commonplace to many controls) or thematic mapping (grouping controls into classes, reminiscent of entry management).<\/li>\n<li><b>Outline mapping standards<\/b>. Set guidelines for  develop mapping. Embrace components reminiscent of intent, outcomes, safeguards or necessities for proof.<\/li>\n<li><b>Full and doc the mapping<\/b>. Given the time it takes to finish a map, think about using inside specialists devoted to the mission, exterior consultants or AI automation instruments.<\/li>\n<li><b>Provoke stakeholder validation<\/b>. Invite representatives from the authorized, audit, compliance and engineering teams to evaluation the map&#8217;s accuracy.<\/li>\n<li><b>Launch the map<\/b>. As soon as accepted, combine the map into governance, threat and compliance (<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/governance-risk-management-and-compliance-GRC\">GRC<\/a>) workflows; threat assessments; reporting; and audits.<\/li>\n<li><b>Use change management to take care of maps<\/b>. Noting that requirements and laws periodically change, use the change-control course of to maintain maps updated.<\/li>\n<\/ol>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Overcoming control mapping challenges\">\n<h2 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"\/>Overcoming management mapping challenges<\/h2>\n<p>When planning and growing a management map, there might be difficulties to beat. To mitigate them, attempt to standardize the language and map construction to attenuate confusion.<\/p>\n<p>Consistency counts for requirements, as nicely. Relying on the usual, the content material is likely to be extra common and broad-based, whereas others might be detailed, so make sure that the language is as constant as potential. Some requirements and laws, reminiscent of HIPAA and GDPR, describe outcomes, whereas others, reminiscent of NIST, CIS and SOC 2, present particular controls. Be able to replace maps with the newest variations as requirements, laws and frameworks change.<\/p>\n<p>Within the broader group, concentrate on the impression on different capabilities. Inner departments, reminiscent of safety, threat administration, compliance and engineering, might need differing views of controls and the way controls are utilized.<\/p>\n<p>Additionally be sure you examine proof necessities. As soon as controls have been mapped, see if there are any variances in proof necessities.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Tools and technologies\">\n<h2 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"\/>Instruments and applied sciences<\/h2>\n<p>Automated instruments can help with management map improvement. To streamline the event and upkeep processes, think about instruments with AI capabilities.<\/p>\n<p>Some obtainable merchandise embody:<\/p>\n<ul class=\"default-list\">\n<li>Archer Evolv, a management and regulatory mapping engine.<\/li>\n<li>CIS Controls Mapping, an Excel-based management mapping crosswalk to NIST, PCI DSS, ISO, HIPAA and SOC 2.<\/li>\n<li>Drata, an AI-based management mapping and monitoring instrument.<\/li>\n<li>Hyperproof, an AI-based management mapping instrument.<\/li>\n<li>LogicGate Danger Cloud, a instrument to develop maps utilizing workflows and mapping templates.<\/li>\n<li>NIST OSCAL (Open Safety Controls Evaluation Language), a set of NIST-developed hierarchical, formatted, XML- JSON- and YAML-based codecs used for improvement and evaluation of safety controls.<\/li>\n<li>OneTrust, a instrument that helps safety map improvement utilizing GDPR, DORA, ISO, NIST, HIPAA and others.<\/li>\n<li>Secureframe, an automatic management mapping instrument for SOC 2, ISO, HIPAA and different requirements.<\/li>\n<li>ServiceNow GRC, a instrument that features crosswalk templates and evidence-collection options.<\/li>\n<li>Tugboat Logic, which is a part of OneTrust, providing crosswalks for requirements reminiscent of SOC 2, ISO and HIPAA.<\/li>\n<\/ul>\n<p><i>Editor&#8217;s be aware: The writer selected to focus on these instruments based mostly on unbiased analysis, prioritizing anecdotally outstanding and well-established choices with vital consumer bases. This record is organized alphabetically.<\/i><\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Pros and cons of mapping with automation and AI\">\n<h2 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"\/>Execs and cons of mapping with automation and AI<\/h2>\n<p>Management mapping advantages from automation, and, extra particularly, AI-assisted automation. Duties required for mapping may be streamlined and accomplished extra rapidly with AI than via handbook approaches and present mapping functions.<\/p>\n<p>Among the many benefits are sooner management and commonplace matching. AI algorithms can analyze management intent throughout requirements and frameworks. Automation additionally allows a group to make use of constant language throughout totally different requirements. AI can monitor attributes constantly and alerts when requirements and laws are up to date.<\/p>\n<p>Different advantages of automated mapping embody streamlined map creation; fast assortment of related proof from varied sources and event-ticketing methods; streamlined workflows for the control-testing course of; real-time model management for management maps and inside controls; and assortment of related proof for audit preparation and reporting.<\/p>\n<p>If utilizing automation, be aware that whereas AI can collect related regulatory and requirements paperwork, it can&#8217;t interpret the usual&#8217;s intent with out human evaluation. Additionally, AI-generated maps may comprise errors that will have an effect on compliance. It is as much as folks to verify the work produced is correct and comprehensible to auditors and regulators.<\/p>\n<p><i>Paul Kirvan, FBCI, CISA, is an unbiased guide and technical author with greater than 35 years of expertise in enterprise continuity, catastrophe restoration, resilience, cybersecurity, GRC, telecom and technical writing.<\/i><\/p>\n<\/section>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>&#13; CISOs and their groups are anticipated to display compliance with a variety of laws, frameworks and requirements. With an alphabet soup of frameworks &#8212; NIST, ISO, PCI DSS, HIPAA, GDPR and plenty of different country- or sector-specific mandates &#8212; there&#8217;s a rising threat of duplicating effort, management gaps and audit fatigue. CISOs can simplify [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16794,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[9118,278,6991,4634,3194,211],"class_list":["post-16792","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-burden","tag-compliance","tag-controls","tag-ease","tag-mapping","tag-security"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16792"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16792\/revisions"}],"predecessor-version":[{"id":16793,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/16792\/revisions\/16793"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/16794"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 69d9690a190636c2e0989534. Config Timestamp: 2026-04-10 21:18:02 UTC, Cached Timestamp: 2026-07-17 21:07:01 UTC -->