3 compliance frameworks = 3X the effort?
Payal Wadhwa
Sep 20, 2024
In the years gone by, this has meant mapping controls, performing a risk assessment, running a gap analysis based on that risk assessment, identifying the relevant entities covered by the framework in question, setting up processes and checks, deciding how often evidence must be collected, gathering the evidence and making sure it is correct. And then repeating all of those tasks whenever you want to add a new framework. The other alternative is outsourcing, which ends up being a cost-heavy exercise—research places the average cost of compliance for multinational organizations at $3.5 million. And despite all this spending, security teams find themselves overburdened and sometimes pulled away from other critical tasks.
As you can see from this description, the reason growing your compliance program has been such a hassle comes down to this: it has been difficult — if not entirely impossible — to avoid rework when you handle compliance the way you always have: manually.
Manual effort is killing your momentum
The first problem with manual compliance is that your data is stored in silos, across risk assessment, access management, evidence collection and more. This means you end up investing your already hard-pressed time and effort into tasks you have already completed, at least to some degree.
To illustrate, this is how you go about your first compliance framework: you define risks, map controls to those risks, map those controls to evidence, and then start rounding up evidence for the controls. When you want to add a new framework, you know that commonalities exist. You just don't know how to map these overlaps. So you repeat the whole cycle once again.
For instance, you may at best need to repeat checks at a greater frequency for a new framework, but at least you don’t need to start from scratch. Or maybe you need to provide the evidence in a slightly different format, but you don’t need to actually repeat the control management portion of the task. You get the idea.
Did you know that with Sprinto the additional effort to comply with SOC2 once you have PCI (and vice versa) is only 14%?
Without that visibility, you have no choice but to repeat the whole process. All. Over. Again.
And even when you outsource to, say, a GRC consultant, a significant amount of manual effort remains for the internal team, resulting in the de-prioritization of other crucial tasks and delayed actions due to the extra workload. At the end of the day, a lot of the control management and evidence follow-up with internal teams will rest on your shoulders, even when you outsource.
Cross-map controls to end rework when complying with new frameworks
Sprinto: The toolkit you need to grow a compliance program without increased effort