3 compliance frameworks = 3X the effort?

Payal Wadhwa, Sep 20, 2024
If the idea of adding new compliance frameworks fills you with dread, you’re not alone. Many GRC and security leaders who handle compliance manually know that a new framework means a TON of extra work that’s time-consuming and laborious (and you also know your time could be spent better elsewhere). But there’s a less labor-intensive way to go about it…

As your organization targets new geographies and sectors, it grows, adds new stakeholders, and becomes more operationally complex. This organizational complexity and entry into new markets often means complying with many new frameworks. Maybe you were previously SOC 2 compliant, but now you also need GDPR compliance, and so on.

Until now, this has meant mapping controls, running a risk assessment, performing a gap analysis based on that assessment, identifying the entities covered by the framework in question, setting up processes and checks, deciding how often evidence must be collected, gathering the evidence, and verifying that the evidence is correct. And then repeating all of those tasks whenever you want to add another framework. The other alternative is outsourcing, which ends up being a cost-heavy exercise: research places the average cost of compliance for multinational organizations at $3.5 million. And despite all this spending, security teams find themselves overburdened and sometimes pulled away from other critical tasks.

As this description shows, the reason growing your compliance program has been such a hassle comes down to one thing: it has been difficult, if not impossible, to avoid rework when you handle compliance the way you always have: manually.

Manual effort is killing your momentum

The first problem with manual compliance is that your data is stored in silos, across risk assessment, access management, evidence collection and more. This means you end up investing your already hard-pressed time and effort into tasks you have already completed, at least in part.

To illustrate, this is how you go about your first compliance framework: you define risks, map controls to those risks, map each control to the evidence that demonstrates it, and then start rounding up that evidence. When you want to add a new framework, you know that commonalities exist. You just don’t know how to map these overlaps. So you repeat the whole cycle once again.

At most, you may need to repeat some checks more frequently for the new framework, but you don’t need to start from scratch. Or maybe you need to provide the evidence in a slightly different format, but you don’t need to redo the control management portion of the task. You get the idea.

So why do you end up repeating the whole exercise? The reason is simple: until now, you have had no reliable system that shows you where the overlaps in controls and evidence lie. There was no trustworthy mechanism for seeing how audit readiness on one framework implies control and evidence readiness on another, and to what extent.

Without that visibility, you have no choice but to repeat the whole process. All. Over. Again. 
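As an added illustration (not from the original post and not Sprinto’s product code), here is a small Python model of the cross-mapping the text argues for: it takes the evidence already collected for one framework and reports, control by control, what a second framework can reuse, what is still missing, and where the collection cadence has to tighten. The framework names, control IDs, evidence names and frequencies are constructed sample data, not the real SOC 2 or GDPR requirements.

```python
# Constructed sample data: two hypothetical frameworks. Control IDs, evidence
# names and cadences are illustrative only, not the real SOC 2 / GDPR catalogues.
FRAMEWORKS = {
    "SOC2-like": {
        "CC6.1": {"evidence": {"access_review", "mfa_config"}, "frequency_days": 90},
        "CC7.2": {"evidence": {"siem_alert_log"}, "frequency_days": 30},
        "CC9.2": {"evidence": {"vendor_risk_register"}, "frequency_days": 365},
    },
    "GDPR-like": {
        "Art32": {"evidence": {"access_review", "mfa_config", "encryption_at_rest"},
                  "frequency_days": 30},
        "Art30": {"evidence": {"processing_register"}, "frequency_days": 365},
        "Art28": {"evidence": {"vendor_risk_register"}, "frequency_days": 365},
    },
}


def cross_map(existing, new, frameworks=FRAMEWORKS):
    """For each control of `new`, report evidence already collected for `existing`
    that can be reused, evidence still missing, and reused evidence whose current
    collection cadence is too slow for the new framework."""
    # Evidence already on file -> tightest cadence at which it is gathered today.
    collected = {}
    for ctrl in frameworks[existing].values():
        for ev in ctrl["evidence"]:
            collected[ev] = min(collected.get(ev, float("inf")), ctrl["frequency_days"])
    have = set(collected)
    report = {}
    for cid, ctrl in frameworks[new].items():
        reused = ctrl["evidence"] & have
        missing = ctrl["evidence"] - have
        needs_faster = {ev for ev in reused if collected[ev] > ctrl["frequency_days"]}
        report[cid] = {"reused": reused, "missing": missing, "needs_faster": needs_faster}
    return report


def rework_ratio(report):
    """Fraction of the new framework's evidence items that must be built from scratch."""
    total = sum(len(r["reused"]) + len(r["missing"]) for r in report.values())
    missing = sum(len(r["missing"]) for r in report.values())
    return missing / total if total else 0.0


if __name__ == "__main__":
    rep = cross_map("SOC2-like", "GDPR-like")
    for cid, r in rep.items():
        print(cid, "reuse:", sorted(r["reused"]), "missing:", sorted(r["missing"]),
              "tighten cadence:", sorted(r["needs_faster"]))
    print(f"evidence to gather from scratch: {rework_ratio(rep):.0%}")
```

Run as-is it shows that only two of five evidence items for the second framework are genuinely new work; the rest is reuse, in two cases with a faster collection schedule.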

And even when you outsource to, say, a GRC consultant, a significant amount of manual effort remains for the internal team, which pushes other crucial tasks down the priority list and delays action because of the extra workload. At the end of the day, much of the control management and the evidence follow-up with internal teams will still rest on your shoulders, even when you outsource.
Cross-map controls to end rework when complying with new frameworks
Sprinto: The toolkit you need to grow a compliance program without increased effort

Breeze through compliance with Sprinto