Mapping controls to requirements with Compliance Maps

Compliance Maps is an app on the Diligent One Platform.

You can use Compliance Maps to associate industry standards and regulations with your control frameworks. This allows you to visualize coverage, track regulatory changes, minimize organizational risk exposure, reduce operational burden, and provide boards and executive teams with a holistic understanding of the organization's global compliance posture.

What is Compliance Maps?

Compliance Maps is an app that centralizes the documentation of regulatory requirements and mapped controls. Using Compliance Maps, you can: 

  • identify applicable regulations and standards
  • harmonize a list of requirements across all applicable regulations and standards
  • map controls in frameworks to requirements
  • aggregate testing results and issues to track and report on compliance status in real-time

How it works

Federal organizations often need to be compliant with hundreds of requirements. Audit departments are also involved in compliance when they have internal policy requirements to track in order to ensure everything is operating effectively.

Creating a compliance map

To showcase your organization's adherence to specifications relevant to the business, you can create a compliance map by:

  1. identifying compliance scope and noting which requirements are applicable to the organization
  2. specifying the rationale for requirements that are not applicable
  3. mapping controls to requirements

Once you map controls to requirements, testing results and issues are aggregated in the compliance map so that you can:

  • identify gaps
  • prioritize issues
  • track compliance progress

Relationships in Compliance Maps

The figure below illustrates the relationships between regulations/standards, requirements, and controls in Compliance Maps.

Notes

  • Interface terms are customizable, and fields and tabs are configurable. In your instance of Diligent One, some terms, fields, and tabs may be different.
  • If a required field is left blank, you will see a warning message: This field is required. Some custom fields may have default values.

Terms

The following list defines the terms used in Compliance Maps:

  • Regulations: Authority documents that are written and issued by federal government departments, often categorized under an Act.

    Examples

    FedRAMP 2016 0.1

    Green Book - Revision 2014 (GAO-14-704G)

    NIST SP 800-53 Security Controls - Rev4

  • Standards: Authority documents that are sources of best practice requirements and related citations.

    Examples

    COBIT 5 Framework

    Payment Card Industry (PCI) Data Security Standard

    COSO Internal Control Framework 2013

  • Requirements: A series of directives that have been established to summarize a standard or regulation.

    Note

    Although requirements may be referred to as principles, attributes, activities, tasks, or steps in different regulations and standards, the common term used in Projects is Requirement.

    Examples

    • Establish and perform backup procedures for applications, databases, system configurations, network configurations, documents, and messaging systems.
    • Document the concept of operations in the continuity plan, including a system description, line of succession, and responsibilities.
  • Controls: Measures or courses of action for assuring the achievement of an organization's compliance with requirements.

    Examples

    • Policies and procedures related to data backup are in place which make employee responsibilities clear and actionable.
    • Real-time data replication between servers is done in order to provide a "hot" backup should the core production system fail.
  • Applicable: The indication of whether or not the requirement is relevant or appropriate for your organization.
  • Covered: The indication that the requirement is met.
  • Control Weight: The percentage of the requirement that the control covers.
  • Coverage: A percentage measurement that indicates the extent to which applicable requirements have been indicated as "covered."
  • Gaps: A count of the number of applicable requirements that are not covered.
  • Assurance: A calculation that represents your organization's confidence in requirements being met.
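The relationships and metrics defined above, worked through as an added example (not code from Diligent One or the Compliance Maps app). The data model, the sample requirements and the rule that a requirement counts as covered once its mapped Control Weights reach 100% are assumptions made here to illustrate the definitions; the Assurance calculation is not modelled because the page does not define it.

```python
from dataclasses import dataclass, field


@dataclass
class Requirement:
    """One harmonized requirement that may satisfy several regulations/standards."""
    rid: str
    sources: list                      # regulations/standards it is harmonized from
    applicable: bool = True
    rationale: str = ""                # must be given when not applicable (step 2)
    controls: dict = field(default_factory=dict)   # control id -> Control Weight (%)

    def __post_init__(self):
        if not self.applicable and not self.rationale.strip():
            raise ValueError(f"{self.rid}: not-applicable requirement needs a rationale")

    def covered(self):
        # Assumption: covered when mapped control weights sum to at least 100%.
        return self.applicable and sum(self.controls.values()) >= 100


def coverage(reqs):
    """Coverage: percentage of applicable requirements marked covered."""
    applicable = [r for r in reqs if r.applicable]
    if not applicable:
        return 0.0
    return 100.0 * sum(r.covered() for r in applicable) / len(applicable)


def gaps(reqs):
    """Gaps: the applicable requirements that are not covered."""
    return [r.rid for r in reqs if r.applicable and not r.covered()]


def coverage_by_source(reqs):
    """Coverage per regulation/standard; one control can cover overlapping sources."""
    sources = {s for r in reqs for s in r.sources}
    return {s: coverage([r for r in reqs if s in r.sources]) for s in sources}


# Constructed sample: three harmonized requirements across two sources.
SAMPLE = [
    Requirement("REQ-1", ["NIST SP 800-53 Rev4", "PCI DSS"],
                controls={"CTL-BACKUP-POLICY": 60, "CTL-HOT-REPLICATION": 40}),
    Requirement("REQ-2", ["NIST SP 800-53 Rev4"],
                controls={"CTL-CONTINUITY-PLAN": 50}),
    Requirement("REQ-3", ["PCI DSS"], applicable=False,
                rationale="No cardholder data is processed in scope"),
]
```

Because REQ-1 is harmonized across both sources, the two backup controls count toward NIST and PCI coverage at once, which is the duplicated effort the Benefits section says is eliminated.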

Benefits

Implementing a successful compliance program requires intensive effort and specialized knowledge of regulations and standards.

Compliance Maps helps reduce this effort by:

  • centralizing compliance management: create a comprehensive view for external parties, and allow them to quickly understand your organization's compliance program and progress
  • rationalizing and simplifying burden: eliminate duplicated efforts through harmonized requirements and provide coverage over multiple, overlapping regulations and standards
  • easing issue management: get oversight by easily tracking control testing progress, and capture and assign flagged issues for remediation throughout your compliance review process
  • providing assurance scoring and reporting: score your assurance with a single, overall metric that gives management an instant understanding of the degree to which the organization is compliant by regulation, business process, or entity

Key benefits for different professionals

Professional title(s): Chief Information Officer, IT Compliance Manager, Information Security Manager

Benefits:
  • Can attest to customers and other interested third parties that a strong control environment exists
  • Can prevent exposing the organization to regulatory enforcement action or data breaches

Professional title(s): Chief Compliance Officer, Compliance Manager

Benefits:
  • Can collaborate with business stakeholders that are required to comply with various regulations and standards
  • Can manage compliance progress by centralizing the documentation of requirements and their mapped controls