Commanding Compliance: Demystify the Common Control Set

Understanding prevalent common control sets is pivotal for optimizing cybersecurity compliance programs. Let’s explore the benefits of these frameworks and how to employ them in AuditBoard’s CrossComply solution.

What Are Common Control Frameworks? 

A common control framework is a set of predefined controls with high-level control statements customized to your organization’s specific needs. It’s usually broken into relevant domains to identify where a single control can satisfy multiple framework requirements. Some examples of common control sets include:

  • NIST 800-53 has built-in impact levels, depending on whether you’re trying to align your organization at a low, moderate, or high level.
  • Center for Internet Security (CIS) has 18 high-level controls broken up into domains or control families, such as access control, environmental, and physical security. CIS controls are generally more technical and are supported by additional content published by CIS, such as the CIS Benchmarks.
  • ISO 27001/27002 is close to a beginner’s common control set, because it does not provide as much coverage as the larger, broader common control sets.
  • Secure Controls Framework (SCF) is a catalog of controls supporting over 100 cybersecurity and data privacy laws, regulations, and frameworks. Its goal is to normalize disparate control language into something usable across departments. If you haven’t engaged an external auditor yet, SCF also offers risk registers, a threat catalog, maturity scales, and evidence request lists.

Choosing the common control framework that best suits your environment is critical. Therefore, consider where a specific control set will provide the best coverage. 

The Benefits of A Common Control Set

Common control sets have several advantages over ad hoc control sets your organization defines. First, when you use a common control set, you adopt a common language familiar to your auditors, vendors, and associated agencies. This continuity can make managing your working relationships and audit activities more straightforward. 

You can also use common control sets as an implementation roadmap. These sets adapt to framework changes to help you identify and update your roadmap for future compliance initiatives. Sets like NIST 800-53 that possess impact levels provide a great way to grow your organization into a higher level of security over time. The SCF provides a built-in maturity model based on the Capability Maturity Model Integration (CMMI)® best practices, which can help you understand what control structure you need to implement to satisfy the different frameworks it supports.

Another benefit of common control sets is testing guidance, which helps you understand what an external auditor will look for and how to structure your internal assessments to reflect that. This guidance can help reduce testing effort and testing redundancy. You can implement the “test once, use many” approach, add efficiencies to your assessment program, and significantly reduce audit fatigue.

Common Control Sets in CrossComply

AuditBoard’s CrossComply leverages SCF to map frameworks together. To use SCF as your starting baseline, follow three steps.

First, import the frameworks you’re interested in complying with via our AuditBoard Framework Content. Licensing may be required for some of the content. This will populate SCF Common Controls so that you can translate them into library controls. By leveraging the AuditBoard functionality to translate these common controls into individual library controls, they will inherit the framework mappings as provided by SCF so you have controls ready for implementation. At this stage, you are also able to map risks in your environment to the library controls.

Second, instantiate your controls against the appropriate inventory items to develop environment-specific controls from a common control set, or what is known as “control implementations”. Each of those instances is where you will perform some type of activity and reflect the control as it is in your environment. This could be a business unit if you’re doing SOC 2, or it could be a specific product that is the scope of your SOC 2. It’s very common to have multiple instantiated controls. 

Last, assess your controls using control assessments in CrossComply. Once completed, you’ll be able to review how the results flow into the associated frameworks. You can determine whether framework requirements are compliant or non-compliant or whether controls are effective or ineffective. This capability can help you prepare for external audits like PCI or SOC 2—in the case of ISO 27001, it is part of the certification requirement. 
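The three steps above describe a data model: common controls carry mappings to framework requirements, library controls inherit those mappings, each library control is instantiated once per in-scope inventory item, and assessment results on those instances roll up into a compliant/non-compliant status per framework requirement. The following is an added example that models this roll-up in Python; it is not CrossComply or SCF code, and every control identifier, requirement identifier, and inventory item in it is a constructed placeholder rather than real SCF or framework content. The roll-up rule it assumes is that one ineffective instance makes a control ineffective, and one ineffective control makes every requirement it maps to non-compliant.

```python
"""Added example (not CrossComply or SCF code): a minimal model of how a common
control set translates into library controls, control implementations, and
per-framework results. All identifiers are constructed placeholders."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed common control set: id -> (statement, {"framework:requirement", ...}).
# One control mapped to requirements in several frameworks is what makes
# "test once, use many" possible.
COMMON_CONTROLS = {
    "CC-01": ("Logical access is restricted to authorized users",
              {"SOC2:REQ-A", "ISO27001:REQ-A", "NIST:REQ-A"}),
    "CC-02": ("System events are logged and reviewed",
              {"SOC2:REQ-B", "NIST:REQ-B"}),
    "CC-03": ("Changes are tested and approved before release",
              {"SOC2:REQ-C", "ISO27001:REQ-C"}),
}


@dataclass
class Implementation:
    """Step 2: a library control instantiated against one inventory item."""
    control_id: str
    inventory_item: str
    result: Optional[str] = None  # "effective", "ineffective", or None if not yet assessed


@dataclass
class LibraryControl:
    """Step 1: a library control that inherits the common control's framework mappings."""
    control_id: str
    statement: str
    mappings: Set[str]
    implementations: List[Implementation] = field(default_factory=list)


def build_library(common_controls=COMMON_CONTROLS) -> Dict[str, LibraryControl]:
    """Translate common controls into library controls, carrying the mappings along."""
    return {cid: LibraryControl(cid, stmt, set(maps))
            for cid, (stmt, maps) in common_controls.items()}


def instantiate(library, control_id, inventory_items) -> List[Implementation]:
    """Create one control implementation per in-scope inventory item (e.g. a product)."""
    ctl = library[control_id]
    ctl.implementations.extend(Implementation(control_id, item) for item in inventory_items)
    return ctl.implementations


def assess(library, control_id, inventory_item, result) -> None:
    """Step 3: record the assessment result for one control implementation."""
    if result not in ("effective", "ineffective"):
        raise ValueError(f"unknown result {result!r}")
    for impl in library[control_id].implementations:
        if impl.inventory_item == inventory_item:
            impl.result = result
            return
    raise KeyError(f"{control_id} is not instantiated for {inventory_item}")


def control_effectiveness(ctl: LibraryControl) -> str:
    """One failing instance fails the control; an unassessed instance leaves it open."""
    results = [impl.result for impl in ctl.implementations]
    if "ineffective" in results:
        return "ineffective"
    if not results or None in results:
        return "not assessed"
    return "effective"


def framework_status(library) -> Dict[str, Dict[str, str]]:
    """Roll control effectiveness up into a status per framework requirement."""
    per_req: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for ctl in library.values():
        eff = control_effectiveness(ctl)
        for mapping in ctl.mappings:
            framework, req = mapping.split(":", 1)
            per_req[framework][req].append(eff)
    status: Dict[str, Dict[str, str]] = {}
    for framework, reqs in per_req.items():
        status[framework] = {}
        for req, effs in reqs.items():
            if "ineffective" in effs:
                status[framework][req] = "non-compliant"
            elif "not assessed" in effs:
                status[framework][req] = "not assessed"
            else:
                status[framework][req] = "compliant"
    return status


def reuse_factor(library) -> Dict[str, int]:
    """How many framework requirements a single assessment of each control satisfies."""
    return {cid: len(ctl.mappings) for cid, ctl in library.items()}


if __name__ == "__main__":
    lib = build_library()
    instantiate(lib, "CC-01", ["payments-app", "hr-app"])   # constructed inventory items
    instantiate(lib, "CC-02", ["payments-app"])
    instantiate(lib, "CC-03", ["payments-app"])
    assess(lib, "CC-01", "payments-app", "effective")
    assess(lib, "CC-01", "hr-app", "ineffective")           # one failing instance
    assess(lib, "CC-02", "payments-app", "effective")       # CC-03 left unassessed
    for framework, reqs in sorted(framework_status(lib).items()):
        print(framework, dict(sorted(reqs.items())))
    print("requirements covered per control:", reuse_factor(lib))
```

In the sample run, three controls cover seven requirements across three frameworks, so each control assessment is reused two or three times. The one ineffective instance of CC-01 on `hr-app` marks REQ-A as non-compliant in all three frameworks at once, which is the flip side of "test once, use many": a shared control that fails, fails everywhere it is mapped.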

With CrossComply’s help, organizations can strategically leverage these widely used common control frameworks to enhance operational efficiencies and bolster their security posture.

Lorsine Lai

Lorsine Lai is a Manager of Implementation at AuditBoard with over six years of SOX compliance and internal audit experience. Prior to joining AuditBoard, Lorsine spent six years at PwC within the Risk Assurance practice, focusing on IT audits for various companies across a myriad of industries. Since joining AuditBoard in 2020, she has advised over 50 clients, from small accounting teams to large multinational audit departments on various design options, workflow projects, and user adoption strategies.

Alan Gouveia

Alan Gouveia is Head of Customer Experience, CrossComply at AuditBoard. Alan has worked in the GRC and cybersecurity space for over 20 years across multiple industries and organizations of different sizes. He specializes in a collaborative approach to GRC and cybersecurity, showing customers how to work across the entire organization to achieve business goals. Connect with Alan on LinkedIn.

Tim Devine

Tim Devine is a Software Trainer on the AuditBoard Customer Education team. Tim has over a decade of experience in teaching and training environments and is the creator of AuditBoard’s custom instructor-led training program for Enterprise level subscription customers.
