The Ambiguity of Compliance Terms
According to Tenable, over 44% of organizations use more than one security framework. Mapping controls from one framework to another is already complex, and the ambiguity of terms across frameworks adds to that complexity: some frameworks define controls to follow, while others offer guidelines. At PolicyCo, we have created a mapping system that standardizes the terminology, allowing us to map more than one framework to a single procedure, policy, or piece of evidence. Building it required us to dissect the nuanced differences between the security frameworks so that an organization can follow multiple frameworks while reducing redundancy across its cybersecurity program. Below is a glossary of the terms used when mapping security frameworks back to evidence, policies, and procedures.
ISO
Standards: Specifications that similar organizations can use to ensure materials, products, processes, and services meet industry best practices.
Clauses: Sections containing specific requirements and processes.
Controls: Safeguards to reduce security risks.
SOC 2
Criteria: An individual specification.
Category: Sections containing a set of specific criteria related to an aspect of the security program.
Internal Control: An organization’s objective to protect information security.
HITRUST
Category: Section containing specifications and objectives for information security and risk management.
Domain: Organized sections based on standard IT organizational structure.
Objective: Statement of the intended result.
Specification: Policies, procedures, guidelines, practices, or organizational structures, which can be operational, technical, or legal.
Reference: An individual requirement/control.
NIST
Function: Organized cybersecurity activities and outcomes.
Category: A subdivision of a function that contains cybersecurity objectives.
Subcategory: Outcome-driven statements and security controls.
Informative References: Detailed technical resources used to support implementing subcategories.
PCI
Goal: Organized section of requirements that state the intended result.
Requirement: Organized sections of security protocols/controls for securing data.
Sub-requirements: The specific security control for obtaining data.
Compensating Control: A similar method for adhering to the requirement, utilized when an entity cannot meet the requirement as expressly stated.
Guidance: The core purpose of the requirement and additional content to assist in the definition of the requirement.
Manage Multiple Frameworks with PolicyCo
Cybersecurity compliance can be overwhelming; hopefully, we’ve cleared up some of the confusion around the language used by the most popular frameworks. If you are struggling to manage multiple cybersecurity frameworks, PolicyCo can help. Our platform streamlines compliance processes across frameworks, and our vCISO team has extensive experience developing cohesive policy language from a variety of framework controls. Contact us for more information.
Originally published at https://policyco.io on December 14, 2021.
The Ambiguity of Compliance Terms was originally published in PolicyCo on Medium.