How to measure compliance via a central control framework.
Risk Cloud is a powerful tool for identifying and addressing control gaps within your organization. This help article will discuss three Risk Cloud features (i.e., Cross-Workflow Calculations, Table Reports, and Visual Reports) that organizations can use for understanding control gaps when multiple control frameworks are in-scope for the organization.
For the purposes of this article, we will consider a control program that assesses maturity against the Secure Controls Framework (SCF) and ISO 27001. The program uses SCF as its primary framework to assess control maturity and relies on mappings from SCF to ISO 27001 to assess the status of ISO 27001 compliance. While we use SCF as the example of a central framework, note that organizations often develop their own primary framework, typically made up of internal controls, which are mapped to other frameworks and imported into Risk Cloud.
Using Cross-Workflow Calculations to Calculate Control Scores
Cross-Workflow Calculations are a useful tool that organizations may use to identify control gaps. For more specifics on Cross-Workflow Calculations, please reference the help article linked below:
Through Cross-Workflow Calculations, the results of linked control evaluations can be displayed on the related control records themselves. Consider an instance in which SCF controls PRM-01 and PRM-02 are mapped to ISO 27001 control 6.1.1. If evaluations were performed on PRM-01 and PRM-02, Risk Cloud can pull those scores into the mapped ISO 27001 control 6.1.1 record as an average. The result is a control score for ISO 27001 6.1.1 that reflects the maturity of the mapped SCF controls, without an evaluation having been performed on the ISO control itself.
To accomplish this, first create an evaluation scoring Field within your Control Evaluations Workflow. In this example, the evaluations on SCF controls are completed in an application called "SCF Compliance" with a Field titled "SP-CMM Level." Please note that each maturity level is assigned its own unique, numeric value.
Next, we'll create a Cross-Workflow Calculation within our SCF control repository workflow. Because there is a mapped relationship between our Control Evaluations and SCF Repository Workflows, we can pull in the evaluation Field from the Evaluations Workflow as a Field input to this calculation.
Lastly, we'll create a Cross-Workflow Calculation at the ISO 27001 repository level. The Field input for this calculation is the Cross-Workflow Calculation created at the SCF Repository Workflow level, not the evaluation Field itself, because the ISO 27001 Workflow has no direct relationship to the Control Evaluations Workflow; that relationship is inherited through the SCF Repository Workflow.
The next step is to complete the SCF evaluations using the Control Evaluations Workflow. Let's say that PRM-01 is given a maturity designation of "Continuously Improving," which has a numeric value of 5, and PRM-02 is given a maturity designation of "Well-Defined," which has a numeric value of 3. The result of these evaluations is that ISO 27001 requirement 6.1.1 receives a maturity score of 4, the average (5 + 3) / 2 of the evaluations performed on PRM-01 and PRM-02.
Using Table Reports to Summarize Control Mappings
Using Table Reports, an organization can understand where the implementation of a central framework, SCF in this case, may not be addressing all ISO 27001 controls. In this example, an organization would want to create a Table Report displaying the relationships between SCF and ISO 27001. Additionally, maturity scores on the centralized control framework and their related Cross-Workflow Calculations may be displayed on Table Reports.
To start, create a Table Report including Fields from SCF and ISO 27001. Pull in the necessary Fields from each Workflow to help identify the controls from SCF and ISO 27001. For more information on how to create Table Reports, please reference the help articles below:
The primary Workflow you select for your Table Report matters because every record of the primary Workflow appears in the report, with the secondary Workflow's Fields left null wherever no mapped record exists. Gaps therefore only become visible for the framework chosen as primary. In this example, because SCF is the central framework and we want to find ISO 27001 controls that no SCF control addresses, the child framework (ISO 27001) should be the primary Workflow, with the SCF controls as the secondary Workflow. If SCF were primary instead, an ISO 27001 control with no mapping would simply never appear in the report.
Once this Table Report is created, your organization can analyze where control gaps exist. Null values in the SCF Fields indicate ISO 27001 controls that are not covered by SCF controls via mappings and may need to be assessed outside of the SCF assessment. For example, in this report no SCF controls are mapped to ISO 27001 controls 4.10, 4.20, 4.30, and 4.40.
If your organization wants to see all ISO 27001 controls that are currently mapped to the central SCF, add a "Not Null" filter on the unique SCF control identifier Field within the Table Report. Conversely, if your organization wants to see all ISO 27001 controls that are not mapped to SCF controls, add a "Null" filter on that same SCF identifier Field.
Please see screenshots of Table Reports with these types of filters added below. The first Table Report has a "Null" filter on the SCF Fields. The second Table Report has a "Not Null" filter on the SCF Fields.
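To make the rollup from the Cross-Workflow Calculations section and the Null/Not Null gap logic of the Table Report concrete, here is an added worked example in Python. It is not Risk Cloud code or a Risk Cloud API; it models the three Workflows as plain lists and reproduces the two calculations and the report filters. All control identifiers, mappings and evaluations are constructed sample data, and the choice to leave unevaluated SCF controls out of the ISO average (rather than counting them as 0) is an assumption made here, not something the article states.

```python
"""Added worked example (not Risk Cloud's own code): roll SCF evaluation
scores up to mapped ISO 27001 controls and list ISO controls that no SCF
control is mapped to. All data below is constructed for illustration."""
from collections import defaultdict
from statistics import mean

# SCF's SP-CMM maturity scale as numeric values; the article names only
# "Well-Defined" (3) and "Continuously Improving" (5).
SP_CMM_LEVELS = {
    "Not Performed": 0,
    "Performed Informally": 1,
    "Planned & Tracked": 2,
    "Well-Defined": 3,
    "Quantitatively Controlled": 4,
    "Continuously Improving": 5,
}

# Constructed sample data standing in for the three Workflows.
SCF_CONTROLS = ["PRM-01", "PRM-02", "PRM-03", "PRM-04"]   # SCF repository
ISO_CONTROLS = ["4.10", "5.1.1", "6.1.1", "6.1.2"]        # ISO 27001 repository
EVALUATIONS = [          # Control Evaluations Workflow: (SCF control, "SP-CMM Level")
    ("PRM-01", "Continuously Improving"),
    ("PRM-02", "Well-Defined"),
    ("PRM-03", "Planned & Tracked"),
]                        # PRM-04 is in the repository but not evaluated yet
SCF_TO_ISO = [           # mapping relationship between the two repositories
    ("PRM-01", "6.1.1"),
    ("PRM-02", "6.1.1"),
    ("PRM-03", "6.1.2"),
    ("PRM-04", "5.1.1"),
]                        # ISO 4.10 has no SCF mapping at all


def scf_control_scores(evaluations):
    """Cross-Workflow Calculation at the SCF repository level: average SP-CMM
    level of the evaluations linked to each SCF control."""
    levels = defaultdict(list)
    for scf_id, level_name in evaluations:
        levels[scf_id].append(SP_CMM_LEVELS[level_name])
    return {scf_id: mean(v) for scf_id, v in levels.items()}


def iso_control_scores(iso_controls, mappings, scf_scores):
    """Cross-Workflow Calculation at the ISO 27001 level: average of the
    SCF-level calculation over the mapped SCF controls. Mapped controls with
    no evaluation are skipped, not counted as 0 (assumption made here).
    None means no mapped SCF control has a score yet."""
    mapped = defaultdict(list)
    for scf_id, iso_id in mappings:
        mapped[iso_id].append(scf_id)
    scores = {}
    for iso_id in iso_controls:
        known = [scf_scores[s] for s in mapped.get(iso_id, []) if s in scf_scores]
        scores[iso_id] = mean(known) if known else None
    return scores


def table_report(iso_controls, scf_controls, mappings, scf_scores,
                 primary="iso", scf_filter=None):
    """Rows of a Table Report joining the two repositories.

    primary="iso": one row per ISO control and mapped SCF control; ISO controls
    with no mapping get a single row with null SCF columns (the gap we want).
    primary="scf": one row per SCF control; unmapped ISO controls never appear.
    scf_filter: None, "null" or "not null", applied to the SCF identifier column.
    """
    rows = []
    if primary == "iso":
        scf_for = defaultdict(list)
        for scf_id, iso_id in mappings:
            scf_for[iso_id].append(scf_id)
        for iso_id in iso_controls:
            for scf_id in scf_for.get(iso_id) or [None]:
                rows.append({"iso_control": iso_id, "scf_control": scf_id,
                             "scf_score": scf_scores.get(scf_id)})
    else:
        iso_for = defaultdict(list)
        for scf_id, iso_id in mappings:
            iso_for[scf_id].append(iso_id)
        for scf_id in scf_controls:
            for iso_id in iso_for.get(scf_id) or [None]:
                rows.append({"iso_control": iso_id, "scf_control": scf_id,
                             "scf_score": scf_scores.get(scf_id)})
    if scf_filter == "null":
        rows = [r for r in rows if r["scf_control"] is None]
    elif scf_filter == "not null":
        rows = [r for r in rows if r["scf_control"] is not None]
    return rows


if __name__ == "__main__":
    scf = scf_control_scores(EVALUATIONS)
    iso = iso_control_scores(ISO_CONTROLS, SCF_TO_ISO, scf)
    print("ISO 27001 maturity via SCF:", iso)
    gaps = table_report(ISO_CONTROLS, SCF_CONTROLS, SCF_TO_ISO, scf, scf_filter="null")
    print("ISO controls with no SCF mapping:", [r["iso_control"] for r in gaps])
```

Running it shows the two distinct conditions a practitioner should keep apart: ISO 4.10 is a true mapping gap (it surfaces only with ISO as the primary Workflow and a "Null" filter), while ISO 5.1.1 is mapped but its score is None because PRM-04 has not been evaluated yet; the second case is a backlog item for the SCF assessment, not a framework gap.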
Using Table Reports to Display Control Maturity
As mentioned above, Evaluation scores and Cross-Workflow Calculations can be pulled into Table Reports to further understand control maturity across multiple frameworks in-scope for your organization. In the screenshot below, the Evaluation Score on the SCF control and related Cross-Workflow Calculation on ISO 27001 controls were pulled in as Fields to the report.
Organizations can go one step further and visualize their control coverage using Visual Reports. For example, a Visual Report can be created from the Table Reports referenced above, specifically the one with the "Null" filter, to display a count of the ISO 27001 controls not being met through SCF. Alternatively, organizations may pull in the Cross-Workflow maturity score hosted at the ISO 27001 workflow level. This visual report displays the maturity of ISO 27001 controls based on the SCF assessments. For more information on creating Visual Reports, please refer to one of our help articles on this topic: