Everybody knows the story of the Rosetta Stone.
Vast bodies of work were written in Egyptian Hieroglyphs, but nobody alive could read them; when someone discovered a stone tablet that contained the same messages in both Greek and Egyptian, the mystery of Hieroglyphs unraveled.
“Frameworks” are the Rosetta Stones of IT Compliance.
They allow you to relate a compliance requirement to an activity and cross-reference other compliance requirements.
Arguably, the NIST Cybersecurity Framework is the most prominent of these.
The NIST Cybersecurity Framework was issued by the National Institute of Standards and Technology, an arm of the US Federal Government.
It has since become required for all Federal agencies and, by extension, has been adopted by Federal contractors, large service organizations, and technology firms.
It is written in plain language, is rationally organized, and is open-source.
We’re big fans of open-source projects.
But most importantly, every requirement in the Framework relates to both an activity and its equivalent condition in other standards.
So if we know that part of our PCI compliance is to send logs to a SIEM for immediate analysis, we can search the NIST Cybersecurity Framework to see where audit logging falls.
We then learn that we are not only PCI compliant (yay!) but have also made some headway into CIS’ Critical Security Controls, ISACA’s COBIT5, the International Society of Automation’s 62443 series, the International Standards Organization 27001, and NIST’s SP800-53 series.
It should be noted that this extra credit isn’t automatic. You’ll still need to research the associated requirements.
But it is a good start, and the chances are good that you can re-use your existing activities (with some updates).