Loading...

Mastering multiple compliance frameworks: Navigating the complexities of compliance strategies | Baker Tilly

compliance frameworks

Webinar

Mastering multiple compliance frameworks

Navigating the complexities of compliance strategies

April 8, 2025 · Authored by Samantha Boterman, Nicole Kramer

Managing multiple frameworks can feel daunting, but a unified approach can streamline the process and reduce the redundancy of overlapping controls. In a recent webinar, Baker Tilly cybersecurity specialists discussed the intricacies of managing multiple frameworks for effective compliance management.

As with all effective compliance management, success begins at the outset. Challenges in navigating multiple frameworks must be addressed before embarking on an assessment; one of the first points of action is to determine whether your organization may successfully address aligning several, sometimes conflicting, requirements or whether resource constraints necessitate professional assistance.

Challenges of multiple compliance frameworks

Challenges can often lead to confusion and inefficiencies. Individual frameworks may overlap or have conflicting requirements, making it challenging for your organization to align compliance efforts effectively. For example, the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) have different data retention requirements emphasizing minimizing data retention vs. mandating retaining data for extended periods. These conflicting compliance requirements are a great example of why it’s difficult for organizations to develop a unified data retention policy. Additionally, vendors or customers may have conflicting compliance standards, further complicating the alignment of compliance efforts.

Managing regulatory risks requires significant investment in time, money and personnel. Many compliance teams still rely on costly manual processes, which can be a major resource constraint. The regulatory environment is constantly evolving, with frequent updates and new regulations emerging. For instance, in 2023 alone, nearly 40 U.S. states and Puerto Rico introduced 350 consumer privacy bills, according to the National Conference of State Legislatures (NCSL).

Senior management must be involved in integrating the risk management strategy with the organization’s strategic goals. Without solidified stakeholder buy-in, it becomes challenging to align these strategies effectively. Where organizations manage similar requirements separately for each framework, overlapping requirements can lead to duplicative efforts. This duplication can be inefficient and burdensome for compliance teams.

Benefits of multiple compliance frameworks

Related sections

Article Tags

HITRUST Cybersecurity soc report Risk Assessment

Security consultant reviews ISO 27001 report

Next up

Unlocking security with ISO 27001: A guide for businesses

HITRUST

HITRUST can combine requirements from multiple standards like HIPAA, NIST, ISO, and Payment Card Industry (PCI), and can include nearly 40 frameworks. HITRUST is a certifiable framework that demonstrates compliance with a wide range of security and privacy controls, emphasizing the protection of sensitive data. Achieving HITRUST certification can help organizations establish higher trust with clients and partners.

Key takeaway: Unified, certifiable compliance framework

AICPA SOC 2

American Institute of Certified Public Accountants (AICPA) SOC 2® includes Trust Services Criteria (TSC) such as security, availability, processing integrity, confidentiality and privacy. Organizations can choose which TSC to include in their SOC 2 report based on their specific needs, allowing controls to be tailored to a service organization's environment. Although SOC 2 is not mandated by law, it is often pursued to build customer trust and meet contractual obligations. It also provides unique control set coverage on topics such as the Committee of Sponsoring Organizations of the Treadway Commission.

Key takeaway: Framework that provides trust and transparency for service providers

HIPAA

HIPAA is mandated by U.S. federal law for covered entities and business associates handling Protected Health Information (PHI). There is no HIPAA certification, but third-party assessors can provide HIPAA attestation reports. The security and privacy rules include specific requirements for safeguarding PHI. Several notable changes to HIPAA regulations are forthcoming in 2025. Stay connected with our Baker Tilly team to understand how notable changes to HIPAA regulations may impact your organization.

Key takeaway: Legal requirement for healthcare data protection

NIST Cybersecurity Framework (CSF)

NIST CSF is designed to help organizations manage and reduce cybersecurity risk through guidelines, best practices and standards. Although not mandatory, NIST CSF is widely adopted across various industries to improve cybersecurity posture. The framework provides comprehensive coverage by offering a structured approach to managing cybersecurity risks through its core functions: identify, protect, detect, respond and recover. Many regulatory bodies and industry groups have aligned cybersecurity requirements with the NIST CSF. It is highly customizable, allowing organizations to tailor the framework to their specific needs.

Key takeaway: Framework that provides a comprehensive and flexible approach to managing cybersecurity risks

NIST 800-53

NIST 800-53 offers comprehensive security, and privacy controls and provides a comprehensive approach allowing organizations to tailor security measures to their specific needs and risks levels. Compliance is required for federal agencies and contractors, making it mandatory in this space. The framework is highly adaptable and serves as the baseline for many other frameworks in the federal agency space, such as MARS-E (Minimum Acceptable Risk Standards for Exchanges) and other state agency frameworks.

Key takeaway: Framework that provides comprehensive and adaptable security and privacy controls for federal agencies

ISO 27001

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It emphasizes a risk-based approach, focusing on risk assessment and management to protect information assets. Organizations can achieve ISO 27001 certification to demonstrate their commitment to information security. This standard is internationally recognized and adopted across various industries worldwide.

Key takeaway: Framework that is an internationally recognized standard for ISMS.

Scoping, planning and conducting risk assessments

Conducting efficient compliance assessments necessitates thorough planning, especially when navigating multiple frameworks. Baker Tilly cybersecurity specialists have outlined a four-step strategy to streamline the process:

Step 1: Define your compliance obligations

Define obligations based on industry, location, the types of data you handle and the certifications or frameworks in use.

Step 2: Define the scope of your assessment

Identify which aspects of your organization apply to the risk assessment. Also, consider factors like product or service offerings, customer requirements, geographical locations, business units, regulatory requirements, the timing of the assessment and the audit period.

Step 3: Plan for the assessment

Define timelines and allocate resources to conduct the assessment. Engage with a third party if resources are strained. Perform a control mapping as many frameworks also have overlapping requirements which can lead to duplicated efforts and redundant controls if not managed properly. Communicate your findings and plans to ensure that all teams, departments and service lines know the timeline and road map to success. This sets the stage for achieving a positive result once the assessment begins.

Step 4: Conduct the self-assessment

Identify control owners and schedule walkthrough meetings to review the controls with them, understand how the control is implemented and begin to identify any risk associated with the implementation. Analyze and review the evidence gathered during the walkthroughs, observations and any additional evidence provided afterward to understand what is implemented. Identify and document the gaps and risks to implementations with a control matrix and present your findings to stakeholders and control owners to ensure they are correct and relevant.

Once the assessment is complete, the work is not over. The gaps or risks identified will need to be remediated. It is the risk assessor's job to follow up on remediation activities, set timelines for remediation and conduct regular internal audits to ensure the gaps are remediated.

The increasing role of technology in compliance

As technology continues to evolve, it can significantly impact the world of compliance and how organizations adapt.

Risk management software offers numerous advantages, such as identifying, assessing, and mitigating risks. Furthermore, collaborating with an external assessor or auditor provides access to various tools to support your compliance efforts.

Governance, risk and compliance (GRC) platform and its benefits

When managing multiple frameworks, is there one control set to rule them all? Transitioning to a GRC platform automates processes, reducing the manual effort needed to manage policies, track controls and monitor compliance, moving away from manually mapping risks. By providing real-time monitoring and alerts for compliance status, GRC tools also help organizations quickly identify and address potential issues. Furthermore, it can provide a centralized platform for managing governance, risk, and compliance activities, making it easier for organizations to maintain consistency and oversight. Additionally, GRC tools assist organizations in staying aligned with various regulatory requirements by mapping controls to specific regulations and standards.

Artificial intelligence (AI): Use cases and risks

As organizations evolve with advancing technologies, AI can enhance efficiency and accuracy by automating complex processes. By utilizing machine learning algorithms to predict patterns and identify risks, human expertise can be augmented, enabling individuals to focus on more intricate and creative security strategies.

AI use cases include anomaly detection, malware detection, incident response, phishing detection, vulnerability detection and more. It is crucial to consider the risks associated with AI before integrating it into your risk management strategy. Potential risks include reputational, competitive, operational, financial and regulatory challenges. Thoroughly analyzing these risks beforehand is essential. If external assistance is required, Baker Tilly specialists are available to help.