
Webinar

Mastering multiple compliance frameworks

Navigating the complexities of compliance strategies

Apr 08, 2025 · Authored by Samantha Boterman, Nicole Kramer

Managing multiple frameworks can feel daunting, but a unified approach can streamline the process and reduce the redundancy of overlapping controls. In a recent webinar, Baker Tilly cybersecurity specialists discussed the intricacies of managing multiple frameworks for effective compliance management.  

As with all effective compliance management, success begins at the outset. The challenges of navigating multiple frameworks must be addressed before an assessment starts; one of the first decisions is whether your organization can align several, sometimes conflicting, sets of requirements on its own or whether resource constraints call for professional assistance.

Challenges of multiple compliance frameworks 

Managing several frameworks at once often leads to confusion and inefficiency. Individual frameworks may overlap or impose conflicting requirements, making it hard to align compliance efforts. For example, the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) take different positions on data retention: GDPR emphasizes minimizing how long data is kept, while HIPAA mandates retaining certain records for extended periods. Conflicts like this are a good illustration of why it is difficult to develop a single, unified data retention policy. Additionally, vendors or customers may impose their own compliance standards, further complicating alignment.

Managing regulatory risks requires significant investment in time, money and personnel. Many compliance teams still rely on costly manual processes, which can be a major resource constraint. The regulatory environment is constantly evolving, with frequent updates and new regulations emerging. For instance, in 2023 alone, nearly 40 U.S. states and Puerto Rico introduced 350 consumer privacy bills, according to the National Conference of State Legislatures (NCSL). 

Senior management must be involved in integrating the risk management strategy with the organization’s strategic goals. Without solidified stakeholder buy-in, it becomes challenging to align these strategies effectively. Where organizations manage similar requirements separately for each framework, overlapping requirements can lead to duplicative efforts. This duplication can be inefficient and burdensome for compliance teams. 

Benefits of multiple compliance frameworks 

As complex as multiple frameworks may be to manage, they can provide several benefits for your organization. For example, multiple frameworks emphasize various security aspects, leading to a more comprehensive and robust security posture. In addition, maintaining compliance with multiple frameworks allows organizations to meet the diverse requirements of clients across different regions and industries, which can open new market opportunities and enhance competitive differentiation. 

Operational efficiency also improves when the compliance processes behind multiple frameworks are harmonized, reducing redundancy and streamlining effort. Furthermore, by demonstrating compliance with multiple frameworks, an organization can significantly enhance its reputation and build customer trust, while being better prepared to adapt to new regulations as they emerge, thereby reducing the risk of non-compliance penalties.

Identifying commonalities of key compliance and audit frameworks 

Compliance frameworks often share numerous commonalities. These commonalities can be leveraged to streamline your organization’s risk management processes and efficiently address legal, regulatory and contractual obligations.  

Frameworks such as System and Organization Controls (SOC) 2®, HITRUST, HIPAA, National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO) 27001 and others emphasize protecting sensitive information and ensuring data privacy.  

Each compliance framework incorporates principles designed to identify, assess and mitigate potential security and privacy concerns. These frameworks provide a set of controls and standards that organizations must implement to achieve compliance. Additionally, third-party assessments or audits are often required to verify adherence to a framework. While some frameworks may be industry specific, others are broadly applicable across various sectors, ensuring your organization can benefit from guidelines and standards specific to your industry.  

Learn more about each framework:

HITRUST can combine requirements from multiple standards like HIPAA, NIST, ISO, and Payment Card Industry (PCI), and can include nearly 40 frameworks. HITRUST is a certifiable framework that demonstrates compliance with a wide range of security and privacy controls, emphasizing the protection of sensitive data. Achieving HITRUST certification can help organizations establish higher trust with clients and partners.  

Key takeaway: Unified, certifiable compliance framework 

American Institute of Certified Public Accountants (AICPA) SOC 2® is built on the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy. Organizations choose which TSC to include in their SOC 2 report based on their specific needs, allowing controls to be tailored to the service organization's environment. Although SOC 2 is not mandated by law, it is often pursued to build customer trust and meet contractual obligations. It also provides unique control-set coverage on topics such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.

Key takeaway: Framework that provides trust and transparency for service providers 

HIPAA is mandated by U.S. federal law for covered entities and business associates handling Protected Health Information (PHI). There is no HIPAA certification, but third-party assessors can provide HIPAA attestation reports. The security and privacy rules include specific requirements for safeguarding PHI. Several notable changes to HIPAA regulations are forthcoming in 2025. Stay connected with our Baker Tilly team to understand how notable changes to HIPAA regulations may impact your organization.  

Key takeaway: Legal requirement for healthcare data protection 

NIST CSF is designed to help organizations manage and reduce cybersecurity risk through guidelines, best practices and standards. Although not mandatory, NIST CSF is widely adopted across various industries to improve cybersecurity posture. The framework provides comprehensive coverage by offering a structured approach to managing cybersecurity risks through its core functions: identify, protect, detect, respond and recover. Many regulatory bodies and industry groups have aligned cybersecurity requirements with the NIST CSF. It is highly customizable, allowing organizations to tailor the framework to their specific needs. 

Key takeaway: Framework that provides a comprehensive and flexible approach to managing cybersecurity risks 

NIST SP 800-53 offers a comprehensive catalog of security and privacy controls and allows organizations to tailor security measures to their specific needs and risk levels. Compliance is required for federal agencies and their contractors, making it mandatory in that space. The framework is highly adaptable and serves as the baseline for many other frameworks used by federal and state agencies, such as MARS-E (Minimum Acceptable Risk Standards for Exchanges).

Key takeaway: Framework that provides comprehensive and adaptable security and privacy controls for federal agencies 

ISO 27001 is an internationally recognized standard for information security management systems (ISMS). It emphasizes a risk-based approach, focusing on risk assessment and risk treatment to protect information assets. Organizations can achieve ISO 27001 certification to demonstrate their commitment to information security, and the standard is adopted across industries worldwide.

Key takeaway: Framework that is an internationally recognized standard for ISMS

Scoping, planning and conducting risk assessments 

Conducting efficient compliance assessments necessitates thorough planning, especially when navigating multiple frameworks. Baker Tilly cybersecurity specialists have outlined a four-step strategy to streamline the process: 

Step 1: Define your compliance obligations  

Define obligations based on industry, location, the types of data you handle and the certifications or frameworks in use. 

Step 2: Define the scope of your assessment

Identify which aspects of your organization apply to the risk assessment. Also, consider factors like product or service offerings, customer requirements, geographical locations, business units, regulatory requirements, the timing of the assessment and the audit period.  

Step 3: Plan for the assessment

Define timelines and allocate resources to conduct the assessment. Engage a third party if resources are strained. Perform a control mapping: many frameworks have overlapping requirements, which lead to duplicated effort and redundant controls if not managed properly. Communicate your findings and plans so that all teams, departments and service lines know the timeline and the road map to success. This sets the stage for a positive result once the assessment begins.

Step 4: Conduct the self-assessment 

Identify control owners and schedule walkthrough meetings to review the controls with them, understand how the control is implemented and begin to identify any risk associated with the implementation. Analyze and review the evidence gathered during the walkthroughs, observations and any additional evidence provided afterward to understand what is implemented. Identify and document the gaps and risks to implementations with a control matrix and present your findings to stakeholders and control owners to ensure they are correct and relevant. 

Once the assessment is complete, the work is not over. The gaps or risks identified will need to be remediated. It is the risk assessor's job to follow up on remediation activities, set timelines for remediation and conduct regular internal audits to ensure the gaps are remediated. 
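The control mapping of Step 3 and the control matrix of Step 4 can be kept as data and queried rather than maintained by hand. The following is an added illustration, not code from the webinar or Baker Tilly's tooling; the controls, requirement identifiers and in-scope requirement lists are constructed for the example and should be verified against the actual framework text before reuse.

```python
from collections import defaultdict

# Constructed, illustrative control matrix: each internal control lists the
# framework requirements it is intended to satisfy ("FRAMEWORK:requirement").
CONTROLS = {
    "CTL-01 (admin MFA)": ["SOC2:CC6.1", "ISO27001:A.5.15", "HIPAA:164.312(a)(1)"],
    "CTL-02 (central logging)": ["SOC2:CC7.2", "ISO27001:A.8.15", "HIPAA:164.312(b)"],
    "CTL-03 (TLS in transit)": ["SOC2:CC6.6", "ISO27001:A.8.24"],
    "CTL-04 (quarterly access review)": ["SOC2:CC6.1", "ISO27001:A.5.15"],
}

# Requirements each in-scope framework expects to see covered; this list is the
# output of Steps 1 and 2 (obligations and scope) and is also constructed here.
REQUIRED = {
    "SOC2": ["CC6.1", "CC6.6", "CC7.2"],
    "ISO27001": ["A.5.15", "A.8.15", "A.8.20", "A.8.24"],
    "HIPAA": ["164.312(a)(1)", "164.312(b)", "164.312(e)(1)"],
}


def build_matrix(controls):
    """Invert the control list into framework -> requirement -> covering controls."""
    matrix = defaultdict(lambda: defaultdict(list))
    for control, refs in controls.items():
        for ref in refs:
            framework, requirement = ref.split(":", 1)
            matrix[framework][requirement].append(control)
    return matrix


def find_gaps(matrix, required):
    """In-scope requirements with no mapped control: the remediation backlog."""
    return {fw: [r for r in reqs if r not in matrix.get(fw, {})]
            for fw, reqs in required.items()}


def shared_controls(controls):
    """Controls that satisfy more than one framework: test once, reuse the evidence."""
    frameworks = {c: sorted({ref.split(":", 1)[0] for ref in refs})
                  for c, refs in controls.items()}
    return {c: fws for c, fws in frameworks.items() if len(fws) > 1}


def redundant_requirements(matrix):
    """Requirements covered by several controls: candidates for consolidation."""
    return {f"{fw}:{req}": ctls for fw, reqs in matrix.items()
            for req, ctls in reqs.items() if len(ctls) > 1}


if __name__ == "__main__":
    matrix = build_matrix(CONTROLS)
    print("Gaps to remediate:", find_gaps(matrix, REQUIRED))
    print("Controls reusable across frameworks:", shared_controls(CONTROLS))
    print("Requirements with redundant controls:", redundant_requirements(matrix))
```

Each gap returned by find_gaps is an item for the remediation tracking described above; each entry from redundant_requirements is a place where the unified approach can retire a duplicate control.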

The increasing role of technology in compliance 

As technology continues to evolve, it can significantly impact the world of compliance and how organizations adapt. 

Risk management software offers numerous advantages, such as identifying, assessing, and mitigating risks. Furthermore, collaborating with an external assessor or auditor provides access to various tools to support your compliance efforts. 

Governance, risk and compliance (GRC) platform and its benefits 

When managing multiple frameworks, is there one control set to rule them all? Transitioning to a GRC platform automates processes and reduces the manual effort needed to manage policies, track controls and monitor compliance, replacing hand-maintained risk mappings. By providing real-time monitoring and alerts on compliance status, GRC tools also help organizations identify and address potential issues quickly. They offer a centralized platform for governance, risk and compliance activities, making it easier to maintain consistency and oversight. Additionally, GRC tools help organizations stay aligned with regulatory requirements by mapping controls to specific regulations and standards.

Artificial intelligence (AI): Use cases and risks 

As organizations evolve with advancing technologies, AI can enhance efficiency and accuracy by automating complex processes. By utilizing machine learning algorithms to predict patterns and identify risks, human expertise can be augmented, enabling individuals to focus on more intricate and creative security strategies. 

AI use cases include anomaly detection, malware detection, incident response, phishing detection, vulnerability detection and more. It is crucial to consider the risks associated with AI before integrating it into your risk management strategy. Potential risks include reputational, competitive, operational, financial and regulatory challenges. Thoroughly analyzing these risks beforehand is essential. If external assistance is required, Baker Tilly specialists are available to help.

Conclusion  

In conclusion, mastering multiple compliance frameworks is a complex yet essential task for organizations aiming to enhance their security posture, operational efficiency and regulatory preparedness. By adopting a unified approach, leveraging technology and meticulously planning compliance assessments, organizations can navigate the intricacies of various frameworks and achieve comprehensive compliance. As the regulatory landscape evolves, staying informed and proactive in compliance efforts will be crucial for maintaining trust and credibility with stakeholders. For more information and assistance, connect with Baker Tilly's cybersecurity specialists today.
