The Problem

Organizations often face multiple compliance requirements—ISO 27001, GDPR, SOC 2, industry regulations, and internal policies. Each framework demands controls, documentation, and evidence. Without a systematic approach, teams end up creating duplicate controls for overlapping requirements, maintaining separate evidence for identical activities, and struggling to demonstrate compliance efficiently during audits.

The result is wasted effort, inconsistent compliance status, and audit fatigue. A single security control might satisfy requirements from three different frameworks, but if you're tracking them separately, you're doing triple the work.

What You'll Achieve

By the end of this tutorial, you will have a compliance obligation register that maps requirements to existing controls, identifies gaps, eliminates duplication, and provides a clear view of your compliance posture across all applicable frameworks.

Prerequisites

  • A list of regulations, standards, and frameworks that apply to your organization
  • Access to the full text of each requirement (standards documents, regulatory guidance)
  • Your existing risk register with documented controls
  • Understanding of different types of controls (preventive, detective, corrective)

Step 1: Build Your Compliance Obligation Register

Start by creating a central register that lists every compliance obligation. This isn't about controls yet—it's about capturing what you're required to do.

For each obligation, document:

  • Source: The regulation, standard, or policy (e.g., GDPR Article 32, ISO 27001 A.9.4.1)
  • Requirement summary: Plain-language description of what's required
  • Specific clause: The exact reference for traceability
  • Applicability: Which business units, systems, or processes are in scope
  • Compliance deadline: When compliance is required (if applicable)
  • Review frequency: How often this requirement needs reassessment

Use Original Sources

Always reference the original regulatory text, not summaries or third-party interpretations. This ensures accuracy and provides auditors with clear traceability.

Step 2: Group Obligations by Theme

Once you have all obligations listed, categorize them by theme or control objective. This reveals where different frameworks require similar things.

Common themes include:

  • Access Control: Authentication, authorization, privilege management
  • Data Protection: Encryption, backup, data handling
  • Incident Response: Detection, notification, remediation
  • Third-Party Management: Vendor assessment, contract requirements
  • Training and Awareness: Employee education, competency requirements
  • Documentation: Policy requirements, record retention
  • Monitoring: Logging, review, audit trails

For example, you might find that GDPR Article 32 (security of processing), ISO 27001 A.10 (cryptography), and your data protection policy all require encryption of personal data. These go into the same "Data Protection" theme group.

Step 3: Map Obligations to Existing Controls

Now connect your obligations to controls you already have in place. Review your risk register and identify controls that address each obligation.

For each obligation:

  1. Identify related controls: Which existing controls address this requirement?
  2. Assess coverage: Does the control fully satisfy the requirement, partially address it, or not apply?
  3. Document the link: Create explicit connections between obligations and controls
  4. Note evidence: What documentation or proof demonstrates the control meets the requirement?

One control often satisfies multiple obligations. Your "encryption at rest" control might address requirements from GDPR, ISO 27001, SOC 2, and PCI DSS simultaneously. Capture all these connections—this is where you eliminate duplication.

Step 4: Identify Gaps and Overlaps

Analyze your mapping to find issues:

Gaps: Unaddressed Obligations

Look for obligations with no linked controls. These represent compliance gaps that need attention. Prioritize based on:

  • Regulatory severity (fines, legal consequences)
  • Audit timeline (upcoming assessments)
  • Risk exposure (likelihood and impact of non-compliance)

Overlaps: Redundant Controls

Identify where multiple controls address the same requirement unnecessarily. Signs of overlap include:

  • Different teams maintaining separate controls for the same purpose
  • Multiple policies covering identical requirements
  • Duplicate monitoring or testing activities

Understanding inherent versus residual risk helps you evaluate whether your current controls are sufficient or if gaps represent significant exposure.
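As an added example (not part of the original tutorial), Steps 1 to 4 as a small Python script over a constructed sample register: it groups obligations by theme, records each obligation-to-control link with its assessed coverage, flags unmapped and only-partially-covered obligations as gaps, and lists obligations with more than one fully covering control as consolidation candidates. The obligation ids, control ids and mappings are hypothetical; only the cited clauses come from the text above.

```python
from collections import defaultdict

# Constructed sample register: hypothetical obligations and controls for illustration only.
OBLIGATIONS = [
    {"id": "GDPR-32", "source": "GDPR Article 32", "theme": "Data Protection"},
    {"id": "ISO-A10", "source": "ISO 27001 A.10", "theme": "Data Protection"},
    {"id": "POL-DP-3", "source": "Internal data protection policy, s.3", "theme": "Data Protection"},
    {"id": "GDPR-33", "source": "GDPR Article 33", "theme": "Incident Response"},
    {"id": "ISO-A9.4.1", "source": "ISO 27001 A.9.4.1", "theme": "Access Control"},
]
# (obligation id, control id, coverage); coverage is "full" or "partial" as assessed in Step 3.
MAPPINGS = [
    ("GDPR-32", "CTL-01-encrypt-at-rest", "full"),
    ("ISO-A10", "CTL-01-encrypt-at-rest", "full"),
    ("ISO-A10", "CTL-02-laptop-disk-encryption", "full"),
    ("POL-DP-3", "CTL-01-encrypt-at-rest", "full"),
    ("ISO-A9.4.1", "CTL-03-rbac", "partial"),
]

def group_by_theme(obligations):
    """Step 2: theme -> sorted obligation ids, showing where frameworks ask for similar things."""
    themes = defaultdict(list)
    for o in obligations:
        themes[o["theme"]].append(o["id"])
    return {t: sorted(ids) for t, ids in themes.items()}

def analyze(obligations, mappings):
    """Steps 3-4: explicit links, unmapped and partial-only gaps, overlaps, and control reuse."""
    links = defaultdict(dict)   # obligation id -> {control id: coverage}
    reuse = defaultdict(int)    # control id -> number of obligations it serves
    for ob, ctl, cov in mappings:
        links[ob][ctl] = cov
        reuse[ctl] += 1
    return {
        # Gaps: no linked control at all (highest priority), or nothing better than partial coverage.
        "unmapped": sorted(o["id"] for o in obligations if o["id"] not in links),
        "partial_only": sorted(ob for ob, c in links.items() if "full" not in c.values()),
        # Overlaps: more than one control claims full coverage of the same obligation (Step 5 merge candidates).
        "overlaps": {ob: sorted(k for k, v in c.items() if v == "full")
                     for ob, c in links.items() if list(c.values()).count("full") > 1},
        # Reuse: one control satisfying several obligations is the duplication you have eliminated.
        "reuse": dict(reuse),
    }

if __name__ == "__main__":
    print("themes:", group_by_theme(OBLIGATIONS))
    for key, value in analyze(OBLIGATIONS, MAPPINGS).items():
        print(f"{key}: {value}")
```

In the sample, GDPR-33 is unmapped, ISO-A9.4.1 has only partial coverage, ISO-A10 is covered twice (an overlap to review), and the encryption-at-rest control serves three obligations from three sources.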

Step 5: Consolidate Where Possible

Reduce duplication by consolidating controls:

Merge Duplicate Controls

If two controls do the same thing, combine them into one. Assign clear ownership and update all obligation mappings to reference the consolidated control.

Expand Control Scope

Sometimes a control partially addresses multiple requirements. Consider expanding its scope to fully cover all related obligations rather than creating separate controls.

Create Unified Policies

Rather than maintaining separate policies for each framework, create comprehensive policies that address all requirements. Map each policy section to the specific obligations it satisfies.

Preserve Audit Trails

When consolidating controls, maintain documentation showing how the consolidated control addresses each original requirement. Auditors need to trace from requirement to control to evidence.

Step 6: Establish Ongoing Monitoring

Compliance tracking isn't a one-time exercise. Set up a sustainable process:

Regular Review Cycle

Schedule periodic reviews following the same principles you'd use to review and update your risk register:

  • Quarterly: Review control effectiveness and evidence currency
  • Annually: Full obligation review and remapping
  • Event-triggered: New regulation, audit findings, organizational changes

Regulatory Change Monitoring

Track changes to applicable regulations:

  • Subscribe to regulatory updates from governing bodies
  • Assign responsibility for monitoring each regulation
  • Define a process to assess and incorporate changes

Evidence Management

Organize evidence so it's readily available for audits. For each control:

  • Document what evidence is required
  • Specify where evidence is stored
  • Define retention periods based on regulatory requirements
  • Assign responsibility for evidence collection and updates

This preparation makes internal and external audits considerably less stressful.

Common Mistakes to Avoid

  • Treating frameworks as separate projects: Each new framework shouldn't require building compliance from scratch. Always map to existing controls first.
  • Creating controls for every clause: Many regulatory clauses can be satisfied by the same control. Group related requirements before creating controls.
  • Ignoring implementation reality: A mapped control only counts if it's actually operating effectively. Verify that controls work; don't just document that they exist.
  • Letting mappings go stale: Regulations change, controls evolve. Outdated mappings create false confidence and audit surprises.
  • Over-complicating the structure: Start simple with clear obligation-to-control links. Add complexity only when needed.

Outcome Checklist

Before considering the exercise complete, verify:

  • All applicable regulations and frameworks are identified
  • Each obligation is documented with source, requirement, and applicability
  • Obligations are grouped by theme to identify relationships
  • Every obligation is mapped to at least one control (or flagged as a gap)
  • Redundant controls are consolidated
  • Evidence requirements are documented for each control
  • Review cycles are scheduled
  • Ownership is assigned for each obligation and control