Structures
Role-Specific Access
Compliance Manager
Even though structures do not have a major impact on the effectiveness of compliance management, they need to be managed with care. The maintenance of elements for structures is reserved for users with the role of compliance manager in a tenant.
In the context of the application, all users can access existing structures and apply them to different entities throughout vucavoid.
In short:
- Authorized to create, modify, and categorize structures within vucavoid.
- Responsible for structuring and managing the compliance framework through structures.
- All users can apply existing structures across the tenant.
Overview
Structures are meant to provide structure to the compliance management of every tenant in vucavoid.
To do so, structures are divided into the following (stand-alone) parts:
- Domains
- Categories
- Standards
- Assurances
All but assurances come with easy-to-use template values for import (see below).
Additionally, for all structures, tenants can activate and import blueprints (also as part of blueprint sets).
Domains
Domains are meant to be used for splitting compliance management into its multitude of activity clusters. Examples of such are:
- Information Security
- Data Protection
- Quality Management
- Payment Card Industries (PCI)
- Business Continuity
- and more
All these domains can co-exist side by side in vucavoid. Entities can be assigned to one or multiple domains at any time.
Categories
Categories are as straightforward as domains: they are meant to categorize different entities within comprehensive compliance management.
Examples for such are:
- Access Control
- Asset Management
- Environmental Security
- Incident Management
- ...
Categories can be modified by the tenant as needed.
One idea for making the most of categories is to add the organization's projects or programs as categories (e. g. a security program). This allows tracking the compliance posture of a project or the implementation progress of a program.
Standards
Similar to domains, standards provide more transparency in a tenant's compliance management.
Examples for such are:
- ISO 27001:2013
- ISO 27001:2022
- ISO 9001:2015
- BSI C5
- NIST SP 800-53
- HIPAA
- PCI-DSS 3.2.1
- PCI-DSS 4.0
- ...
Assurances
Assurances provide more inherent logic than the other structure elements (domains, categories and standards).
There are two types of assurances in vucavoid.
The first type is certifications, which mostly relate to ISO and other certifiable standards. Certifications are issued by accredited certification bodies or registrars and mostly have a specific validity of about three years (e. g. ISO management system standards such as 27001, 22301 or 9001).
Attestations, on the other hand, involve an independent CPA (Certified Public Accountant) or a firm performing an audit to verify that a service organization has adequate controls and processes in place. The focus is more on providing assurance about the effectiveness of controls and practices than on certifying compliance with a standard. For example, SOC-2 (Service Organization Control) reports are based on the Trust Services Criteria, and ISAE 3402 provides assurance over financial controls at service organizations.
It is possible to build and measure assurance (e. g. conformity with a standard) for internal purposes only. Most of the time, there is an external audit following internal preparations. Assurances in vucavoid can be configured accordingly.
By making use of assurances in vucavoid, organizations can easily track the development of their compliance management across requirements, findings, risks, incidents and more.
Examples for use cases
An organization is facing different requirements. On the one hand, it wants to provide an ISO 27001 certification to all of its clients, demonstrating a generally high level of attention to security. On the other hand, a specific (high-stakes) client is asking for a SOC-2 report to be handed to its auditors once a year. The SOC-2 scope spans financial, operational as well as security controls.
First, the organization clusters all its references into requirement clusters that capture the essence of the individual references.
All references can be aligned with the organization's vucavoid setup by assigning structural elements, as follows:
- The references from ISO 27001 will be assigned the domain "Information Security", partly also "Business Continuity" (and more, depending on the tenant's setup of domains).
- Also, the references from ISO 27001 will be assigned different categories, based on the nature of each respective reference (e. g. access management, asset management or human resources).
- Naturally, these references will all be assigned to the standard ISO 27001.
- Additionally, the client's requirements (references with origin "Contract" in vucavoid) will also be assigned to domains, categories and standards, based on their nature.
Depending on the level of detail for requirement clusters, the number of individual requirements to deal with will be significantly lower than the number of references.
Controls will be mapped to the requirements, showing implementation of what is required. Over time, control performance reports will be gathered for each control, providing transparency on the degree of fulfilment/compliance.
Along with requirements, risks, findings and incidents will be identified and handled along the way. All of them can be assigned to the relevant structural elements, too.
Just like the other structural elements, assurances can also be assigned along the way, making the tracking and management of certification or attestation reports significantly easier than before.
This example is fully domain-agnostic and can be extended to any domain or standard that, at its root, asks for compliance with a specific set of requirements.
Blueprints
For all structural elements, blueprints can be used, making it easier to
- find the right blueprint for import
- combine multiple blueprints to create blueprint sets (e. g. for a blueprint of "Becoming ISO 27001 certified").
Please refer to the overall documentation on blueprints to understand how they can be used and imported to any tenant.