Compliance Management

Learn how to do ISO 27001, PCI-DSS, NIST, SOC2 or any other compliance requirement with eramba

  • Episodes: 9
  • Duration: 39m 11s
  • Languages: EN
Episode 9

Mapping Solutions to Requirements

Linking Internal Controls, Policies, Projects, etc. to your Compliance Requirements

Introduction

In this episode, we explain how the solutions you have identified are linked to Compliance Requirements. This is done either manually (one requirement at a time) or in bulk using CSV imports.

Actions

Unlike other modules in eramba, there is no "Add" option on the action menu. The reason for this is that the association between solutions (Internal Controls, Policies, Exceptions, etc.) and requirements is made one by one on the existing compliance requirements. For that reason, you need to "edit" each requirement instead of "adding" new items.

Editing the treatment of each compliance requirement will result in the linked solutions being displayed in the filter, as shown in the screenshot below.

You can use CSV imports to "bulk" edit all mappings if you wish. You can upload this CSV as many times as you want; the table will simply be updated with whatever content you push into the system.

Roles

At the time the Compliance Package was created, you specified a role that was automatically passed into the Compliance Analysis module. This role is supposed to be the "Expert" for the requirement: the person who understands what the expectation is. This is not necessarily the person who operates the "solutions" for this problem.

You can modify the Owner individually for each requirement in the Compliance Analysis module.

General Tab

When editing compliance requirements you will be presented with several tabs, the first being "General".

The key fields here are:

  • Strategy: this is something we have explained in previous episodes. You should already have identified which of the options presented in this field applies, as part of the solution identification process.
  • Efficacy: this field is used to subjectively define to what extent the solutions for this requirement address the problem. You might feel that more could be done in order to fully treat a requirement, and therefore the efficacy is not 100%.

Treatment Tab

The Treatment tab is where the "solutions" to your requirement are selected. As part of the solution identification process, you should already know which items you need to choose from your catalogue of Policies, Internal Controls, Exceptions and Projects.

You must have created the solutions beforehand for them to be shown as options in these dropdowns.

Risks Tab

In some scenarios, you might want to associate Risks from the risk module with compliance requirements. This is sometimes needed as part of ISO-related certifications.

Findings

You can also link Compliance Findings to your requirements. After an auditor reviews the extent of your compliance program, findings will eventually emerge, and they can be documented in the Compliance Analysis Finding module.