Throughout the 1970s, the Netherlands national football team disrupted the "status quo" of how football (soccer) was played. They introduced the "total football" (totaalvoetbal) doctrine. In total football, a player who moves out of his position is replaced by a teammate, so the team preserves its organizational structure throughout the game. In this fluid system, no outfield player is fixed in a predetermined role; anyone can successively play as an attacker, a midfielder, and a defender. The only fixed position is the goalkeeper. Using this doctrine, the Netherlands national team finished second at the 1974 and 1978 World Cups.
In the world of compliance controls development, most tools are built for one specific standard. Consequently, planning a control system for PCI, HIPAA, GDPR, ISO 27K, NIST, or any other standard is not the same exercise each time.
Even when an organization sets out to adhere to a single standard, data protection products must adapt to a multi-standard environment: different end-users want to measure their compliance against different standards, often at the same time. That need is the origin of the concept known as cross-mapping.
Cross-mapping is the capability of a system to measure compliance with multiple standards from a single body of controls.
It requires studying each of the standards, looking for the common ground, and creating a body of controls that appears in every one of them. That body is the base of the compliance measurement tool.
Once that common ground is defined and secured, it is time to look for the control objectives that are unique to each standard. The next phase is mapping technical controls to each control objective, so that sensors can be adapted to cover both the common and the standard-specific objectives.
Those sensors should be aligned with a framework such as MITRE ATT&CK®, which helps organizations create and evolve sensors and technical controls from the attacker's perspective and lets them integrate tactics and techniques into the data protection control system. The remaining tasks are the easier part: connect all the dots, and you reach the Valhalla of compliance, multi-standard in a nutshell.
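The procedure above (common ground, standard-specific objectives, sensors mapped to objectives and to ATT&CK techniques) fits naturally into a small data model. The following is an added example, not code from the original post or from any product: the standard names are real, but every objective label, control id and the control-to-technique mapping are constructed placeholders, not official requirement numbers. The ATT&CK technique ids used (T1078 Valid Accounts, T1110 Brute Force, T1021 Remote Services) are real ids, but which control "covers" which technique is an assumption for illustration. The point it makes is the one the text makes: one failing common-ground sensor drags the score of every standard at once, while a standard-specific gap only shows up for the standards that require it.

```python
"""Cross-mapping toy: one body of technical controls measured against
several standards at once.

All objective labels, control ids and technique assignments below are
constructed for this example; they are not official requirement numbers
of PCI, HIPAA, GDPR or ISO 27K.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Objective:
    id: str
    standards: FrozenSet[str]   # standards that require this objective


@dataclass(frozen=True)
class Control:
    id: str
    objectives: FrozenSet[str]  # objective ids this sensor evidences
    techniques: FrozenSet[str]  # ATT&CK technique ids it helps detect or prevent


# Common ground: objectives every standard in scope asks for.
COMMON = frozenset({"PCI", "HIPAA", "GDPR", "ISO27K"})

OBJECTIVES = [
    Objective("unique-user-ids", COMMON),
    Objective("central-log-review", COMMON),
    Objective("encrypt-at-rest", COMMON),
    # Standard-specific objectives (illustrative assignment only).
    Objective("network-segmentation", frozenset({"PCI"})),
    Objective("breach-notification", frozenset({"GDPR", "HIPAA"})),
]

# One sensor may evidence several objectives; one objective may be
# evidenced by several sensors. That many-to-many link is the cross-map.
CONTROLS = [
    Control("iam-no-shared-accounts", frozenset({"unique-user-ids"}), frozenset({"T1078"})),
    Control("siem-auth-failure-alert", frozenset({"central-log-review", "unique-user-ids"}),
            frozenset({"T1110", "T1078"})),
    Control("disk-encryption-check", frozenset({"encrypt-at-rest"}), frozenset()),
    Control("fw-zone-policy-audit", frozenset({"network-segmentation"}), frozenset({"T1021"})),
    Control("ir-notification-runbook", frozenset({"breach-notification"}), frozenset()),
]

# Constructed sensor results: every control passes except disk encryption.
SAMPLE_RESULTS: Dict[str, bool] = {c.id: True for c in CONTROLS}
SAMPLE_RESULTS["disk-encryption-check"] = False


def objectives_for(standard: str) -> List[str]:
    """Objective ids a given standard requires (common + specific)."""
    return [o.id for o in OBJECTIVES if standard in o.standards]


def satisfied_objectives(results: Dict[str, bool]) -> FrozenSet[str]:
    """Objectives evidenced by at least one passing control."""
    have = set()
    for c in CONTROLS:
        if results.get(c.id, False):  # unknown sensor counts as failing
            have |= c.objectives
    return frozenset(have)


def coverage(standard: str, results: Dict[str, bool]) -> float:
    """Fraction of the standard's objectives currently evidenced."""
    wanted = objectives_for(standard)
    if not wanted:
        raise ValueError(f"no objectives mapped for standard {standard!r}")
    have = satisfied_objectives(results)
    return sum(1 for o in wanted if o in have) / len(wanted)


def gaps(standard: str, results: Dict[str, bool]) -> List[str]:
    """Objectives of the standard with no passing control behind them."""
    have = satisfied_objectives(results)
    return [o for o in objectives_for(standard) if o not in have]


def techniques_for(standard: str) -> FrozenSet[str]:
    """ATT&CK techniques the sensors relevant to this standard cover."""
    wanted = set(objectives_for(standard))
    techniques = set()
    for c in CONTROLS:
        if c.objectives & wanted:
            techniques |= c.techniques
    return frozenset(techniques)


if __name__ == "__main__":
    for std in sorted(COMMON):
        print(f"{std:7s} coverage={coverage(std, SAMPLE_RESULTS):.2f} "
              f"gaps={gaps(std, SAMPLE_RESULTS)} att&ck={sorted(techniques_for(std))}")
```

Running it shows the single failing common-ground sensor (disk encryption) lowering every standard's score, whereas the firewall zone audit only ever moves the PCI score. The `techniques_for` view is the hook for the ATT&CK alignment the text describes: it tells you which attacker techniques a given standard's sensor set actually watches for, and therefore where adding a sensor would raise both detection and compliance coverage.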
At this point, you have a powerful tool that can be adapted and customized to every standard in scope. Returning to the total football analogy, it does not matter which standard an organization plays under.
What matters is the capability to preserve the controls regardless of the standard in use. In a world moving toward ever more powerful and strict data security standards, cross-mapping is becoming a kind of Swiss Army knife that lets companies quickly adjust their controls to compliance on the common ground.
The road to get there is not simple. It requires dedication, study, documentation, and many cups of coffee. In the end, organizations will find added value in a product built on cross-mapped controls: versatility, adaptability, scalability, and resilience.