Content Structure for Information Security & Privacy
Overview
At Trustero, we’ve developed two streamlined methods for structuring compliance content: the Privacy Stack and the InfoSec Stack. Both approaches simplify the management of privacy and information security frameworks, reducing the complexity of control implementation for GRC professionals.
1. Foundational Frameworks
- Privacy Stack: We use ISO 27701 (the privacy extension to ISO 27001/27002) as the global privacy framework.
- InfoSec Stack: We use ISO 27001 as the foundation for information security.
For both stacks, we extract control names and objectives from these frameworks and treat each control as an individual control block. Each block encapsulates one specific control, allowing GRC professionals to focus on the building blocks without being overwhelmed by the granular requirements of each framework.
2. Creating Control Names and Objectives
- For both ISO 27701 (Privacy) and ISO 27001 (InfoSec), we break down the frameworks into control names and objectives.
- These control names and objectives form the blocks, which are organized into policy sections.
- Each block is a simplified, standalone control section, making it easier for GRC professionals to manage.
3. Policies to Encapsulate Controls
- We then create policies that encapsulate these blocks, organizing the controls efficiently within the larger policy framework.
- Key Principle: Focus on the block, and you’re covered. Because each block is derived from the framework's own control name and objective, satisfying the block satisfies the requirements it was built from, which reduces the number of controls you need to manage overall.
4. Benefits of the Block Approach
- Simplified Management: By focusing on the blocks, GRC professionals manage fewer controls compared to the traditional approach.
- Efficiency: Rather than tracking hundreds of granular requirements individually, you track a smaller set of blocks, each standing for the requirements it was derived from.
- Scalability: As new frameworks or updates are introduced, you can adjust or add new blocks, without needing to overhaul entire policies or controls.
5. The Spider-Web Method: A Contrast
The Spider-web method represents an alternative approach that focuses on mapping policies to the granular details of each framework’s requirements.
- Example: UCF (Unified Compliance Framework) offers pre-mapped policy sets that align with specific framework requirements.
- Drawbacks:
  - High complexity: Professionals must manage each requirement ID per framework, making tracking difficult.
  - More controls: This method generally results in a greater number of controls to manage and track.
  - Time-consuming: Each policy must address multiple framework-specific requirements, creating a more complex, harder-to-manage compliance environment.
6. Real-Life Example: Consulting Case Study
Approximately 11 years ago, while consulting for a national healthcare transportation client, my team was brought in to assist with their compliance efforts for SOC 2, HIPAA, HITRUST, and others. They had struggled for 3 years to become "audit-ready" while managing 943 controls.
By applying the block method:
- We reduced the 943 controls down to 230 blocks.
- This streamlined the process and allowed the team to get audit-ready in a much shorter time frame.
Conclusion
The Privacy Stack (ISO 27701) and the InfoSec Stack (ISO 27001) allow GRC professionals to focus on the essential building blocks of compliance while simplifying overall management. This contrasts with more granular approaches such as the Spider-web method, which can overwhelm teams with too many framework-specific details. At Trustero, we reduce the complexity of compliance by focusing on the core controls that deliver results efficiently.