AmaraW
AuditBoard Staff

Who Should Use This Guide

This guide is designed for teams implementing their first compliance framework using AuditBoard’s CrossComply. Regardless of the specific framework or standard you're working toward, this guide will help you build an agile compliance program that will scale as your organization grows. 

Here’s what you’ll need to get started: 

  • Core-user-level access to CrossComply
  • Working knowledge of AuditBoard compliance terms and definitions
  • In-scope frameworks and controls
  • Content licenses, if applicable (CrossComply will notify you if additional licensing is required) 

 

Recommended Training from AuditBoard Academy

If you haven’t yet completed CrossComply training in AuditBoard Academy, now is a great time to start! Building out Your Framework Infrastructure, Assessing Compliance with Framework Assessments, and Control Assessments are three highly recommended courses that are also eligible for CPE credit through the National Association of State Boards of Accountancy. Additional learning opportunities include:

  • Live Interactive Training: Learn how to conduct CrossComply framework and control assessments alongside other AuditBoard customers in real time.
  • CrossComply Administrator Learning Path: This learning path is ideal for CrossComply Admin team members. It takes about 5 hours to complete – including many additional opportunities for CPE credit.
  • CrossComply Team Member Learning Path: Help team members become experts in managing and performing the day-to-day core functional activities in your organization's compliance environment with this interactive learning path.

Disclaimer: This guide provides general best practices for implementing a compliance framework using AuditBoard’s CrossComply. While it is intended as a starting point, it may not address all unique organizational or regulatory requirements. Therefore, please consult with your compliance team or advisors for specific or additional guidance.

 

SOC 2 vs. ISO 27001: What You Need to Know

While guidance inside this best practice guide can be applied to any compliance framework, SOC 2 and ISO 27001 are among the most frequently pursued. Understanding the differences between them is crucial for determining which to pursue or whether both are necessary for your organization:

  • ISO 27001 focuses on establishing an Information Security Management System (ISMS).
  • SOC 2 emphasizes protecting data across the Trust Service Criteria (e.g., security, availability, confidentiality).


 

Step 1: Review and Understand Framework Requirements

Why this step is important: Getting familiar with the framework provides you with essential insights into its scope, relevance, and key requirements. Many frameworks, such as ISO 27001, SOC 2, and NIST CSF, offer guidance on how to get started, including risk assessments and defining applicable criteria. Understanding these principles from the start helps you tailor your compliance program to your organization’s needs and sets the stage for effective implementation.

 

Import the Framework

Review Framework Details: Each compliance framework comes with official documentation and guidance provided by the issuing organization. This documentation is your primary resource for understanding how the framework works, what’s required, and how to align your organization with those requirements. Watch for:
  • Key concepts: Understand the main principles behind the framework. For example, ISO 27001 focuses on establishing an Information Security Management System (ISMS), while SOC 2 emphasizes protecting data across the Trust Service Criteria (e.g., security, availability, confidentiality).
  • Framework requirements: Each framework will outline controls or criteria you need to follow. For instance, Annex A of ISO 27001 contains a list of controls, while SOC 2 provides controls based on its Trust Service Categories.
  • Implementation guidance: Some frameworks, like NIST CSF, offer specific guidance on how to implement framework requirements. Review this carefully to understand how to apply it to your organization.
  • Industry-specific guidelines: While frameworks like SOC 2, ISO 27001, and NIST CSF provide general implementation guidance, many industries have additional standards or best practices that are important to consider.
Consider uploading additional framework requirement information per the official documentation and guidance. If additional documentation is needed, you may add custom fields to the framework requirement page.

 

Step 2: Plan Your Gap Assessment

Why this step is important: A well-structured plan ensures that resources are allocated correctly, stakeholders are aligned, and business units are involved based on the scope. Utilizing AuditBoard’s inventory feature ensures that the correct business units are identified and included in the assessment, making the process more organized and targeted. 

Scope Requirements: Define the scope of each requirement based on your organizational goals, current environment, and the compliance framework, ensuring it aligns with the relevant business units and company objectives. Once you have identified the applicable framework requirements, you can mark each requirement as in or out of scope.

Inform Leadership: Based on your understanding of the framework, build an overall project plan to achieve compliance, defining the happy path and potential risks or challenges. Establish a timeline, key deliverables, roles, responsibilities, and estimated effort. Once complete, share the plan with leadership to align on the scope and value of the gap assessment and ensure they understand the estimated timeframe, typically 1-2 months.

Announce to Stakeholders: If leadership approves moving forward, inform relevant stakeholders about the assessment objectives, timeline, and their roles and responsibilities to ensure alignment and readiness for execution.

Connect with Other Platform Admins: If your organization already uses AuditBoard for other GRC use cases, we strongly recommend connecting with them to see how you can save time and streamline workflows by using risks, controls, evidence, entities, application listings and other data already inside your AuditBoard environment.

Assign Requirement Owners: Bulk update framework requirements to assign each requirement to the appropriate stakeholders who can provide the necessary information. This step facilitates a smooth assessment process and efficient workflow management.

 

Compliance Pro Tip
Set your team up for success by engaging leadership and stakeholders before you launch your first compliance assessment in AuditBoard. First, schedule a kickoff meeting with all key stakeholders and leaders to go through the project plan, set expectations, and explain the benefits of AuditBoard. After your kickoff meeting, schedule an AuditBoard training session to walk stakeholders through the assessment process to facilitate faster adoption. Resources to help you get started: 

  • Program announcement email: Use this template to jumpstart your next compliance initiative. We encourage you to adjust the content and tone to match your organization's brand and culture.  
  • Compliance program RACI: Document roles and responsibilities across stakeholders with this RACI template. Add, delete, or adjust roles, phases, and tasks to fit your needs. 

 

Step 3: Run the Gap Assessment and Collect Evidence

Why this step is important: Running a thorough gap assessment provides a clear understanding of where your organization stands. With AuditBoard’s notifications and workflows, you can efficiently assign tasks and set deadlines, keeping the project organized and on track.

 

Stage Project: Create the gap assessment project in AuditBoard to identify compliance gaps. Ensure the assessors, reviewers, assessment questions, and due dates align with communicated timelines. If you would like to collect evidence, determine which evidence requests should be imported from the request library or created manually. If you are unsure about what evidence to request, simply send assessment questions to ask for any evidence that may be helpful to support the compliance conclusion.

Launch Assessment: Launch the assessment and use notifications and workflows to ensure that owners are notified of their tasks and deadlines.

Track and Drive Progress: Track progress using AuditBoard’s dashboards to ensure the assessment is completed within the planned time frame.

Review Evidence and Conclude on Compliance Status: Review the evidence received and conclude on compliance results.

Document Gaps and Issues: Use AuditBoard’s issue workflows to log gaps and issues identified during the assessment.

 

Compliance Pro Tip
If you’re launching a new compliance program, we recommend inviting your stakeholders to a live session to complete the first assessment in AuditBoard together. This serves as great hands-on training, provides an opportunity to address any questions, and ensures everyone is comfortable completing the process moving forward.

 

Step 4: Issue Compliance Report

Why this step is important: The compliance report is critical for communicating the results of the assessment to leadership and stakeholders. It provides a clear overview of where your organization stands and what work needs to be done next to achieve your goal. AuditBoard’s reporting tools make it easy to generate this report efficiently.

 

Generate Report: Use AuditBoard’s reporting features or out-of-the-box dashboards to generate a comprehensive compliance report from the data gathered during your gap assessment. We recommend using this report template to accelerate your reporting process and ensure stakeholders understand your current compliance posture.

Share Report with Leadership: Present the findings to leadership and stakeholders to ensure that the next steps for remediation are clear and aligned.

 

Step 5: Begin Remediation Process 

Why this step is important: The remediation process is crucial because it ensures that your organization is not only correcting existing compliance gaps but also proactively reducing future risks. By addressing issues, managing risks, updating policies, and implementing controls in parallel, your organization can close gaps more quickly and efficiently.

Here's how each of these elements interrelates:

  • Addressing issues and managing risks are often interconnected
  • Policy updates and control implementations are complementary
  • Control implementation and evidence collection can occur in tandem

Addressing Issues and Managing Risks

Issues are specific gaps or failures in controls identified during the gap assessment, while risks are potential problems that might occur and require mitigation. Remediating an issue also reduces the associated risk, so addressing both at the same time ensures that the organization is tackling current weaknesses and future vulnerabilities in tandem.

 

Remediate Issues: Create an issue and action plan for any gaps and work with stakeholders to remediate all identified issues (e.g., a gap in access control).

Run a Risk Assessment Project: Conduct a risk assessment to understand the broader impact of each issue and prioritize related issues based on risk level.

Build Evidence Requests: Once issues are remediated, create an evidence request and set a recurrence for stakeholders to upload the required documentation each time they perform the required action. Additionally, use the automated evidence collection feature to gather documentation automatically, ensuring ongoing compliance and issue resolution.

 

Compliance Pro Tip

During this stage, multiple workflows — such as addressing issues, managing risks, updating policies, implementing controls, and automating evidence requests — can be worked on in parallel because they complement each other in driving efficient and comprehensive remediation.

 

Updating Policies and Implementing Controls

Policy updates often go hand-in-hand with control implementation. Policies set the formal guidelines for behavior (e.g., data encryption or access control), while controls enforce these guidelines operationally. By working on both in parallel, you will ensure that organizational policies are backed by effective, enforceable controls.

 

Update or Create Policies: Create and review policies that reflect the necessary changes in compliance (e.g., implement a new data retention policy or update access control policies).

Document the Control Implementation: Implement the controls that support these policies (e.g., configure encryption, establish access monitoring systems) and document implementation details:
  • Recommended approach: Establish common controls by adopting SCF controls or another commonly used control set as a baseline. Either create a 1:1 match between your controls and SCF controls, or develop a more comprehensive set of common controls where each can cover multiple SCF controls.
  • Alternative approach: Document the implementation at the requirement level, using a designated field on the requirement page to capture details. This approach works well in the short term, but may lack the efficiency a broader common control set can provide once you are in a multi-scope and multi-framework environment.

Build Requirement and Control Evidence Requests:
  • Build an evidence request library to collect proof of framework and control implementation (e.g., encryption logs, access control records).
  • Leverage the knowledge obtained via the gap assessment, policy updates, and framework/control implementation process to determine if additional requests should be added to your library.
  • Use the automated evidence collection feature to create, send, and review requests.

 

Issues, Risks, and Exceptions: What You Need to Know

Understanding the difference between issues, risks and exceptions is fundamental to building a compliance program. Each represents a distinct challenge that requires a tailored approach to management and mitigation.

 

 

Issue
  • Definition: A problem or gap that has already occurred and needs resolution.
  • Example: Multi-factor authentication (MFA) is not enforced for all users, which is a required security measure.
  • AuditBoard Solution: Immediate Issue Remediation. Addressing current control gaps and issues ensures you can quickly regain compliance and minimize exposure.

Risk
  • Definition: A potential future event that could negatively impact the business.
  • Example: An attacker could gain unauthorized access to sensitive systems, potentially leading to data breaches, financial loss, and regulatory non-compliance.
  • AuditBoard Solution: Proactive Risk Management. Monitoring and mitigating risks provides a forward-looking approach to safeguarding compliance; a strong risk management process assesses risks continuously so that mitigation measures are in place before they become actual issues.

Exception
  • Definition: A formal request to deviate from a policy, control, or standard due to specific circumstances.
  • Example: A legacy application used by the finance team does not support MFA, which is a required security measure. Since the system is critical for operations and cannot be immediately replaced or upgraded, an exception is granted with compensating controls in place.
  • AuditBoard Solution: Exception Management. Organizations should have a structured process to review, approve, and track exceptions to ensure they are justified, temporary, and mitigated with compensating controls.

 

Step 6: Run a Readiness Assessment

Why this step is important: After remediating issues and updating policies, it’s important to conduct a readiness assessment to ensure that all gaps are closed and controls are functioning as intended. Involving internal audit, if applicable, can provide an extra layer of assurance and improve your chances of a successful external audit. AuditBoard’s workflows and dashboards help track progress and ensure that nothing is missed.

 

Conduct a Readiness Assessment: Set up new framework or control assessments to review remediated items.

Confirm Evidence is Audit Ready: Use the evidence request feature to track updates and ensure that all required documentation is complete.

 

Step 7: Engage External Auditors

Once remediation is complete and all gaps have been closed, it’s time to bring in external auditors. AuditBoard’s pre-built reports and dashboards help you organize and present your compliance status to external auditors. You can also partner directly with external audit teams using external audit projects in AuditBoard. This feature offers a separate, secure workspace to enable collaboration on evidence requests while maintaining proper data restrictions. 

Why this step is important: Ensuring that auditors have access to all necessary evidence and documentation will make the audit process smoother and more efficient. Follow these best practices inside AuditBoard to organize evidence and ensure readiness before your external audit. 

 

Best Practices for Involving Auditors

Review

Organize and Prepare:
  • Organize and present evidence clearly using AuditBoard evidence requests.
  • Create an audit project, upload audit requests and map them to evidence requests to reuse documentation gathered throughout the year.
  • Create new evidence requests to gather fresh documentation for the audit.