The pain of overlapping requirements
Overlapping requirements can work to an organization’s benefit, but only if it’s equipped to deal with them in the right way. A few examples of regulations and standards with overlapping requirements might be as follows:
- ISO: 5.1.1 Policies for information security
  A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
- NIST: ID.GV-1: Organizational cybersecurity policy is established and communicated.
- PCI DSS: Requirement 12: Maintain a policy that addresses information security for all personnel.
  12.1 Establish, publish, maintain, and disseminate a security policy.
Each of these requirements shares common ground, but too many organizations work to comply with them separately as each is added into the mix. If a business already complies with NIST ID.GV-1, for instance, and then makes a business decision that requires it to demonstrate compliance with PCI DSS Requirement 12.1, it will find itself duplicating a lot of work: collecting the same data multiple times and auditing essentially the same requirement twice.