+91 (0) 80-4049-6666

Simplify and Accelerate Your It Compliance by Leveraging a Common Controls Framework

This eBook summarizes the webinar on how to simplify and accelerate your IT Compliance by leveraging a Common Controls Framework, with Jason Mefford, Speaker & Trainer, Unified Compliance, and NS Rao, Group Vice President, Customer Success and Services, MetricStream.

This eBook covers the following aspects as discussed by the speakers:

It Complianc

Simplified Steps to Compliance

In an organization, people feel overwhelmed when they are asked to comply with several mandates. However, a unified approach makes it simple and easy for every stakeholder to comply with mandates specific to the organization.

Here are some steps that facilitate better compliance:

IT Compliance 2


There are some pain points that organizations typically struggle with in compliance:

IT Compliance 3

What is an Authority Document?

An Authority Document can be a lot of different things – law, regulation, contractual obligation, safe harbor, international/national standard, audit guideline, best practices, etc. In compliance, certain regulations are mandatory to be followed. Apart from these, there are also several voluntary regulations that an organization chooses to follow or comply with.

Mandates don’t use the same terms across Authority Documents. For instance, if one document refers to the term “Shut the Faucet”, another one might say “Close the Spigot” and another one may refer to “Turn off the Nozzle”.

To prove that all these three terms mean the same thing, one would have to rely either on what’s already built in the Unified Compliance Framework (UCF) or do it manually by building a noun or a verb translator.

For example, a Personal Data Request can be a harmonized term for citations like Request Access to Personal Data, Request by a Concerned Party, or Request Information on the processing of his/her personal data. The process can be streamlined by providing common control that is a shared compliance requirement connected to the original mandates that an organization must follow.

What is a Unified Compliance Framework Common Control?

One can cross-walk citations manually or harmonize citations through common controls. A UCF common control helps map each of the mandates in the documents back to a common control if the verbs and nouns are related, making it easy to comply with. It is an enormous library of interconnected compliance documents and the world’s only commercially available Common Controls Framework.

The UCF features:

IT Compliance 4

One can access the UCF through the Common Controls Hub SaaS portal which is the only way to access the UCF data. A free starter account is available at Click here

There is also modularity in the UCF Common Control which can be customized to suit each organization’s needs. The Authority Documents are mapped and placed into a Common Controls Hub that one can access and use. By leveraging the framework, one gets access to a consolidated de-duplicated list of controls. It is quite an extensible framework and comprises almost a thousand of the most common Authority Documents.

UCF saves time. Without it, there will be twice the number of controls which require twice the effort. It is also an easy-to-use tool from which one can either export their requirements into a spreadsheet or move the content from the UCF into MetricStream through an API. This process is cost-effective as well because it helps reduce manual labor requirements.

How does MetricStream Make Your Compliance Mandates Actionable?

Features And Functionality
  • Federated Data Model - The Federated Data Model allows for many-to-many relationships. This allows organizations to maintain one control and mitigate multiple risks across different regulations or processes. The Federated Data Model is the source of information on how to bind core GRC libraries together.
  • Multi-Dimensional Organization Structure - This structure helps manage all organizational entities and departments across the globe.
  • AI/ML Capability - The world is moving rapidly towards using AI and ML for complex processes and compliance is no exception. In the context of GRC, MetricStream’s AI capability helps check policy citations, find related issues based on common patterns in issue titles, etc.
  • APIs & Connectors - Risks and mitigation plans originate from multiple sources. Therefore, APIs and Connectors help integrate MetricStream’s platform with your systems of record. MetricStream has pre-built APIs and a framework to build more APIs which can easily integrate with third-party systems enabling a scalable architecture.
  • Configurability - GRC needs are evolving and every organization can have a specific requirement to meet. The seamless configuration of MetricStream’s GRC tool helps you tailor it to your specific needs. It helps you to accelerate app development and reduce configuration time with low-code frameworks, reusable libraries, and drag-and-drop tools. It also helps you to stay ahead of the regulatory curve by adapting to regulatory changes rapidly and reducing the associated costs.
  • Modern Cloud Architecture - The Modern Cloud Architecture provides scalability and agility in updating the platform to ever-changing risk environments.
Risks Aligned with Library Elements

Typically, controls are mapped to risks and processes. It is also vital that risks and controls are mapped to policies and procedures as well. If there are too many exceptions in the policy, those exceptions play an important role in how effective the control is. The Federated Data Model provides organizations with the ability to map intelligently across the landscape of the GRC processes and policies.

The Data Explorer Feature

The Data Explorer feature gives you the ability to drill down from a control perspective to find the number of controls for a given regulation, the assessments that are done on a specific control, the issues logged out of the control assessments in a graphical representation format, and with information about the GRC library landscape.

What are the Core Components of IT Compliance Within MetricStream?

The core components of IT Compliance in MetricStream are listed below:

  • Libraries - These are the controls, risks, processes, procedures, citations, etc. that are an integral part of IT Compliance.
  • Self-Assessments and Testing - Once the libraries are in place, self-assessments and testing procedures for each control are defined thoroughly and granularly.
  • GRC Intelligence - GRC intelligence using a pre-built integration pulls the UCF into the IT Compliance product that can further help make intelligent decisions.
  • Issue Log - The issues that stem from self-assessments and testing are logged and used by the platform to guide data-driven insights.
  • Unified Compliance Framework - Integration with the Unified Compliance Framework is the key for IT Compliance and the MetricStream platform provides this feature.
  • Surveys, Reports, and Dashboards - These components give an in-depth insight into the various processes, citations, and procedures involved in IT Compliance.

All these components put together give organizations the flexibility and freedom to manage their IT Compliance program effectively, at scale

How does MetricStream IT Compliance Help Your Organization?

IT Compliance 3

Benefits of Using MetricStream’s IT Compliance Solution for Your Organization

The MetricStream IT Compliance solution helps an organization realize the following benefits:

  • 20-30% reduction in the time spent in finding the right controls for organization-specific citations and regulations, as well as a reduction in time taken for the assessments.
  • 30% reduction in fines because every process and compliance fulfillment process is standardized, which further makes it easier to formulate reports, maintain these reports, and present them to auditors and regulators as the need arises.
  • Improved awareness of the changing IT compliance requirements, which helps in reducing the cost of potential non-compliance due to oversight and human error.
  • Enhanced maturity of the compliance function, resulting in better corporate brand recall among auditors, governing bodies, and investors.
  • Optimized business performance and decision-making by providing a unified and real-time view of the compliance status.

Use Case of Implementing MetricStream’s IT Cyber Risk and IT Compliance for a Leading Cybersecurity Solution Provider

Cybersecurity as a domain is the equivalent of the first line for organizations and their data today. As a result, they are bound by several laws and regulations around how they collect, store, and use data, as well as their ability to comply with the very frameworks laid out by them as best practices for their industry.

Before implementing MetricStream’s IT Compliance solution, the cybersecurity solutions provider listed the following challenges:

IT Compliance 5

Post implementing MetricStream’s IT Compliance solution, the organization reported the following outcomes:

IT Compliance 6

Comprehensive GRC Products from MetricStream

MetricStream offers a comprehensive product suite in the areas of:

IT Compliance 8

MetricStream is the world’s largest independent GRC software provider with 1,200+ employees, an Enterprise SaaS Platform, a global partner ecosystem, and an experience of 450+ Enterprise Implementations, thus consistently ranking us a leader in prominent industry analyst reports.

Ready to get started?

Speak to our experts