By Emily Smith, Lead Security Engineer

It’s not surprising that organizations must navigate a complex landscape of laws, regulations, and industry certifications. Non-compliance can result in legal penalties or breaches of contractual commitments. Meeting these obligations can be challenging, as it can involve significant time, effort, and financial investment.  

Falling short isn’t just a risk—it can mean costly penalties and lost trust. But what if you could simplify compliance, reduce duplication, and strengthen your security posture? That’s where a compliance framework crosswalk comes in. 

Performing a compliance framework crosswalk is a valuable practice for organizations aiming to strengthen, align, or improve their cybersecurity program. A crosswalk (or mapping) is the process of comparing and aligning the controls, requirements, or practices of two or more information security frameworks or standards to help find overlaps, reveal gaps and streamline compliance efforts. 

Why Performing a Crosswalk is Helpful 

1. Uncover Gaps and Redundancies 

Many organizations must meet multiple regulatory and industry standards. Conducting a crosswalk enables them to develop a unified set of policies and controls that align with several frameworks simultaneously. This process helps find compliance gaps and highlights missing requirements, while also revealing where different frameworks overlap (e.g., NIST CSF and ISO 27001).  

By recognizing these overlaps, organizations can reuse existing controls, minimize redundant efforts, and reduce the administrative workload associated with managing multiple audits or compliance assessments. 

2. Improve Strategic Decision Making 

Crosswalks help show which controls fulfill multiple framework requirements. This helps leaders understand what’s already in place, where gaps exist, and where to focus on improvement efforts ensuring resources are directed where they provide the most value across compliance, risk, and security goals. 

3. Enhance Audit Readiness and Reporting 

Provides clear documentation showing how controls meet various audit requirements, reducing repetitive evidence requests, and minimizing back-and-forth with auditors. In addition, crosswalks enable the consolidation of control and risk data, supporting the development of unified risk and compliance dashboards that give leadership real-time visibility into control effectiveness, audit readiness, and overall compliance status.  

4. Facilitate Maturity Assessments 

Mapping frameworks can show how your current controls and processes align with best practices or more mature models like NIST CSF, ISO 27001, or CIS Critical Security Controls, enabling benchmarking against industry standards. This mapping helps organizations assess their relative maturity, find strengths and improvement areas, and benchmark their security and risk posture against industry peers and regulatory expectations. 

When Organizations Should Conduct a Crosswalk: 

• When adopting a new framework or standard (e.g., ISO 27001, NIST, CMMC) 

• When entering a regulated industry with specific legal and compliance requirements (e.g., HIPAA) 

• When updating or transitioning to a newer version of an existing framework 

How to Complete a Crosswalk Exercise: 

1. Select the frameworks you would like to compare. In this example, we will be performing a crosswalk for HIPAA and CIS Critical Security Controls v8.1.  

2. Gather relevant framework documentation. Documentation should include control lists and any other implementation supporting documentation. For HIPAA, we will be using the HIPAA Security Rule, and for CIS we will be using the CIS controls workbook. 

3. Define the scope. Define the scope by finding which domains, processes, and controls are relevant to your organization. Are all domains, processes, and controls relevant? Exclude any elements that do not apply to focus resources on areas that truly affect compliance and risk management. 

4. Create a crosswalk matrix. Utilize a spreadsheet to document relevant information including control IDs and descriptions for each framework. Review each CIS control to see if and where a HIPAA security rule control matches. Document whether the match is a full or partial map for each requirement. If it is a partial map, note what the gap is. 

CIS v8.1	HIPAA Security Rule	Relationship	Gaps Noted
4.3 Configure Automatic Session Locking on Enterprise Assets  Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.	164.312(a)(2)(iii) Automatic Logoff   Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.	Partial	CIS requires defined time periods.
3.5 Securely Dispose of Data  Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity.	164.310(d)(2)(i) Disposal  Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.	Match	None
11.2 Perform Automated Backups  Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data.	164.308(a)(7)(ii)(A) Data Backup Plan  Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.	Partial	CIS requires backups on in-scope assets and specifies running backups weekly or more frequently.  HIPAA Security Rule applies to ePHI.

5. Analyze Gaps. Find areas where controls exist in one framework but not the other and document what the gap is for the control. This provides leadership with a clear view of missing coverage and helps prioritize actions to strengthen compliance and risk management. 

Unmapped CIS Safeguards
1.3	Utilize an Active Discovery Tool	Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.
2.1	Establish and Maintain a Software Inventory	Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
4.11	Enforce Remote Wipe Capability on Portable End-User Devices	Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.

Unmapped HIPAA Security Rule
164.308(a)(1)(ii)(C)	Sanction Policy	Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
164.310(a)(2)(ii)	Facility Security Plan	Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
164.310(d)(2)(ii)	Media Reuse	Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

6. Document Findings. After completing the crosswalk and gap analysis, summarize the level of alignment between frameworks. Highlight areas of strong alignment, partial coverage, and gaps where controls are missing or differ in scope. For each identified gap, provide actionable recommendations to address deficiencies, such as implementing new controls, adjusting existing processes, or updating policies.  

Streamlining Compliance: Performing Framework Crosswalks 

By following these crosswalk steps organizations can streamline compliance by effectively mapping controls and processes across multiple frameworks. This reduces duplication, eliminates redundant work, and allows resources to be distributed more efficiently, saving both time and costs. As a result, organizations gain a clear and actionable view of their security and risk posture, supporting informed decision making, prioritized remediation efforts, and enhanced readiness for audits and regulatory assessments. 

Getting Started: Actionable Checklist 

• Identify which frameworks apply to your organization 

• Gather official documentation for each framework 

• Define the scope of your crosswalk 

• Build your crosswalk matrix (use a spreadsheet or template) 

• Analyze and document gaps 

• Develop an action plan to address deficiencies 

• Review and update your crosswalk regularly 

Additional Resources 

• https://www.nist.gov/cyberframework 

• https://www.iso.org/isoiec-27001-information-security.html 

• https://www.cisecurity.org/controls/ 

• https://www.hhs.gov/hipaa/for-professionals/security/index.html 

Get in touch to get help with your compliance framework maintenance and management today.