Different industries may require different security standards, frameworks, or regulations. Fortunately, there is a proven methodology for implementing multiple frameworks in parallel. With proper planning and an understanding of the critical implementation milestones, an organization can potentially be certified in two or more standards or frameworks within a year.
ISO/IEC 27001:2013, published by the International Organization for Standardization (ISO), is the recommended standard for managing multiple frameworks. Other frameworks map back to the ISO 27001 controls readily; for example, NIST publishes mappings of its own controls to ISO 27001 (NIST SP 800-53 includes such a mapping in an appendix, and the NIST Cybersecurity Framework lists ISO 27001 among its informative references).
Think of ISO 27001 as the blueprints of a home, and the frameworks as the guidelines for the electricians, plumbers, and other trades. ISO places more emphasis on how the program operates than on prescribing specific controls, which gives flexibility in how a control is implemented and lets one implementation satisfy many regulations and frameworks. It is also one of the few standards with a certification that is accepted globally. Some United States (U.S.) based customers may still require a SOC 2 (System and Organization Controls 2) Type 2 attestation report, even though the two have roughly 70% to 80% overlap in their control requirements.
While the security standards above are contractual obligations (a customer or partner requires them), regulations are legal obligations and must also be taken into account. Consider regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) as requirements that add controls around a specific classification of data (protected health information and EU residents' personal data, respectively). HIPAA and GDPR specify what must be protected and to what end; they do not tell you how to run the underlying security program.
Semper Sec recommends starting with ISO 27001 as the foundation on which the rest of your programs are built. ISO 27001 allows an organization to integrate other frameworks into its Annex A controls, to implement ISO/IEC 27701 on top of it to cover privacy controls, and/or to layer on SOC 2 requirements. If ISO 27001 is done correctly, meeting SSAE 18 (Statement on Standards for Attestation Engagements No. 18, the AICPA standard under which SOC reports are issued) and SOC 2 should require little additional control implementation.
Given the recommended implementation timeline below, the goal is to front-load certain tasks so that by the time the individual audits arrive, there is little room for confusion. Change, for instance, can affect company culture. To avoid uncertainty, every employee should be aware of any updated procedures that apply to their department or role before an audit, and any newly introduced systems should be understood and in use as documented by the time the audit occurs. Should an organization choose to implement multiple standards and/or frameworks without outside help, six months to a year may be added to the timeline, depending on how well the organization handles change management.
Set a target certification date and then build the timeline backward from it. Some organizations will take their time while others will be eager to finish. One important point to remember: this process takes exactly as much time as you give it.