Compliance Crosswalks: One Control, Many Obligations
====================================================

Purpose
-------

This document explains how Thinkwerke reduces compliance overhead by **mapping a single technical control to multiple regulatory and assurance frameworks**. Instead of implementing controls separately for each regulation, we build **shared, evidence-producing controls** that satisfy multiple obligations simultaneously.

----

Why Crosswalks Matter
---------------------

Organisations operating in EU-regulated environments typically face:

- ISO 27001
- NIS2 Directive
- Cyber Resilience Act (CRA)
- GDPR
- Customer security requirements
- Industry questionnaires and tenders

Without crosswalks, teams duplicate work, create inconsistent controls, and struggle to explain coverage. Crosswalks solve this structurally.

----

Thinkwerke Crosswalk Philosophy
-------------------------------

Thinkwerke crosswalks are:

- Control-centric, not document-centric
- Grounded in real implementations
- Evidence-first
- Maintained alongside systems

Each control answers three questions:

1. What requirement does this control satisfy?
2. Where is it implemented technically?
3. What evidence proves it continuously?

----

Core Crosswalk Dimensions
-------------------------

Each crosswalk maps across four dimensions:

- **Regulatory requirement**
- **Technical control**
- **Operational process**
- **Evidence artefact**

This ensures traceability from law to pipeline.
----

Example: Vulnerability Management Crosswalk
--------------------------------------------

A single vulnerability management workflow can satisfy:

- ISO 27001 A.12 / A.8
- NIS2 Article 21 (risk management measures)
- CRA vulnerability handling obligations
- Customer assurance requirements

Mapped elements include:

- Detection tooling
- Severity classification
- SLA enforcement
- Workflow ownership
- Exportable evidence

----

ISO 27001 ↔ NIS2 Crosswalk
--------------------------

Key alignment areas:

- Risk management
- Incident detection and response
- Access control
- Logging and monitoring
- Supplier and service management

Thinkwerke ensures these are implemented once and mapped cleanly to both frameworks.

See also: :doc:`iso27001`, :doc:`nis2`

----

NIS2 ↔ CRA Crosswalk
--------------------

NIS2 and CRA overlap heavily in:

- Secure software lifecycle (SSLM)
- Vulnerability disclosure and remediation
- Supply-chain security
- Incident handling

Thinkwerke aligns these through:

- CI/CD-integrated controls
- SBOM and dependency governance
- Evidence-producing workflows

See also: :doc:`cra`

----

GDPR ↔ Security Framework Crosswalk
-----------------------------------

GDPR privacy requirements intersect with:

- Access control
- Logging and traceability
- Data minimisation
- Incident detection

Privacy controls are mapped alongside security controls, ensuring GDPR is enforced technically — not just documented.

See also: :doc:`gdpr`

----

Customer & Tender Alignment
---------------------------

Crosswalks extend beyond regulation into:

- Customer questionnaires
- RFP and tender responses
- Partner security assessments

Evidence generated for regulators is reused for customer assurance with minimal adaptation.

----

Evidence Reuse Model
--------------------

Crosswalks enable:

- One control → many requirements
- One evidence artefact → many stakeholders
- Reduced audit fatigue
- Faster tender responses

This significantly reduces recurring compliance workload.
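The following is an added example, not Thinkwerke's own tooling, illustrating the vulnerability management crosswalk and the evidence reuse model above in code: one control is mapped to several framework requirements, SLA enforcement is computed per finding, a single evidence artefact is exported tagged with every requirement it satisfies, and a coverage report shows which requirements of each framework are still gaps. The requirement identifiers for ISO 27001 A.12 / A.8, NIS2 Article 21 and CRA vulnerability handling come from this page; the SLA values, the findings, the extra requirements used to show gaps (ISO 27001 A.9, NIS2 Article 23) and all field and function names are constructed assumptions for illustration.

```python
"""Added example: a minimal crosswalk model (one control -> many requirements
-> one reusable evidence artefact). Data below is constructed; it is not
Thinkwerke's code or policy."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed SLA policy: maximum days allowed to remediate, keyed by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Control:
    """A technical control and the framework requirements it satisfies."""
    control_id: str
    description: str
    requirements: frozenset  # e.g. {"ISO27001:A.12", "NIS2:Art.21", ...}


@dataclass
class Finding:
    """A vulnerability finding as produced by detection tooling (constructed)."""
    finding_id: str
    severity: str
    detected: date
    resolved: Optional[date] = None


def sla_deadline(f: Finding) -> date:
    """Remediation deadline derived from severity classification."""
    return f.detected + timedelta(days=SLA_DAYS[f.severity])


def sla_status(f: Finding, today: date) -> str:
    """'met' if resolved within SLA, 'open' if unresolved and not yet due,
    otherwise 'breached' (resolved late, or unresolved past the deadline)."""
    deadline = sla_deadline(f)
    if f.resolved is not None:
        return "met" if f.resolved <= deadline else "breached"
    return "open" if today <= deadline else "breached"


def evidence_artefact(control: Control, findings: list, today: date) -> dict:
    """One exportable artefact, tagged with every requirement the control
    satisfies, so the same record serves ISO 27001, NIS2, CRA and customers."""
    rows = [
        {
            "finding_id": f.finding_id,
            "severity": f.severity,
            "deadline": sla_deadline(f).isoformat(),
            "status": sla_status(f, today),
        }
        for f in findings
    ]
    summary = {s: sum(1 for r in rows if r["status"] == s)
               for s in ("met", "open", "breached")}
    return {
        "control_id": control.control_id,
        "as_of": today.isoformat(),
        "satisfies": sorted(control.requirements),
        "findings": rows,
        "summary": summary,
    }


def coverage(controls: list, framework_requirements: dict) -> dict:
    """Per framework: requirements covered by at least one control, and gaps."""
    covered = set()
    for c in controls:
        covered |= set(c.requirements)
    return {
        fw: {"covered": sorted(reqs & covered), "gaps": sorted(reqs - covered)}
        for fw, reqs in framework_requirements.items()
    }


# --- Constructed sample data ------------------------------------------------
VULN_MGMT = Control(
    "CTL-VM-01",
    "Vulnerability management workflow",
    frozenset({"ISO27001:A.12", "ISO27001:A.8", "NIS2:Art.21",
               "CRA:vulnerability-handling"}),
)
TODAY = date(2024, 6, 10)
FINDINGS = [
    Finding("F-1", "critical", date(2024, 5, 1), date(2024, 5, 5)),   # met
    Finding("F-2", "high", date(2024, 5, 1)),                         # overdue
    Finding("F-3", "medium", date(2024, 5, 20)),                      # still open
    Finding("F-4", "critical", date(2024, 5, 1), date(2024, 5, 20)),  # resolved late
]
# Constructed framework inventories; A.9 and Art.23 are included only to show gaps.
FRAMEWORKS = {
    "ISO27001": {"ISO27001:A.12", "ISO27001:A.8", "ISO27001:A.9"},
    "NIS2": {"NIS2:Art.21", "NIS2:Art.23"},
    "CRA": {"CRA:vulnerability-handling"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(evidence_artefact(VULN_MGMT, FINDINGS, TODAY), indent=2))
    print(json.dumps(coverage([VULN_MGMT], FRAMEWORKS), indent=2))
```

The artefact is produced once from the workflow's own data and carries the full list of requirements it evidences, which is what lets an auditor, a NIS2 supervisor or a customer questionnaire consume the same export; the coverage report is the check a control owner runs after a regulatory update to see which requirements no control currently maps to.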
----

Maintaining Crosswalks Over Time
--------------------------------

Crosswalks are kept current through:

- Change management integration
- Architecture updates
- Pipeline evolution
- Regulatory updates

They are living artefacts, not static spreadsheets.

----

Key Takeaway
------------

Compliance scales when controls are engineered once, mapped correctly, and proven continuously.

Crosswalks turn regulatory complexity into a manageable, auditable operating model.