
A Show-and-Tell Approach to a Common Control Catalog

Austin Todd

Senior Consultant, Coalfire

March 13, 2025

The Benefit

Managing numerous regulatory, compliance, and security obligations has become daunting for organizations, leaving stakeholders overwhelmed with control and audit fatigue. Building a Common Controls Catalog aims to reduce this fatigue.

By utilizing a “Show-and-Tell” approach, security leaders can build a Common Control Catalog through candid control owner conversations. This creates a holistic and maturity-focused view, rather than the fragmented scope of multiple audits driven by customer and compliance requirements. The result of this approach is an accurate benchmark of enterprise-wide security practices without the obligation to disclose opportunities for improvement to external parties.

The approach described within this article can help achieve the following benefits:

  • Provide an accurate and comprehensive account of how an organization implements security, without being constrained by audit scope limitations (e.g., ISO 27001, SOC 2, PCI DSS) or concerns about audit findings
  • Organizational discovery
  • Knowledge sharing and removing silos to reduce the risk of lost knowledge
  • Speed up onboarding of new employees and auditors
  • Create an improvement roadmap for controls maturity

The Starting Point

When planning to develop a Common Controls Catalog, it is important to make the following considerations:

  • How do I ensure organizational buy-in to the effort needed?
  • How does my organization start this process?
  • What about resourcing?

Approaches to developing a Common Controls Catalog can vary, though when obtaining management buy-in, it is important to clearly share:

  • The benefits of a Common Controls Catalog
  • That Common Controls Catalog documentation will not be completed quickly with limited resources
  • That a phased approach can be taken to target documentation of higher-risk controls and domains in a methodical way
  • That internal or trusted external resources can be leveraged to complete this exercise

Pick a Meta Framework & Maturity Scale

To initiate a Common Controls Catalog project, a baseline meta framework and maturity scale must be selected. Utilizing an established meta framework and maturity scale allows your organization to scope appropriate controls based on its priorities and risk profile, avoid the toil of custom control development, and monitor continuous improvement against a defined maturity scale.

Examples of established frameworks and maturity scales include the following:

Meta Framework Examples:
  • NIST SP 800-53
  • Unified Compliance Framework (UCF)
  • Secure Controls Framework (SCF)

Maturity Scale Examples:
  • Capability Maturity Model Integration (CMMI)
  • Cybersecurity Capability Maturity Model (C2M2)
  • Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM)

Select Valuable Controls

Meta frameworks can be large, so determining the appropriate scope for the Common Controls Catalog is important to ensure that it can deliver the planned benefits.

Common Control Catalog scope should consider the following factors:

  • Select controls that provide a greater value per interview minute (e.g., parent controls that process owners will be able to elaborate on to provide granular details of the sub-controls being performed)
  • Use data points to identify priority controls which can include:
    • Regulatory and/or security standards and laws
    • External audit requests
    • Internal audit requests
    • Customer security questionnaires and contractual obligations
    • Organizational risk tolerance

By using a meta framework, initial scope can easily be adjusted on a year-by-year basis to account for the need to incorporate new controls or to remove less important controls from scope.

The Show-and-Tell Approach

Show-and-Tell is the practice of showing something to an audience and then describing it to them. Successful data gathering and subsequent documentation of an organization’s Common Controls Catalog relies heavily on control owner sessions being conducted appropriately with the following principles.

Create an Inviting Forum

  • This activity is an open Show-and-Tell, not an audit
  • Use sessions for control owners to elaborate on what their teams are proud of, where the challenges are, and noteworthy ongoing initiatives
  • Communicate that the information provided will be used as the first point of reference for responses to internal and external audits, helping the control owners save time in the long run
  • Be easily accessible
  • Keep it casual

Guide the Session

  • Understand that some control owners may have never met with an external party to talk about the things they own and do
  • Prepare specific questions which need to be answered to determine the maturity of in-scope controls
  • Be able to provide subject matter expertise related to framework(s) being utilized
  • Reserve time for control owners to Show-and-Tell off script
  • Provide questionnaires ahead of interviews to allow preparation time if desired
  • Maintain a high level of flexibility to capture initial control owner thoughts either online or offline, depending on their preference
  • Always conduct at least one interview session to get the unfiltered answers (brag and vent sessions) regardless of specific control responses
  • Always leave time and encourage control owners to share programmatic areas of strength, self-identified areas where control owners struggled, and future program improvement goals

Documentation

After dedicating valuable time and resources to Common Controls Catalog scoping and data gathering, documentation of Show-and-Tell sessions is essential to ensure that the project benefits can be achieved. Considerations while progressing through documentation should be:

  • Perfect is the enemy of great. While you want to be accurate in everything documented, splitting hairs on maturity values assessed the first time is unnecessary. There will be more opportunities for assessment
  • Where scoped controls map to external reports (e.g., PCI, ISO, SOC), consider assigning standardized maturity ratings to reduce the initial level of effort
  • Consider designating some documentation as “internal use only” to promote candid Show-and-Tell responses without audit risk
  • Consider mapping in relevant control frameworks and regulatory obligations where they apply

Plot the Course for Improvement

While control operations can regress, organizational goals to maintain or increase control maturity over time should be established. Increased maturity only comes after changes are made to the way things used to be done. That is why it is critical to understand areas of strength, self-identified areas where control owners struggled, and future program improvement goals.

The course for improvement can be defined by:

  • Learning about and understanding organizational and control changes
  • Conducting regression checks
  • Strategic improvement based on control risk and impact
  • Reassessment of desired control domains to check in on control operation and see whether any changes (good or bad) have occurred. Numerous options exist for selecting controls to reassess strategically:
    • Controls that initially did not meet organizational maturity expectations
    • Based on data points collected (e.g., regulatory changes, external audit requirements, internal audit focus areas, etc.)
    • Based on changes control owners had planned during initial review efforts
    • Based on a specific time cadence

Leverage and Improve the Work

Once the full control story is told without audit scope limitations (e.g., ISO 27001, SOC 2, PCI DSS, etc.) or the concern for audit findings, your organization will be in a position to improve its security and compliance posture over time. This will help fulfill the project's intention of organizational discovery by removing silos, reducing the risk of lost knowledge, creating an opportunity to speed up onboarding of employees and auditors, and establishing a meaningful improvement roadmap.

The knowledge gained and data documented is only valuable if it is maintained and discoverable. After completion, ensure the Common Control Catalog documentation is easily accessible and appropriately shared within your organization.

Call to Action

For organizations looking for assistance with adopting a Common Controls Catalog through a Show-and-Tell approach, Coalfire is an industry leader in cybersecurity compliance. Coalfire experts routinely provide organizations with tailored cybersecurity services, including:

  • Program builds, strategy development, and remediation support through Cybersecurity Consulting Services
  • Assessment and enhancement of cybersecurity maturity using industry recognized frameworks tailored to organizational goals through Cybersecurity Program Services