Aligning Security Policy Requirements with Framework Controls

Last updated: May 13, 2025

When implementing security policies, make sure every policy requirement is mapped to a control in your compliance framework: a requirement with no control behind it has no evidence attached to show it is being met. Here's how to verify and maintain alignment between your policies and controls:

Finding Corresponding Controls

Each requirement in your security policies should have a corresponding control in your compliance framework. To locate relevant controls:

  1. Navigate to the Framework section in Bastion

  2. Use the search functionality to find controls related to specific policy requirements

  3. Review the control details to confirm that the control's scope and evidence requirements actually cover the policy requirement, not just a related topic

Documentation Requirements

For controls that require evidence of processes or analysis:

  • Upload documentation demonstrating actual implementation whenever it is available

  • If a process hasn't been executed yet, you can provide documentation outlining your planned approach; mark it clearly as a plan, and replace it with evidence of actual execution once the process has run

  • For disaster recovery and business continuity controls, consider using a tabletop exercise document to demonstrate your planned response

Example: For Business Continuity requirements, the policy might mandate an annual system analysis. The corresponding framework control can be satisfied either with documentation of a completed analysis or, if none has been performed yet, with a detailed plan for conducting one.

Best Practices

To ensure comprehensive coverage:

  • Review all policy requirements systematically

  • Map each requirement to specific controls in your framework

  • Identify any gaps where policy requirements lack corresponding controls

  • Document both implemented processes and planned procedures