Our company has different divisions (through acquisitions so treated like separate companies essentially) and each needs to have different compliance requirements. For example, company or division A requires PCI compliance, company for division B, requires HIPAA compliance. Is there a way to separate out these divisions and map compliance to them?
I’m not an expert, but using the custom roles, you could create a group for each division and add that group to each page via the Customization tab. Create filters based on that group.
Short answer: Yes.
Slightly longer answer:
Each of those sets of requirements would be entered as a compliance packages. You’d want to use a naming convention like Company A - PCI to help with organization.
You will need to have unique controls for each company to the extent they do their own thing as well - like “Company A - Change Management” so you can differentiate, but then global shared services can be shared across the compliance needs.
from the documentation: Compliance Management | Eramba learning portal
If your company has to certify ISO in three different scopes you should upload three ISO compliance packages, just name them differently. This will create multiple Compliance Packages for the same set of requirements. Each scope can adress compliance independantly of the others. For example,
- PCI-DSS Production Datacenter
- ISO 27001 India
- ISO 27001 UK
In this example ISO 27001 UK records its compliance measures separately to those for India allowing those responsible for each scope to allow for local variations in processes and procedures.
If you plan to do compliance for different companies (because you are a consulting business) is then perhaps best to use separate installations to ensure data segregation in particular in the area of reports (check the reporting documentation).
I have the same situation with a client, and I created custom fields in the various modules to separate controls, risks, assets, etc., via a dropdown menu per division. This makes reporting and filtering easy.
One big downside is that the risk report charts are not limited to the applied filter. They contain all the risks in the asset risk registry. For reporting purposes with the various business units, this is a bummer. So when both decisions have 30 asset risks, the chart will show all 60 risks.
yes, this needs to change but it cost a sh…ton of money, we’ll eventually start with this probably towards the end of the year.
in order to finance this feature, we might be an optional module that will need some extra money from enterprise customers.