
Use AI to cross-map controls

Prompt Sheet AI Actions to find relevant mappings to other frameworks

Overview

Cross-mapping is the process of finding controls that apply to multiple frameworks or compliance requirements. You can use Sheet AI Actions to cross-map controls.

In this tutorial, we'll demonstrate how to cross-map SOC 2 controls to PCI DSS requirements. You can follow these steps even if you're working with different frameworks.

Before you begin

This tutorial provides instructions for cross-mapping control activities between frameworks, such as SOC 2 and PCI DSS, using AI Actions.

  • If you're looking for direct framework-specific guidance or manual mapping methods, consider using other resources.

  • Make sure you have access to both sets of control activities that you will be mapping.

How it works

Fieldguide AI is able to consider the meaning and context of a control to find other relevant control activities, requirements, or framework sections. This approach goes beyond keyword searches or rigid industry mappings, which may overlook the specific language and intent of each control activity.

Steps

Step #1: Set up the engagement's control matrix

Set up a sheet for your first framework inside the engagement. This sheet should have all the client's controls for the framework inside the Control Activity column.

In this tutorial, we're using a PCI DSS testing sheet.

Step #2: Set up the controls for the additional framework

Make sure your client's controls for the other (secondary) framework are in the Controls menu.

In this tutorial, we're using SOC 2 controls.

To get your client's controls into the Controls menu:

  • If you're about to start an engagement for this framework, you can achieve this by setting up a sheet with the client's controls.

  • Or, you can add the controls directly to the Controls menu.

Step #3: Add a Sheet AI Action

Add a text column to the control matrix that you created in step #1. This column is where the suggested cross-mappings will be stored.

We added this column to our PCI testing sheet and named it "SOC 2 Mappings".

Click to add an AI Action on the column.

Enter a prompt that instructs Fieldguide AI to identify controls that are related to the current control. To help you get started, copy and paste our example prompt from below and modify as needed based on the frameworks you're using.

In this example, we're adding the prompt to our PCI sheet and our prompt asks Fieldguide AI to find cross-mappings to SOC 2.

Example prompt

Instructions: I am doing a mapping of SOC 2 Controls to a PCI DSS v4.0 Requirement. First, read the PCI DSS v4.0 Requirement below and each of the SOC 2 Controls. Then generate a response listing which of the SOC 2 Controls are directly related by having similar context to the PCI DSS v4.0 Requirement.

Response format:

  • Only generate a response with the SOC 2 Controls that map to the PCI DSS v4.0 Requirement.

  • Include the full SOC 2 control description in the response. There may be more than one SOC 2 Control that maps to the PCI DSS v4.0 Requirement.

  • Do not include any reason for the response and do not include the PCI DSS v4.0 Requirement wording in the response.

  • If no SOC 2 Controls are directly related by having similar context to the PCI DSS v4.0 Requirement, then just respond with 'No Mapping'.

PCI DSS v4.0 Requirement: {Control Activity}

SOC 2 Controls:
(Paste a unique list of all your client's secondary controls here)

You'll need to replace these parts of the prompt based on the specific frameworks you're using:

Text to replace, and what to replace it with:

  • PCI DSS v4.0: Replace this with the framework that's connected to the sheet you're adding this prompt to.

  • SOC 2: Replace this with the secondary framework that you want to find cross-mappings to.

  • (Paste a unique list of all your client's secondary controls here): Replace this entire line with a list of unique controls from the secondary framework you're using. See the instructions below for getting the list of controls.

Add controls to the prompt

To get a list of your client's unique controls, you can export from the Controls menu to Excel. To see only controls from a specific framework, use the "contains" filter on the mappings column in Excel.

You can copy and paste the control keys and controls from Excel into the prompt.

Review your prompt

When you're done, your prompt should look something like this:

Generate a preview of the prompt to see an example of how the output will look. Save your prompt and provide a label for the AI action button.

Step #4: Generate suggested mappings

Once the action has been created, you can use the AI action button on any cell in this column to automatically populate suggested cross-mappings.

Clicking the AI action button only generates a response in the cell where you clicked it. It won't populate the entire column. To generate suggestions on additional rows, you'll need to click the AI action button again.

Step #5: Review Fieldguide AI's suggestions

You should follow up on any of Fieldguide AI's suggested mappings with a human review. Make sure the AI Action's output is accurate and make edits, if needed.

Next steps

Once you have the relevant cross-mappings listed in your sheet, there are some additional actions you can take.

  • Filter the cross-mappings column for any cells that contain "No Mapping" (the response the prompt asks for when nothing matches) to see how many of this framework's controls are not covered by the other framework.

  • Add a key reference column to this sheet and link each row to the respective control in the other framework's matrix. This lets you easily view the tests and results for the other engagement.

  • Use shared columns to cross-link the most applicable controls from the other engagement, and link the Requests column between both engagements to streamline evidence collection.
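As an added example (not Fieldguide's own code), the Python below fills the example prompt's placeholders for the two framework names, the {Control Activity} token and the pasted control list, then triages each AI Action output cell for the step #5 review and the "No Mapping" count from the next steps: it separates 'No Mapping' answers, suggested controls that exist in the list you pasted, and lines naming a control key that was never supplied. The sample controls, the control-key pattern and the assumption that the model echoes each control key at the start of its line are constructed assumptions, not part of the product.

```python
import re
from typing import Dict, List

# Constructed sample data (not real client controls): two SOC 2 controls keyed
# by control key, and one PCI DSS v4.0 requirement as it would sit in the sheet.
SOC2_CONTROLS: Dict[str, str] = {
    "CC6.1": "Logical access security software and infrastructure protect information assets.",
    "CC6.2": "New user credentials are authorized and registered before access is granted.",
}
PCI_REQUIREMENT = "8.2.1 All users are assigned a unique ID before access to system components is allowed."

# The page's example prompt with the three replaceable parts turned into placeholders.
PROMPT_TEMPLATE = (
    "Instructions: I am doing a mapping of {secondary} Controls to a {primary} Requirement. "
    "First, read the {primary} Requirement below and each of the {secondary} Controls. "
    "Then generate a response listing which of the {secondary} Controls are directly related "
    "by having similar context to the {primary} Requirement.\n\nResponse format:\n"
    "  - Only generate a response with the {secondary} Controls that map to the {primary} Requirement.\n"
    "  - Include the full {secondary} control description in the response.\n"
    "  - Do not include any reason and do not include the {primary} Requirement wording.\n"
    "  - If no {secondary} Controls are directly related, then just respond with 'No Mapping'.\n\n"
    "{primary} Requirement: {activity}\n\n{secondary} Controls:\n{controls}\n"
)

def build_prompt(primary: str, secondary: str, activity: str, controls: Dict[str, str]) -> str:
    """Fill the template; `activity` stands in for the sheet's {Control Activity} token."""
    listing = "\n".join(f"{key}: {text}" for key, text in sorted(controls.items()))
    return PROMPT_TEMPLATE.format(primary=primary, secondary=secondary, activity=activity, controls=listing)

KEY_RE = re.compile(r"^\s*([A-Z]{1,3}\d+(?:\.\d+)*)\b")  # assumed key shape, e.g. CC6.1

def review_cell(cell: str, controls: Dict[str, str]) -> dict:
    """Triage one AI Action output cell: 'No Mapping', keys that were in the pasted list,
    and lines whose key was never supplied (these need a closer human look)."""
    if cell.strip().rstrip(".").lower() == "no mapping":
        return {"no_mapping": True, "matched": [], "unrecognized": []}
    matched, unrecognized = [], []
    for line in filter(None, (ln.strip() for ln in cell.splitlines())):
        m = KEY_RE.match(line)
        if m and m.group(1) in controls:
            matched.append(m.group(1))
        else:
            unrecognized.append(line)
    return {"no_mapping": False, "matched": matched, "unrecognized": unrecognized}

def coverage(column: List[str], controls: Dict[str, str]) -> Dict[str, int]:
    """Summarize a whole cross-mappings column for the 'how many are not covered' question."""
    results = [review_cell(c, controls) for c in column]
    return {"mapped": sum(1 for r in results if r["matched"]),
            "no_mapping": sum(1 for r in results if r["no_mapping"]),
            "needs_review": sum(1 for r in results if r["unrecognized"])}
```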
