Towards compliance management automation thru ontology mapping of requirements to activities and controls


College of Computer Studies


Information Technology

Document Type

Conference Proceeding

Source Title

Proceedings of the 2018 Cyber Resilience Conference, CRC 2018

Publication Date



In recent years, the complexity and scale of compliance requirements has grown significantly due to globalization as well as maturing of different fields and regulations. However, there remains a gap between compliance management tools and security management tools whereby the later cannot be directly linked to the former as the focus and terminologies used are very different. The tasks of mapping security implementations to compliance requirements that will allow compliance monitoring and management is therefore performed manually and repeatedly across multiple standards, regulations, and organizations. This process is highly inefficient, costly, and does not allow for management to determine compliance levels and gaps in a continuous and automated manner. In this paper, we present an approach that combines ontology mapping, natural language processing, secure systems development lifecycle, and heuristics to allow for mapping of security controls and activities to compliance documents such as standards and regulations to focus on compliance and support continuous compliance management and monitoring as well as reduce the compliance efforts needed in multiple standards compliance by allowing reusability via conceptual mapping of multiple standards and requirements. Practices such as unit testing and continuous integration from secure systems development life cycle are also incorporated to allow for flexibility of the automation process while at the same time using it to support the mapping between compliance requirements. © 2018 IEEE.


Digitial Object Identifier (DOI)



Computer Sciences


Compliance auditing--Automation; Compliance; Natural language processing (Computer science)

Upload File


This document is currently not available here.