Summary
Most vendors advertise the following logic:
At first glance, the idea makes perfect sense: if frameworks like CIS Controls and ISO 27001 ask for the same thing in certain requirements, then by meeting one, we’ve automatically met the other — right?
This logic then gets stretched even further: “Why stop at two frameworks? Let’s map dozens of them together!”
It’s a nice theory. Unfortunately, it doesn’t hold up in practice. In this article, we’ll prove that with real, practical examples — and we’ll also show you what actually works in the real world.
Note: We have nothing against Vanta — or any other vendor, for that matter. Many companies in the industry promote this same approach. Our criticism isn’t about who does it, but about the idea itself, which oversimplifies what real compliance work actually involves.
Problem #1: No two (or more) requirements are the same
The screenshot above comes from a spreadsheet distributed by CIS, where they provide their view of how CIS 8.1 maps to ISO 27002:2022. This is their official guidance.
Let’s focus on the first two rows, which suggest that CIS 1.1 corresponds to ISO 5.9 and ISO 8.8.
To compare them properly, we need to break down CIS 1.1 and both ISO requirements into their individual statements. Here’s the catch: CIS 1.1 contains roughly five statements, while the two ISO controls combined contain around forty.
The right way to approach this comparison is to analyse the requirements semantically — looking at what they actually mean, not just how they’re worded.
You can look at it from both directions:
- Right → Left: Does being compliant with ISO A5.9 and A8.8 automatically make me compliant with CIS 1.1?
- Left → Right: Does being compliant with CIS 1.1 automatically make me compliant with ISO A5.9 and A8.8?
Right to Left Comparison
Here we look at the requirement CIS 1.1 and compare how much of it actually falls within the scope of ISO 5.9 and 8.8. The table below shows the result of that analysis. At best, CIS covers 30%–50% of the cumulative statements of 5.9 and 8.8.
Green is good, red is bad (no match whatsoever).
Left to Right Comparison
Now we do it the other way around, comparing the ~40 ISO statements against the ~5 CIS statements. The list is much longer because the ISO requirements contain many more statements than CIS. In this direction the gap is around 15%, perhaps 20%.
Problem #2: Comparing is very complicated
So far, we have analysed one single CIS requirement against two ISO requirements. This required 400 subjective comparisons:
- ~5 CIS 1.1 statements x ~40 ISO statements = 200 possibilities.
- If you count the mapping in both directions (left-to-right and right-to-left), that equals 400 comparisons.
Imagine the complexity if you were to map the entire CIS Benchmark (roughly 100+ requirements) against the entire ISO 27001 Annex A (93 controls). The manual effort becomes unsustainable; you are looking at nearly 10,000 potential intersections to validate.
The insane thing is that many vendors come with mapping tables that include many, many more frameworks, not just the two we compared above. One (of many) examples is shown below:
You don’t need to be a math wizard to see where this is going — the number of combinations explodes exponentially.
The workload is so massive that nobody’s ever actually done it; therefore, all these documents you see floating around are very vague and lack professionalism. The reason no one ever truly completed this is not because it’s impossible (these days, AI could technically chew through it), but because everyone already knows how it ends: the overlaps are statistically tiny, and the rest is pure interpretation.
Problem #2.1: Comparing gets even more complicated
The math already shows that comparisons are really complicated; this is a well-known mathematical principle, and it is why we compare requirements semantically. The other issue when comparing two compliance requirements (and this becomes impossible with more than two) is that two items can be:
- Equal
- Intersect (they have something in common and some stuff not)
- Subset (a small portion is the same, the rest is different)
- Superset (a large portion is the same, the rest is different)
In our example CIS is green and ISO is gray. Since "equal" never occurs in practice, you constantly end up in a situation where something is off.
Problem #3: Auditors
Your ISO auditor isn’t going to ask how compliant you are with CIS — not even a little bit.
They’ll ask about ISO requirements, and they’ll expect you to show evidence that proves you meet those requirements. Full stop. Basta.
In real audits — the kind that actually matter — nobody uses framework “mappings” as a shortcut. Those neat-looking crosswalk tables might be fun in theory, but they don’t hold up when an auditor starts digging for evidence. If an audit has real consequences, then there’s only one map that matters: the one leading directly to your compliance evidence.
If, on the other hand, the audit is so “lightweight” that failure brings no consequences… well, that’s not really an audit. It’s just theatre with spreadsheets.
Problem #4: Cooked Reports
The idea that a few mapped controls can magically make you compliant with 50 different frameworks is, frankly, a lie — and yet, many people still fall for it.
Those fancy reports claiming your organization is suddenly “aligned” with ISO, NIST, GDPR, PCI, and a dozen others after ticking a few boxes? Pure fiction.
If someone insists these mappings are accurate, feel free to do what we did: ask them to prove it.
You’ll quickly discover two things:
- It will take them ages to compile the evidence — that’s Problem #2.
- And once they do, you’ll see the mappings are wildly inexact — that’s Problem #1.
Solution: Problems & Solutions
The solution to this problem is well known: it is not about "trying to make all compliance requirements equal", it is about adding a layer that "adds" or "removes" statements when needed to cover the subset, superset, and intersect cases.
Review our compliance documentation, in particular the mappings, to understand how this works.
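As an added illustration (not code from the article or from any vendor tool) of the statement-level, bidirectional comparison from Problems #1 and #2.1 and of the "add/remove" overlay from the Solution: the statement labels below are constructed placeholders, not the wording of CIS or ISO, and exact label matching stands in for the semantic judgement each pair of statements really needs.

```python
# Constructed example, not code from the article: the labels are simplified
# stand-ins for the statements an analyst extracts from each requirement, NOT
# the real text of CIS 1.1, ISO 27002 5.9 or 8.8. Exact label matching stands
# in for the semantic judgement a human makes per pair of statements.
REQUIREMENTS = {
    "CIS 1.1": {"asset-inventory-exists", "inventory-covers-all-assets",
                "inventory-records-owner", "inventory-records-address",
                "inventory-reviewed-biannually"},
    "ISO 5.9": {"asset-inventory-exists", "inventory-records-owner",
                "inventory-records-classification", "inventory-records-location",
                "owner-responsibilities-defined", "inventory-kept-accurate"},
    "ISO 8.8": {"vulnerability-info-obtained", "vulnerability-info-evaluated",
                "patching-process-defined", "inventory-covers-all-assets"},
}

def relation(left, right):
    """Classify two statement sets: equal, subset, superset, intersect, disjoint."""
    if left == right:
        return "equal"
    if left < right:
        return "subset"
    if left > right:
        return "superset"
    if left & right:
        return "intersect"
    return "disjoint"

def coverage(source, target):
    """Fraction of target's statements that source also satisfies."""
    return len(source & target) / len(target)

def gap(source, target):
    """Statements of target that source lacks: what an overlay layer must add."""
    return sorted(target - source)

def pairwise_comparisons(n_left, n_right, both_directions=True):
    """Subjective statement-to-statement judgements a mapping requires."""
    return n_left * n_right * (2 if both_directions else 1)

def analyse_row(left_name, right_names):
    """Bidirectional check of one crosswalk row, e.g. CIS 1.1 -> ISO 5.9 + 8.8."""
    left = REQUIREMENTS[left_name]
    right = set().union(*(REQUIREMENTS[n] for n in right_names))
    return {
        "relation": relation(left, right),
        "right_to_left": coverage(right, left),  # ISO met -> how much of CIS?
        "left_to_right": coverage(left, right),  # CIS met -> how much of ISO?
        "comparisons": pairwise_comparisons(len(left), len(right)),
    }
```

Running `analyse_row("CIS 1.1", ["ISO 5.9", "ISO 8.8"])` on these placeholders yields an "intersect" relation with different coverage in each direction, and `gap()` lists exactly the statements an overlay layer would have to add.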