Question - Mapping multiple standards

mike.gorman · July 7, 2020, 11:07am

I am looking at mapping out several standards. We are waiting on our first SOC-2 report now, and I am being asked about other standards. We are also a secure product, and get asked about everything under the sun at one point or another. I’d like to be able to map to a new standard and say, we’re 80% compliant already, or 50%, or whatever, at least based on mappings. Has anyone used mapping extensively and has pointers? I was thinking of creating a package of my own, based on my control catalog, and making is the center. Everything else mapping to it, and then using a large framework, like NIST 800-53, to map new standards to it. That is, control X of standard Y maps to SA-14.2 of NIST 800-53, which maps to control 3 of my internal catalog, and make the link.

Any reason that would be horribly wrong?

eramba · July 9, 2020, 6:19am

mapping is in our experience … miss-leading. this is why eramba uses internal controls to compliance requirements FIRST and compliance requirements to compliance requirements SECOND

we re-enforced this idea of miss-leading these last months as we prepared a base database of mappings for opensourcegrc.org. two resources that might help:

1- read this FAQ we drafted for opensourcegrc , the first 8 pages (sorry) in particular this: https://docs.google.com/document/d/1ov4V1Ou7r69KOqXjxlK5R77jrgc-JOEhzFe545_pqaU/edit#heading=h.sdxevcltkot2

2- we have mappings (for OSGRC) prepared on this file, they are not “public” but if you have patience you will understnad what they mean and how to import them to eramba (https://docs.google.com/spreadsheets/d/1C2wakH6MFTkP1gAHRbuqFXbpPpcRg6u1E_sRMpj37MU/edit?usp=sharing) .

david.schroth · July 17, 2020, 1:53pm

Why not just introduce the new control package of what you want to map to and then map your inventory of controls to it? You should then be able to report on your gaps and as you do mapping, if a control only gives you partial coverage you can set that percentage as well. On the plus side, at least you have an inventory of your internal controls :-).

As Esteban is getting at, there’s very rarely a 1:1 mapping at a control level between the frameworks - it’s usually a Many:Many mapping with a number of stragglers to deal with. This is especially true for SOC 2 and other flexible frameworks.

The AICPA also publishes their attempt at mapping back and forth to a few other standards: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/mappingsrelevanttothesocsuiteofservices.html

mike.gorman · July 17, 2020, 2:12pm

The issue here is that these aren’t necessarily packages I will be working towards for myself. We are a security product and get asked all the time about this standard or the other, industry specific ones, or other countries. I’m trying to find a way to cheat and load up a cross mapping table from somewhere, to get a gut feel. There probably just isn’t an easy button, but man, how I’d like there to be. I’m still investigating the concept with NIST 800-53 as the root, as with nearly 1000 controls, it seems rare that something won’t appear there. It looks like if they find something that isn’t, they add it in the next rev. If I have any success, I’ll post back.

mbiby · August 12, 2020, 8:31pm

Perhaps this may help in some way. It is free, just need to sign up

eramba · August 14, 2020, 11:45am

opensourcegrc.org will hopefully help here , also bare in mind eramba can do mappings (which you must define manually or via CSV)