Question: Mapping compliance packages (newbie, general questions)


I’m currently testing Eramba for internal use with the free Community Edition. Mapping compliance packages seems to be an Enterprise Edition (paid) feature now, doesn’t it?
I ask because in the “Getting Started” edition comparison, mapping is included in all editions: Get Eramba | Eramba learning portal

If we go for the paid version, I would like to use the mapping feature. I found a generator for importable mapping CSV files here: opensourceGRC

My problem is that no ISO27002:2022, no PCI-DSS 4.0 and no CIS8.0 templates are available. Can I get access to newer mapping information to use in my Eramba in the paid version? Are there other sources? ISO27001:2013, PCI 3.2.1 and CIS7 are deprecated and not useful; it seems like a lot of work to do the mapping myself…

Thanks for any hints, best regards, Thilo

The list of available compliance packages is located in the Learning portal here - Compliance Management | Eramba learning portal

You can download from there - you’ll see that the ones you’re looking for are present in that repository. For ISO, you need to email support to get a copy of it as you need to prove ownership of the standard.

Additionally, the section above the repository includes instructions on how to make your own - if you find the available ones to be lacking, then those instructions will come in handy.

Now, the red label “compliance mappings” that you see on the Compliance Packages screen is a bit of a different feature - that one lets you map packages like, PCI 3.2.1 to 4.0 where they share commonalities. I do not believe that is intended to be included in the “Compliance Mappings” checkbox - it’s just the same word used two different ways that probably should get adjusted… @kisero can probably confirm.

Hi David,

Thanks for your reply. In the meantime I managed to import all the Compliance packages I need (PCI4.0, ISO27001/27002 (2022, proved ownership) and CIS8).

“Compliance Mapping” has a red label (->Enterprise), yes. Therefore I can’t test the mapping of the requirements from the packages.

If we decide to use the paid version, we are wondering how the mapping is done. I don’t think that the mapping is available out of the box. To map every requirement one by one would be a lot of work.

Importable mappings are available here: opensourceGRC - but only for deprecated compliance packages (CIS7, ISO27001/27002 (2013), PCI 3.2.1)

Therefore we need to know whether there are mappings for PCI4.0, ISO27001/27002 and CIS8 available somewhere - or did I misunderstand something? Will it work out of the box?
This may be important for our decision.

I hope I explained my point more accurately now :wink:

Thanks for your supporting hints.

Best regards, Thilo

So, again, I want to make sure that we’re using the same terminology for the activities being described. I’d also highly suggest understanding the problem vs solution principle - Compliance Management | Eramba learning portal

To me, compliance mapping gets mixed up with the “Compliance Analysis” function (Compliance Management | Eramba learning portal) which is included in Community. This is where, for any given Compliance Package/Item, you can associate “solutions” to each of the items to determine your overall compliance level.

“Compliance Mapping” as the Enterprise feature in Eramba (Compliance Management | Eramba learning portal) is creating associations between different compliance package items. Quite frankly, from my point of view, this feature has very little value as I generally find that I need to review each item one by one because there are always nuances between them. In the amount of time you spend figuring these generic mappings out, you could have already manually done the mappings to the relevant things. This is similar to having clients that want to map everything to SCF to the moon and back.

Which of the two features described above are you trying to refer to?
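The distinction drawn in the thread, as an added example that is not part of the original posts and not Eramba's own code or CSV layout: "compliance analysis" links each package item to the solutions that address it and yields a compliance level, while "compliance mapping" is a crosswalk between items of two packages. The crosswalk lets solutions already linked to an old package be proposed for the new package as candidates that still need item-by-item review, which is the reservation David raises. Package names, item ids, solutions and the CSV column layout are all constructed for illustration.

```python
"""
Constructed model of compliance analysis (item -> solutions) and compliance
mapping (item -> item across packages). Not Eramba's code or import format.
"""
import csv
import io
from collections import defaultdict

# Constructed packages: {package: [item_id, ...]}  (hypothetical ids, not real requirements)
PACKAGES = {
    "OLD-PKG": ["1.1", "1.2", "2.1", "3.1"],
    "NEW-PKG": ["1.1", "1.2", "1.3", "2.1", "4.1"],
}

# Constructed compliance analysis for the old package: item -> linked solutions
OLD_ANALYSIS = {
    "1.1": {"Access Control Policy"},
    "1.2": {"MFA for admins"},
    "2.1": set(),
    "3.1": {"Change management procedure"},
}

# Constructed crosswalk CSV in a hypothetical four-column layout. The last row
# deliberately references an item that does not exist, to exercise validation.
MAPPING_CSV = """source_package,source_item,target_package,target_item
OLD-PKG,1.1,NEW-PKG,1.1
OLD-PKG,1.2,NEW-PKG,1.2
OLD-PKG,1.2,NEW-PKG,1.3
OLD-PKG,3.1,NEW-PKG,2.1
OLD-PKG,9.9,NEW-PKG,1.1
"""


def compliance_level(analysis, items):
    """Share of items (0.0 - 1.0) that have at least one linked solution."""
    covered = sum(1 for item in items if analysis.get(item))
    return covered / len(items) if items else 0.0


def load_mapping(text):
    """Parse crosswalk rows into {(src_pkg, src_item): {(dst_pkg, dst_item), ...}}."""
    mapping = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        src = (row["source_package"], row["source_item"])
        dst = (row["target_package"], row["target_item"])
        mapping[src].add(dst)
    return mapping


def validate_mapping(mapping, packages):
    """Return (package, item) references in the crosswalk that exist in no package."""
    bad = set()
    for src, targets in mapping.items():
        for pkg, item in (src, *targets):
            if item not in packages.get(pkg, []):
                bad.add((pkg, item))
    return sorted(bad)


def propose_solutions(mapping, old_pkg, old_analysis, new_pkg, new_items):
    """Carry old-package solutions across the crosswalk as review candidates.

    Returns (proposed, unmapped): proposed is {new_item: {solution, ...}};
    unmapped lists new-package items no old item maps to, so they need a
    fresh analysis rather than a reviewed candidate.
    """
    proposed = {item: set() for item in new_items}
    mapped_targets = set()
    for (src_pkg, src_item), targets in mapping.items():
        if src_pkg != old_pkg:
            continue
        for dst_pkg, dst_item in targets:
            if dst_pkg == new_pkg and dst_item in proposed:
                mapped_targets.add(dst_item)
                proposed[dst_item] |= old_analysis.get(src_item, set())
    unmapped = [item for item in new_items if item not in mapped_targets]
    return proposed, unmapped


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_CSV)
    print("old package compliance level:", compliance_level(OLD_ANALYSIS, PACKAGES["OLD-PKG"]))
    print("crosswalk rows referencing unknown items:", validate_mapping(mapping, PACKAGES))
    proposed, unmapped = propose_solutions(
        mapping, "OLD-PKG", OLD_ANALYSIS, "NEW-PKG", PACKAGES["NEW-PKG"])
    for item, solutions in proposed.items():
        print(f"NEW-PKG {item}: candidates {sorted(solutions) or '(none)'}")
    print("items needing a fresh analysis:", unmapped)
    print("upper bound on new compliance level before review:",
          compliance_level(proposed, PACKAGES["NEW-PKG"]))
```

The number the last line prints is only an upper bound: a candidate solution carried over a one-to-many mapping (old 1.2 feeding both new 1.2 and 1.3 here) may not actually satisfy the target item's wording, so each proposed link still has to be accepted or rejected by hand. The validation step matters for the same reason: a generated crosswalk that references ids absent from either package silently produces no candidates for them.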