I am looking at mapping out several standards. We are waiting on our first SOC-2 report now, and I am being asked about other standards. We are also a secure product, and get asked about everything under the sun at one point or another. I’d like to be able to map to a new standard and say, we’re 80% compliant already, or 50%, or whatever, at least based on mappings. Has anyone used mapping extensively and have pointers? I was thinking of creating a package of my own, based on my control catalog, and making it the center. Everything else mapping to it, and then using a large framework, like NIST 800-53, to map new standards to it. That is, control X of standard Y maps to SA-14.2 of NIST 800-53, which maps to control 3 of my internal catalog, and make the link.
Any reason that would be horribly wrong?
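The hub-and-spoke scheme described in the post (new standard -> NIST 800-53 -> internal catalog) can be checked mechanically. The script below is an added example, not code from the post; the mapping tables are constructed placeholders (the `Y.*`, `INT-*` identifiers and every edge except the SA-14.2 link the post mentions are invented), and it assumes a mapping is a set of edges from a source control to one or more hub controls. It follows the chain for every control of the new standard, reports the coverage percentage the post wants, and separately lists the two kinds of gap a hub mapping hides: a hub control that has no internal control behind it, and a hub control the internal crosswalk never mentions.

```python
"""Transitive control mapping through a hub framework (constructed example)."""

# Constructed sample crosswalks; identifiers other than SA-14.2 are placeholders.
HUB_TO_INTERNAL = {
    "SA-14.2": {"INT-3"},          # the link the post gives as its example
    "AC-2": {"INT-1", "INT-7"},    # one hub control backed by two internal controls
    "AU-6": {"INT-5"},
    "IR-4": set(),                 # hub control we know about but have nothing for
}

STANDARD_Y_TO_HUB = {
    "Y.1": {"SA-14.2"},
    "Y.2": {"AC-2"},
    "Y.3": {"AU-6", "IR-4"},       # half of this control lands on an empty hub entry
    "Y.4": {"CM-8"},               # hub control absent from the internal crosswalk
}


def map_through_hub(std_to_hub, hub_to_internal):
    """Resolve standard -> hub -> internal.

    Returns ({standard control: set of internal controls}, [(control, reasons)]).
    A standard control counts as covered only when every hub control it maps to
    resolves to at least one internal control; anything less is recorded as a gap
    with the reason, so the percentage is not quietly inflated by partial chains.
    """
    resolved = {}
    gaps = []
    for std_ctrl, hub_ctrls in std_to_hub.items():
        internal = set()
        reasons = []
        for hub in sorted(hub_ctrls):
            targets = hub_to_internal.get(hub)
            if targets is None:
                reasons.append(f"{hub}: not present in hub-to-internal map")
            elif not targets:
                reasons.append(f"{hub}: no internal control implements it")
            else:
                internal |= targets
        resolved[std_ctrl] = internal
        if reasons:
            gaps.append((std_ctrl, reasons))
    return resolved, gaps


def coverage_percent(resolved, gaps):
    """Share of the new standard's controls with a complete chain to the catalog."""
    if not resolved:
        return 0.0
    covered = len(resolved) - len(gaps)
    return round(100.0 * covered / len(resolved), 1)


if __name__ == "__main__":
    resolved, gaps = map_through_hub(STANDARD_Y_TO_HUB, HUB_TO_INTERNAL)
    print(f"coverage: {coverage_percent(resolved, gaps)}%")
    for ctrl, reasons in gaps:
        print(f"gap {ctrl}: " + "; ".join(reasons))
```

Treating a partial chain as a gap rather than as covered is the design choice that matters here: a hub mapping is only as strong as its weakest edge, and a percentage that ignores that will be challenged the first time an auditor follows one link end to end.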