Open ab-smith opened 1 month ago
@ab-smith As already mentioned in the discussion section: what about this case?
Do you think this documentation/data-model.md model is sufficient in the long run?
Initial situation:
ISO27001 <-> NIST
ISO27001 <-> CCB
Client A is currently NIST compliant
Goal:
Client A needs to implement the latest CCB requirements to be NIS2 compliant.
Current Model:
Currently, in your model, that means each control needs to be mapped against every other control, which would create a huge overhead.
Maybe (I'm not sure about that) it would make more sense to have a, let's say, top-level framework, like ISO27001.
All controls need to be mapped to that.
To achieve the described goal you would need to implement a transitive relationship between the frameworks and, by that, between the controls:
--> NIST <-> ISO27001 <-> CCB
By that, the top-level framework will always be the connecting element.
Hey, sorry @42mst, I missed your comment on this one. As a matter of fact, what we are building currently is pretty close to what you're describing, using a graph representation; for instance:
We will set the filled arrows, and the dashed ones will be deduced.
Makes sense?
Frameworks don't necessarily overlap, but if it can get half the work pre-done, it's a win.
Multiple frameworks already have part of it done, and we can improve that.
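The hub model from the first comment (NIST <-> ISO27001 <-> CCB) and the "filled arrows set, dashed arrows deduced" idea from the reply can be sketched as a small graph computation. The following is an added example written for this thread; it is not code from the project or from either participant, and its control identifiers (N-1, I-1, C-1, ...) are constructed placeholders, not real NIST, ISO 27001 or CCB control numbers. It assumes ISO27001 is the hub framework and that an explicit mapping is symmetric. It goes slightly beyond the thread by also answering the "Client A" question: given a client already compliant with one framework, which controls of the target framework have a candidate counterpart through the hub, and which have none and must be implemented from scratch.

```python
from collections import defaultdict

# Constructed sample data (not from the project): explicit, human-set
# mappings, i.e. the "filled arrows". Every control is "<framework>:<id>";
# the ids are placeholders, not real NIST / ISO 27001 / CCB control numbers.
EXPLICIT_MAPPINGS = [
    ("NIST:N-1", "ISO27001:I-1"),
    ("NIST:N-1", "ISO27001:I-2"),
    ("NIST:N-2", "ISO27001:I-3"),
    ("CCB:C-1", "ISO27001:I-1"),
    ("CCB:C-2", "ISO27001:I-3"),
    ("CCB:C-3", "ISO27001:I-4"),  # I-4 has no NIST counterpart (a gap)
]

HUB = "ISO27001"  # assumed top-level framework every control is mapped to


def framework_of(control):
    """'NIST:N-1' -> 'NIST'."""
    return control.split(":", 1)[0]


def build_graph(mappings):
    """Undirected adjacency list: an explicit mapping a <-> b is symmetric."""
    graph = defaultdict(set)
    for a, b in mappings:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def deduce_mappings(mappings, hub=HUB):
    """Deduce the 'dashed arrows': two controls from different non-hub
    frameworks are linked when they share at least one hub control.
    Pairs that are already explicit are not re-emitted.
    Returns a sorted list of (control, control) tuples."""
    graph = build_graph(mappings)
    explicit = {frozenset(m) for m in mappings}
    deduced = set()
    for hub_control, neighbours in graph.items():
        if framework_of(hub_control) != hub:
            continue
        others = sorted(n for n in neighbours if framework_of(n) != hub)
        for i, a in enumerate(others):
            for b in others[i + 1:]:
                if framework_of(a) != framework_of(b) and frozenset((a, b)) not in explicit:
                    deduced.add((a, b))
    return sorted(deduced)


def coverage(mappings, have, want, hub=HUB):
    """Gap analysis for a client already compliant with framework `have`
    that must now meet framework `want`. A `want` control is 'covered'
    when some `have` control reaches it through a shared hub control;
    otherwise it is listed as missing. 'Covered' only means a candidate
    exists: a reviewer still has to confirm the two controls really
    overlap, since frameworks do not necessarily overlap one-to-one.
    Only controls that appear in at least one mapping are considered."""
    graph = build_graph(mappings)
    covered, missing = {}, []
    for control in sorted(c for c in graph if framework_of(c) == want):
        sources = sorted(
            n
            for h in graph[control] if framework_of(h) == hub
            for n in graph[h] if framework_of(n) == have
        )
        if sources:
            covered[control] = sources
        else:
            missing.append(control)
    return covered, missing


if __name__ == "__main__":
    print("deduced:", deduce_mappings(EXPLICIT_MAPPINGS))
    got, gaps = coverage(EXPLICIT_MAPPINGS, have="NIST", want="CCB")
    print("covered via hub:", got)
    print("to implement:", gaps)
```

With the sample data, `deduce_mappings` yields the two dashed NIST <-> CCB links that go through I-1 and I-3, and `coverage` reports C-3 as the one CCB control Client A has no NIST starting point for. The per-control work stays at one mapping to the hub instead of one mapping per other framework, which is the overhead reduction the first comment is after.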