intuitem / ciso-assistant-community

CISO Assistant is an open-source one-stop-shop for GRC - Risk and Audit Management supporting +30 standards and frameworks: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber and so much more
https://intuitem.com
GNU Affero General Public License v3.0
352 stars, 52 forks

Mapping Frameworks #185

Open ab-smith opened 1 month ago

ab-smith commented 1 month ago

Frameworks don't overlap necessarily, but if it can get half the work pre-done, it's a win

Multiple frameworks already have part of it done and we can improve that

42mst commented 2 weeks ago

@ab-smith As already mentioned in the discussion section: what about this case?

Do you think this documentation/data-model.md model is sufficient in the long run?

Initial situation:

ISO27001 <-> NIST
ISO27001 <-> CCB
Client A is currently NIST compliant

Goal:

Client A needs to implement the latest CCB requirements to be NIS2 compliant.

Current Model:

Currently that means in your model that each control needs to be mapped against each other control which would create a huge overhead.
Maybe (I'm not sure about that) it would make more sense to have a - let's say - top-level framework, like the ISO27001.
All controls need to be mapped to that
To achieve the described goal you would have/need to implement a transitive relationship between the frameworks and by that the controls
--> NIST <-> ISO27001 <-> CCB
By that the top-level framework will always be the connecting element.

ab-smith commented 6 hours ago

Hey, sorry @42mst I missed your comment on this one. As a matter of fact, what we are building currently is pretty close to what you're describing using a graph representation; for instance:

[image: graph representation of the framework mappings]

We will set the filled arrows, and the dashed ones will be deduced.

Makes sense?
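As an added sketch of the transitive model both comments describe (explicit "filled" mappings are stored, "dashed" ones are deduced by walking through the connecting framework), here is a small Python graph; it is not CISO Assistant's code and does not follow its data model. Control ids and mappings are constructed placeholders, and the `max_hops` limit plus the rule that intermediate nodes never belong to the source or target framework are assumptions of this example.

```python
from collections import defaultdict, deque

def framework(control):  # nodes are named '<framework>:<control id>'
    return control.split(":", 1)[0]

class MappingGraph:
    """Explicit mappings (the filled arrows) are undirected edges between controls."""

    def __init__(self):
        self.adj = defaultdict(set)

    def add_mapping(self, a, b):
        self.adj[a].add(b)
        self.adj[b].add(a)

    def controls(self, fw):
        return sorted(c for c in self.adj if framework(c) == fw)

    def derived_mappings(self, src_fw, dst_fw, max_hops=2):
        """{(src_ctrl, dst_ctrl): shortest path} for each dst_fw control reached within
        max_hops edges; intermediate nodes never lie in src_fw or dst_fw (the dashed arrows)."""
        result = {}
        for start in self.controls(src_fw):
            queue, seen = deque([(start, [start])]), {start}
            while queue:
                node, path = queue.popleft()
                for nxt in sorted(self.adj[node] - seen):
                    seen.add(nxt)
                    fw = framework(nxt)
                    if fw == dst_fw:  # a path of length 1 is an explicit mapping
                        result[(start, nxt)] = path + [nxt]
                    elif fw != src_fw and len(path) < max_hops:
                        queue.append((nxt, path + [nxt]))
        return result

def uncovered_controls(graph, src_fw, dst_fw, max_hops=2):
    """dst_fw controls no src_fw control reaches: work still left for a src_fw-compliant client."""
    covered = {d for _, d in graph.derived_mappings(src_fw, dst_fw, max_hops)}
    return [c for c in graph.controls(dst_fw) if c not in covered]

def build_sample_graph():
    """Constructed sample data with generic control ids, not real reference mappings."""
    g = MappingGraph()
    for a, b in [("NIST:N1", "ISO27001:I1"), ("NIST:N2", "ISO27001:I2"),
                 ("NIST:N3", "ISO27001:I2"), ("ISO27001:I1", "CCB:C1"),
                 ("ISO27001:I2", "CCB:C2"), ("ISO27001:I3", "CCB:C3"),
                 ("NIST:N2", "CCB:C4")]:  # N2 -> C4 is a direct, explicit mapping
        g.add_mapping(a, b)
    g.adj.setdefault("CCB:C5", set())  # a CCB control that nobody has mapped yet
    return g
```

With the sample data, a NIST-compliant client gets CCB:C1, C2 and C4 pre-covered through ISO27001, while CCB:C3 and C5 show up as the remaining work.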