intuitem / ciso-assistant-community

CISO Assistant is a one-stop-shop for GRC, covering Risk, AppSec and Audit Management and supporting +57 frameworks worldwide with auto-mapping: NIST CSF, ISO 27001, SOC2, CIS, PCI DSS, NIS2, CMMC, PSPF, GDPR, HIPAA, Essential Eight, NYDFS-500, DORA, NIST AI RMF, 800-53, 800-171, CyFun, CJIS, AirCyber, NCSC, ECC, SCF and so much more
https://intuitem.com

Enable "cross standard mapping" #625

Closed drummbelbummel closed 2 months ago

drummbelbummel commented 2 months ago

Problem statement: For some companies, more than one standard is relevant, like ISO 27001, DORA and the NIS2 directive.

Expected behavior: It should be possible to somehow link relevant controls in different standards so that you can see overlaps. NIST CSF 2.0, as an example, has such a cross reference to ISO 27001 with additional and missing controls. Maybe something like the "Secure Control Framework" could build the base for all controls, where the relevant controls are mapped to? This way it would be simple to focus on a somewhat more general control that covers concrete controls in different standards. I am aware that this is a fundamental change, but on the other hand there are many tools like CISO Assistant, and until now I did not find a tool that is able to implement the concept of a "shared control framework".

ab-smith commented 2 months ago

Is covered in #185

ab-smith commented 2 months ago

Hello @drummbelbummel, today we merged the work done for #185, which does that. We will convert and provide the crosswalks provided by NIST within the OLIR program, and people from the community are welcome to contribute as well.

We've put two examples in as a starting point: one for an upgrade, as in CSF 1.1 to CSF 2.0, and one for a mapping, as in CSF 1.1 to ISO 27001:2022.

The SCF is indeed interesting and is already supported, but the license for using the crosswalk is blurry. So, we won't be integrating it directly; we will provide instructions for users to do so.

drummbelbummel commented 2 months ago

Thank you @ab-smith, I did not find #185, and I think it is a slightly different approach. Looking forward to seeing how you will implement the "cross-mapping". I just did this with one of my tools, and even seeing the differences between NIS-2 and ISO 27001:2022 is very interesting. For me this was possible by using SCF as the base and filtering out only ISO 27001/2 and NIS-2 controls.
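The thread describes two things: mapping controls between two frameworks through a shared "hub" framework (SCF-style), and using that hub to see which controls of one standard have no counterpart in another. The following is an added, hypothetical example of that crosswalk logic, not code from CISO Assistant or from the SCF; every control id in it (`HUB-01`, `ISO-A`, `NIS2-1`, ...) is a constructed placeholder, not a real SCF, ISO 27001 or NIS2 identifier, and the function names are my own.

```python
"""Cross-framework control mapping through a shared hub framework (added example)."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample crosswalk (all ids are placeholders, not real identifiers).
# Key: hub control id (a shared control framework, SCF-style).
# Value: framework name -> list of that framework's controls covering the hub control.
CROSSWALK: Dict[str, Dict[str, List[str]]] = {
    "HUB-01": {"ISO": ["ISO-A", "ISO-B"], "NIS2": ["NIS2-1"]},  # many-to-one on the ISO side
    "HUB-02": {"ISO": ["ISO-C"], "NIS2": ["NIS2-2"]},
    "HUB-03": {"ISO": ["ISO-D"]},                               # ISO-only: no NIS2 counterpart
    "HUB-04": {"NIS2": ["NIS2-3"]},                             # NIS2-only: a gap for an ISO-aligned org
    "HUB-05": {"ISO": ["ISO-A"], "NIS2": ["NIS2-4"]},           # ISO-A covers two hub controls
}


def index_by_framework(crosswalk: Dict[str, Dict[str, List[str]]]):
    """Invert the crosswalk: framework -> control id -> set of hub ids it maps to."""
    idx = defaultdict(lambda: defaultdict(set))
    for hub, by_fw in crosswalk.items():
        for fw, controls in by_fw.items():
            for ctrl in controls:
                idx[fw][ctrl].add(hub)
    return idx


def map_controls(crosswalk, src_fw: str, dst_fw: str) -> Dict[str, List[str]]:
    """For each src_fw control, the dst_fw controls reachable through a shared hub control.

    A control that maps to several hub controls fans out to all of their dst_fw
    counterparts; a control whose hub controls have no dst_fw entry maps to [].
    """
    idx = index_by_framework(crosswalk)
    result: Dict[str, List[str]] = {}
    for ctrl, hubs in idx[src_fw].items():
        targets = set()
        for hub in hubs:
            targets.update(crosswalk[hub].get(dst_fw, []))
        result[ctrl] = sorted(targets)
    return result


def gaps(crosswalk, have_fw: str, want_fw: str) -> List[str]:
    """Hub controls that want_fw requires but have_fw does not cover at all."""
    return sorted(
        hub for hub, by_fw in crosswalk.items()
        if want_fw in by_fw and have_fw not in by_fw
    )


def coverage(crosswalk, have_fw: str, want_fw: str) -> float:
    """Fraction of want_fw's hub controls that have_fw also covers (1.0 if want_fw is empty)."""
    wanted = [hub for hub, by_fw in crosswalk.items() if want_fw in by_fw]
    if not wanted:
        return 1.0
    covered = [hub for hub in wanted if have_fw in crosswalk[hub]]
    return len(covered) / len(wanted)


if __name__ == "__main__":
    # Report in the style of "I am ISO 27001 aligned, what does NIS2 add?"
    for ctrl, targets in map_controls(CROSSWALK, "ISO", "NIS2").items():
        print(f"{ctrl} -> {targets or 'no NIS2 counterpart'}")
    print("NIS2 hub controls not covered by ISO:", gaps(CROSSWALK, "ISO", "NIS2"))
    print("ISO hub controls not covered by NIS2:", gaps(CROSSWALK, "NIS2", "ISO"))
    print(f"ISO covers {coverage(CROSSWALK, 'ISO', 'NIS2'):.0%} of NIS2's hub controls")
```

Routing every mapping through the hub is what makes the many-to-many cases tractable: the crosswalk stores only one relation per framework (hub control to framework control), and the pairwise mapping between any two frameworks is derived, so adding a third framework never requires authoring a new pairwise crosswalk.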