Ask the Expert

Can one catalog map to multiple compliance standards?

I'm working to create a generic safeguard catalogue that is mapped to many standards. The catalogue could then be used as the sole auditing resource, ensuring compliance with many standards while saving time and money. My idea was to use the COBIT/ISO 17799 (2nd edition) mapping provided by ISACA. Is such a catalogue possible, in terms of mapping to many standards and providing total coverage of information security issues?

Requires Free Membership to View

My philosophy is that a strong security program leads to compliance, and for that reason, I advise everyone to focus on security first. Implementing proper safeguards will result in compliance with any given regulation.

The reality is that you need some way to map a security control to the appropriate requirement of a regulation to prove that you are doing something. So I see a definite need for some type of catalog. A number of corporate governance consultants and software companies have done similar mappings.

With these compliance and governance offerings, each organization will face the buy vs. build decision. In general, I'm a fan of buying rather than taking matters into my own hands, but this is not always an option. There are clear situations where a commercial offering that focuses on a set of generic controls and common regulations may not fit your environment, especially if you have a very complex and customized one. But those environments are few and far between. Given the significant resource requirements necessary to keep a catalog mapping up-to-date and relevant to dynamic business conditions, I figure most organizations are better off buying.

The biggest challenge you'll have is making the catalogue relevant to a security person's day-to-day activity. Why? Basically because most catalogs and/or mapping is just another set of reports that security professionals need to deal with. Optimally, reporting and compliance can be leveraged with daily operational activities. That way, it's easier to see how implementing new controls or remediating problems can actually have an impact regarding specific regulations.

More information:

  • Security information management products (SIMs) can address compliance mapping --and much more. Download this webcast to discover their many capabilities.
  • In this Compliance School lesson, learn how compliance control frameworks can improve the risk assessment process.
  • This was first published in April 2007