Mapping COBIT 4.1, ISO 27002 : 2005 and NIST SP 800-53 Rev 2

OR MUCH ADO ABOUT MAPPING 

Within the IT Governance and Information Security fields there are many requests for mapping one standard to another to ease implementation of standards and provide additional guidance where needed. However, one caution is that not all mapping is created equal, and in no case should one blindly follow the mappings provided without understanding the standards themselves and how they are implemented. In other words, mappings should only be used as a touchstone or starting point and not the definitive guidance for implementation.

COBIT 4.1, ISO 27002:2005 (formerly ISO 17799:2005) and NIST SP 800-53 Rev 2 are all mapped to each other in various documents. For brevity, these standards will be referred to as COBIT, ISO and NIST for the rest of this post. Luckily, the COBIT mappings also provide a qualitative assessment of how well the ISO control objectives and controls and the NIST controls fulfill the COBIT Control Objectives. The NIST mapping does not provide that qualitative assessment; however, it does provide cautions similar to the ones I am discussing here.

A short example of the dangers in blindly following mapping:

In the COBIT mappings I selected three simple control objectives that both NIST and ISO fulfilled completely. The image below illustrates the mappings.

[Image: COBIT ISO NIST MAP 1]

I selected those COBIT Control Objectives because each has only one NIST and one ISO control that completely fulfills the COBIT Control Objective, so they should be easy to compare. One would expect that, at a minimum, mapping the same NIST controls to ISO would show the same ISO controls and objectives as those listed under the COBIT mapping. The table below shows the NIST mapping of those same controls (CP-3, CP-4 and CP-5) to ISO.

[Image: NIST to ISO Mapping]

Note that ISO Control 14.1.5, which was listed as completely fulfilling COBIT Control Objective DS4.6, is not present at all under NIST Control CP-3, which was also listed as completely fulfilling COBIT Control Objective DS4.6. The other two NIST controls list additional ISO controls and objectives, but that MAY be OK: it may be that those additional ISO control objectives are truly not part of the COBIT control objective listed above and do not need to be identified. This was simply to illustrate the dangers of blindly accepting mapping. There is obviously a difference of opinion between the mappings of COBIT to ISO and NIST and the mapping of NIST to ISO, as shown in this example (specifically NIST CP-3), which is why there is no substitute for understanding the standards and applying them as you understand your requirements.

Mapping is not without value, but it should be used as a starting point to understanding, not as a replacement for understanding.

Without going too far down this rabbit hole, here is a slightly more complex mapping. In this case the single COBIT Control Objective is completely fulfilled by a list of NIST controls and a list of ISO Control Objectives/Controls. The assumption would be that every NIST control should have at least one, if not more, of the ISO Control Objectives/Controls mapped to it as well. However, only TWO of the NIST controls (those highlighted in green) map to ONE of the ISO Control Objectives/Controls listed. The others (those highlighted in yellow) map to different ISO Control Objectives/Controls, and vice versa.

[Image: COBIT MAPPING TO NIST ISO 2]
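The two checks described above (does COBIT-to-NIST-to-ISO agree with COBIT-to-ISO, and does each NIST control under an objective reach at least one of the ISO controls listed under it), plus the backward pass and gap list, written out as an added example that is not part of the original post. The sample mapping tables are constructed, except the DS4.6 / ISO 14.1.5 / NIST CP-3 entries the post cites; all other identifiers are placeholders.

```python
"""Consistency checks for control-framework crosswalks.

Added example. Sample data is constructed; only DS4.6 -> ISO 14.1.5 and
DS4.6 -> NIST CP-3 come from the post. A mapping is {source: set(targets)}.
"""
from collections import defaultdict

COBIT_TO_ISO = {
    "DS4.6": {"14.1.5"},            # from the post
    "OBJ-A": {"ISO-1", "ISO-2"},    # constructed objective, "more complex" case
    "OBJ-B": {"ISO-3"},             # constructed, deliberately consistent
}
COBIT_TO_NIST = {
    "DS4.6": {"CP-3"},              # from the post
    "OBJ-A": {"N-1", "N-2", "N-3"},
    "OBJ-B": {"N-4"},
}
NIST_TO_ISO = {
    "CP-3": {"ISO-9"},              # constructed: omits 14.1.5, as the post observed
    "N-1": {"ISO-1"},
    "N-2": {"ISO-7"},               # maps to an ISO control not listed under OBJ-A
    "N-3": {"ISO-2"},
    "N-4": {"ISO-3"},
}
# Constructed universe of ISO controls, used for the gap list.
ISO_CONTROLS = {"14.1.5", "ISO-1", "ISO-2", "ISO-3", "ISO-7", "ISO-9", "ISO-10"}


def invert(mapping):
    """Backward pass: {target: set(sources)}."""
    inv = defaultdict(set)
    for src, targets in mapping.items():
        for t in targets:
            inv[t].add(src)
    return dict(inv)


def compose(first, second):
    """first: A->B, second: B->C; follow both hops to get A->C."""
    return {a: set().union(*(second.get(b, set()) for b in bs))
            for a, bs in first.items()}


def check_transitivity(cobit_to_iso, cobit_to_nist, nist_to_iso):
    """Compare direct COBIT->ISO with COBIT->NIST->ISO. Returns, per objective
    where the two disagree, the ISO controls each path claims and the other does not."""
    via_nist = compose(cobit_to_nist, nist_to_iso)
    report = {}
    for obj, direct in cobit_to_iso.items():
        indirect = via_nist.get(obj, set())
        if direct != indirect:
            report[obj] = {"direct_only": direct - indirect,
                           "via_nist_only": indirect - direct}
    return report


def classify_nist_controls(obj, cobit_to_iso, cobit_to_nist, nist_to_iso):
    """For one COBIT objective: NIST controls that reach at least one ISO control
    listed under the same objective ('green') versus those that do not ('yellow')."""
    listed_iso = cobit_to_iso[obj]
    green, yellow = set(), set()
    for n in cobit_to_nist[obj]:
        (green if nist_to_iso.get(n, set()) & listed_iso else yellow).add(n)
    return green, yellow


def unmapped(universe, mapping):
    """Gap list: controls in `universe` that no source in `mapping` reaches."""
    return set(universe) - set(invert(mapping))
```

Running check_transitivity on the sample flags DS4.6 and OBJ-A but not OBJ-B, and unmapped(ISO_CONTROLS, NIST_TO_ISO) shows 14.1.5 is never reached through NIST at all.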

For further information on mapping these standards, visit http://www.isaca.org and http://www.nist.gov

Feel Free to Contact Me with Any Additional Questions.


56 Responses to “Mapping COBIT 4.1, ISO 27002 : 2005 and NIST SP 800-53 Rev 2”

  1. David Says:

    Hi there. I’ve done the same type of mapping/crosswalk with PCI, HIPAA, NIST 800-53 and ISO and found the same issues. The benefit to a complete crosswalk is exactly as you point out, that one mapping does not always fit all, requiring several matrices to fully mesh out the details and “fit” of the controls. If you’re interested in an exchange of information, minus any copyright issues from CoBIT or ISO, let me know.

  2. admin Says:

    David -

    I’ll be sending you the complete mapping I have. It’s slightly more complete than the official mappings simply because it contains in a single document the mapping provided by the organizations I list, but also a reverse of the mapping so you can see how the opposite works. In addition, at the bottom there is listed the controls of each standard that are not covered by the mapped standards. Finally, there is the updated mapping of the COBIT 4.1 control objectives to ISO, a check against the latest release of NIST 800-53 (no changes) and a best fit mapping of the COBIT 4.1 AC Control Objectives (in place of the old COBIT 4.0 AC Control Objectives). There may be errors as this is over 60 pages long. If you find any please let me know.

    My next project unless I get any other requests is likely trying to do the same with ITIL. I think much beyond that and this gets a bit unwieldy for me, although I like HIPAA and PCI as I think their needs are perhaps a bit more targeted. I’m interested in hearing your thoughts - at first guess I would think PCI maps best to some of the ISO components and HIPAA to NIST, but that’s just a semi-educated guess.

    Thanks for the comment (my first!).

    Erik

  3. David Says:

    Thanks for the download - Great work! I’ll send a copy of my crosswalk with HIPAA and PCI-DSS requirements mapped also. You’re somewhat correct about the mappings - HIPAA makes reference to use of NIST, but the HIPAA standards are not categorized as well as 800-53. The PCI-DSS is very specific in areas, which the 800-53 covers to some extent, though I cannot say absolutely because I haven’t yet had a PCI assessment which would point out any gaps that I missed. But the 800-53 is broader, resulting in better overall coverage, which fits well with my environment. I’m not well acquainted with ISO yet. I ordered the documentation and will be developing a plan for implementation after learning the standards. But from what I have seen of ISO (17799:2005), there are some areas that fit better with the PCI-DSS.

    It would be nice to see the standards in a database with simple cross-references and easy import/export capabilities to add, update and archive the standards. If you have any ideas to get this started, I’d be glad to start this up.

  4. Stan Says:

    Wow. I’m trying to build a solid Security Policy for my organization from scratch. We have some HIPAA, PCI, and other protected data in the various parts of the organization. Trying to get a handle on things has been a nightmare…and is far from over. If possible, I’d sure appreciate a copy of the crosswalk.

  5. admin Says:

    Stan,

    I will be emailing the COBIT/ISO/NIST mapping. Although I am not sure what you are doing between controls and policies, I hope it helps. I don’t have David’s PCI crosswalk and wouldn’t feel right distributing that. I may tackle HIPAA next. When I send it, feel free to send any questions to me regarding that and your policies.

  6. David Says:

    Stan, Yours sounds like a similar situation. Mapping the different standards will ultimately help to determine which is most comprehensive and best fitting for your environment. Once you’ve gotten over this hurdle, you can start developing your policies. A lot of policies are built off of the initial controls - say like in the 800-53, where the first control of each family discusses having a policy and procedures in place. ISO, PCI and others have policy references in accordance to their methods also. But this is why mapping is important.

    Erik, I finally emailed you with my current crosswalk - it’s still rough, but it’s a work in progress. Let me know if you have any questions about it. Stan, I can send a copy to you as well, if you’d like. What’s your e-mail address?

  7. Stan Says:

    I’ve decided (I think) to use the 27002 as an outline and NIST 800-53 for the individual controls — for the most part. Hopefully, I can then map HIPAA and PCI to the document and add, modify, or delete as needed…then throw it against the wall and see if it sticks.

    David, I haven’t even started working the PCI angle but when you finish your “ground-breaking” work…maybe you could throw a few crumbs my way…;-)

  8. anonymous Says:

    already done for virtually any std @ unifiedcompliance.com

  9. admin Says:

    Regarding the post above - The UCF has a lot of nice matrices and seems to be a good product and may be worthwhile again for those that just want to map their efforts. But again, the dangers I put in my original post are the same: Implementing mapping without understanding what is mapped is dangerous. In addition, there is no QUALITATIVE mapping (Implementing mapped controls from two different standards may not 100% map each other). Finally, the UCF reorganizes the standards to fit their various areas, but it seems difficult to do a comparative analysis of two standards, as in - Are there items in a given standard not covered? I would check this out, but it’s a bit unwieldy to do on the HTML versions and 1000 USD is a bit steep just for a quality check. Still seems a good product, just presented differently.

  10. anonymous Says:

    yep and to clear the air, im not a marketer for uc, i just thought the uc site is pretty slick. 1K slick? thats for you or your reader to decide. but, why re-invent the wheel was all i was getting at. ur points noted above obviously still stand.

  11. admin Says:

    Points taken and my original comments edited for correctness.

  12. Jason P. Rusch Says:

    I wanted to know if I could get a copy of your COBIT 4.1, ISO 27002 : 2005 and NIST SP 800-53 Rev 2 mappings ?

  13. admin Says:

    Jason - sent to your email. Regards.

  14. Clint Laskowski Says:

    Could I get a copy of your mapping, too? Please? Thank you.

  15. admin Says:

    Clint - sent to your email. Regards.

  16. John Kenny Says:

    In an echo of Jason and Clint’s request, could I request the mapping too?

    It would be very helpful as my company is just about to start tackling COBIT for ISMS purposes and wants to ensure that we also hit as broad an ISO footprint as possible.

    Regards - John

  17. admin Says:

    John - Sent to your email, regards.

  18. Steven Wolford Says:

    I sure could use any of the mappings that you have. I have tried to look around and it seems a little daunting, plus 1K (and more at some sites) is just too much for me to bear on my own.

  19. Steven Wolford Says:

    I should also say that I’m interested in the thoughts about if following frameworks actually leads to the most effective security. After spending a life implementing various security systems and eventually doing consulting, I wonder why infosec hasn’t applied some rigorous scientific methods for risk analysis and reduction.

    Steven - I sent you my mappings. Also re: your above comment…interesting question and I figure worth a short blog post of my opinion.

    e.

  20. Security Frameworks and Controls vs Rigorous Scientific Methods for Risk Reduction | SAIJE Thoughts Says:

    […] of the comments on my Much Ado About Mapping  post asked the following question, “…thoughts about if following frameworks actually […]

  21. Morris Dinar Says:

    Wondering if I could also receive a copy of your mapping? Thanks very much.

    Sent to your email. thx.

  22. July Says:

    I am having difficulties finding documents mapping cobit to 27002 to pci to hipaa, can someone help me?

    thanks

    Julius - I don’t have PCI or HIPAA in my document - sorry. I am working on getting HIPAA in it. Other than that, there are a lot of mapping items from COBIT (ISACA.ORG) should you become a member. Unified Compliance offers an online capability but it is not a direct mapping, but rather areas that are in common. I have seen on some message boards that there are concerns with that approach as well. Some of the posters on here are also working on their own mappings, you may want to contact them directly. I also know there are a lot of companies out there selling compliance solutions, that may help.

  23. Ben Says:

    Can I have a copy of your mapping too? Thanks a lot.

    Ben - Sent to your email - new version 1.01 (just a disclaimer added really)

    Regards.

  24. Mark Says:

    Would you mind providing me with a copy of your mapping?

    Thanks!

    Mark- Sent to your email - new version 1.01 (just a disclaimer added really)

    Regards.

  25. Llody Says:

    Hey

    I am BTECH student and am currently doing an assignment on how COBIT and ISO 27002 can be combined to form a sound ISMS.

    I think your work can be a great work and am also interested in ISM, so can you please mail me your document!

    Llody- Sent to your email - new version 1.01 (just a disclaimer added really). It is true they can be used in a complementary manner - I assume you are using Cobit as the general framework with the ISO controls providing the detail. Just make sure that you put some focus in the 27001 as well.

    Regards.

  26. Pat Flesher Says:

    Good afternoon,

    I have looked at the UCF and agree that it’s pretty slick and also concur that mapping one regulation to another can be difficult at best. I’m trying to map COBIT 4, SOX, GLBA and HIPAA to ISO 27001. I would greatly appreciate seeing the mapping you have completed to see how it measures up to what I’ve done so far.

    Thanks!

    Pat

    Pat - sent to your email….thx.

  27. S Davis Says:

    Could I get a copy of your mappings?


    S. No problem. Sent to your email.

  28. Matt Zimmerman Says:

    Any chance for me too? I’m particularly interested in a mapping of PCI NIST SP 800-53. My boss wants it and I hate reinventing the wheel. Don’t worry, I’ll tell her I work smart not hard!

    No problem - but PCI is not on here. Probably the best thing to do is determine whether PCI for your organization is a high or moderate level for controls and then get the NIST recommended set to start mapping with that. Will email it to you anyway.

    e.

  29. Caroline Says:

    Can I get a copy of the mappings too?

    Thanks

    Sure.

  30. Osioke Says:

    Admin: May I please have a copy too? Reinventing the wheel is just not fun, at all. Thanks :)

    Matt Zimmerman: how are you addressing the need to meet PCI DSS using NIST 800-53? I am a little lost why CISP needed to create PCI DSS when NIST and ISO already exist (and are mapped already) instead of identifying, in the case of NIST, which class and family of controls it requires of its clients.

  31. Martijn Mol Says:

    Hello,

    Can I get a copy of the mapping please?

    Thanks!

    Martin, sent to your email. Regards.

  32. Sergii Says:

    Can I please get copy of 17799/800-53 mapping too? Thank you!

    sent to your email but bounced back…please check your email submitted….regards.

  33. Ginny Tabbert Says:

    Can I get a copy of the GLBA to ISO 27001 mapping, too, please?

    How about OWASP to ISO? Thank you so much!

    Ginny - I don’t have GLBA or OWASP in this document, sorry. I’ll put them on my to do list, but I think first I am adding some HIPAA and expanding the NIST mappings to include the supplemental controls. But I’ll entertain any suggestions. Thanks.

  34. Mike Says:

    May I get a copy of the mappings. Much appreciated.

    Mike -

    Will send via email. Thx.

  35. david Says:

    I have a mapping in early draft that incorporates hipaa, 800-53, PCI and ISO 17799:2005. Due to copyright concerns, I can’t include ISO, but I’d be glad to share what I have. I haven’t done any work on it since January, so there may still be some gray areas to work on, but all contributions for work are accepted!

  36. Rinaldo Says:

    Great job. Can I get a copy? Thanks!

    Sent to your email.

  37. Craig Says:

    I would much appreciate anyone emailing me their mappings of Nist 800-53, CobIT 4.1, ITIL and/or ISO 27002. Also, ISACA has a mapping white paper on ITIL, ISO 17799 and CoBIt 4.0 (Joint publication with the Brits at OGC and the ISACA folks, available no cost to ISACA members). They also have a 4.1 map to ITIL in the works, reportedly. Thanks for the map(s) in advance if you email them to me.

    Craig - Sorry for the delay, mappings sent to your email. The mappings I’m sending you are for my personal use and meant to outline inconsistencies with mapping at the control level. The main problem I have with current mappings is 1) They don’t identify gaps (which mine does) 2) They only show mappings in one direction (mine shows forward and backwards) 3) Most mappings are not qualitative, they are only binary in nature (mine is no more qualitative than the others - yet) 4) Without a full understanding of the controls and taking mappings at face value, one can THINK they have adequate controls but really do not. In this case the only solution is to break each control to more atomic levels and map at those levels. I don’t think any mapping has done this yet, ultimately it is where I’d like to go and this is probably going to be a blog post soon.

  38. david Says:

    I should have checked this before (then again, we all probably spend a bit of time checking out NIST and the other sites), but NIST will be coming out with an update to their SP800-66 which will provide mapping of the 800-53 with the HIPAA Security Rule. This should save some headaches (and money!) for those who need to map the two.

    Another organization that offers unified compliance solutions is Informatica - has anyone used their product or services?

    David - Thanks for that reminder. The DRAFT is out now as of May 1. What I will be doing is adding that to this document. Benefits? I add the backwards pass which will also easily highlight the gaps. Also again, it will be interesting to see if this is consistent with the NIST 800-53 Mapping to ISO and COBIT (in other words, if it IS consistent, then one should be able to easily map those to HIPAA as well. If not, then just another danger of blindly accepting mapping without understanding context) I hope it is consistent, but from what I’ve seen so far in publicly available mappings, I’m not holding my breath. In any case, I am sure it will be a good tool when used correctly.

  39. Clint P. Garrison Says:

    Great resource. Can I get a copy of the IT Mappings also? Thanks!

    Clint - sent to your email. Regards

  40. Ken Says:

    Very good points. Could I get a copy of the mapping? Thanks.

    Ken - Sent to your email, regards

  41. CityArchitect Says:

    I came across this thread after googling for a mapping and found it very interesting.

    Can I have a copy of the mapping to look at?

    Thanks,

    Sent to your email….regards.

  42. Willem Says:

    Fantastic great work. Can I have a copy?

    Regards,

    Willem

    Willem - sent to your email. Regards.

  43. Cal Says:

    David,

    Excellent sir! Can you send me your 800-53 / ISO27002 crosswalk? I have an urgent need to map these standards. All I have at the moment are the older 800-53/17799 mappings with GAO FISCAM, DOD 8500-2, DCID 36/353, DISA STIGs, etc. if you’re interested in those mappings.

    Best Regards,

    Cal Smith
    Northrop Grumman
    Project Manager

    Cal - In case David has not sent his mappings, here are the ones referenced on this blog. Sorry for the delay. I used to work for NG a few years back (INRI bought by Logicon bought by NG)

  44. kennyja Says:

    I have been struggling to map ISO to NIST. How can I get a copy of this document?

    Kenny - sent to your email.

  45. Keith Says:

    I couldn’t help but notice that you have been able to map NIST 800-53 with COBIT, HIPAA, and others. Is there a chance you could send me a copy?

    Thanks!!

    HIPAA is not added. But what I have is sent to your email. I merely use other mappings and put them in a more readable format for consistency, identifying gaps and also doing a backward pass. If you can’t wait for HIPAA, the new draft SP-800-66 is out. I will be adding that in the next couple weeks.

  46. Mark Says:

    Can I get a copy of your mappings? Thanks!

    Sent to your email

  47. John P. Says:

    This is awesome! Can you send me a copy of your mappings? Thanks!

    Sent to your email

  48. Ade Says:

    @ Admin:
    A copy of 17799/800-53 mapping would be highly appreciated.

    I must concur a unified mapping or one map fit all mapping could be ‘dangerous’ for organisation.
    More especially when “IT”, Risk, business, Compliance… are disjointed.

    Merci

    Ade - sent to your email. Thanks for the comment. It is good to understand the similarities but each compliance need should be evaluated on their own as they will be audited on their own as well.

  49. Saket Says:

    Hi … I am in process of designing IS framework for my organization, would love to get a copy of your mapping to make my life easier.

    sent to your email

  50. Hans Baars Says:

    I’ve now been working for 2 days on a mapping between Cobit 4.1, ISO27002:2005, NIST-SP800-53, ITIL, COSO and Prince2, when I found this website….
    Could it be possible that I get a copy of your mapping?
    I would be grateful and will send you my “homework” when I complete it
    Thanks

    sent to your email. sorry for the delay.

  51. Enrique Says:

    Hi,

    I’m new to security standards and was searching for tips to map Cobit and ISO 27001. I really think you did an excellent work and was wondering if I could get a copy of your mapping please?

    Thanks and regards.

    Sent to your email. Look for additional posts on my thoughts on where mapping should go in the near future.

  52. Q.T. Says:

    Hi,

    it looks like you did a great job!

    I do research on various standards comparison, could you please send me your mapping as well?

    regards,
    P.

    sent to your email.

  53. Bikram Gupta Says:

    This is a great piece of work and follow up discussion. I have just started work on correlation between clouds of compliances Vs. clouds of frameworks. Can I get your copy to start with? Many thanks.

    of course. sent to your email. I would be interested in hearing more on what your work entails…perhaps an abstract of sorts? I would be glad to include it in a post should it fit the theme of this blog.

  54. Noelani Says:

    Hi there,

    Is it possible to obtain a copy of the mapping on Cobit/ISO/NIST? I would greatly appreciate it lots!

    sent to your email.

  55. Ryan Says:

    Any chance you will send a copy of the crosswalk my way ? This is exactly what i’ve been searching for. Thanks.

    sent to your email.

  56. mkarthik Says:

    Can I have the mapping document?

    Sent to your Email.
