Mapping COBIT 4.1, ISO 27002 : 2005 and NIST SP 800-53 Rev 2
Wednesday, January 23rd, 2008
OR MUCH ADO ABOUT MAPPING
Within the IT Governance and Information Security fields there are many requests for mapping one standard to another to ease implementation of standards and provide additional guidance where needed. However, one caution is that not all mapping is created equal and in no case should one blindly follow the mappings provided without understanding the standards themselves and how they are implemented. In other words, mappings should only be used as a touchstone or starting point and not the definitive guidance for implementation.
COBIT 4.1, ISO 27002:2005 (formerly ISO 17799:2005) and NIST SP 800-53 Rev 2 are all mapped to each other in various documents. For brevity, these standards will be referred to as COBIT, ISO and NIST for the rest of this post. Luckily the COBIT mappings also provide a qualitative assessment of how well the ISO control objectives and controls and the NIST controls fulfill the COBIT Control Objectives. The NIST mapping does not provide that qualitative assessment, but it does give cautions similar to those I am discussing here.
A short example of the dangers of blindly following a mapping follows:
In the COBIT Mappings I selected three simple control objectives that both NIST and ISO fulfilled completely. The image below illustrates the mappings.
I selected those COBIT Control Objectives because each has only one NIST and one ISO control that completely fulfills the COBIT Control Objective, so they should be easy to compare. One would expect that, at a minimum, mapping the same NIST Controls to ISO would show the same ISO Controls and Objectives as those listed under the COBIT mapping. The table below shows the NIST mapping of those same controls (CP-3, CP-4 and CP-5) to ISO.
Note that ISO Control 14.1.5, which was listed as completely fulfilling COBIT Control Objective DS4.6, is not present at all in the NIST Control CP-3, which was also listed as completely fulfilling COBIT Control Objective DS4.6. The other two NIST Controls list additional ISO controls and objectives, but that MAY be OK: it may be that those additional ISO Control Objectives are truly not part of the COBIT control objective listed above and do not need to be identified. This was simply to illustrate the dangers of blindly accepting a mapping. There obviously is a difference of opinion between the mappings of COBIT to ISO and NIST and the mapping of NIST to ISO, as shown in this example (specifically NIST CP-3). That is why there is no substitute for understanding the standards and applying them as you understand your requirements.
Mapping is not without value, but it should be used as a starting point to understanding, not as a replacement for understanding.
Without going too far down this rabbit hole, here is a slightly more complex mapping. In this case the single COBIT Control Objective is completely fulfilled by a list of NIST Controls and a list of ISO Control Objectives/Controls. The assumption would be that every NIST Control should have at least one, if not more, of the ISO Control Objectives/Controls mapped to it as well. However, only TWO of the NIST controls (those highlighted in green) map to ONE of the ISO Control Objectives/Controls listed. The others (those highlighted in yellow) have different ISO Control Objectives/Controls, and vice versa.
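The cross-check performed by hand in the two examples above (COBIT to NIST and COBIT to ISO on one side, the published NIST to ISO mapping on the other) can be automated once the mappings are in a machine-readable form. The script below is an added example and is not part of the original post or of the ISACA or NIST mapping documents. The only data it takes from the post is that COBIT DS4.6 is completely fulfilled by NIST CP-3 and by ISO 14.1.5, and that the NIST-published CP-3 to ISO mapping does not list 14.1.5; every other objective and control identifier in the tables is a constructed placeholder, as are the function names. It reports two things separately, matching the post's own distinction: implied pairs missing from the NIST mapping (the CP-3 / 14.1.5 case, which needs explaining) and extra ISO controls the NIST mapping lists beyond what COBIT implies (which may be fine, but are worth a review).

```python
"""Cross-check control mappings for transitive consistency.

Added example, not from the original post. Mapping data is constructed
for illustration except for the DS4.6 / CP-3 / 14.1.5 relationship and
the absence of 14.1.5 from the NIST CP-3 entry, which the post describes.
"""

# COBIT control objective -> NIST controls said to fulfil it completely.
# DS4.6 -> CP-3 is from the post; the other two rows are placeholders.
COBIT_TO_NIST = {
    "DS4.6": {"CP-3"},
    "DS4.7": {"CP-4"},   # constructed placeholder
    "DS4.8": {"CP-5"},   # constructed placeholder
}

# COBIT control objective -> ISO 27002 controls said to fulfil it completely.
# DS4.6 -> 14.1.5 is from the post; the other two rows are placeholders.
COBIT_TO_ISO = {
    "DS4.6": {"14.1.5"},
    "DS4.7": {"14.1.3"},   # constructed placeholder
    "DS4.8": {"14.1.4"},   # constructed placeholder
}

# NIST control -> ISO controls as the NIST mapping lists them. Constructed,
# except that CP-3's list deliberately omits 14.1.5, as the post observes.
NIST_TO_ISO = {
    "CP-3": {"14.1.1", "14.1.2"},
    "CP-4": {"14.1.3", "14.1.5"},
    "CP-5": {"14.1.4", "14.1.5"},
}


def implied_nist_to_iso(cobit_to_nist, cobit_to_iso):
    """Derive the NIST -> ISO pairs the two COBIT mappings imply.

    If objective X is completely fulfilled by NIST control N and by ISO
    control I, one would expect N to be mapped to I in the NIST mapping.
    Returns {nist: {iso: {objectives that imply the pair}}}.
    """
    implied = {}
    for objective, nist_controls in cobit_to_nist.items():
        iso_controls = cobit_to_iso.get(objective, set())
        for nist in nist_controls:
            per_nist = implied.setdefault(nist, {})
            for iso in iso_controls:
                per_nist.setdefault(iso, set()).add(objective)
    return implied


def find_gaps(cobit_to_nist, cobit_to_iso, nist_to_iso):
    """Implied (nist, iso, via_objectives) triples absent from the NIST mapping.

    Each gap is a disagreement between the COBIT mappings and the NIST
    mapping that must be resolved by reading the standards themselves.
    """
    gaps = []
    implied = implied_nist_to_iso(cobit_to_nist, cobit_to_iso)
    for nist, iso_map in sorted(implied.items()):
        published = nist_to_iso.get(nist, set())
        for iso, objectives in sorted(iso_map.items()):
            if iso not in published:
                gaps.append((nist, iso, tuple(sorted(objectives))))
    return gaps


def find_extras(cobit_to_nist, cobit_to_iso, nist_to_iso):
    """ISO controls the NIST mapping lists that no COBIT objective implies.

    Returns {nist: [iso, ...]}. These are not necessarily errors (the ISO
    controls may simply be outside the COBIT objective), so they are
    reported for review rather than flagged as gaps.
    """
    implied = implied_nist_to_iso(cobit_to_nist, cobit_to_iso)
    extras = {}
    for nist, published in sorted(nist_to_iso.items()):
        unexplained = published - set(implied.get(nist, {}))
        if unexplained:
            extras[nist] = sorted(unexplained)
    return extras


if __name__ == "__main__":
    for nist, iso, via in find_gaps(COBIT_TO_NIST, COBIT_TO_ISO, NIST_TO_ISO):
        print(f"GAP: {nist} -> ISO {iso} implied via COBIT {', '.join(via)} "
              f"but not in the NIST mapping")
    for nist, extra in find_extras(COBIT_TO_NIST, COBIT_TO_ISO, NIST_TO_ISO).items():
        print(f"REVIEW: {nist} lists ISO {', '.join(extra)} not implied by COBIT")
```

Run on the constructed tables, the script reports exactly one gap (CP-3 should map to ISO 14.1.5 via DS4.6 but does not) and lists the unexplained ISO controls on each NIST entry for review. Replacing the placeholder tables with the full mappings from the ISACA and NIST documents turns this into a complete consistency report, but the report is only a list of places to read the standards more carefully, not a verdict on which mapping is right.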
For Further Information on Mapping these Standards Visit http://www.isaca.org and http://www.nist.gov
Feel Free to Contact Me with Any Additional Questions.


