Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Image RemovedStructuring your Programs

ZenGRC: Program mapping structure

Table of Contents

Image Added

Version 1: The ideal mapping structure *PREFERRED*

With this structure your Program has a nested mapping structure where Regulations/Standards/Policies/Contracts break down into Sections/Clauses, then Objectives are extracted from those Sections/Clauses, and finally Controls are mapped to the Objectives.  

 

When it comes time to run an Audit or Assessment, you can easily trace how specific controls are effective in achieving objectives that are vital to your Program.  This makes collecting evidence much easier as you will know where to look and who to talk to when the time comes to prove you are compliant.

Image Modified

Version 2: Reality on day 1

The preferred mapping is ideal, but who ever has all that detail worked out on day 1?  The reality is, you probably have very little detail about the Program that you need to start preparing for Audit or Assessment ready on day 1.  That shouldn't prevent you from mapping what you do know!

 

Let's pretend that we are setting up a Program for ISO 27001.  We already have a program for PCI DSS v2.0 and we know that many of the same controls will apply to our ISO Program.  We haven't yet broken down the ISO 27001 standard, but we can immediately create our ISO Program, then Create and Map the ISO Standard to that Program, and we can go ahead and map the controls from the PCI DSS v2.0 Program to our new Program as well.  

Image Modified

Version 3: Starting to have more detailed Mappings

 

Let's continue with our example Program for ISO 27001 and imagine that a couple weeks have gone by.  You've applied some resources to breaking down the Standard into Sections and from those sections, you've begun extracting Objectives. 

You haven't done anything further with the Controls from PCI that you mapped earlier, but you did learn that a specific Facility, Data Asset, and 2 existing Processes are all going to be part of your Program for ISO. 

Your mapping structure would now look something like this:

Image Modified

Version 4: Ideal Mapping Structure

Hopefully you are starting to see how a Program can be refined to show more and more detail in terms of mappings.  ZenGRC lets you get started with mapping what you know on day 1 at a very high level, and as you do your compliance work, you can further refine those mappings by making them at the nested level of the Controls, Objectives or Sections/Clauses, in your Program. 

Over time, this results in the Prefered Mapping Structure that will help ease the burden of the compliance work to come.  Knowing what other objects are mapped to specific Controls and Objectives makes gathering evidence much easier when that time comes.

Image Modified

Conclusion

So what does all this mean in terms of using ZenGRC?

...