Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »



Version 1: The ideal mapping structure *PREFERRED*

With this structure your Program has a nested mapping structure where Regulations/Standards/Policies/Contracts break down into Sections/Clauses, then Objectives are extracted from those Sections/Clauses, and finally Controls are mapped to the Objectives.  

When it comes time to run an Audit or Assessment, you can easily trace how specific controls are effective in achieving objectives that are vital to your Program.  This makes collecting evidence much easier as you will know where to look and who to talk to when the time comes to prove you are compliant.

Version 2: Reality on day 1

The preferred mapping is ideal, but who ever has all that detail worked out on day 1?  The reality is, you probably have very little detail about the Program that you need to start preparing for Audit or Assessment ready on day 1.  That shouldn't prevent you from mapping what you do know!

Let's pretend that we are setting up a Program for ISO 27001.  We already have a program for PCI DSS v2.0 and we know that many of the same controls will apply to our ISO Program.  We haven't yet broken down the ISO 27001 standard, but we can immediately create our ISO Program, then Create and Map the ISO Standard to that Program, and we can go ahead and map the controls from the PCI DSS v2.0 Program to our new Program as well.

Version 3: Starting to have more detailed Mappings

Let's continue with our example Program for ISO 27001 and imagine that a couple weeks have gone by.  You've applied some resources to breaking down the Standard into Sections and from those sections, you've begun extracting Objectives.

You haven't done anything further with the Controls from PCI that you mapped earlier, but you did learn that a specific Facility, Data Asset, and 2 existing Processes are all going to be part of your Program for ISO.

Your mapping structure would now look something like this:

Version 4: Ideal Mapping Structure

Hopefully you are starting to see how a Program can be refined to show more and more detail in terms of mappings.  ZenGRC lets you get started with mapping what you know on day 1 at a very high level, and as you do your compliance work, you can further refine those mappings by making them at the nested level of the Controls, Objectives or Sections/Clauses, in your Program.

Over time, this results in the Prefered Mapping Structure that will help ease the burden of the compliance work to come.  Knowing what other objects are mapped to specific Controls and Objectives makes gathering evidence much easier when that time comes.

Conclusion

So what does all this mean in terms of using ZenGRC?

Well, if you map something to an object page via the Left Hand Nav or if you add it to that Object page via the Map Object Selector, you are creating a direct mapping of Object to Object like what we have on Day 1.

When you map objects under the nested views of Sections/Clauses you are creating the more detailed, extended mappings that create the ideal structure we are after for the long run.

  • No labels