Frequently Asked Questions

Common Q&A about our Security Control Mapping Software

  • How are the control mappings made?

    The controls are mapped using a proprietary algorithm developed by analyzing existing industry mappings and control framework documentation. In other words, that’s our secret sauce. I created the mappings database as part of my PhD dissertation project to understand the effectiveness of the Cybersecurity Framework (CSF) compared to other information security risk management frameworks.

  • How accurate are the information security control mappings?

    It is the responsibility of each organization to define how it meets or adheres to a particular security control, and up to an auditor to decide whether or not the organization’s interpretation fits the general meaning of the control. The intent of each security control within a framework is therefore subject to interpretation, and the mappings will never be 100% accurate for the needs of your organization. However, if you are looking for framework mappings, then you are probably trying to understand how your organization lines up against a particular framework. Our mappings will get you most of the way there.

  • Am I entitled to updates after I purchase a mapping and the framework is updated?

    No. Each time a framework is updated, the controls within that framework must be analyzed and re-mapped to other frameworks. These changes require a significant amount of manual effort. A new framework will create a new mapping and require a new purchase.

  • Do you offer custom mapping services?

    Yes, Night Lion Security, our parent cybersecurity risk management firm, regularly develops custom information security risk frameworks for organizations that need to comply with regulatory requirements and their own internal organizational requirements. Please contact us for more information.