Frequently Asked Questions

Common Q&A about our Security Control Mapping Software

  • How are the control mappings made?

    The controls are mapping using a proprietary algorithm developed by analyzing existing industry mappings and control framework documentation. In other words, that’s our secret sauce. I created the mappings database as part of my PhD dissertation project to understand the effectiveness of the Cybersecurity Framework (CSF) compared to other information security risk management frameworks.

  • How accurate are the information security control mappings?

    It is the responsibility of each organization to define how they meet/adhere to a particular security control, and up to an auditor to decide whether or not the organization’s interpretation fits the general meaning of the control. The intent of each security control within a framework is therefore subject to interpretation and will never be 100% accurate based on the needs of your organization. However, if you are looking for framework mappings then you are probably trying to understand how your organization lines up against a particular framework. Our mappings will get you most of the way there.

  • Am I entitled to updates after I purchase a mapping and the framework is updated?

    If you elect to be part of our annual subscription program, we will provide you with updates quarterly, or each time there is an update to a purchased framework. If a subscription is not purchased, then a new mapping will need to be purchased.

  • Do you offer custom mapping services?

    Yes, Night Lion Security, our parent cybersecurity risk management firm, regularly develops custom information security risk frameworks for organizations that need to comply with regulatory requirements and their own internal organizational requirements. Please contact us for more information.