SOC-CMM forum
Which additional alignments could be made to the SOC-CMM




Which additional alignments could be made to the SOC-CMM - robvanos - 02-20-2019

The SOC-CMM is currently aligned with NIST CSF 1.0 and NIST CSF 1.1. Indirectly, this connects the SOC-CMM to other standards, such as: COBIT 5, ISO/IEC 27001:2013 and NIST SP 800-536. What additional alignments could be valuable to the SOC-CMM community?


RE: Which additional alignments could be made to the SOC-CMM - jquine - 06-20-2019

Could be interesting if we could consider: https://www.cisecurity.org/controls/

The 20 controls probably are really basic, but when you go deep, you will find there are some interesting controls associated.


RE: Which additional alignments could be made to the SOC-CMM - robvanos - 07-04-2019

Hi Jquin,

Sorry for the late reply. I've never considered the CSC before. Mostly because of the fact that it's too high level. But I agree that there's more to CSC than just the high level part of it. I'm going to take a more detailed look. Even if it's not fit for mapping purposes, it may still be useful for further improving the capability side of the SOC-CMM.

Regards,
Rob.


RE: Which additional alignments could be made to the SOC-CMM - jvbon - 08-16-2019

(02-20-2019, 02:12 PM) robvanos wrote: The SOC-CMM is currently aligned with NIST CSF 1.0 and NIST CSF 1.1. Indirectly, this connects the SOC-CMM to other standards, such as: COBIT 5, ISO/IEC 27001:2013 and NIST SP 800-536. What additional alignments could be valuable to the SOC-CMM community?

Imho any alignment analysis with other practice-based frameworks is rather meaningless. It would only illustrate redundancies and blanks between these frameworks.
Instead, I would recommend cross-referencing the framework with a method that describes a management system.
If you would also cross-reference the other frameworks with that same method, you would have an impartial reference point. THAT would make 'alignment' of cross-referencing meaningful.

If you would try this with e.g. the USM method (Unified Service Management), you would find astonishing results for all involved frameworks...