Mapping of distinct security controls is essential for proper valuation of the enterprise security profile score. Common security control mapping documents do not meet business requirements. Think about the current use of security control mapping documents.

Are Your Security Control Mappings Useless?
  • What is the practical use of security control mapping in your organization?
  • When was a control set used, in your organization, to manage a control in another set?
  • Why does the organization use a mapping? Are you meeting that objective?
  • How does referencing any control sets in a security policy help the organization?
The ESPM maps all security controls to a central control catalog, the NIST Cyber Security Framework.

Precise security control matching is required to build a structure for quantitative measurements, otherwise, mappings are useless. Mapping needs to be in-depth and linked to a measurement. OWASP describes the difficulty putting controls to use when, "the concept of a security control is hard to define clearly in a way that enables practitioners to begin writing controls and putting them to use. Some definitions exist, but are open to wide interpretation and may not be adaptable to every need" (OWASP, 2015).

The mapping in the ESPM enlightens an organization by providing a high-level perspective of controls while at the same time delivering applicable security controls at the operational level. Security control mapping stands as a pillar on a central framework foundation.
Indexing controls is at a many-to-one relationship rather than in a many-to-many matrix, the ESPM creates a mapping that is utilized for organizational security management. The indexing creates a useful security control mapping. The organization can focus on a single control catalog and reduce the confusion of managing many security controls from multiple control sets.

In addition to viewing the security control number in the mapping, the ESPM provides a definition of the security control. This perspective allows keywords to bring controls together. In contrast, "different organizations and standards will write controls at differing levels of abstraction, it is generally recognized that controls should be defined and implemented to address business needs for security" (OWASP, 2015).

The ESPM solution provides the perspective for an informed information security management program.