Cloud Controls Matrix

CCMv4 Workshop Session - January 28th [Meeting Minutes]


    Posted Jan 29, 2021 03:32:00 AM
    Hi everyone,

    please find below the minutes from yesterday's first workshop session of 2021.

    In a few lines, what was discussed and the next steps:
    • The CCMv4.0 - CCMv3.0.1 mapping has been adapted to include the FINAL V4 control specifications (remaining mappings, IG and CAM will follow),
    • Professionals were kindly invited to compare each V4 draft and V4 final control and, based on the applied "deltas", determine if an update to the current mapping is deemed necessary (i.e., the list of mapped V3 controls + gap levels),
    • Each domain is assigned 2 professionals, who are invited to work independently and in parallel, and place their recommendations for any change that needs to be applied by February 12th,
    • CCMv4.0 - CCMv3.0.1 mapping Tool can be accessed here to work on.

    Please find below the usual well-structured and detailed minutes section.

    Agenda Items (AIs):

    1.  Provide a summary of the activities in scope of the workshop sessions (what has been done, where we stand, next steps)
    2. Kick-off the update review for the "CCMv4.0 – CCMv3.0.1 mapping" based on the V4 Final control specifications
    3. AoB

     

    Participants (18):

    Renu Bedi
    Geoff Bird
    Madhav Chablani
    Angela Dogan
    Angell Duran
    Odutola Ekundayo
    Jon Erickson
    Jan Jacobsen
    Frank Jaramillo
    Erik Johnson
    Bala Kaundinya
    Bilal Khattak
    Nancy Kramer
    Claus Matzke
    Vitor Silva
    Lefteris Skoutaris (PM)
    Ashish Vashishtha
    Dimitri Vekris

      

    Meeting Minutes (MMs):

    1. Provide a summary of the activities in scope of the workshop (what has been done, where we stand, next steps)
    • The professionals of the group have delivered the development of 5 activities in Q4 2020 that were all based on V4 Final Draft version, including 3 mappings (ISO27001/02/17/18, AICPA TSC, CCMv3.0.1), the Implementation Guidelines (IG), and the Controls Applicability Matrix (CAM),
    • With the arrival of CCMv4.0 Final on January 22nd, it was deemed necessary that all the above activities must be adapted and updated to include the final V4 controls specifications,
    • The 3 mapping exercises have to be updated and delivered at a final version by end of February,
    • The IG and CAM have to also be delivered as final by mid-to-end of April.

      

    2. Kick-off the update review for the "CCMv4.0 – CCMv3.0.1 mapping" based on the V4 Final control specifications
    • PM has adapted the CCMv4.0 - CCMv3.0.1 mapping tool to the V4 final control specifications and has presented the applied mods to the group of professionals,
    • Professionals are kindly invited to navigate to the "Mapping Update Guide" tab where guidance on "how to" approach the update is provided,
    • The changes that led to the transition from "V4 Final Draft" to "V4 Final" are well documented under the "CCMv4_ChangeLog" tab,
    • The 2 professionals assigned per domain are kindly asked to begin the update review and provide their recommendations under the corresponding columns "J-K-L" and "M-N-O" respectively (AP1),
    • Geoff stated his interest to participate in the mappings and asked to join in the case of unavailability from a professional currently participating,
    • Angela reminded the group that a "serial number" added to each of the controls will help to identify & locate them in case of a change occurrence. Lefteris proposed that Angela use a V4 domain & control as a pilot and bring an example to present back to the group (AP2),
    • Lefteris to adapt the remaining activities to the V4 Final until the next workshop session (AP3).

    Snapshot from the CCMv4.0 - CCMv3.0.1 mapping tool illustrating the inclusion of the new V4 controls specification next to the previous final draft one.

    3. AoB

    • Next CCMv4 mappings workshop is scheduled for February 4th, 6 pm EEST (8 am PST/ 5 pm CET/ 11 am EST).


    Action Points (APs)

    AP1: The 2 professionals assigned per domain are kindly asked to begin the update review exercise and provide their recommendations under the corresponding columns "J-K-L" and "M-N-O" respectively.
    AP2: Angela to come back to the group with a V4 domain "pilot" example on the usefulness of adding a serial number per V4 control or CAIQ question.
    AP3: Lefteris to adapt the remaining activities to the V4 Final until the next workshop session.


    Please let me know if anything important is missed above. 

    Thank you all for your attendance and support.

    Best regards,

    Lefteris

    ------------------------------
    Eleftherios Skoutaris
    Program Manager
    Cloud Security Alliance
    ------------------------------