Filtering the CCM controls by applicability/mapping.

    Posted Dec 18, 2024 07:43:00 AM

    I'm looking through the CCM controls and note that some controls aren't mapped to other standards. For example, AIS-03 has no mapping to the Trust Services Criteria or DSP-05 has no mapping to ISO/IEC 27001:2022. If, in my present state, I'm only interested in implementing one or certain standards - for example, undergoing a SOC 2 audit or an ISO 27001 certificate - I could ignore the CCM controls that are a Full Gap to the standards that I'm interested in. This isn't to say that those controls aren't good or important, but rather that if I need to prioritize the implementation of controls, I can prioritize based on the standards that are most applicable.

    Is this a fair assessment? If so, are there plans to release filterable CCMs or CAIQs that are a subset of the controls based on standards or would this be a manual exercise left to the organization?



    ------------------------------
    Thomas Owens
    Process Improvement Analyst
    Self
    ------------------------------
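The filtering the post describes, as an added example that is neither the poster's nor the CSA's own code: it reads a control-to-standard mapping, treats a "Full Gap" (or a missing row) for every chosen standard as "defer", and keeps anything else. The column names, gap labels and the sample rows are constructed assumptions, not the actual CCM mapping export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a CCM-to-standard mapping export.
# Column names and gap wording are assumptions, not the CSA's real file;
# the rows mirror the two cases mentioned in the post.
SAMPLE_MAPPING = """control_id,standard,gap_level
AIS-03,ISO/IEC 27001:2022,No Gap
AIS-03,Trust Services Criteria,Full Gap
DSP-05,ISO/IEC 27001:2022,Full Gap
DSP-05,Trust Services Criteria,Partial Gap
IAM-01,ISO/IEC 27001:2022,No Gap
IAM-01,Trust Services Criteria,No Gap
"""


def load_mapping(text):
    """Return {control_id: {standard: gap_level}} from CSV text."""
    mapping = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        mapping[row["control_id"]][row["standard"]] = row["gap_level"]
    return dict(mapping)


def filter_controls(mapping, standards):
    """Split control ids into (in_scope, deferred) for the chosen standards.

    A control stays in scope if at least one chosen standard maps to it
    with anything other than a Full Gap.  A control with no row at all for
    a standard is treated as a Full Gap for that standard, so a control
    never mapped to any chosen standard ends up deferred.
    """
    in_scope, deferred = [], []
    for control_id, gaps in sorted(mapping.items()):
        covered = any(gaps.get(std, "Full Gap") != "Full Gap" for std in standards)
        (in_scope if covered else deferred).append(control_id)
    return in_scope, deferred


if __name__ == "__main__":
    ccm = load_mapping(SAMPLE_MAPPING)
    keep, defer = filter_controls(ccm, ["Trust Services Criteria"])
    print("SOC 2 scope:", keep, "deferred:", defer)
```

Deferred controls are only deprioritised for the chosen audit, not dropped, which matches the caveat in the post.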