My organization wants to use 800-53 r5 as our primary control catalog. We also have PCI DSS obligations.
Is there some kind of authoritative, published mapping between the PCI DSS controls and the 800-53 r5 controls?
We would much rather implement, assess ourselves against, and generally “speak” 800-53 r5 internally, and then translate to other control frameworks as required when we have external obligations. I realize there might not be a 1-to-1 mapping of every single idea between control frameworks, but we’re just looking for a pointer in the right direction.