So many GRC tools use their “cross mapping” as a selling point.. but have you ever thought about how these mapping’s have been conducted?

“subject to interpretation”

Mapping is often conducted as an abstract exercise (e.g., “map A to B”) without explicitly determining, documenting, or communicating the mapping’s purpose, use cases, scope, audience, or other assumptions. As a result, people who use the mapping must guess at its meaning and context. These kinds of mappings save people a little time by pointing them to potentially relevant information. Users of these mappings still need to read and comprehend the concepts in both documents within the documents’ respective contexts to understand the nature of the relationship.

Read more: https://www.linkedin.com/posts/compliancerisk-io_nist-mapping-relationships-risk-management-activity-7098244006043623425-3g67?