Mapping and integrating security and risk standards: A systematic literature review

Abstract

Organizations are under increasing pressure to comply with various rules, standards, and policies in today’s regulatory environment. Compliance controls are put in place to avoid legal or regulatory violations, which could lead to severe penalties, loss of reputation, and financial damages. However, these controls may have similar scopes and objectives, resulting in duplicated work and unnecessary costs for the organizations. To address this issue, researchers carry out the mapping and integration of these standards to avoid duplication, streamline compliance efforts, and identify best practices. Our work aims to improve the State-of-the-Art by exploring the main benefits and problems resulting from these processes, as well as identifying methods or artifacts that can be reused in the future. We focus on the fields of Risk, Security, and Business Continuity, as these are critical areas where compliance is crucial for organizations. Through our research, we have found that current methods of generating mapping artifacts are not only cumbersome to execute but also ineffective, as they output a single artifact without the reasoning behind it.