CISecurity/ControlsAssessmentSpecification

Consistency between 1.4 and 2.1 or added context

Opened this issue · 2 comments

Controls

Control 1.4: Maintain Detailed Asset Inventory
https://controls-assessment-specification.readthedocs.io/en/latest/control-1/control-1.4.html

Control 2.1: Maintain Inventory of Authorized Software
https://controls-assessment-specification.readthedocs.io/en/latest/control-2/control-2.1.html

Comment

Is there a documented logic as to why these controls, while conceptually similar, take different approaches towards defining Measures + Metrics?

Hey PL!

The logic here was that 1.4 is more focused on tooling and ensuring the tooling is working/configured appropriately across relevant assets to help update the inventory. 2.1 is more generic since we do not know if enterprises will be using tooling or not, and we do not make a recommendation either way. Does this help? If not, we can discuss further.

v/r
Ginger

PL,

Was this for Controls v7.1 or CAS 1.0? If so, closing.