The Consulting Army approach to compliance mapping

The Consulting Army approach is scientific: it compares each Citation's primary nouns and primary verbs and then determines whether a match exists. This approach lets you illustrate the proof of a match, because you can see how the Citation texts line up with each other. In the example below, two Citations are listed. The Citations are tagged for their nouns (bracketed as “[noun]”) and verbs (bracketed as “{verb}”).

Compare this text

NIST ID.AM-1 Physical devices and systems within the organization are inventoried and an inventory of these assets shall be drawn up and maintained.

to this text

So that you know there is a match.

Compare this text

Noun: physical devices
Verb: inventory

to this text

Noun: assets associated with information and information processing
Verb: identify and log

While there is science behind it, this approach relies on a very laborious crosswalking method. Crosswalking assumes that the person performing the exercise examined each Citation in relation to every other Citation, in matrix form, as shown in the diagram that follows.

There’s only one major problem with this approach – it is highly time consuming and very costly. On the surface it sounds easy: read and interpret the Citation and determine whether it matches another Citation. The reality is much different, because each Citation must be matched against each of the other Citations. The number of comparisons is the number of two-element combinations of the Citations. You can easily calculate this in Excel by typing =COMBIN(N,2) into any cell, where N is the total number of Citations in both documents being compared.

Let’s take the example of comparing NIST ID.AM-1 (from the NIST CyberSecurity document) with ISO/IEC 27001 and NIST SP 800-53. There are a total of 1,060 Citations that need to be compared between the three documents. If you compare the documents in pairs, you’ll have to calculate the combinations for each pair separately.

The comparison between the NIST ID.AM-1 document and the ISO document alone amounts to over 50,000 different combinations. Comparing the NIST ID.AM-1 document with the NIST SP 800-53 document takes several hundred thousand tasks!

Citations per document:
NIST CyberSecurity Citations: 94
ISO 27001 Citations: 231
NIST 800-53 Citations: 735

Comparisons required (=COMBIN(N,2)):
Cybersecurity to ISO: 52,650
CyberSecurity to 800-53: 343,206
All three to each other: 561,270
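The following is an added example, not code from the original page or from any vendor's product. It parses the “[noun]” / “{verb}” tagging described above, decides a match when both a primary noun and a primary verb line up, runs the brute-force pairwise crosswalk, and reproduces the =COMBIN(N,2) workload figures from the table. The tagged Citation texts and the small equivalence map that lets “physical devices” line up with “assets associated with information and information processing” are constructed assumptions for illustration only.

```python
import re
from itertools import combinations
from math import comb

# Tag format described on the page: primary nouns in [brackets], primary verbs in {braces}.
TAG_RE = re.compile(r"\[([^\]]+)\]|\{([^}]+)\}")

def parse_citation(text):
    """Return (nouns, verbs) from a tagged citation, normalised to lower case."""
    nouns, verbs = set(), set()
    for noun, verb in TAG_RE.findall(text):
        (nouns if noun else verbs).add((noun or verb).strip().lower())
    return nouns, verbs

# Constructed equivalence map (an assumption of this example, not the page's data):
# each tagged term is reduced to the concept it stands for, so that differently
# worded citations can line up.
EQUIV = {
    "physical devices": "asset",
    "assets associated with information and information processing": "asset",
    "inventoried": "inventory",
    "identify and log": "inventory",
}

def canon(terms):
    return {EQUIV.get(t, t) for t in terms}

def citations_match(a, b):
    """A match exists only when both a primary noun and a primary verb line up."""
    na, va = parse_citation(a)
    nb, vb = parse_citation(b)
    return bool(canon(na) & canon(nb)) and bool(canon(va) & canon(vb))

def crosswalk(citations):
    """Brute-force crosswalk: compare every pair exactly once, return the matching pairs."""
    return [(a, b) for a, b in combinations(citations, 2) if citations_match(a, b)]

def crosswalk_workload(*counts):
    """Pairwise comparisons needed, i.e. Excel's =COMBIN(N,2) with N the combined count."""
    return comb(sum(counts), 2)

# Constructed tagged versions of the two citations quoted on the page, plus an
# unrelated control citation that should match neither.
NIST_ID_AM_1 = "[Physical devices] and systems within the organization are {inventoried}."
ISO_ASSET = "The organization shall {identify and log} [assets associated with information and information processing]."
CONTROL = "[Passwords] shall be {rotated} at least every 90 days."

if __name__ == "__main__":
    print(crosswalk([NIST_ID_AM_1, ISO_ASSET, CONTROL]))
    print(crosswalk_workload(94, 231), crosswalk_workload(94, 735), crosswalk_workload(94, 231, 735))
```

Note that `crosswalk` itself touches every pair, so its cost grows exactly as `crosswalk_workload` predicts; the equivalence map is the expensive human judgement that the page's consultants supply by hand.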

With the amount of work that it would take to perform comparisons using the Crosswalking method, many organizations performing this work will limit the comparisons to two or three documents.

While the Consulting Army approach can work, it only works through brute force (hence the need for a small army to do all the work, and why the costs are so high!). In addition, it may not be reasonable to assume that everyone using the Consulting Army approach actually performs all the required combinations, because the number of tasks is overwhelming.

