My philosophy is that a strong security program leads to compliance, and for that reason, I advise everyone to focus on security first. Implementing proper safeguards will result in compliance with any given regulation.
The reality is that you need some way to map a security control to the appropriate requirement of a regulation to prove that you are doing something. So I see a definite need for some type of catalog. A number of corporate governance consultants and software companies have done similar mappings.
With these compliance and governance offerings, each organization will face the buy vs. build decision. In general, I'm a fan of buying rather than taking matters into my own hands, but this is not always an option. There are clear situations where a commercial offering that focuses on a set of generic controls and common regulations may not fit your environment, especially if you have a very complex and customized one. But those environments are few and far between. Given the significant resource requirements necessary to keep a catalog mapping up-to-date and relevant to dynamic business conditions, I figure most organizations are better off buying.
The biggest challenge you'll have is making the catalogue relevant to a security person's day-to-day activity. Why? Basically because most catalogs and/or mapping is just another set of reports that security professionals need to deal with. Optimally, reporting and compliance can be leveraged with daily operational activities. That way, it's easier to see how implementing new controls or remediating problems can actually have an impact regarding specific regulations.
This was first published in April 2007