The foundation for an organization's cybersecurity and privacy program is its policies and standards. These components form the alignment with leading practices to help ensure applicable statutory, regulatory and contractual requirements for cybersecurity and privacy are addressed. From these policies and standards, procedures and other program-level guidance provide the specific details of how these policies and standards are implemented.
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To do NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
This understanding makes it easy to determine where on the "framework spectrum" (shown below) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.
|
|
Effective cybersecurity and data protection is a team effort involving the participation and support of every user that interacts with your company’s data and/or systems, it is a necessity for your company’s cybersecurity & data protection requirements to be made available to all users in a format that they can understand. That means your company must publish those requirements in some manner, generally in either PDF format or published to an internal source (e.g., wiki, SharePoint, Jira, GRC, etc.). Our goal is to make that process as efficient, cost-effective and scalable, as possible. Since words have meanings, it is important to provide examples from industry-recognized sources for the proper use of these terms that make up cybersecurity & privacy documentation. Simply because you have heard a term used in one manner for the last decade, it does not mean that is correct. That is why we wrote the following guide to help explain how cybersecurity and data protection documentation is meant to be developed, based on authoritative definitions of the components that make up documentation (e.g., policies, standards, procedures, controls, etc.). As a "rule of thumb" to understand how documentation ages, if your cybersecurity policies, standards and procedures are old enough to start kindergarten (4-5 years old) then it is time to perform a thorough refresh / update cycle. Cybersecurity and privacy are evolving fields and your documentation needs to be current to address these new requirements and threats. |
The concept of a "best" cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of four (4) starting points to kick off the discussion about "Which framework is most appropriate for our needs?":
While policies, standards and procedures form the foundation of any cybersecurity and data protection program, there are many other components that build off of those documents:
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...
ComplianceForge NIST Cybersecurity Framework Compliance Documentation Templates
NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) Policy Template - Editable Policies & Standards Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...
ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates
ISO 27001 & 27002 Policy Template UPDATED FOR ISO 27001:2022 & 27002:2022 Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...
ComplianceForge NIST 800-53 Compliance Documentation Templates
NIST 800-53 Rev5 Policy Template LOW & MODERATE BASELINE Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...
ComplianceForge NIST 800-53 Compliance Documentation Templates
NIST SP 800-53 Rev5 Policy Template LOW, MODERATE & HIGH BASELINE Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...
The NIST Cybersecurity Framework (NIST CSF) is commonly used “cybersecurity best practice” for organ...
Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mit...
Determining the scope of controls (e.g., assessment boundary) is different than determining control...
NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) anywhere it is stored,...
