What Is a Control Standard?

A “control standard” is a misnomer: the term blends two (2) distinct concepts, a control and a standard, to describe something else entirely.

In well-designed cybersecurity documentation, the components are hierarchical and build on each other to form a governance structure that manages requirements in an integrated way. Such documentation generally consists of six (6) main parts:

  1. Policies establish management’s intent;
  2. Control Objectives identify leading practices (mapped to requirements from laws, regulations and frameworks);
  3. Standards provide quantifiable requirements;
  4. Controls identify desired conditions that are expected to be met (requirements from laws, regulations and frameworks);
  5. Procedures / Control Activities establish how tasks are performed to meet the requirements established in standards and to meet controls; and
  6. Guidelines are recommended, but not mandatory.

Often, individuals use the term “control standard” when they actually mean a “control framework,” such as:

  • NIST Cybersecurity Framework (NIST CSF);
  • ISO 27001/27002;
  • NIST SP 800-53;
  • NIST SP 800-171; or
  • Secure Controls Framework (SCF) (or a similar metaframework).