You’ve just ticked the box on that ISO 27000 certification, but before you can celebrate, a major client requests information on your alignment with NIST. Another partner is asking for your SOC2 report. With a sigh, you start the testing process again.
Many organizations will have a preferred controls framework to help demonstrate that their operations are secure – but other stakeholders may have other ideas, forcing you to adopt or adapt to multiple control frameworks. You may also choose to align to multiple certifications to ensure that you aren’t missing out on anything important.
In this blog, we will break down:
- Why organizations adopt a cybersecurity framework
- Why control frameworks may differ
- Why alignment with multiple frameworks is becoming more common
- How to relieve the burden of mapping and controls assurance
To find out more, join our upcoming webinar, Cyber risk: Get on top of your controls and frameworks:
Why organizations adopt a cybersecurity framework
I’m sure you don’t have to look very far to find a recent cybersecurity event occurring in your sector – or perhaps find someone you know who has been affected by one. Cyber breaches or security weaknesses can also impact our extended enterprise, either directly via third party breaches, or indirectly while our organization suffers from a cyber breach that cripples operations and has downstream impacts such as interrupting supply chains.
It’s why the biggest reason that organizations adopt a cybersecurity framework is simply trust. Aligning with a framework – especially one they can be certified against or easily demonstrate they are conforming – can expedite that trust with third parties, customers and regulators.
Why are the control frameworks different?
Control frameworks may be managed by different industry or government bodies; they might simply disagree on what ‘good’ looks like, or what should be minimum requirements compared to ‘nice to have’ improvements. NIST’s control framework is a good example, which includes base controls and a range of enhancements to consider. Some other frameworks consider some of those enhancements to be the minimum.
The NIST SP 800-53 states ‘Control enhancements are used in systems and environments of operation that require greater protection than the protection provided by the base control.’ Returning to the extended enterprise – our organization might not require some of those controls, but our partners, suppliers and other third parties with whom we share access and data might.
Why alignment with multiple frameworks is becoming more common
Demands from third parties to gain assurance over information security controls is one driver for adopting multiple frameworks. Impacts from a cyber intrusion or breach can be significant, and those third parties want assurance that your information security controls meet their standards, not just yours. If they’ve defined their standard based on a different framework, you might have to throw existing controls testing out the window and start again. Similarly, regulators are raising the temperature on managing cyber, and aligning with a control framework they recommend or prefer can help demonstrate a minimum standard.
But that’s not the only reason.
Beyond the external pressure, CISOs and information security teams are thinking about the direct impact a cyber incident can have, from impact on the financial stability and valuation of the organization down to the real impact on customers and employees. This prompts the critical question ‘What am I missing?’ This comes not from a position of compliance, but of risk management. How can I better protect the organization and its stakeholders?
“A challenge for a CISO is convincing management to budget for security measures, especially when they may not have sufficient understanding of the risks. It is the CISO's job to translate these risks into understandable terms and examples that are relevant to decision-makers.”[1]
“To be an effective CISO, one has to shift from focusing on tech tools and outputs towards having informed business risk conversations.”[2]
Mapping existing controls to multiple frameworks can help identify gaps and opportunities for improvement in the cybersecurity posture. Maybe you conform 100% to applicable controls in the NIST framework, but only 70% in ISO. What’s in that other 30%? Are there quick wins?
At a strategic level, frameworks can also help you understand how to effectively align your controls to your business processes and strategic objectives – for example, NIST CSF has a specific model for breaking down critical business processes.
Using mapping to gain assurance
There are some challenges to mapping control frameworks against each other. First and foremost is structural. Each framework has its own structure, and they don’t all match. Some will have different categorization, or different levels of granularity. You’ll need to decide what ‘level’ each of these map to. Once you’ve mapped two, you can add a third, and so on. Once you begin mapping many-to-many, you will need effective tools to help manage the web of relationships.
Once these are mapped, you can then align your existing controls to one of the frameworks. If you are using appropriate mapping tools and you’ve ensured the control meets each framework, this can automate the mapping to other frameworks. If you’ve got this far, the next step is to align your assurance program.
Your test plan should be designed to ensure it meets the criteria of the frameworks you’ve mapped the control to, and automatically scheduled and issued as appropriate. And voila – test once, and meet multiple frameworks. This can enable oversight of how effectively your control environment compares to each of the aligned frameworks.
Conclusions and next steps for your organization
Mapping to multiple controls frameworks can be painful if you don’t have the right tools, but it is increasingly becoming a necessity to meet the demands of stakeholders while also being proactive in managing information security risks.
But what if you could streamline this process? What if you could confidently map your controls across multiple frameworks, identify gaps, and ensure that your cybersecurity posture is as strong as possible, without the headache of re-testing and re-aligning for each new request?
To find out more, join me and Protecht’s Senior Manager, Research & Content Michael Howell for our upcoming webinar, Cyber risk: Get on top of your controls and frameworks, where we'll dive into practical solutions for managing the web of control frameworks. You'll learn how to align your cyber risk controls with your ERM strategy and discover strategies for gaining assurance that your controls meet not just your internal standards, but those of regulators and critical third-party stakeholders.
You won’t want to miss this opportunity to get the confidence you need to simplify your cyber risk management. Secure your spot today, and take the next step toward a more resilient and compliant cyber risk strategy: