Starting a security programme is a daunting task, and it gets harder with the size of the organisation. So organisations turn to existing security frameworks to provide the structure for that programme.
In the industry, three frameworks are the most widely known and implemented: ISO 27001/27002, the NIST Cybersecurity Framework (CSF), and the CIS Critical Security Controls (CSC). I know others have used COBIT and ISA 62443 (also known as ISA99), but in my experience they are not as widespread, due either to scope (ISA 62443 targets industrial automation and control systems) or to complexity (COBIT).
From a complexity perspective, here are a few high-level statistics:
- CIS CSC (2017) has 20 security controls.
- NIST CSF (2014) has 5 functions, 22 categories and 98 subcategories.
- ISO 27001/27002 (2013) has 114 controls.
So does that mean ISO is better because it has more controls? Not necessarily. A number of mappings have been made between the frameworks, and there are controls in NIST CSF that have no counterpart in ISO 27001/27002 and vice versa, so a raw control count says little about coverage.
Having gone through these frameworks (and knowing that no two organisations are alike, so your mileage may vary), I find the NIST CSF offers the best of both worlds in terms of comprehensiveness and simplicity. Comprehensiveness in that the high-level functions Identify, Protect, Detect, Respond and Recover cover the key areas of an information security programme. Simplicity in that each of the categories and subcategories is easily understood.
However, what it doesn’t provide is prioritisation. When you identify a number of gaps in your security programme (against your chosen framework), you need to prioritise, because you will not have the resources to close all of them at once, and the organisation may not have enough tolerance for change for the programme to succeed.
For this, the CIS CSC helps, as it is based on practitioners’ experience of which controls actually work, and it was written in a deliberately prioritised order. However, I would exercise caution in taking its prioritisation as gospel, as there are a few controls whose placement I don’t agree with. For example, I would recommend having an Incident Response Plan and Process (CSC 19) sooner rather than later, as you will face security incidents (of varying magnitude) well before you finish the earlier controls. It does not have to be perfect in the beginning, but you should have one, particularly covering the different roles and responsibilities and when you should be communicating.
The CIS CSC also tends to focus on technical security controls, so before you even use it you need to have the ‘Identify’ function of the NIST CSF done first (the related sections in ISO 27002 are Information Security Policies and Organisation of Information Security). This provides the foundation for your security programme: you identify your business environment (and what is important to the business), identify the key risks and assets, and identify the governance needed to inform your strategy.
I hope that helps provide some food for thought.
- ISO/IEC (2013) ‘ISO/IEC 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems – Requirements’, ISO/IEC.
- National Institute of Standards and Technology (2014) ‘Framework for Improving Critical Infrastructure Cybersecurity’ [Online]. Available at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf (Accessed 4 September 2017).
- Center for Internet Security (2017) ‘CIS Controls’ [Online]. Available at https://www.cisecurity.org/controls/ (Accessed 4 September 2017).