Although I always had a keen interest in cybersecurity frameworks and standards, I didn’t get down to the meat of it until recently, and goodness gracious, I was (and still am) overwhelmed with how convoluted the landscape is! I mentioned the fragmentation in the cybersecurity space in a previous post (regarding vendors and technologies), and the same applies to planning and developing a cybersecurity program. Where do you start, and how do you make sense of all the existing frameworks, methods, standards series, guidelines, best practices, benchmarks, and the like, both in general and in the context of your business and operations?
Let’s consider IT risk management and security controls, for instance. This would cover how an organization assesses and manages risk and protects its assets: data, devices, networks, people, i.e., anything of value. I have counted over seventy (there are certainly more) frameworks, standards, guidelines, best practices, or baselines from at least a dozen publishing organizations. Table 1 lists some of the main standards bodies and a few of their publications about risk management and security controls. There is a large amount of overlap between these documents. Still, they usually cover different levels of detail, or different activities and functions, within the (macro-level) process of managing and dealing with cyber risk, including assessment, analysis, prioritization, mitigation & controls, and setting up an overall strategy and process. They also quite often reference each other, which is helpful.
Table 1.

| Organization – Category | Publication |
|---|---|
| ISO, IEC | ISO/IEC 31000 (Risk management — guidelines) |
| | ISO/IEC 27557 (Extended from ISO/IEC 31000 to cover privacy risk management) |
| | ISO/IEC 31010 (Risk management — Risk assessment techniques) |
| | ISO/IEC 33015 (Guidance for process risk determination) |
| | ISO 28000/1 (Requirements for security management systems / Supply chain security, assessments, and plans) |
| | ISO/IEC 27001/2/3/4/5 (ISMS – Requirements / Controls / General guidance, and guidance on managing information security risks) |
| | ISO/IEC 27701 (Privacy extension to ISO/IEC 27001/2) |
| | ISO/IEC 20000-1 (Service management system requirements) |
| | ISO/IEC/IEEE 16085 (Risk management for systems and software engineering projects and lifecycle activities) |
| | ISO 22301 (Security and resilience – BCMS – Requirements) |
| NIST | SP 800-30 (Guide for conducting risk assessments) |
| | SP 800-37 (NIST’s RMF – Risk Management Framework) |
| | SP 800-39 (Managing information security risk) |
| | SP 800-221/(A) (Practice of ICT risk management within the context of ERM) |
| | IR 8286/(A/B/C/D) (Integrating Cybersecurity and Enterprise Risk Management) |
| | SP 800-161 (Supply chain risk management practices) |
| | IR 8276 (Supply chain risk management: observations from industry) |
| | NIST CSF (Cybersecurity Framework) |
| | SP 800-160 (Developing Trustworthy/Cyber-Resilient Systems) |
| Function or Domain-Specific | NIST SP 800-53/171/172 (Security and privacy controls, targeting different entities/organizations) |
| | CIS Controls & Benchmarks (CIS Critical Security Controls & guidelines for hardening specific systems) |
| | HITRUST CSF (HITRUST Common Security Framework) |
| | NIST SP 1800 series (30+ cybersecurity implementation use cases) |
| | ISA/IEC 62443 (Cybersecurity for OT/ICS – Risk assessment, processes, and requirements) |
| | ISO/SAE 21434 (Cybersecurity of road vehicles) |
| | ISO 12100 (Safety of machinery — Risk assessment and risk reduction) |
| | ISO 14971, IEC/TR 80001-2-2 (Application of risk management to medical devices / networks incorporating medical devices) |
| | ISO 17666 (Space systems — Risk management) |
| | NIST SP 800-82 (Guide to Industrial Control Systems Security) |
| | NIST SP 800-218 (Secure Software Development Framework) |
| | NIST SP 800-207/(A) (Zero Trust Architecture) |
| ENISA, ETSI, CEN/CENELEC | BS 7799-3 (Guidelines for information security risk management) |
| | ETSI TS 102 165-1 (Method and pro forma for Threat, Vulnerability, Risk Analysis – TVRA) |
| | ETSI TS 103 701 (Cyber security for consumer IoT) |
| | SIST EN 17640 (Cybersecurity evaluation methodology for ICT products) |
| AICPA, CIMA | SOC for Service Organizations – Trust Services Criteria |
| | SOC for Cybersecurity |
| | SOC for Supply Chain |
| Some national initiatives | MEHARI Standard (France – MEthod for Harmonized Analysis of RIsk) |
| | EBIOS RM (France – A method for assessing and treating digital risks) |
| | MAGERIT (v3) (Spain – An Open Methodology for Risk Analysis and Management) |
| | BSI Standards 200-1/2/3/4 (Germany – ISMS guidance, requirements, risk analysis, controls, and emergency management) |
| | ACSC ISM (Australian Cyber Security Centre Information Security Manual) |
| | MONARC (Luxembourg – Optimised risk analysis method) |
| Others | FAIR (Factor Analysis of Information Risk) |
| | ISACA/COBIT (IT Risk and Governance Framework) |
| | OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) |
| | ITSRM² (IT Security Risk Management Methodology) |
| | C2M2 (Cybersecurity Capability Maturity Model) |
| | CERT-RMM (CERT Resilience Management Model) |
| | COSO Enterprise Risk Management Framework |
| | MITRE ATT&CK Framework (Knowledge base of adversary tactics, techniques, and mitigations) |
| | OWASP Risk Assessment Framework |
Where do you start?
I haven’t found clear answers to what a “typical process” for setting up a cybersecurity program would look like, or where to start in terms of frameworks and standards. Some security professionals recommend risk assessment as a starting point, which can be supported by a framework like NIST SP 800-30/37/39, ISO 31000, FAIR, etc. Others think you could select any framework and build your security program around it. This could be anything: one of the risk frameworks mentioned above, CSF, ISO 27001/2, or only a control list such as CIS Controls. A good few talk about defining the ‘why’ first, i.e., strategic goals and objectives the organization must achieve to deal with and reduce its risks and the metrics to analyze progress. The choice will then depend on those goals and metrics. For instance, if your primary goal is efficient reporting and rapid response and recovery, you might not start with any of the above-mentioned frameworks. It would rather be something like the NIST SP 800-160 (v2) or the ISO 22301, which can then be used with complementary frameworks to perform other functions, e.g., control selection.
In any case, a security program should be supported by multiple frameworks, standards, and guidelines. This makes sense since none of them is an all-encompassing source of security needs. While it’s important to understand what separates them from each other, in reality, navigating the entire landscape to pick and choose from is probably too involved and tedious an exercise. I am not sure anyone does that at all. Organizations might prefer to assess their posture in terms of how well they are doing relative to peers, for instance, using whatever certification target is predominantly used (or imposed) within their industry or vertical. It seems there is a lack of common understanding and processes for how to use this wealth of information efficiently. As a result, ensuring information security will probably remain an ad hoc affair for a good while to come.