Why Adopt an Information Security Framework for your Business?
Adopting a Security Framework will start your organisation on the journey to a better security posture, reduced security incidents, and reduced business risk.
A Security Framework provides the reference your organisation needs to identify risks and define the security controls required to address those risks. The gaps between your current security controls and those required by a framework provide the driver for your security strategy and show where security spending would address the most significant risks. There are other reasons for adopting a well-known Security Framework, not just to improve security or meet compliance obligations but also as a sales enabler.
Due to recent high profile supply chain attacks like the Solarwinds hack in 2020, organisations are becoming more aware of their supply chain risks and conscious of the security posture of their business partners. Increasingly, clients are writing Information Security controls and objectives into contracts, with clients often reserving the right to audit their vendors’ security.
Modern digital business transactions are underpinned by trust. Therefore, arguably the most important benefit of adopting a Security Framework, especially externally audited and certified, is the ability to both retain existing clients and attract new clients.
Which Security Framework is right for your organisation?
Choosing the right Security Framework for your organisation will depend on the organisation’s size, maturity, the number of Security and Governance, Risk & Compliance resources, the Security budget, the markets that the business operates in, and the benefits that the organisation is looking for adopting a given framework.
Small to Medium-Sized Organisations
Center for Internet Security (CIS) Top 18
Previously known as the CIS Top 20 and the SANS Top 20, this Security Framework identifies 18 key controls to implement and is one of the easiest to implement while providing a good uplift in the organisation’s overall security. The CIS Top 18 is a recommended starting point for the initial adoption of a Security Framework.
The controls in this framework provide significant security uplift and offer a foundational capability to move to other Security Frameworks in the future. While there is no certification for the CIS Top 18, an organisation can measure its maturity against the framework using the Capability Maturity Model Integration (CMMI), which ranks maturity against each control with a score between “Level 1 – Initial” to “Level 5 – Efficient”.
The NIST Family
The US National Institute of Standards and Technology (NIST) has released numerous security frameworks. The most comprehensive is NIST 800-53 Security and Privacy Controls for Information Systems and Organisations, a framework with 20 groups of controls, with over 1,100 separate controls. Adoption of NIST 800-53 is not recommended as an organisations first Security Framework.
NIST Cybersecurity Framework, commonly known as NIST CSF, is a subset of NIST 800-53 and NIST 800-171 Protecting Controlled Unclassified Information in Non-federal Systems and Organisations is a subset of NIST CSF.
NIST CSF is the “Goldilocks” of Security Frameworks, with just over 100 controls over 5 groups of controls. It is not overly complex nor comprehensive but still covers the most important controls and provides high levels of assurance without the overhead of NIST 800-53. NIST CSF is recommended for medium-sized organisations that aren’t ready for more complex frameworks that come with certifications. An organisation can be assessed against NIST CSF either internally or using an external parting using CMMI ratings.
While there is no certification body for the NIST family, the US Department of Defence (DoD) requires a third-party maturity assessment against 800-171 for vendors wanting to do business with the DoD, known as the Cybersecurity Maturity Model Certification (CMMC).
ISO 27001 Information Security Management
ISO 27001 is part of a family of Security Frameworks (the ISO 27000 family) that detail how to manage Security & Risk. ISO 27001 is comprised of 114 controls in 14 groups and 35 control categories.
ISO 27001 has the advantage of being certified by external auditors, and passing an audit against ISO 27001 provides the organisation with an internationally recognised certification. ISO 27001 is most popular in the UK & Europe, along with Japan, India and China.
ISO 27001 is a good fit for larger or more mature organisations, especially with international clients with higher security expectations or requirements.
Service Organisation Controls (SOC) 2
SOC 2 covers almost 300 controls across 5 control groups; Security, Availability, Integrity, Confidentiality and/or Privacy. SOC 2 controls are defined by the American Institute of Certified Public Accountants (AICPA).
SOC 2 reports are either a Type 1 report which reviews the controls at a point in time versus a Type 2 report which examines the controls over a fixed time period, normally six months to a year. SOC 2 controls are more prescriptive than ISO 27001, and there are twice as many.
SOC 2 certification is only recommended for very mature organisations that have contractual requirements for SOC 2.
It is not uncommon for global organisations to be certified against multiple Security Frameworks. Thankfully, there is considerable overlap between frameworks, allowing the organisation to move to another framework without much rework.
Compliance with Security Frameworks uplifts an organisation’s security, reducing incidents and risk. When an organisation is certified against a Security Framework, it can provide clients with a level of assurance of your organisations’ security which can be a differentiator to clients in a crowded market.