
If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it generally comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. If you ask a cybersecurity professional to identify their preferred "best practice framework", it generally comes down to NIST or ISO.
A key consideration for picking a cybersecurity framework is understanding the level of content each framework offers, since this directly affects which security and privacy controls exist "out of the box" without having to bolt on content to make the framework work for your specific needs. That understanding makes it fairly easy to determine where on the "framework spectrum" (shown below) you need to focus when selecting a set of cybersecurity principles to follow. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to (1) not be considered negligent against reasonable expectations for security and privacy, (2) comply with applicable laws, regulations and contracts, and (3) implement the proper controls to secure your systems, applications and processes against reasonable threats. This process generally leads to selecting either the NIST Cybersecurity Framework, ISO 27002 or NIST 800-53 as a starting point.

It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision.

Which framework is right for my business? NIST Cybersecurity Framework vs ISO 27002 vs NIST 800-53 vs Secure Controls Framework
