Your go-to cybersecurity framework? ISO 27001 vs NIST CSF

I've been doing more and more cyber maturity assessments lately, and this question comes up every now and then.

What's your take? If you were to do a fresh assessment for an environment, would you start with ISO 27001 or NIST CSF, and why?

Or would you start with CIS 20 and then assess later after some baseline has been done?


Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

Learn GRC! GRC Mastery : https://grcmastery.com 

Comments

  • stryder144, Member, Posts: 1,684
    Honestly, I would recommend the CIS Controls first, then move into the next phase. I would think, though I am not an expert, that I would scour the industry my company is in for any further guidance. That would keep me out of the hell of regulatory compliance missteps that seems to frequently happen.
    The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
  • iBrokeIT, Member, Posts: 1,318
    UnixGuy said:
      if you're to do a fresh assessment for an environment...

    Check out this resource: https://www.auditscripts.com/free-resources/critical-security-controls/ , specifically the CIS Critical Security Control v7.1 Assessment Tool.

    After you have the assessment for CIS 20 done, you can then map those to all other frameworks using the AuditScripts Critical Security Controls Master Mapping.

    Cheers!
    2019: GPEN | GCFE | GXPN | GICSP | CySA+
    2020: GCIP | GCIA
    2021: GRID | GDSA | Pentest+
    2022: GMON | GDAT
    2023: GREM | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
  • UnixGuy, Mod, Posts: 4,570
    @iBrokeIT cheers for the links!

  • scasc, Member, Posts: 465
    Very timely topic. Personally I've found that using CIS 20 allows you to focus on some actionable outcomes pretty quickly without having to go over the rigours of a framework such as ISO. It's great to align your focus on maturing your cyber capability by focusing on critical concerns. This aligns to NIST pretty nicely also, so CIS links to NIST from a controls perspective.

    ISO is more risk management focused and less on real deep cyber matters. Think organisational security, suppliers, 3rd parties, physical etc. I'm sure these topics are in the above, but just saying there's nothing deeply substantial here from a cyber front.

    I think as a true end-to-end framework NIST pretty much covers the full spectrum around real cyber pretty well: identify, detect, protect, etc. For cyber this is what I would recommend. I've seen too many ISO certified places who seriously lack the rigour of a proper cyber programme.

    It also depends on industry, risk appetite, goals, expectations and desired result. If there is no regulatory mandate and a completely new slate I would look at the above. 
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • UnixGuy, Mod, Posts: 4,570
    @scasc agree with the ISO

    We have the Essential 8 in Australia (https://www.cyber.gov.au/publications/essential-eight-explained). I'm thinking of getting CIS 20 implemented first instead of the Essential 8.

    I usually start with the Essential 8 for a basic sanity check, then I like to do a NIST assessment straight away, baseline a score, and then get some recommendations to lift up everything simultaneously.


  • scasc, Member, Posts: 465
    Sounds like a plan. Always good to check the fundamental controls and then go that one step further in finding weaknesses per domain (tiers: protect, identify, detect, recover). Good thing here is that both reference each other. I'm actually attending the SANS GCCC controls course next month in London. Should give me a better insight :)
  • UnixGuy, Mod, Posts: 4,570
    That sounds like an awesome course. Let me know how it goes; I'm curious to see how good SANS is for control assessment, seeing as their forte seems to be technical stuff (forensics/pentest).

  • scasc, Member, Posts: 465
    Attending the work study for 566 tomorrow. I'll give you an update on how it goes. One thing I've seen is that there's a full day for NIST, which is great as I'm very keen on this area.
  • UnixGuy, Mod, Posts: 4,570
    @scasc sounds very exciting! 

    BTW, I'm coming up on one year in my current job. Thanks for all your tips and encouragement early on!

  • scasc, Member, Posts: 465
    edited October 2019
    Congrats, no problem at all. Hopefully it’s all working out well and you’re having fun. Let me know if you need anything else.
  • UnixGuy, Mod, Posts: 4,570
    @scasc it's been a real blast. Best job I ever had!

  • scasc, Member, Posts: 465
    UnixGuy said:
      @scasc it's been a real blast. Best job I ever had!

    That's great to hear. You're working in security risk and assessments, right?

    I've just finished 566. It was really good and supplements the knowledge one needs to go and assess your programs against these controls. It recommends some nice tools too. I'd recommend doing it with James as he's the author. With SANS I've noticed that if you pick the wrong instructor your experience may not be great, but this one was well worth it.

  • UnixGuy, Mod, Posts: 4,570
    @scasc sounds awesome and suitable for CISOs to do!

    Correct, I do security risk & assessments, but I also do cyber advisory stuff, security architecture, identity and access management... basically whatever comes my way, as I have a broad technical background.
