The Information Security Forum, a U.K.-based association of leading companies from around the world, released a “mapping” document Monday that, for the first time, lets companies that guide their information security programs with the ISF’s Standard of Good Practice (known simply as the Standard) determine whether they are in compliance with the U.S. National Institute of Standards and Technology’s cybersecurity framework.
Since the release of the framework in February, neither NIST nor the Department of Homeland Security has been able to provide details on the number of private sector companies that have adopted the voluntary set of cybersecurity standards. William E. May, associate director for laboratory programs at NIST, opened a 45-day public comment period on Aug. 21 soliciting feedback that NIST hopes will shed some light on the private sector’s level of awareness of the framework and on what impact, if any, it has had on security and risk management policies and procedures.
“With the newly created mapping between the NIST Cybersecurity Framework and The Standard, ISF members can now determine which of their current controls satisfy the corresponding control objectives in the NIST Cybersecurity Framework, and thus demonstrate their alignment with it,” said Steve Durbin, managing director of ISF, in a statement. “Using the NIST Cybersecurity Framework, together with The Standard and other information risk management tools, enables organizations of all sizes to effectively demonstrate to their stakeholders the progress they’ve made in building a robust cyber resilience approach.”
ISF’s standard of good practice is one of the most comprehensive guides for information security in the world. More than half of ISF’s 300 member companies are included in the Fortune 500 and span more than a dozen countries.
The ISF standard is updated annually and “enables organizations to meet the control objectives set out in the NIST Cybersecurity Framework and extends well beyond the topics defined in the framework to include coverage of essential and emerging topics such as information security governance, supply chain management (SCM), data privacy, cloud security, information security audit and mobile device security,” ISF said in a statement. “Using the NIST Cybersecurity Framework – together with the ISF’s Standard of Good Practice and other information risk management tools – will enable you to effectively demonstrate to your stakeholders the progress you have made in building a robust cyber resilience approach.”
According to an information sheet on the new mapping released by ISF, the benefits of using the ISF standard to gauge your organization’s level of compliance with the NIST framework are threefold:
- You can rely on a well-established, robust control set with sufficient detail to address the control objectives in the framework.
- The Standard of Good Practice covers not just technical topics, but includes operational and governance controls necessary to maintain a resilient information security program.
- You can assess your existing security arrangements against the Standard of Good Practice controls to determine how well you are currently satisfying the control objectives in the framework.
You can find more information about ISF here.