We have been PCI compliant for a decade now and we have used PCI as a de facto cyber framework despite its limitations (it is very prescriptive and very narrow in scope). We want to adopt one of the broader frameworks (NIST, Essential 8 etc) while avoiding too much duplication and added work – does anyone have any recommendations or experiences to share in this area?
We looked at this in panel discussion and there were some suggestions that NIST works best as a basis but the best answer may be a tailored mix. I like that (and I think it is always inevitable to some extent) but I do also like the certainty when interacting with partners, insurers and board of being able to state compliance to a particular framework. Any further thoughts?
NIST is a great standard to follow and you can measure the maturity of your security posture, i.e., current vs future. However, if your organisation wants to pursue an industry certification to comply with that can gain trust with your clients, I’d recommend ISO 27001. Also, depending on your organisation there are probably standards that you will require to comply with, i.e., financial - CPS 234, medical - DHHS 31 (pretty light though I’m guessing), energy - AESCSF, defence - ISM (pretty comprehensive)…etc. Either way, all these have overlapping controls and of course there is always a cost associated with maintaining certification, i.e., if you want to be certified. ASD E8 is a subset of CIS top 35, I consider this to be a good one to bolster technical controls and is very focussed to significantly reduce the risks (again depends on the size and complexity of the org).
In summary, NIST+ASD8, if no certification is required. But, there is always a mapping between NIST and ISO 27001, so one way or the other you’ll be aligned.
For me, the best general purpose framework for cybersecurity has to be the CIS Controls. 150+ security procedures and tools that fit together logically and seamlessly, plus metrics to measure maturity. It is prescriptive inasmuch as it says which controls should be implemented first.
I find the NIST CSF to be a bit of a dog’s dinner — lots of bits and pieces to think about and do, but it has inconsistencies and gaps, and lacks canned metrics.
ISO 27001 is really good from the standpoint of creating a robust cybersecurity program, and of course it’s needed where you need to be certified. However, the Annex A controls are just guidelines, with no prescription as to which should be implemented and when. In the absence of any client or other requirement, it’s the CIS Controls for me.
NIST to get the widest possible view of cyber related controls required within an enterprise. Downside is many controls are outside cyber (such as enterprise risk management), so make sure you understand who owns which controls. Measuring maturity level can be a challenge - various auditors have their own yardstick for what constitutes meeting each level. Essential 8 if you want to get some solid technical controls in place and nail the team(s) down to deliver them.
If you were looking at a framework to move from PCI to, I’d recommend ISO 27001 as a starting point. That will cover off all the essentials but then I would also be supporting it with documentation on Essential 8 and CIS Controls as many customers will also want to understand the next level of controls down (maybe somewhat dependent on what industry you are in).
After that, if you wanted to understand the effort to uplift or translate to another standard there’s plenty of tools out there which can help; I’ve always found this from Agilient (need to register) very useful: https://www.agilient.com.au/?page_id=5788
Firstly, I would like to say that Essential 8 is not a broad framework and is very prescriptive - as mentioned in other comments - it is a subset. It works best though if you are going for overall ISM compliance - however this is only relevant in Australia - so guessing you are an Australian company?
That takes me to my next response which is - it depends where your company is located and if you are national or global. If global then you will find ISO 27001 seems to fit best - NIST is a close 2nd but mostly used in US, like CIS. The good news is that they can all map to each other and whilst being compliant in 1 - you will find you are often compliant in others by default.
Also depends if you want certification - if you go for big tenders / contracts then this is often desirable. So ISO 27001 is a good one as you can determine the scope.
As a lead implementer - this is a frequent question and my response is always about understanding what is going to fit best with your requirements / experience / resources / capabilities. I find non IT people seem to relate to ISO 27001 well as they are usually familiar with ISO frameworks in other places of the business. This is great if you need them to contribute - e.g. HR contributes to your personnel security controls.
Again, no matter what you pick - there will be overlap - but for my thoughts ISO 27001 is a very good broad starting point which is not too burdensome (not sure if that is a word LOL).