The ISO/IEC TS 27110:2021(E) - Cybersecurity framework development guidelines explicitly require a Cybersecurity framework creator to use Identify, Protect, Detect, Respond and Recover concepts to structure and organize the desired CSF framework.
If you are not ISO/IEC 2700X certified, the NIST approach can support you in implementing a corporate cybersecurity framework tailored to your reality in a short time frame, while you develop the processes, procedures and the related cultural change.
If you plan to become ISO/IEC 2700X certified or are already ISO certified, you can incorporate the NIST CSF into your cybersecurity framework.
The NIST methodology is your toolbox for a continuous, detailed improvement of the cybersecurity framework, and it can be integrated into the ISO/IEC 2700X, regardless of your tier profile.
NIST CSF Core: Identify, Protect, Detect, Respond, and Recover.
NIST CSF and ISO/IEC TS 27110
The NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) was founded in 1901 as the National Bureau of Standards (NBS), as part of the U.S. Department of Commerce, becoming NIST in 1998.
Over the years, NIST has been instrumental in developing industrial electrical products, digital imaging and data encryption standards.
Since 2013, NIST has been working with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure.
The NIST Cybersecurity Framework (CSF) is a flexible methodological tool accessible to organizations of all sizes and market sectors.
Any organization can use the NIST CSF as part of its systematic process for identifying, assessing and managing cybersecurity risks.
The NIST CSF can be used both by organizations with extensive cybersecurity programs and by those just beginning to think about putting a cybersecurity framework in place.
NIST CSF doesn't have the objective of replacing existing processes. An organization can use its current processes and overlay them into the framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement.
NIST CSF improves communication across organizations, sharing expectations with business partners, suppliers, and corporate sectors.
The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
The Cybersecurity NIST Framework Assessment
At a glance: understand your NIST CSF maturity level
During the design phase, the organisation follows a structured approach to establish or improve the existing cybersecurity program. At each step of the design phase, EVBS delivers to the Client key users, identified at the beginning of the project, specific templates to collect and analyse all the required data.
The Client Management and the line managers need to be part of the design phase because of the strategic nature of the project.
With EVBS support, the Client project manager decides the depth of the assessment and the complexity of the analysis and controls.
The Client’s organisation can repeat the steps below continuously to monitor the implemented cybersecurity program, increasing the granularity at each iteration.
1. Prioritize and scope: the Client makes strategic decisions regarding cybersecurity implementation, identifying the organization's business objectives and high-level priorities. With EVBS's strategic analysis support, the Client classifies the critical business lines and the related risk tolerance. The prioritize and scope step involves the Client organization across all functions (e.g. Management, Business Owners, Compliance, Legal, Risk Management, Operations, Administration, HR, and Internal Audit). The deliverable of this step is the cybersecurity program scope. The results of the prioritization and scoping analysis can affect the target implementation tier.
2. Orient: after the cybersecurity program scope is defined, the Client, with EVBS support, identifies the business lines' systems, assets, regulatory requirements and overall risk approach. The deliverable of this step is the list of threats and vulnerabilities applicable to the systems and assets of interest.
3. Create the current profile: EVBS supports the Client in creating the existing profile, indicating which categories and subcategories from the Framework Core are currently achieved. Partial results feed the subsequent steps and provide the baseline information for the gap analysis. The deliverable of this step is the Client's current profile classification.
4. Conduct the risk assessment: EVBS supports the Client in performing an overall risk management assessment. The operational environment is analyzed considering the likelihood of a cybersecurity event and the related impacts on the business. The deliverable of this step is the Client's current risk profile.
5. Create the target profile: EVBS supports the Client in creating a target profile focused on the framework categories and subcategories describing the organization's desired cybersecurity profile, considering external stakeholders such as government entities, customers, and suppliers. The deliverable of this step is the Client's target profile.
6. Determine, analyze, and prioritize gaps: by comparing the current profile and the target profile, the Client, with EVBS support, determines the resources (e.g. funding, workforce) to address the gaps. An action plan considering the prioritized gaps will define costs, benefits and amortized risk to achieve the outcomes in the Target Profile. The deliverable of this step is the gap analysis.
7. Implementation action plan: the Client, with EVBS support, determines which identified gaps have to be addressed, according to the defined organization priorities, to achieve the target profile. The organization should determine which standards, guidelines, and practices, including those that are sector-specific, work best for its needs. The final deliverable of this step is the implementation action plan.
Attackers tend to follow a repetitive pattern; they prefer low-hanging fruit provided by easy targets. That’s why protective measures should be geared to improving one’s digital resilience or maintaining it at a high level. We rely on a vulnerability scanner that is integrated in our security incident management process as an optimal augmentation of our SOC services. Axians’ vulnerability management & compliance service (VMC) provides for the identification, assessment and remediation of (technical) infrastructure vulnerabilities. Axians offers you a 360-degree VMC service. We take care of planning and architectural design, implementation and integration in your infrastructure, and attend to the operative management of scanning, reporting, automation and integration. And we advise you in the remediation process if the need should arise.