Cyber Effectiveness – Which Cyber Security Framework?

The InfoSec Consulting Series #22

By Jay Pope


A cyber security framework is a way to improve an organisation’s existing security defences by making use of the experience and wisdom of other professionals and organisations. With an increased focus on how to prevent and deal with cyber-attacks, there are several frameworks that organisations could choose to adopt. But what are the options, what are the advantages and downsides of each option, and how should you go about selecting a suitable cyber security framework for your organisation?

Many frameworks are created or sponsored by governments, but the principles and best practices can be applied across all industries. A framework can provide direction, guidance, and focus. The most commonly used frameworks/specifications are:


ISO Standards

These standards for security management are published by the International Standards Organisation (ISO). Having originated from Shell as a corporate security document back in the 1990s, they have evolved and have been revised on a regular basis. The latest full revision was carried out in 2013, but amendments were made and added in 2014, 2015, & 2017.

ISO/IEC 27001:2017 outlines a formal management system that is focused on establishing governance over an organisation’s IT security. ISO27002:2017 is the management and implementation guide that provides recommendations on best business practices for cybersecurity.

These documents deal with all aspects of an organisation, including physical and environmental security, access control, asset management, human resource security, IT security policies, operational security, cryptography, systems acquisition, incident management, communications security, third party interaction, compliance, and more. The cybersecurity framework provides suggestions for security controls to address all concerns identified during a risk assessment or evaluation. The guidance also advocates the development of organisational cyber security standards and security management practices.

ISO27032 focuses explicitly on cyber security. It recognises the factors that cyber-attacks rely upon and includes guidelines to help protect your information internally and externally.

ISO27035 deals with incident management and is a crucial first part of cyber resilience. It is essential that organisations are prepared to respond promptly and effectively when faced with a cyber security incident. In addition, this standard includes guidance for modifying processes and policies to strengthen any existing controls and to minimise the risk of recurrence.

ISO27031 is the standard that deals with ICT readiness in the context of business continuity. This logically follows incident management, since an uncontrolled incident can all too easily become a threat to the continuity of ICT systems. As part of the overall strategy, it is crucial that your business is fully prepared for a cyber-attack defeating primary defences and threatening systems in their entirety.

ISO22301 is the international standard dealing with business continuity management systems (BCMSs) and is a core component of cyber resilience. ISO22301 focuses on the fallout and recovery from attacks as well as on maintaining the security of and access to information as the organisation attempts to restore full functionality.

PAS 555, released by the British Standards Institution (BSI) in 2013, is unusual because it concentrates on what the solutions should look like as opposed to how to approach certain identified problems. When used in conjunction with other standards, PAS 555 can be used to confirm the effectiveness of various solutions.

PAS 555 is broad in scope and specifically targets an organisation’s senior management team. It is a framework for cyber security governance which allows an organisation’s cyber security measures to be compared against already established ones.


NIST Cyber Security Framework (CSF)

The National Institute of Standards and Technology (NIST) Cybersecurity Framework was developed by order of the US Government following significant cooperation with private sector security experts. The Framework deals with how to assess security, how to consider risk, and how to approach resolving security issues. It includes guidance for cyber security management, improving security planning, how to communicate with internal and external entities, and advice for C-level executives in terms of awareness and security-related decisions. NIST CSF bases effective cybersecurity around five core functions: Identify, Protect, Detect, Respond, Recover. It comes with a wide range of reference documents which outline the details of each element.


Control Objectives for Information and Related Technologies (COBIT)

COBIT is a security framework that deals with IT security, management, and governance. It was designed by the Information Systems Audit and Control Association (ISACA) and is aimed at helping organisations to re-align their IT operations with their business objectives. It is based on five core principles:

  1. Meeting stakeholder needs
  2. Enabling a holistic approach
  3. Covering the enterprise end-to-end
  4. Applying a single integrated framework
  5. Separating governance from management


Centre for Information Security (CIS) Critical Security Controls

The CIS CSCs are a recommended set of 20 actions to help organisations prevent attacks. The latest version was released in March 2018. They are as follows:

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs
  7. Email and Web Browser Protections
  8. Malware Defences
  9. Limitation and Control of Network Ports, Protocols, and Services
  10. Data Recovery Capabilities
  11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  12. Boundary Defence
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Implement a Security Awareness and Training Program
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

Selecting a suitable cyber security framework is a business-critical decision and one that should always be taken at a senior level.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.