CyberSecurity NIST framework core elements briefing note

I created this overview to add some perspective to the recent NIST CyberSecurity Framework development effort. I have already created the GAP Assessment to aid any organization planning on adopting this framework. In the table below I have mapped the NIST CyberSecurity Framework to the best practices ISO 27001:2013 and ITIL. Under the column titled “Clause” I mapped specific sections of ISO 27001:2013 and ITIL to the NIST standard. Under the column titled “control points” I included the total number of control points for the specific section. For example, in some circumstances, such as under the “Protect” section, I had to include the total number of control points for each standard, with the understanding that a detailed gap assessment is required and that these control frameworks overlap. I also included “D” for discretionary risk-mitigating controls that would require risk justification in or out of scope. I added an “M” for mandatory controls, where control points must be in place to provide governance and risk management oversight.

Page 1 of 2

This information has been shared freely by Mark E.S. Bernard. If you find it useful, please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program, then please contact Mark by email: [email protected]
