Every organization, regardless of its specific field or specialization, has “something” they must comply with. Compliance requirements can come from several sources, including laws, regulatory requirements, and best practices.
In general, most companies want to show their customers that they are serious about Cybersecurity, and will demonstrate this by allocating the necessary resources toward achieving an effective compliance framework.
Cybersecurity Compliance Frameworks are foundational guidelines that can be very general in nature or very specific to an industry group. This article provides an overview of these frameworks.
Which Framework is Best for My Firm?
Okay, so you want your organization to have the reputation for being in the top of its class as far as complying with Cybersecurity laws, regulatory requirements, and best practices goes. Which framework should your organization subscribe to? The answer might be only one or all of them, depending upon your budget, risk factors, and the availability of compliance resources. Below is the short list of the most relevant Cybersecurity Compliance Frameworks for you to consider:
- ISO – International Organization for Standardization
- NIST – National Institute for Standards and Technology
- CMMC – Cybersecurity Maturity Model Certification
Yes, there are many others; especially if you take in consideration all the local/regional and/or international frameworks, but let’s limit this discussion to the those most likely to be in your playbook.
ISO
If the scope of your organization’s operations is international, you will probably put the ISO framework at the top of your Compliance list. ISO maintains many standards applying to virtually every area of an organization’s functions; however, the most relevant to this discussion is ISO 27001 “Information Security Management.” ISO 27001 currently has 11 Security “Domains,” 39 Control Objectives, and 130+ Controls.
NIST
While not originally introduced as an international compliance framework, NIST has gained wide acceptance in global organizations. Like ISO, NIST has published hundreds of Compliance Frameworks. As with ISO, we need to narrow the list down to those most relevant to Cybersecurity:
NIST 800-171 – “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” and
NIST 800-53 – “Security and Privacy Controls for Information Systems and Organizations”
CMMC
This is the newest of the list. It was originally intended to measure the degree of Cybersecurity protection members of the U.S. Defense Industrial Base have in place for certain types of information the Department of Defense (DoD) routinely releases in support of its procurement contracts. The framework, however, has proven to be so robust that non-government, commercial companies are taking a hard look at complying with it.
So, Now What?
Which of the above Cybersecurity Compliance Frameworks should your organization invest in complying with? Well, maybe all of them!
While each has its particular provisions, all three follow a proven best-practices Cybersecurity structure. What some organizations do is compare the compliance requirements for each security framework and then choose the most restrictive to comply with. The end result of this process may well be that your Cybersecurity Compliance Program embraces a mix of all three.
How Does My Company Get Started?
My next, follow-up article, entitled: “Performing a Cybersecurity Compliance Assessment” will answer that question, as well as walk you through the high-level process of determining your organization’s current Cybersecurity “health.”