Your organization has made the crucial commitment and investment to protect your own, as well as your clients', information and data assets by successfully implementing a formal cybersecurity compliance program.
Now, is it safe to sit back and let the controls that were put in place do their job?
Are there cybersecurity review mandates?
There is no mandate that every available cybersecurity control within the most commonly used compliance frameworks be deployed in your organization.
As an example, the ISO 27001 framework contains 114 controls that can be included in your Information Security Management System (ISMS). The NIST Cybersecurity Framework (CSF V2) is structured differently and contains 22 unique controls (CSF "Categories") within 6 functions. Upon your organization's implementation of one of these, or another, framework, a decision was made to selectively implement controls based on their perceived relevance to your organization at the time they were implemented.
A well-managed cybersecurity compliance program requires continuous monitoring of the effectiveness of the controls that were put into place. How well are these controls performing? Did we select the right controls to ensure the safety of our critical business assets? Are the controls selected when the ISMS/CSF was first implemented applicable for our current business operation?
How often and when should your cybersecurity controls be reviewed?
For ISO 27001, clause 9.3 requires a formal management review of the ISMS to be performed at least once a year, or more frequently if there have been material changes that could affect the ISMS. While the NIST CSF does not mandate such a review, a prudent organization would perform a controls effectiveness review at least once a year.
Some triggers that should require an analysis of how well the controls are performing and whether there are any gaps in your current cybersecurity compliance framework include:
- Does your firm have a policy to perform a review of your cybersecurity compliance framework annually at a minimum? And spot checks on key controls periodically?
- Have selected performance metrics (KPIs) indicated that the current controls in place are functioning as designed?
- Have there been any unanticipated events?
- Has your firm performed any new system implementations or integrations?
- Has your firm acquired another company or created a subsidiary that will impact your cybersecurity compliance?
- Has your firm divested itself of a subsidiary?
- Has the Executive Leadership Team issued a new statement of strategic direction or mission?
In Conclusion
Protecting your organization’s critical business assets has never been more difficult. With the pace of technological and AI advances, new and ever more pressing and dangerous challenges arise almost daily.
i3 Can Help
Obtaining an objective third-party assessment can be invaluable to your organization. i3's cybersecurity team, led by our Certified Information Security Manager (CISM), can help by performing a complete review of your cybersecurity compliance program and identifying any gaps or areas of exposure and risk. In many cases, this assessment can take as little as two weeks to complete.