When More is More – Using A Multi-Standard Assurance Framework for Cyber Maturity Assessments

Often, when organisations perform these assessments internally, or with some of the less capable consultancies out there, a single-standard assurance framework is used as the basis of the assessment. The framework itself is often picked, seemingly at random, from the typical ‘acceptable list of cyber security standards’, namely:

  • NIST
  • ISO27001
  • SANS Top20 Controls
  • C2M2

Whether one standard is selected over another tends to be the result of one or more of the following:

  1. what is quite simply the flavour of the month for the client;
  2. the personal preference of the person sponsoring the cyber maturity assessment; and/or
  3. what the board is used to seeing.

Now, what we have seen in recent years is a move towards creating bespoke assurance frameworks, made up of two or more security standards, to perform these kinds of assessment. There are a number of benefits we have found in doing so:

1. Not all Standards are Born Equal – I think everyone would agree that there is no utopian security standard that accurately and completely encompasses all ‘security’ domains. As such, some security standards are focused a little more on IT controls (e.g. ISO), some a little more on the technical domains (e.g. SANS Top20), some more on IT risk, and so on. By combining these standards into a single framework, you start to cover the shortfalls of one standard with the strengths of another, producing a much broader framework to assess against. I’ve demonstrated this conceptually in a very basic format below.

As you can see, some standards overlap in scope and coverage, but they also add to one another, making for a much more valuable and insightful framework.

2. Granularity of Reporting – as the framework broadens, not only do you have an increased number of security domains to report on, but each domain is itself enriched: more sub-capabilities within capabilities, and more insight into what organisations should be expected to be doing at each cyber maturity level.

3. Dynamic Reporting – often, within organisations, different parts of the business require reporting against different standards. If you build your framework correctly and assess the cyber capabilities in the right way, you can perform one cyber maturity assessment and then slice and dice the reporting according to whichever security standard is requested. For example, you have used a framework that encompasses NIST, ISO and SANS, but the risk and audit committee has asked to see the results of the cyber maturity assessment through a NIST lens only. With this type of framework, you can fairly easily and quickly filter down to the controls that were assessed against NIST and provide a NIST-only view.
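To make the coverage idea from benefit 1 and the single-standard lens from benefit 3 concrete, here is an added Python sketch (not code from the original post): each capability is assessed once and carries a mapping to the clauses of every standard it evidences, so the same scores can be reported either as the full multi-standard picture or filtered to one standard. All domain names, clause identifiers (such as "N-1") and maturity scores are constructed placeholders, not real clause numbers from NIST, ISO 27001 or the SANS Top 20.

```python
"""Added illustration, not code from the original post: a minimal model of a
multi-standard assurance framework. Each capability is assessed once and
carries a mapping to the clauses of every standard it satisfies, so the same
assessment can be reported through a single-standard lens. Every identifier,
domain and maturity score below is a constructed placeholder."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Capability:
    domain: str                            # framework domain the capability sits in
    name: str                              # sub-capability that was assessed
    maturity: int                          # observed maturity level (constructed, 0-5)
    mappings: Dict[str, Tuple[str, ...]]   # standard -> clause ids it evidences


# Constructed sample framework. Clause ids such as "N-1" are placeholders.
FRAMEWORK: List[Capability] = [
    Capability("Asset Management", "Hardware inventory", 3,
               {"NIST": ("N-1",), "SANS": ("S-1",)}),
    Capability("Asset Management", "Software inventory", 2,
               {"NIST": ("N-2",), "SANS": ("S-2",), "ISO": ("I-1",)}),
    Capability("Vulnerability Management", "Continuous scanning", 2,
               {"SANS": ("S-4",)}),
    Capability("Governance", "Information security policy", 4,
               {"ISO": ("I-2",), "NIST": ("N-3",)}),
    Capability("Governance", "Risk assessment process", 3,
               {"ISO": ("I-3",), "NIST": ("N-4",)}),
    Capability("Incident Response", "Incident response plan", 1,
               {"NIST": ("N-5",), "SANS": ("S-19",), "ISO": ("I-4",)}),
]


def coverage(framework: Iterable[Capability]) -> Dict[str, Set[str]]:
    """Domains each standard covers within the framework (benefit 1)."""
    cov: Dict[str, Set[str]] = defaultdict(set)
    for cap in framework:
        for std in cap.mappings:
            cov[std].add(cap.domain)
    return dict(cov)


def combined_coverage(framework: List[Capability], standards: Iterable[str]) -> Set[str]:
    """Union of the domains covered by a set of standards."""
    cov = coverage(framework)
    return set().union(*(cov.get(s, set()) for s in standards))


def coverage_gain(framework: List[Capability], base: Iterable[str], added: str) -> Set[str]:
    """Domains the added standard covers that the base standards do not."""
    return combined_coverage(framework, [added]) - combined_coverage(framework, base)


def lens(framework: Iterable[Capability], standard: str) -> List[Capability]:
    """Capabilities that were assessed against the requested standard (benefit 3)."""
    return [cap for cap in framework if standard in cap.mappings]


def maturity_by_domain(framework: List[Capability], standard: Optional[str] = None) -> Dict[str, float]:
    """Average observed maturity per domain, optionally through one standard's lens."""
    caps = framework if standard is None else lens(framework, standard)
    buckets: Dict[str, List[int]] = defaultdict(list)
    for cap in caps:
        buckets[cap.domain].append(cap.maturity)
    return {d: round(sum(v) / len(v), 2) for d, v in sorted(buckets.items())}


def clauses_assessed(framework: Iterable[Capability], standard: str) -> List[str]:
    """Clause ids of one standard that the assessment produced evidence for."""
    return sorted({c for cap in lens(framework, standard) for c in cap.mappings[standard]})


if __name__ == "__main__":
    print("Full framework :", maturity_by_domain(FRAMEWORK))
    for std in sorted(coverage(FRAMEWORK)):
        print(f"{std:<5} lens     :", maturity_by_domain(FRAMEWORK, std))
    print("SANS adds to NIST+ISO:", coverage_gain(FRAMEWORK, ["NIST", "ISO"], "SANS"))
```

The point of keeping the mappings on the capability rather than on the report is that the evidence is collected once; `lens` and `maturity_by_domain` only filter and aggregate it, so a NIST-only or ISO-only view is a query over the same assessment rather than a second piece of fieldwork. `coverage_gain` is the same mechanism read the other way round: it shows which domains a framework would lose if one of its constituent standards were dropped.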

As you can see, applying a multi-standard security assurance framework has its benefits. Just ensure that, if you intend to apply this to your organisation, the people performing the assessment have done this a number of times before and are familiar with how these assessments are performed. Done right, they can be a fantastic tool for cyber assessment.