Selecting a control framework

Thursday, 16 February, 2023


There’s no “right” control framework; it’s about finding what works best for you.

Control frameworks are used to improve your cyber security posture and manage cyber security risk. They help you understand and raise awareness of risk within your business. For example, they mature your security by giving you a set of baseline controls to follow, and a gap analysis against those controls shows where you are not yet compliant.

There are many control frameworks. Some of the most commonly used include the NIST Cybersecurity Framework (CSF), NIST SP 800-53, the CIS Critical Security Controls (CSC) and ISO 27002.

Picking which framework works for you

When picking a framework, it comes down to which one’s controls are most applicable to you. A framework helps you manage your risks by providing guidelines, so it needs to be relevant to your risks and your business.

You could consider whether you want to use a control framework at a high level or at a low level.

Your approach may depend on your resources. If you have few resources, are a small business, or have limited time to implement your framework, you might decide to work at the higher level. If you have extensive resources, you may be more likely to use the low-level categories of a control framework to be more comprehensive.

Let’s start off with NIST CSF. It uses five functions, Identify, Protect, Detect, Respond and Recover, to organise its 23 categories and 108 subcategories. CIS Critical Security Controls at a high level has 18 controls, with 153 safeguards in total.

This consideration may take into account which controls are “essential”. Some frameworks, such as CIS CSC, use different layers within their safeguards to prioritise controls.

Control frameworks are not prescriptive. They provide guidance on what you should do to manage your risks. So, if you can’t choose one that works for you, you could use a custom framework that combines what you perceive as the best parts of multiple control frameworks. This lets you select what suits your risks and requirements.

Consider the application of the framework

As we’ve said before, “frameworks frame, but don’t fix”. You may choose a framework you see fit, but there is still the possibility that it isn’t used in the right way.

So when choosing a framework, you need to consider the next step and ask “how would this actually work?”

ISO 27002 is a good example. Its controls are split into organisational, people, physical and technological controls, so different teams in an organisation could implement them: senior leadership, HR and facility security respectively, and, for the technological controls, infrastructure, end user support and developers.

These teams are likely to have different understandings of security. Although they seem the right teams to be responsible for their respective types of control, the implementation of the framework’s controls may suffer as a result. It’s similar to how cyber risk should be handled; read more detail in our previous blog, “Who should own cyber risk in your organisation”.

Measuring framework compliance

Depending on your resources, you may carry out internal audits of your implemented framework to ensure the controls meet the required standard.

External audits are even better, and for some frameworks they are required: for example, the implementation of ISO 27002 controls is audited as part of the ISO 27001 standard.

Something else you might consider is automated tooling. Your choice of control framework could depend on whether it works with the tooling you are using, or want to use.

Automated tooling helps to collect evidence and measure compliance. For example, documentation “evidence” could be stored in a designated folder; the tooling extracts that information to measure the health of your compliance and display it in dashboards.
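As an added illustration of the evidence-folder approach just described (and of the gap analysis mentioned at the start of this post), the following Python script is example code written for this page, not the authors’ tooling or any vendor’s product. It scans a folder of evidence files, maps each file to a control using an assumed filename convention (`<control-id>__<description>.md`), treats evidence without a recent `reviewed:` date as a gap rather than as compliance, and summarises coverage per NIST CSF function. The control subset is a constructed sample in the style of CSF 1.1 subcategory IDs with paraphrased wording; the filename convention, the `reviewed:` line and the 365-day evidence age are all assumptions.

```python
"""Evidence-folder compliance measurement: an added, self-contained example.

Assumptions (not from the post): evidence files are named
"<control-id>__<description>.md" and may contain a line "reviewed: YYYY-MM-DD".
Evidence older than MAX_EVIDENCE_AGE, or with no review date, is reported as a gap.
"""
import os
import re
import shutil
import tempfile
from collections import defaultdict
from datetime import date, timedelta

# Constructed subset of controls grouped by NIST CSF function. IDs follow the
# CSF 1.1 subcategory style and the wording is paraphrased; use the official
# catalogue for real work.
CONTROLS = {
    "ID.AM-1": ("Identify", "Physical devices and systems are inventoried"),
    "ID.AM-2": ("Identify", "Software platforms and applications are inventoried"),
    "PR.AC-1": ("Protect", "Identities and credentials are managed"),
    "PR.DS-1": ("Protect", "Data-at-rest is protected"),
    "DE.CM-1": ("Detect", "The network is monitored for security events"),
    "RS.RP-1": ("Respond", "Response plan is executed during or after an incident"),
    "RC.RP-1": ("Recover", "Recovery plan is executed during or after an incident"),
}

EVIDENCE_NAME = re.compile(r"^(?P<control>[A-Z]{2}\.[A-Z]{2}-\d+)__.+\.md$")
REVIEWED_LINE = re.compile(r"^reviewed:\s*(\d{4}-\d{2}-\d{2})\s*$", re.MULTILINE)
MAX_EVIDENCE_AGE = timedelta(days=365)
AS_OF = date(2023, 2, 16)  # assessment date used by the sample run (the post's date)
STATUS_RANK = {"current": 2, "stale": 1, "undated": 0}


def build_sample_evidence_dir():
    """Create a temporary evidence folder holding constructed sample files."""
    root = tempfile.mkdtemp(prefix="evidence-")
    samples = {
        "ID.AM-1__asset-register.md": "reviewed: 2023-01-15\nCMDB asset register export.\n",
        "ID.AM-2__software-inventory.md": "reviewed: 2021-06-01\nOld software inventory.\n",
        "PR.AC-1__access-review.md": "reviewed: 2022-11-30\nQuarterly access review log.\n",
        "DE.CM-1__siem-coverage.md": "SIEM onboarding sheet, no review date recorded.\n",
        "notes.txt": "Not evidence; ignored because it does not match the convention.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def collect_evidence(evidence_dir, as_of=AS_OF):
    """Map control IDs to 'current', 'stale' or 'undated' based on the files found."""
    status = {}
    for name in sorted(os.listdir(evidence_dir)):
        match = EVIDENCE_NAME.match(name)
        if not match:
            continue  # not an evidence file under the assumed convention
        control = match.group("control")
        with open(os.path.join(evidence_dir, name), encoding="utf-8") as fh:
            reviewed = REVIEWED_LINE.search(fh.read())
        if reviewed is None:
            new = "undated"
        elif as_of - date.fromisoformat(reviewed.group(1)) > MAX_EVIDENCE_AGE:
            new = "stale"
        else:
            new = "current"
        # Several files may cover one control; keep the strongest status.
        if control not in status or STATUS_RANK[new] > STATUS_RANK[status[control]]:
            status[control] = new
    return status


def measure_compliance(controls, evidence_status):
    """Per-function totals, counts backed by current evidence, and the list of gaps."""
    summary = defaultdict(lambda: {"total": 0, "current": 0, "gaps": []})
    for control_id, (function, _description) in controls.items():
        entry = summary[function]
        entry["total"] += 1
        state = evidence_status.get(control_id, "missing")
        if state == "current":
            entry["current"] += 1
        else:
            entry["gaps"].append((control_id, state))
    return dict(summary)


def coverage_percent(summary):
    """Percentage of controls per function backed by current evidence."""
    return {fn: round(100 * v["current"] / v["total"]) for fn, v in summary.items()}


def run_example(as_of=AS_OF):
    """Build the sample folder, measure it, print a text dashboard, return the results."""
    evidence_dir = build_sample_evidence_dir()
    try:
        summary = measure_compliance(CONTROLS, collect_evidence(evidence_dir, as_of))
    finally:
        shutil.rmtree(evidence_dir)
    percent = coverage_percent(summary)
    for fn, entry in summary.items():
        gaps = ", ".join(f"{cid} ({why})" for cid, why in entry["gaps"]) or "none"
        print(f"{fn:<9} {entry['current']}/{entry['total']} ({percent[fn]:>3}%)  gaps: {gaps}")
    return summary, percent


if __name__ == "__main__":
    run_example()
```

The design choice worth noting is that the script distinguishes “missing”, “undated” and “stale” evidence instead of counting any file as a pass: a dashboard that only checks whether a folder is non-empty tends to drift towards the “compliant for the sake of saying so” outcome the post warns about, whereas surfacing review dates keeps the evidence tied to what is actually in place.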

Our own experience

A client of ours wanted to understand their cyber security posture and approach which would help in any auditing or due diligence requests they receive.

By using a framework, we could map their approach to industry standard practices. NIST CSF was the most appropriate framework as we found the function split useful and could go down to the next level to use the categories.

Given the company size and the estate, the priority was “what do we have and need to focus on?” Using a framework gave us a less intense process for documenting their approach, in comparison to CSF’s subcategories or other control frameworks. Being a common framework they were already familiar with enabled the approach to be maintainable.

The framework revealed where controls were in place, but also highlighted where some important controls were missing or where improvements could be made.

Frameworks need to be adapted to you

So while frameworks may seem like the perfect solution, choosing one and adapting it to your needs is key to implementing security controls and processes that aren’t maintained merely for the sake of saying you are compliant.

_Photo by Brendan Church from Unsplash._