It is quite easy to spot a connection between the ISO/IEC 27001:2022 security standard, the NIST CSF 2.0 cybersecurity framework and the Risk Treatment Plan (RTP). They are methods used in internal control to evaluate a management system from different perspectives. What they have in common is the need to evaluate the activities relevant to the management system, and each of them is defined by the abstraction model of that system.
The ISO standard requires the evaluation of the effectiveness of the controls present in the Statement of Applicability, the NIST framework requires the evaluation of the level of implementation of the subcategories of the cybersecurity profile, while the RTP must evaluate the effectiveness of the risk containment measures. Technically, each of those activities is called a control, and in turn these controls are composed of further elementary activities – that is, simpler tasks that the company implements for its own functioning and that we can call control tasks.
For example, let's consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO/IEC 27001 on information security policies. It is part of subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failing to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple related tasks are aggregated to obtain the evaluation of a control in whichever standard, framework or plan we are considering.
I believe that the best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.
In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.
- The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
- The second advantage is in the method of treatment of the various frameworks. Instead of building framework-specific controls, with new costs to be sustained for their management, it is preferable to identify each control of the framework to which existing control tasks are relevant and automatically aggregate the corresponding evaluations. The only burden is to define the relationship between the company's control tasks and the controls of the chosen framework, and this needs to be done only once.
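The mechanics described above (maturity-scored control tasks, a one-off mapping to framework controls, aggregation and gap analysis) as an added worked example; this is illustration code, not the article's or any framework's own tooling. The 0..5 maturity scale, the task register, the RTP risk identifier and the aggregation rule (mean plus weakest task) are assumptions; only control 5.1 and GV.PO-01 come from the text.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed CMMI-style maturity scale, 0..5; the article does not fix one.
MATURITY = {0: "incomplete", 1: "initial", 2: "managed", 3: "defined",
            4: "quantitatively managed", 5: "optimizing"}


@dataclass
class ControlTask:
    task_id: str
    description: str
    maturity: int   # measured current maturity level
    target: int     # pre-established target level for this task

    def gap(self) -> int:
        """Gap analysis for one task: how many levels remain to reach target."""
        return max(self.target - self.maturity, 0)


# Constructed task register (hypothetical company, not from the article).
TASKS = {
    "T1": ControlTask("T1", "Update the risk policy", 2, 3),
    "T2": ControlTask("T2", "Obtain management approval of the policy", 3, 3),
    "T3": ControlTask("T3", "Publish the policy to staff", 1, 3),
}

# One-off mapping: (framework, control) -> company control tasks it relies on.
# "policy-not-updated" is a placeholder RTP risk identifier.
MAPPING = {
    ("ISO27001", "5.1"): ["T1", "T2", "T3"],
    ("NIST CSF", "GV.PO-01"): ["T1", "T2"],
    ("RTP", "policy-not-updated"): ["T1"],
}


def evaluate_control(framework, control_id, tasks=TASKS, mapping=MAPPING):
    """Aggregate the evaluations of the tasks mapped to one framework control.
    'score' is the mean maturity; 'min' is the weakest task, reported because a
    control is only as effective as its least mature task (chosen rule, not a
    prescription); 'gap' is the total remaining work across the mapped tasks."""
    ids = mapping[(framework, control_id)]
    levels = [tasks[i].maturity for i in ids]
    return {"score": round(mean(levels), 2), "min": min(levels),
            "gap": sum(tasks[i].gap() for i in ids)}


def gap_report(tasks=TASKS, mapping=MAPPING):
    """Evaluate every mapped control of every framework from the single task register."""
    return {f"{fw}:{cid}": evaluate_control(fw, cid, tasks, mapping)
            for fw, cid in mapping}
```

Re-scoring a single task (for example raising T1 to level 3) updates all three framework views in the next `gap_report()` call, which is the "manage many frameworks with the effort of one" point made in the text.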
As a result of all this, it is clear that it is possible to manage multiple control frameworks at the same time, but with the effort of managing only one. More details and considerations on pros and cons are described in my recent ISACA Journal article, “Adding Value With Risk-Based Information Security.”