Knowledge Base

ISO 27001 / ISO 27002 Information Security Framework

The International Organization for Standardization (ISO) created a standard for information security that is the basis for certifications demonstrating an effective cybersecurity program to internal and external stakeholders. Some organizations will determine they need a full audit and certification; others may decide only to “align” with the ISO requirements. The decision depends mainly on the business drivers behind the recurring investment and organizational change.

ISO 27001:2022 is the latest iteration of the 27001 series. It provides the framework for implementing an Information Security Management System (ISMS), which drives continual improvement in securing information assets across the pillars of confidentiality, integrity and availability. The framework is comprised of clauses and controls. Clauses outline the organizational and management requirements for maintaining the program and managing risk, while the controls in Annex A are the activities required to mitigate the risks identified through the risk assessment process. Certification is based on evidence that the ISO 27001 requirements have been met over a period of time.

ISO 27002:2022 is the latest iteration of the 27002 series. It supports the ISMS defined in 27001 with additional implementation guidance and detail for the controls listed in Annex A of the ISO 27001 standard.

Who does it apply to?

The ISO standards are meant to apply to any organization, region, or industry, and are typically followed by larger international organizations and those that operate out of Europe and Asia.

How can Socium Security help?

Socium Security can help organizations determine their own readiness for an audit. We can assess, design and build a security program aligned to the ISO standards in preparation for eventual certification by an accredited audit firm. Read our guidance on first-time ISO 27001 audit readiness.

CMMC v2.0 (NIST 800-171)

With this final rule, posted on 10/15/2024, the DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify that contractors have implemented the security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This rule is effective December 16, 2024. The mechanisms discussed in this rule will allow the Department to confirm that a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. The full published document can be found here.

The Defense Federal Acquisition Regulation Supplement (DFARS) established a rule to implement a Cybersecurity Maturity Model Certification (CMMC) framework to assess contractor implementation of the cybersecurity requirements that protect specific data types within the DoD supply chain. CMMC Model 2.0 is currently within the rulemaking process with the objective to:

  • Safeguard sensitive information to enable and protect the warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber resilience
  • Maintain public trust through high professional and ethical standards

CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information.

Who does it apply to?

The primary purpose of CMMC practices and processes is to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

FCI means “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”

CUI is “government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies.”

CMMC is designed to assure the DoD that a contractor and/or subcontractor can adequately protect FCI and CUI at a level proportionate to the risk. It is used to verify the implementation of processes and practices and to certify that a contractor and/or subcontractor complies with the CMMC standard.

A contractor on a DoD contract needs to comply with the Standard. The contractor is required to obtain a CMMC certificate. If a contractor does not store or transmit CUI but does possess FCI, they must be certified at CMMC Level 1.

CMMC is based on the NIST SP 800-171 Rev. 2 security requirements, organized across the following 14 families:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Security Assessment
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical Protection
  • Personnel Security
  • Risk Assessment
  • System and Communication Protection
  • System and Information Integrity

How can Socium Security help?

Socium Security can provide assessment and program readiness services for organizations that are or will be processing FCI and/or CUI in support of federal contracts. This will establish a security roadmap and operational program to meet the Federal requirements.

Common Cybersecurity Frameworks Overview

A cybersecurity framework provides a set of standard requirements that IT and security leaders can align their programs with, giving them a consistent way to establish, operate and measure security risk. Frameworks are aligned to countries, regions, and industry-specific perspectives so that a common language can be established for the practices expected of organizations with differing data and risk profiles. Typically, smaller organizations will align to a single framework, whereas larger, more complex organizations will align to multiple frameworks to cover their products, data, and geographies.

The graphic below outlines the spectrum of typical cybersecurity frameworks and the coverage of the control requirements.

For more information on these frameworks;

Governance, Risk, and Compliance (GRC) Management and Supporting Technologies

The growing market for technology that supports security programs is creating a more complex landscape for many of our clients to navigate, in part because of the many distinct use cases that individual products are built to address. We recommend that buyers consider the maturity of their programs, and the following list of capabilities, in order to narrow the search:

  • Assessments – Ability to conduct assessments at different levels in the organization depending on business unit, computing environment, etc.
    • Program maturity assessments
    • Vendor assessments
    • Risk assessments
  • Roadmap and planning – Ability to establish a prioritized roadmap of remediation and steady-state activities and track status over time.
  • Document / policy management – Ability to produce and manage policy and process documentation.
  • Controls management / compliance – Ability to upload and manage evidence of control compliance against recognized frameworks and regulations (NIST, ISO, PCI DSS, CMMC, etc.), and/or automate the evidence collection.
  • Workflow and automation – Ability to integrate with external business systems and trigger workflows.
  • Data reporting and analysis – Ability to present real-time data and visualizations, including the ability to click into objects to understand the source data.

Questions to consider

What is the organization’s motivation for GRC technology?

Determining what or who is driving the need for GRC technology, and why, can help clarify and narrow the marketplace of options. Typically, there are a few primary reasons:

  • An event / incident like a data breach has occurred.
  • The current solution can no longer support the program requirements.
  • An executive or board member requested the project.

How are you going to support the GRC Platform?

A GRC platform should integrate with your organization’s technology, processes, and people resources. Refining how you expect to support the technology will help the selection and ongoing operation.

  • Internal IT / GRC resources
  • Existing partners or consultants
  • A combination of internal and partner resources

Where are you now with program maturity and what is your target?

Program maturity is a primary consideration in how GRC and security program management tools should be selected. Depending on the complexity and maturity of the organization’s security program, the requirements will point to specific players in the market. The following maturity descriptions can be used to narrow the best vendors for your needs:

Initial
Programs that are early in their development and operation, have simple compliance requirements, and limited support resources.

  • Provide Policy templates and control mappings aligned to standards (NIST, ISO, SOC2, etc.)
  • Provide surveys to assess and report on control implementations
  • Provide vendor assessment workflow and reporting
  • Provide ability to assess and report on risks

For programs that are in the “Initial” state of maturity, the following options should be considered: OneTrust, MyCISO, Drata, Logicgate.

Established
Programs that are designed and aligned to business needs, have some documented / repeatable processes, but limited support resources.

  • Provide workflow to support process implementations
  • Provide roadmaps to plan annual cycles and reporting
  • Improve awareness of control owner responsibilities, documentation, and implementation support

For programs that are “Established” and looking to advance, the following options are suitable: OneTrust, Drata, Vanta, Riskonnect, Fusion, CyberSaint, ZenGRC.

Mature
Programs that have documented and repeatable processes, an adequate level of support resources, and defined business alignment demonstrated over a few annual cycles of improvement. Mature programs will typically have the following objectives:

  • Increase program efficiency through automation and workflow APIs
  • Improve risk decisions through data analytics
  • Increase collaboration across stakeholders and departments with role-based access (IT, Risk Management, Legal, Compliance, Executive Management)

For “Mature” programs, the following vendors are worth consideration: RSA Archer, MetricStream, ServiceNow GRC, SAI Global.

Pricing

Most tools in this space are priced by user count and by the number of control frameworks required. Larger platforms also charge per module so that the solution can scale with the customer’s needs.

Services Offered

Socium Security can provide advisory services to establish the security program foundation and assist with GRC evaluation and selection projects to support the program. Socium can also provide support services to manage the ongoing operation of the GRC platform.

NIST Cybersecurity Framework (CSF)

The NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) was established as a result of an executive order by former President Obama to improve critical infrastructure cybersecurity through partnership and collaboration. Compliance with this standard is voluntary, but the framework is often used as a basis for assessing cybersecurity program maturity, practice gaps, and mitigation roadmaps because of its flexibility and common language. The NIST CSF is currently in version 1.1 as of April 2018.

The NIST CSF v1.1 is comprised of 5 key Functions – Identify, Protect, Detect, Respond, and Recover.

Under the 5 Functions are 23 Categories and 108 Subcategories (control activities).

Currently, v2.0 of the NIST CSF is being drafted based on industry feedback and can be tracked here on the NIST.gov site.

Who does it apply to?

The NIST CSF applies to almost all cybersecurity programs and is commonly used as a reference framework within the US and North America. It is often used to assess program maturity and provide a basis of reporting to internal and external stakeholders regarding the overall security posture.

How can Socium Security help?

Socium Security can provide companies of all sizes an independent program maturity assessment based on the NIST CSF using a standard methodology. This service is typically paired with a Security Architecture Assessment that includes an assessment, report, and risk-based recommendations around the IT architecture, data processing, and security controls in place. Together, this provides management and technical stakeholders a complete picture of the current state security posture.

If your cybersecurity practices are operating with measurable maturity, consider testing the program’s capabilities with a crisis management exercise or penetration test by Socium Security.