In February 2014, NIST released version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. The framework is intended to be a “voluntary” set of standards that can help small and medium-sized businesses develop an information security program. (Part of the problem, of course, is that we don’t need another framework, but rather a rational and scaled-down version of existing frameworks such as NIST 800-53 or ISO 27002 that would make sense for small businesses.) While the framework is currently voluntary, some speculate that it could become a default standard for evaluating smaller businesses and contractors that form part of the critical infrastructure.
Mapping ISO 27002 to the CyberSecurity Framework
For those organizations that base their information security program on the ISO 27002 information security standard, we have developed a new policy map between the control categories of ISO 27002:2013 and the Cybersecurity Framework. This mapping should help your organization rationalize security controls across these two frameworks. For existing customers, this mapping also includes references to the sample information security policies found within Information Security Policies Made Easy.