BSI is Considering an Approach to Provide a Third-Party Certification to the CSF
G2 is helping BSI explore industry interest in a third-party assessment based on a combination of the Cybersecurity Framework (CSF) and the ISO/IEC 27001:2013 standard. BSI issued a Request for Information back in August, which we've publicized here.
As our engineers help to implement the CSF around the world, we often hear frustration that the CSF outcomes are somewhat high-level (e.g., PR.DS-01, Data-at-rest is protected). They were built that way because it would be inappropriate for the Framework to declare a prescriptive approach for all users and all types of data. CSF’s purpose is to inspire users to determine for themselves what procedures and controls are necessary to achieve risk management goals (as determined in CSF Step 1), and then identify ways to monitor the ongoing effectiveness of those measures. The “how” is intentionally in the eye of the beholder.
The challenge, then, comes when we try to use CSF Profiles to compare one organization's Target State requirements against another's Current State assertions. Some organizations may need an independent and qualified third party to determine whether a Current State Profile accurately describes the procedures and controls in place, and to render an opinion on the effectiveness of the measures claimed.
Many Framework adopters already use the ISO/IEC 27000 family of international standards, and the CSF references ISO/IEC 27001 extensively. An organization that wants to leverage BSI’s certification to ISO/IEC 27001 Information Security Management will already be formally assessing those CSF subcategories to which ISO controls are mapped. When a third-party assessor assures that the necessary ISO/IEC 27001 procedures and controls are in place and working effectively, that same reviewer could also consider the reasonableness of the remaining Current State Profile assertions. This approach wouldn’t bind the CSF to any particular standard, but it might be beneficial for those that already apply ISO 27000 standards to organizational practices, and it might provide some confidence to those that need higher assurance that a Current State Profile is accurate and reasonable.
What are your thoughts? We’re getting ready to post the formal responses received in the Downloads folders here, and we’d welcome your thoughts in the Forums (fora?).
Until then, be safe and have a great weekend!